WebSphereLibertyApplication custom resource
The WebSphereLibertyApplication custom resource (CR) represents an instance of WebSphere® Liberty that is installed into a Kubernetes namespace. The resource is created with the default configuration when the instance is created. You can use the CR to update the configuration.
WebSphereLibertyApplication YAML structure
The WebSphereLibertyApplication custom resource definition (CRD) has the following YAML structure. Each instance of the WebSphereLibertyApplication CR represents the application to be deployed on the cluster.
apiVersion: liberty.websphere.ibm.com/v1
kind: WebSphereLibertyApplication
metadata:
  name: my-app
spec:
  license:
    accept: false
    edition: IBM WebSphere Application Server
    productEntitlementSource: Standalone
    metric: Processor Value Unit (PVU)
  applicationImage: quay.io/my-repo/my-app:1.0
  service:
    type: ClusterIP
    port: 9080
  expose: true
  serviceability:
    size: 2Gi
WebSphereLibertyApplication configurable parameters
The WebSphereLibertyApplication CRD has configurable parameters.
The following list describes the parameters and values that you are most likely to configure. For a complete list of configurable parameters, see the WebSphereLibertyApplication CRD. After you configure an application in a CR, you can deploy the application and then check the status of the deployed application.
Each WebSphereLibertyApplication CR must specify the license and applicationImage required parameters. Other configurable parameters are optional.
- affinity
- applicationImage (Required)
- applicationName
- applicationVersion
- autoscaling
- createKnativeService
- deployment
- disableServiceLinks
- dns
- env
- envFrom
- expose
- initContainers
- license (Required)
- manageTLS
- manageLTPA
- managePasswordEncryption
- monitoring
- networkPolicy
- probes
- pullPolicy
- pullSecret
- replicas
- resources
- route
- securityContext
- semeruCloudCompiler
- service
- serviceability
- serviceAccount
- serviceAccountName
- sidecarContainers
- sso
- statefulSet
- tolerations
- topologySpreadConstraints
- volumeMounts
- volumes
- affinity
- Configures pods to run on specific nodes. For examples, see Limit a pod to run on specified nodes (.spec.affinity).
- architecture
- An array of architectures to be considered for deployment. Their position in the array indicates preference.
- nodeAffinity
- A YAML object that represents a NodeAffinity.
- nodeAffinityLabels
- A YAML object that contains a set of required labels and their values.
- podAffinity
- A YAML object that represents a PodAffinity.
- podAntiAffinity
- A YAML object that represents a PodAntiAffinity.
- applicationImage
- (Required) The absolute name of the image to be deployed, containing the registry and the tag. On Red Hat® OpenShift®, it can also be set to project_name/image_stream_name[:tag] to reference an image from an image stream. If project_name and tag values are not defined, project_name defaults to the namespace of the CR and tag defaults to the latest value. For more information, see Reference image streams (.spec.applicationImage).
- applicationName
- The name of the application this resource is part of. If not specified, it defaults to the name of the CR.
- applicationVersion
- The current version of the application. When the version is defined, the app.kubernetes.io/version label is added to all resources.
- autoscaling
- Configures the wanted resource consumption of pods. For more information, see Configure multiple application instances for high availability (.spec.replicas or .spec.autoscaling).
- maxReplicas
- (Required for autoscaling) The maximum number of pods that the autoscaler can set. The value cannot be less than the minimum number of replicas.
- minReplicas
- The minimum number of pods that the autoscaler can set.
- targetCPUUtilizationPercentage
- The target average CPU use, represented as a percentage of requested CPU, over all the pods.
- createKnativeService
- A Boolean to toggle the creation of Knative resources and use of Knative serving. To create a Knative service, set the parameter to true. For examples, see Deploy serverless applications with Knative (.spec.createKnativeService) and Expose applications externally (.spec.expose, .spec.createKnativeService, .spec.route).
- deployment
- Defines the desired state and cycle of applications.
- annotations
- Annotations to add only to the deployment and its resources.
- updateStrategy
- The strategy to replace old deployment pods with new pods.
- deployment.updateStrategy.rollingUpdate
- Rolling update configuration parameters.
- deployment.updateStrategy.type
- The type of the deployment. Can be Recreate or RollingUpdate. The default value is RollingUpdate.
- disableServiceLinks
- Disable information about services being injected into the application pod's environment variables. The default is false.
- dns
- DNS settings for the application pod. For more information, see Configure DNS (.spec.dns.policy and .spec.dns.config).
- config
- The DNS Config for the application pod.
- policy
- The DNS Policy for the application pod. Defaults to ClusterFirst.
- env
- A list of environment variables to set in the container in the {name, value} format, where value is a simple string. It might also follow the {name, valueFrom} format, where valueFrom refers to a value in a ConfigMap or Secret resource. For examples, see Set environment variables for an application container (.spec.env or .spec.envFrom) and Override console logging environment variable default values (.spec.env).
- name
- The environment variable name. Must be a C_IDENTIFIER.
- value
- A string that defaults to "". Variable references $(VAR_NAME) are expanded by using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string is unchanged. Double $$ are reduced to a single $, which enables escaping the $(VAR_NAME) syntax; for example, "$$(VAR_NAME)" produces the string literal "$(VAR_NAME)". Escaped references are not expanded, regardless of whether the variable exists or not.
- valueFrom
- The source for the environment variable value. It cannot be used if value is not empty. Properties of valueFrom include configMapKeyRef, fieldRef, resourceFieldRef, and secretKeyRef.
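The expansion and escaping rules for the value field, implemented as an added example (not operator code) so that a value can be checked locally before it is placed in a CR. The function name and the constructed sample environment are assumptions.

```python
def expand_env_value(value: str, env: dict[str, str]) -> str:
    """Expand $(VAR_NAME) references the way the container runtime does.

    Added example, not part of the operator. Rules from the reference:
    - $(NAME) is replaced with env[NAME] when NAME is defined;
    - an unresolved reference is left in the string unchanged;
    - $$ collapses to a single $, so "$$(NAME)" yields the literal "$(NAME)"
      and is never expanded, whether or not NAME exists.
    """
    out: list[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "$" or i + 1 >= len(value):
            out.append(ch)           # ordinary character, or a trailing lone $
            i += 1
            continue
        nxt = value[i + 1]
        if nxt == "$":               # escaped operator: $$ -> $
            out.append("$")
            i += 2
            continue
        if nxt == "(":
            end = value.find(")", i + 2)
            if end != -1:            # complete $(NAME) reference
                name = value[i + 2:end]
                out.append(env.get(name, value[i:end + 1]))
                i = end + 1
                continue
        out.append("$")              # "$x" or an unterminated "$(" stays literal
        i += 1
    return "".join(out)


# Constructed sample: service variables as the container would see them.
SAMPLE_ENV = {"MY_APP_SERVICE_HOST": "10.0.0.1", "MY_APP_SERVICE_PORT": "9080"}

if __name__ == "__main__":
    for raw in ("http://$(MY_APP_SERVICE_HOST):$(MY_APP_SERVICE_PORT)/health",
                "$$(MY_APP_SERVICE_HOST)", "$(UNDEFINED)", "cost: $$5"):
        print(f"{raw!r} -> {expand_env_value(raw, SAMPLE_ENV)!r}")
```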
- envFrom
- A list of references to ConfigMap or Secret resources that contain environment variables. Keys from ConfigMap or Secret resources become environment variable names in your container. Properties of envFrom include configMapRef, prefix, and secretRef. For an example that uses .spec.envFrom.secretRef, see Using environment variables for basic authentication credentials. For another example, see Set environment variables for an application container (.spec.env or .spec.envFrom).
- expose
- A Boolean that exposes this application externally with a Route, Knative Route, or Ingress resource. For examples, see Expose applications externally (.spec.expose, .spec.createKnativeService, .spec.route).
- initContainers
- A list of containers to run before other containers in a pod. The list is of Init Container definitions.
- license
- (Required) The license must be reviewed and accepted before the application can be deployed. Information about the license is available at https://ibm.biz/was-license.
- accept
- A Boolean that specifies whether the license is accepted. The default is false. The value must be true to accept the license and enable deployment of the WebSphere Liberty application.
- edition
- The product edition. The default is IBM WebSphere Application Server, the base product. Other available edition values are IBM WebSphere Application Server Liberty Core and IBM WebSphere Application Server Network Deployment.
- productEntitlementSource
- The entitlement source for the product. Specify the product for which you have a license. The default is Standalone, which includes WebSphere Application Server products such as Liberty. Other available values are IBM Cloud Pak for Applications Advanced, IBM Cloud Pak for Applications Standard, IBM WebSphere Application Server Family Edition, and IBM WebSphere Hybrid Edition.
- metric
- Deprecated. The charge metric code is now automatically determined based on the specified product edition and entitlement source.
- manageTLS
- A Boolean that enables automatic certificate generation and mounting of a TLS secret into the pod. The default is true. For more information, see Configuring transport layer security (TLS) certificates.
- manageLTPA
- A Boolean that enables management of Lightweight Third-Party Authentication (LTPA) key sharing among Liberty containers. The default is false. For more information, see Configuring Lightweight Third-Party Authentication (LTPA).
- managePasswordEncryption
- Enables management of password encryption key sharing among Liberty containers. The default is false. For more information, see Managing Password Encryption.
- monitoring
- Specifies parameters for Service Monitor. For examples, see Monitor resources (.spec.monitoring) and Specify multiple service ports (.spec.service.port* and .spec.monitoring.endpoints).
- endpoints
- A YAML snippet that represents an array of Endpoint components from ServiceMonitor. Items in the array can include authorization, basicAuth, bearerTokenFile, bearerTokenSecret, honorLabels, honorTimestamps, interval, metricRelabelings, oauth2, params, path, port, proxyUrl, relabelings, scheme, scrapeTimeout, targetPort, and tlsConfig.
- labels
- Labels to set on ServiceMonitor.
- networkPolicy
- Defines the network policy. For examples, see Allowing or limiting incoming traffic (.spec.networkPolicy).
- disable
- A Boolean to disable the creation of the network policy. The default value is false. By default, network policies for an application are created and limit incoming traffic.
- fromLabels
- The labels of one or more pods from which incoming traffic is allowed.
- namespaceLabels
- The labels of namespaces from which incoming traffic is allowed.
- probes
- Defines health checks on an application container to determine whether it is alive or ready to receive traffic. The following probes are available:
- liveness
- A periodic probe of container liveness. If the liveness probe fails, the container is restarted.
- readiness
- A periodic probe of container service readiness. If the readiness probe fails, the container is removed from the service endpoints.
- startup
- A probe to determine successful initialization. If specified, other probes are not run until this probe completes successfully.
Each liveness, readiness, or startup probe has the following available properties. For examples, see Configure probes (.spec.probes).
- probes.probe_type.exec
- An action to take. Specify one action only. A property of exec is command, which specifies a list of command values. For a command, specify the command line to run inside the container. The working directory for the command is root (/) in the container file system. The command is not run inside a shell, so traditional shell instructions such as '|' do not work. To use a shell, explicitly call out to that shell. An exit status of 0 indicates a live or healthy status and a nonzero number indicates an unhealthy status.
- probes.probe_type.failureThreshold
- The minimum consecutive failures for the probe to be considered failed after a success. The default is 3. The minimum value is 1.
- The http request to perform.
- probes.probe_type.httpGet.host
- The hostname to connect to. The default is the pod IP. You likely want to set "Host" in httpHeaders instead.
- A list of custom headers to set in the request. HTTP allows repeated headers. For each custom HTTP header to use in the HTTP probes, specify a header field name and value.
- probes.probe_type.httpGet.path
- A path to access on the HTTP server.
- probes.probe_type.httpGet.port
- (Required) A name or number of the port to access on the container. A name must be an IANA_SVC_NAME. A number must be in the 1 - 65535 range.
- probes.probe_type.httpGet.scheme
- The scheme to use to connect to the host. The default is HTTP.
- initialDelaySeconds
- The number of seconds after the container starts before liveness probes are run. For more information, see Container probes.
- periodSeconds
- How often (in seconds) to perform the probe. The default is 10 seconds. The minimum value is 1.
- successThreshold
- The minimum consecutive successes for the probe to be considered successful after a failure. The default is 1. It must be 1 for liveness and startup. The minimum value is 1.
- tcpSocket
- A TCPSocket action that involves a TCP port. TCP hooks are not supported.
- probes.tcpSocket.host
- (Optional) A host name to connect to. The default is the pod IP.
- probes.tcpSocket.port
- (Required) A name or number of the port to access on the container. A name must be an IANA_SVC_NAME. A number must be in the 1 to 65535 range.
- terminationGracePeriodSeconds
- The duration in seconds the pod needs to end gracefully upon probe failure. The grace period is the time between the moment the processes that are running in the pod are sent a termination signal and the moment the processes are halted. Set this value longer than the expected cleanup time for your process. This value must be an integer that is not negative. The value zero (0) indicates to stop immediately with no opportunity to shut down. This field is a beta field and requires enabling the ProbeTerminationGracePeriod feature gate. The minimum value is 1.
- timeoutSeconds
- The number of seconds after which the probe times out. The default is 1 second. The minimum value is 1. For more information, see Container probes.
- pullPolicy
- The policy that is used when the image is pulled. Supported values are one of Always, Never, and IfNotPresent.
- pullSecret
- If a registry requires authentication, the name of the secret that contains credentials.
- replicas
- The static number of replica pods to run simultaneously. For more information, see Configure multiple application instances for high availability (.spec.replicas or .spec.autoscaling).
- resources
- Resource requests and limits for the application container.
- limits
- The maximum allowed amount of compute resources.
- requests
- The minimum allowed amount of compute resources. If requests is omitted for a container, it defaults to limits if that is explicitly specified, otherwise to an implementation-defined value. The .spec.resources.requests.cpu field is required for autoscaling.
For limits or requests, specify an integer or string. The value must match the following pattern:
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
Additional values can specify cpu and memory for resource limits or requests. For more information, see Resource Management for Pods and Containers.
- route
- Configures the ingress resource. For examples, see Expose applications externally (.spec.expose, .spec.createKnativeService, .spec.route) and Specify certificates (.spec.route.certificateSecretRef and .spec.service.certificateSecretRef).
- annotations
- Annotations to add to the Route.
- certificateSecretRef
- A name of a secret that already contains TLS key, certificate, and CA to use in the route. It can also contain the destination CA certificate. The following keys are valid in the secret: ca.crt, destCA.crt, tls.crt, and tls.key.
- host
- The hostname for the Route.
- insecureEdgeTerminationPolicy
- The HTTP traffic policy with TLS enabled. Can be one of Allow, Redirect, and None.
- path
- The path for the Route.
- pathType
- The path type to use for Ingress.
- termination
- The TLS termination policy. Can be one of edge, reencrypt, and passthrough.
- securityContext
- A security context to control privilege and permission settings for the application container. For examples, see Set privileges and permissions for a pod or container (.spec.securityContext). If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. For more information, see Configure a Security Context for a Pod or Container.
- allowPrivilegeEscalation
- A Boolean that controls whether a process can gain more privileges than its parent process. This Boolean controls whether the no_new_privs flag is set on the container process. AllowPrivilegeEscalation is always true when the container is run as Privileged and has CAP_SYS_ADMIN.
- The capabilities to add or drop when containers are run. Defaults to the default set of
capabilities that the container runtime grants.
- securityContext.capabilities.add
- An array of added capabilities of POSIX capabilities type.
- securityContext.capabilities.drop
- An array of removed capabilities of POSIX capabilities type.
- privileged
- A Boolean to specify whether to run a container in privileged mode. Processes in privileged containers are equivalent to root on the host. The default is false.
- procMount
- The type of proc mount to use for the containers. The default is DefaultProcMount, which uses the container runtime defaults for read-only paths and masked paths. To use procMount, the ProcMountType feature flag must be enabled.
- readOnlyRootFilesystem
- A Boolean to specify whether this container has a read-only root file system. The default is false.
- runAsGroup
- The GID to run the entrypoint of the container process. If unset, runAsGroup uses the runtime default. The value can be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the SecurityContext value takes precedence.
- runAsNonRoot
- A Boolean that specifies whether the container must run as a nonroot user. If true, the kubelet validates the image at run time to ensure that it does not run as UID 0 (root), and fails to start the container if it does. If unset or false, the validation is not performed. The value can be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the SecurityContext value takes precedence.
- runAsUser
- The UID to run the entrypoint of the container process. If unset, the default is the user that is specified in image metadata. The value can be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the SecurityContext value takes precedence.
- seLinuxOptions
- The SELinux context to be applied to the container. Its properties include level, role, type, and user. If unspecified, the container runtime allocates a random SELinux context for each container. The value can be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the SecurityContext value takes precedence.
- seccompProfile
- The seccomp options to use by this container. If seccomp options are set at both the pod and container level, the container options override the pod options.
- securityContext.seccompProfile.localhostProfile
- A profile that is defined in a file on the node. The profile must be preconfigured on the node to work. Specify a descending path, relative to the kubelet configured seccomp profile location. Only set localhostProfile if type is Localhost.
- securityContext.seccompProfile.type
- (Required) The kind of seccomp profile to use. Valid options are Localhost (use a profile that is defined in a file on the node), RuntimeDefault (use the container runtime default profile), and Unconfined (use no profile).
- windowsOptions
- The Windows specific settings to apply to all containers. If unset, the options from the PodSecurityContext are used. If set in both SecurityContext and PodSecurityContext, the SecurityContext value takes precedence. The windowsOptions properties include gmsaCredentialSpec, gmsaCredentialSpecName, hostProcess, and runAsUserName.
- semeruCloudCompiler
- Configures the Semeru Cloud Compiler to handle Just-In-Time (JIT) compilation requests from the application.
- enable
- Enables the Semeru Cloud Compiler. Defaults to false.
- replicas
- Number of desired pods for the Semeru Cloud Compiler. Defaults to 1.
- resources
- Resource requests and limits for the Semeru Cloud Compiler. The CPU defaults to 100m with a limit of 2000m. The memory defaults to 800Mi, with a limit of 1200Mi.
- service
- Configures parameters for the network service of pods. For an example, see Specify multiple service ports (.spec.service.port* and .spec.monitoring.endpoints).
- annotations
- Annotations to add to the service. Annotations set on Service with .spec.service.annotations override annotations set in a CR as key-value pairs in the .metadata.annotations field.
- bindable
- A Boolean that specifies whether to expose the application as a bindable service. The default is false. To expose the application as a service, set .spec.service.bindable to true. For more information, see Bind applications with operator-managed backing services (.status.binding.name and .spec.service.bindable).
- certificate
- Configure the TLS certificates for the service. The annotations property is available for this parameter. Set annotations on the .spec.service.certificate.annotations parameter to add them to the certificate.
- certificateSecretRef
- A name of a secret that already contains TLS key, certificate, and CA to be mounted in the pod. The following keys are valid in the secret: ca.crt, tls.crt, and tls.key. For more information, see Specify certificates (.spec.route.certificateSecretRef and .spec.service.certificateSecretRef).
- nodePort
- Node proxies this port into your service. After this port is set to a nonzero value, it cannot be reset to zero. The minimum is 0 and the maximum is 65535.
- port
- The port that the container exposes.
- portName
- The name for the port that the container exposes.
- ports
- An array of service ports. Available properties for items in the .spec.service.ports array include appProtocol, name, nodePort, port, protocol, and targetPort. The .spec.service.ports.port value is required.
- targetPort
- The port that the operator assigns to containers inside pods. The default is the .spec.service.port value. The minimum is 1 and the maximum is 65535.
- type
- A Service Type string that describes ingress methods for a service.
- serviceability
- Specifies serviceability-related operations, such as gathering server memory dumps and server traces. For examples, see Storage for serviceability.
- size
- A convenient field to request the size of the persisted storage to use for serviceability.
- storageClassName
- A convenient field to request the StorageClassName of the persisted storage to use for serviceability.
- volumeClaimName
- The name of the PersistentVolumeClaim resource that you created to use for serviceability.
- serviceAccount
- The service account to use for application deployment. If a service account name is not specified, a service account is automatically created. For more information, see Create a service account (.spec.serviceAccount).
- mountToken
- Determines whether the Service Account token is mounted into the application pods. Defaults to true.
- name
- Name of the service account to use for deploying the application.
- serviceAccountName
- Deprecated. Use .spec.serviceAccount.name instead. If both parameters are specified, the value of .spec.serviceAccount.name is used.
- sidecarContainers
- A list of sidecar containers, which are extra containers to be added to the pods. Its properties include args, command, env, envFrom, image, imagePullPolicy, lifecycle, livenessProbe, name, ports, readinessProbe, resources, securityContext, startupProbe, stdin, stdinOnce, terminationMessagePath, terminationMessagePolicy, tty, volumeDevices, volumeMounts, and workingDir. A name value is required.
- sso
- The configuration for single sign-on providers to authenticate with. Specify sensitive fields, such as clientId and clientSecret, for the selected providers by using the Secret. For more information, see Configuring single sign-on (SSO) for WebSphere Liberty operators.
- github.hostname
- The host name of your enterprise GitHub, such as github.mycompany.com. The default is github.com, which is the public GitHub.
- mapToUserRegistry
- Specifies whether to map a user identifier to a registry user. This parameter applies to all providers.
- oauth2
- The list of OAuth 2.0 providers with which to authenticate. Each list item provides an OAuth2 client configuration. List items must include authorizationEndpoint and tokenEndpoint fields. Specify sensitive fields, such as clientId and clientSecret, for the selected providers by using the Secret.
- oidc
- The list of OpenID Connect (OIDC) providers with which to authenticate. Each list item provides an OIDC client configuration. List items must include the discoveryEndpoint field. Specify sensitive fields, such as clientId and clientSecret, for the selected providers by using the Secret.
- redirectToRPHostAndPort
- A callback protocol, host, and port number, such as https://myfrontend.mycompany.com. This parameter applies to all providers.
- statefulSet
- The wanted state and cycle of stateful applications. For examples, see Persist resources (.spec.statefulSet and .spec.volumeMounts).
- annotations
- Annotations to add only to the StatefulSet and its resources.
- storage
- Defines settings of persisted storage for StatefulSets.
- statefulSet.storage.className
- A convenient field to set the storage class of the persisted storage. Can be overridden by the storage.volumeClaimTemplate property.
- statefulSet.storage.mountPath
- The directory inside the container to where this persisted storage is bound.
- statefulSet.storage.size
- A convenient field to set the size of the persisted storage. Can be overridden by the statefulSet.storage.volumeClaimTemplate property. When storage is configured, the operator creates a StatefulSet instead of a Deployment. For more information, see Persistence.
- statefulSet.storage.volumeClaimTemplate
- A YAML object that represents a volumeClaimTemplate component of a StatefulSet. Its properties include apiVersion, kind, metadata, spec, and status.
- updateStrategy
- The strategy to replace old StatefulSet pods with new pods.
- statefulSet.updateStrategy.rollingUpdate
- Communicate parameters when type is RollingUpdateStatefulSetStrategyType. Its partition property indicates the ordinal at which to partition the StatefulSet. The default value is 0.
- statefulSet.updateStrategy.type
- The type of the StatefulSetUpdateStrategy. The default value is RollingUpdate.
- tolerations
- Tolerations to be added to application pods. Tolerations allow the scheduler to schedule pods on nodes with matching taints. For more information, see Configure tolerations (.spec.tolerations).
- topologySpreadConstraints
- Defines the topology spread constraints. For more information, see Constrain how pods are spread between nodes and zones (.spec.topologySpreadConstraints).
- constraints
- The list of TopologySpreadConstraints for the application instance and if applicable, the Semeru Cloud Compiler instance.
- disableOperatorDefaults
- Whether the operator disables its default set of TopologySpreadConstraints. Defaults to false.
- volumeMounts
- Represents where to mount the volumes into the application container. Values for mountPath and name are required. For examples, see Persist resources (.spec.statefulSet and .spec.volumeMounts).
- mountPath
- The path within the container at which to mount the volume. The value must not contain a colon (:).
- mountPropagation
- Determines how mounts are propagated from the host to container and from the container to the host. When not set, MountPropagationNone is used. This field is beta in 1.10.
- name
- A value that must match the name of a volume.
- readOnly
- A Boolean that specifies to mount read-only if true, read/write otherwise (false or unspecified). The default value is false.
- subPath
- The path within the volume from which to mount the container volume. The default value is "" (volume root).
- subPathExpr
- The expanded path within the volume from which to mount the container volume. The subPathExpr property behaves like SubPath but environment variable references $(VAR_NAME) are expanded with the container environment. The default value is "" (volume root). SubPathExpr and SubPath are mutually exclusive.
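As an added example (not operator code), a pre-deployment lint that encodes constraints stated in this reference: the required license and applicationImage parameters, the autoscaling bounds and their requests.cpu dependency, the resources quantity pattern, the successThreshold rule for liveness and startup probes, the volumeMounts rules, and the deprecated serviceAccountName, plus warnings where .spec.securityContext is left at the permissive defaults described above. The function name and the sample CR are constructed.

```python
"""Pre-deployment lint for a WebSphereLibertyApplication CR.

Added example, not part of the WebSphere Liberty operator. It checks the
constraints this reference states for license, applicationImage, autoscaling,
resources, probes, volumeMounts and the deprecated serviceAccountName, and
warns where .spec.securityContext is left at its permissive defaults.
"""
import re
from typing import Any

# Quantity pattern as quoted in the resources section above.
QUANTITY_RE = re.compile(
    r"^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))"
    r"(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$"
)


def lint_cr(cr: dict[str, Any]) -> list[str]:
    """Return findings as 'ERROR ...' (blocks deployment) or 'WARN ...' lines."""
    findings: list[str] = []
    spec = cr.get("spec", {})

    # Required parameters: applicationImage, and license.accept must be true.
    if not spec.get("applicationImage"):
        findings.append("ERROR spec.applicationImage is required")
    if spec.get("license", {}).get("accept") is not True:
        findings.append("ERROR spec.license.accept must be true to deploy")

    # autoscaling: maxReplicas required, never below minReplicas, needs requests.cpu.
    auto = spec.get("autoscaling")
    if auto is not None:
        mx, mn = auto.get("maxReplicas"), auto.get("minReplicas", 1)
        if mx is None:
            findings.append("ERROR spec.autoscaling.maxReplicas is required")
        elif mx < mn:
            findings.append(f"ERROR spec.autoscaling.maxReplicas={mx} < minReplicas={mn}")
        if not spec.get("resources", {}).get("requests", {}).get("cpu"):
            findings.append("ERROR spec.resources.requests.cpu is required for autoscaling")

    # resources: every limit/request must be a valid quantity string.
    for kind in ("limits", "requests"):
        for res, qty in spec.get("resources", {}).get(kind, {}).items():
            if not QUANTITY_RE.match(str(qty)):
                findings.append(f"ERROR spec.resources.{kind}.{res}={qty!r} is not a valid quantity")

    # probes: successThreshold must be 1 for liveness and startup.
    for ptype in ("liveness", "startup"):
        if spec.get("probes", {}).get(ptype, {}).get("successThreshold", 1) != 1:
            findings.append(f"ERROR spec.probes.{ptype}.successThreshold must be 1")

    # securityContext: the documented defaults are permissive; flag what is left open.
    sc = spec.get("securityContext", {})
    if sc.get("privileged"):
        findings.append("WARN spec.securityContext.privileged=true: equivalent to root on the host")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("WARN spec.securityContext.allowPrivilegeEscalation is not false")
    if not sc.get("runAsNonRoot"):
        findings.append("WARN spec.securityContext.runAsNonRoot is not true")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append("WARN spec.securityContext.readOnlyRootFilesystem is not true")

    # volumeMounts: name and mountPath required; no colon; subPath/subPathExpr exclusive.
    for vm in spec.get("volumeMounts", []):
        name = vm.get("name", "<unnamed>")
        if not vm.get("name") or not vm.get("mountPath"):
            findings.append(f"ERROR volumeMount {name}: name and mountPath are required")
        if ":" in vm.get("mountPath", ""):
            findings.append(f"ERROR volumeMount {name}: mountPath must not contain ':'")
        if vm.get("subPath") and vm.get("subPathExpr"):
            findings.append(f"ERROR volumeMount {name}: subPath and subPathExpr are mutually exclusive")

    # serviceAccountName is deprecated in favour of serviceAccount.name.
    if spec.get("serviceAccountName") and not spec.get("serviceAccount", {}).get("name"):
        findings.append("WARN spec.serviceAccountName is deprecated; use spec.serviceAccount.name")
    return findings


# Constructed sample CR: the YAML shape shown above, with a few deliberate defects.
SAMPLE_CR: dict[str, Any] = {
    "apiVersion": "liberty.websphere.ibm.com/v1",
    "kind": "WebSphereLibertyApplication",
    "metadata": {"name": "my-app"},
    "spec": {
        "license": {"accept": False, "edition": "IBM WebSphere Application Server",
                    "productEntitlementSource": "Standalone"},
        "applicationImage": "quay.io/my-repo/my-app:1.0",
        "autoscaling": {"minReplicas": 2, "maxReplicas": 1},
        "resources": {"requests": {"cpu": "500m", "memory": "1Gi"},
                      "limits": {"cpu": "2", "memory": "2GB"}},
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True},
        "volumeMounts": [{"name": "data", "mountPath": "/opt/data",
                          "subPath": "app", "subPathExpr": "$(POD_NAME)"}],
    },
}

if __name__ == "__main__":
    for line in lint_cr(SAMPLE_CR):
        print(line)
```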
- volumes
- A YAML object that represents a volume with data that the application container can access.
- items
- A named volume in a pod that any container in the pod can access. An items property can include the following items. The .spec.volumes.items.name property is required.
- volumes.items.awsElasticBlockStore
- An AWS disk resource that is attached to a kubelet host computer and then exposed to the pod. Its properties include fsType, partition, readOnly, and volumeID. The volumeID property is the unique identifier of the persistent disk resource in AWS (Amazon EBS volume) and is required. For more information, see awsElasticBlockStore.
- volumes.items.azureDisk
- An Azure data disk mount on the host and bind mount to the pod. Its properties include cachingMode, diskName, diskURI, fsType, kind, and readOnly. The diskName and diskURI properties are the name and URI of the data disk in the blob storage and are required. The readOnly default is false.
- volumes.items.azureFile
- An Azure file service mount on the host and bind mount to the pod. Its properties include readOnly, secretName, and shareName. The secretName and shareName properties are required. The readOnly default is false.
- volumes.items.cephfs
- A CephFS mount on the host that shares a pod lifetime. Its properties include monitors, path, readOnly, secretFile, secretRef, and user. The monitors property is a collection of Ceph monitors and is required. The readOnly default is false.
- volumes.items.cinder
- A cinder volume that is attached and mounted on the kubelet host computer. Its properties include fsType, readOnly, secretRef, and volumeID. The volumeID property is required. The readOnly default is false. For more information, see https://examples.k8s.io/mysql-cinder-pd/README.md.
- A ConfigMap to populate the volume. Its properties include defaultMode, items, name, and optional.
- volumes.items.csi
- Ephemeral storage that is handled by external container storage interface (CSI) drivers (Beta feature). Its properties include driver, fsType, nodePublishSecretRef, readOnly, and volumeAttributes. The driver property is required and is the name of the CSI driver that handles this volume, typically the name as registered in the cluster. The readOnly default is false.
- The downward API about the pod to populate the volume. Its properties include defaultMode and items.
- volumes.items.emptyDir
- A temporary directory that shares a pod lifetime. Its properties include medium and sizeLimit. For more information, see emptyDir.
- volumes.items.ephemeral
- A volume that is handled by a cluster storage driver. A volume lifecycle is tied to the pod that defines it. It is created before the pod starts, and deleted when the pod is removed. Use ephemeral if the following conditions exist:
- The volume is only needed while the pod runs.
- Features of normal volumes like restoring from snapshot or capacity tracking are needed.
- The storage driver is specified through a storage class.
- The storage driver supports dynamic volume provisioning through a PersistentVolumeClaim.
Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod. Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way. A pod can use both types of ephemeral volumes and persistent volumes at the same time. This is a beta feature and only available when the GenericEphemeralVolume feature gate is enabled. The ephemeral property has a volumeClaimTemplate property with its .spec.volumes.items.ephemeral.volumeClaimTemplate.spec property required.
- volumes.items.fc
- A Fibre Channel resource that is attached to a kubelet host computer and then exposed to the pod. Its properties include fsType, lun, readOnly, targetWWNs, and wwids. The readOnly default is false.
- volumes.items.flexVolume
- A generic volume resource that is provisioned or attached with an exec-based plug-in. Its properties include driver, fsType, options, readOnly, and secretRef. The driver property is required and is the name of the driver to use for this volume. The readOnly default is false.
- volumes.items.flocker
- A Flocker volume that is attached to a kubelet host computer. Its properties include datasetName and datasetUUID.
- volumes.items.gcePersistentDisk
- A GCE disk resource that is attached to a kubelet host computer and then exposed to the pod. Its properties include fsType, partition, pdName, and readOnly. The pdName property is required and is a unique name of the PD resource in GCE that can identify the disk in GCE. The readOnly default is false.
- volumes.items.glusterfs
- A GlusterFS mount on the host that shares a pod lifetime. Its properties include endpoints, path, and readOnly. The endpoints and path properties are required. endpoints is the endpoint name that details the Glusterfs topology. path is the Glusterfs volume path. The readOnly default is false.
- volumes.items.hostPath
- An existing file or directory on the host computer that is directly exposed to the container. This is generally used for system agents or other privileged objects that can see the host computer. Most containers do not need this. Its properties include path and type. The path property is required and is the directory path on the host. If the path is a symlink, it follows the link to the real path. For more information, see hostPath.
- volumes.items.iscsi
- An iSCSI disk resource that is attached to a kubelet host computer and then exposed to the pod. Its properties include chapAuthDiscovery, chapAuthSession, fsType, initiatorName, iqn, iscsiInterface, lun, portals, readOnly, secretRef, and targetPortal. The iqn, lun, and targetPortal properties are required and identify the target iSCSI qualified name, lun number, and portal. The readOnly default is false.
- volumes.items.name
- (Required) A DNS_LABEL that is unique within the pod. For more information, see Names.
- volumes.items.nfs
- An NFS mount on the host that shares a pod lifetime. Its properties include path, readOnly, and server. The path and server properties are required. path is the path that the NFS server exports. server is the hostname or IP address of the NFS server. The readOnly default is false.
- volumes.items.persistentVolumeClaim
- A reference to a PersistentVolumeClaim in the same namespace. Its properties include claimName and readOnly. The claimName property is required and is the name of a PersistentVolumeClaim in the same namespace as the pod that uses this volume. The readOnly default is false.
- volumes.items.photonPersistentDisk
- A PhotonController persistent disk that is attached and mounted on the kubelet host computer. Its properties include fsType and pdID. The pdID property is required and identifies Photon Controller persistent disk.
- volumes.items.portworxVolume
- A Portworx volume that is attached and mounted on the kubelet host computer. Its properties include fsType, readOnly, and volumeID. The volumeID property is required and uniquely identifies a Portworx volume. The readOnly default is false.
- volumes.items.projected
- Items for all-in-one resources such as secret, configmap, and downward API data. Its properties include defaultMode and sources.
- volumes.items.quobyte
- A Quobyte mount on the host that shares a pod lifetime. Its properties include group, readOnly, registry, tenant, user, and volume. The registry and volume properties are required. registry represents one or more Quobyte registry services in host:port pairs with a comma separator for multiple services. volume references an existing Quobyte volume by name. The readOnly default is false.
- volumes.items.rbd
- A Rados Block Device mount on the host that shares a pod lifetime. Its properties include fsType, image, keyring, monitors, pool, readOnly, secretRef, and user. The image and monitors properties are required. image is the rados image name. monitors is a collection of Ceph monitors. The readOnly default is false. For more information, see rbd.
- volumes.items.scaleIO
- A ScaleIO persistent volume that is attached and mounted on Kubernetes nodes. Its properties include fsType, gateway, protectionDomain, pool, readOnly, secretRef, sslEnabled, storageMode, storagePool, system, and volumeName. The gateway, secretRef, and system properties are required. gateway is the host address of the ScaleIO API Gateway. secretRef references the secret for ScaleIO user and other sensitive information. system is the name of the storage system in ScaleIO. The readOnly default is false.
- volumes.items.secret
- A secret to populate the volume. Its properties include defaultMode, items, optional, and secretName.
- volumes.items.storageos
- A StorageOS volume that is attached and mounted on Kubernetes nodes. Its properties include fsType, readOnly, secretRef, volumeName, and volumeNamespace. The readOnly default is false.
- volumes.items.vsphereVolume
- A vSphere volume that is attached and mounted on the kubelet host computer. Its properties include fsType, storagePolicyID, storagePolicyName, and volumePath. volumePath is required and is a path that identifies vSphere volume vmdk.
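The following CR is an added example, not part of this reference and not shipped by the operator, that puts several of the volume types above together in one WebSphereLibertyApplication: a Secret volume with a restrictive defaultMode, a ConfigMap volume that projects only selected keys, a size-bounded emptyDir, and a generic ephemeral volume whose volumeClaimTemplate.spec is supplied as required. The Secret and ConfigMap names and the storage class are constructed placeholders; the volumeMounts parameter, which pairs each volume with a container path, is assumed to be available on the CR alongside volumes (it is not described in this section).

```yaml
apiVersion: liberty.websphere.ibm.com/v1
kind: WebSphereLibertyApplication
metadata:
  name: my-app
spec:
  license:
    accept: true
    edition: IBM WebSphere Application Server
    productEntitlementSource: Standalone
    metric: Processor Value Unit (PVU)
  applicationImage: quay.io/my-repo/my-app:1.0
  volumes:
    # Secret-backed volume. defaultMode 256 (octal 0400) makes the projected
    # files readable by the owner only. The Secret name is a constructed placeholder.
    - name: db-credentials
      secret:
        secretName: my-app-db-credentials
        defaultMode: 256
        optional: false
    # ConfigMap-backed volume for non-sensitive server configuration.
    # items restricts projection to the listed keys. Constructed ConfigMap name.
    - name: server-overrides
      configMap:
        name: my-app-server-config
        items:
          - key: logging.xml
            path: logging.xml
    # emptyDir scratch space; sizeLimit caps how much node storage it can consume,
    # and the contents are discarded when the pod is removed.
    - name: scratch
      emptyDir:
        sizeLimit: 500Mi
    # Generic ephemeral volume: a PVC is created from this template before the
    # pod starts and deleted with the pod. volumeClaimTemplate.spec is required.
    # Needs the GenericEphemeralVolume feature gate; storageClassName is constructed.
    - name: dump-space
      ephemeral:
        volumeClaimTemplate:
          spec:
            accessModes: ["ReadWriteOnce"]
            storageClassName: standard
            resources:
              requests:
                storage: 2Gi
  # Assumed parameter: mounts each volume into the application container.
  # readOnly here is the mount flag, distinct from the per-volume readOnly
  # properties (for example persistentVolumeClaim.readOnly) described above.
  volumeMounts:
    - name: db-credentials
      mountPath: /etc/app/secrets
      readOnly: true
    - name: server-overrides
      mountPath: /config/configDropins/overrides
      readOnly: true
    - name: scratch
      mountPath: /tmp/scratch
    - name: dump-space
      mountPath: /dumps
```

Credentials and configuration are mounted read-only, and the example deliberately uses no hostPath volume: as the hostPath entry notes, host directories are intended for system agents and other privileged workloads, and a typical application pod has no need to see the node file system.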