Kubermatic CRDs Reference

Packages

apps.kubermatic.k8c.io/v1

Resource Types

AppNamespaceSpec

AppNamespaceSpec describes the desired state of the namespace where the application will be created.

Appears in:

Field Description
name string Name is the namespace to deploy the Application into.
Should be a valid lowercase RFC1123 domain name
create boolean Create defines whether the namespace should be created if it does not exist. Defaults to true
labels object (keys:string, values:string) Labels of the namespace
More info: http://kubernetes.io/docs/user-guide/labels
annotations object (keys:string, values:string) Annotations of the namespace
More info: http://kubernetes.io/docs/user-guide/annotations

ApplicationDefinition

ApplicationDefinition is the Schema for the applicationdefinitions API.

Appears in:

Field Description
apiVersion string apps.kubermatic.k8c.io/v1
kind string ApplicationDefinition
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ApplicationDefinitionSpec

ApplicationDefinitionList

ApplicationDefinitionList contains a list of ApplicationDefinition.

Field Description
apiVersion string apps.kubermatic.k8c.io/v1
kind string ApplicationDefinitionList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items ApplicationDefinition array

ApplicationDefinitionSpec

ApplicationDefinitionSpec defines the desired state of ApplicationDefinition.

Appears in:

Field Description
displayName string DisplayName is the name for the application that will be displayed in the UI.
description string Description of the application, i.e. what its purpose is.
method TemplateMethod Method used to install the application
defaultValues RawExtension DefaultValues specify default values for the UI which are passed to helm templating when creating an application. Comments are not preserved.
Deprecated: Use DefaultValuesBlock instead. This field was deprecated in KKP 2.25 and will be removed in KKP 2.27+.
defaultValuesBlock string DefaultValuesBlock specifies default values for the UI which are passed to helm templating when creating an application. Comments are preserved.
defaultNamespace AppNamespaceSpec DefaultNamespace specifies the default namespace which is used if a referencing ApplicationInstallation has no target namespace defined.
If unset, the name of the ApplicationDefinition is being used instead.
defaultDeployOptions DeployOptions DefaultDeployOptions holds the settings specific to the templating method used to deploy the application.
These settings can be overridden in applicationInstallation.
defaultVersion string DefaultVersion of the application to use, if not specified the latest available version will be used.
enforced boolean Enforced specifies if the application is enforced to be installed on the user clusters. Enforced applications are
installed/updated by KKP for the user clusters. Users are not allowed to update/delete them. KKP will revert the changes
done by the application to the desired state specified in the ApplicationDefinition.
default boolean Default specifies if the application should be installed by default when a new user cluster is created. Default applications are
not enforced and users can update/delete them. KKP will only install them during cluster creation if the user didn't explicitly
opt out from installing default applications.
selector DefaultingSelector Selector is used to select the targeted user clusters for defaulting and enforcing applications. This is only used for default/enforced applications and ignored otherwise.
documentationURL string DocumentationURL holds a link to official documentation of the Application
Alternatively this can be a link to the Readme of a chart in a git repository
sourceURL string SourceURL holds a link to the official source code mirror or git repository of the application
logo string Logo of the Application as a base64 encoded svg
logoFormat string LogoFormat contains logo format of the configured Application. Options are "svg+xml" and "png"
versions ApplicationVersion array Available versions for this application

ApplicationInstallation

ApplicationInstallation describes a single installation of an Application.

Appears in:

Field Description
apiVersion string apps.kubermatic.k8c.io/v1
kind string ApplicationInstallation
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ApplicationInstallationSpec
status ApplicationInstallationStatus

ApplicationInstallationCondition

Appears in:

Field Description
status ConditionStatus Status of the condition, one of True, False, Unknown.
lastHeartbeatTime Time Last time we got an update on a given condition.
lastTransitionTime Time Last time the condition transitioned from one status to another.
reason string (brief) reason for the condition's last transition.
message string Human readable message indicating details about last transition.
observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.

ApplicationInstallationConditionType

Underlying type: string

All condition types must be registered within the AllApplicationInstallationConditionTypes variable.

Appears in:

ApplicationInstallationList

ApplicationInstallationList is a list of ApplicationInstallations.

Field Description
apiVersion string apps.kubermatic.k8c.io/v1
kind string ApplicationInstallationList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items ApplicationInstallation array

ApplicationInstallationSpec

Appears in:

Field Description
namespace AppNamespaceSpec Namespace describes the desired state of the namespace where the application will be created.
applicationRef ApplicationRef ApplicationRef is a reference to identify which Application should be deployed
values RawExtension Values specify values overrides that are passed to helm templating. Comments are not preserved.
Deprecated: Use ValuesBlock instead. This field was deprecated in KKP 2.25 and will be removed in KKP 2.27+.
valuesBlock string ValuesBlock specifies values overrides that are passed to helm templating. Comments are preserved.
reconciliationInterval Duration ReconciliationInterval is the interval at which to force the reconciliation of the application. By default, Applications are only reconciled
on changes on spec, annotations, or the parent application definition. Meaning that if the user manually deletes the workload
deployed by the application, nothing will happen until the application CR changes.

Setting a value greater than zero forces reconciliation even if no changes occurred on the application CR.
Setting a value equal to 0 disables the force reconciliation of the application (default behavior).
Setting this too low can cause a heavy load and may disrupt your application workload depending on the template method.
deployOptions DeployOptions DeployOptions holds the settings specific to the templating method used to deploy the application.

ApplicationInstallationStatus

ApplicationInstallationStatus denotes status information about an ApplicationInstallation.

Appears in:

Field Description
conditions object (keys:ApplicationInstallationConditionType, values:ApplicationInstallationCondition) Conditions contains conditions an installation is in, its primary use case is status signaling between controllers or between controllers and the API
applicationVersion ApplicationVersion ApplicationVersion contains information installing / removing application
method TemplateMethod Method used to install the application
helmRelease HelmRelease HelmRelease holds the information about the helm release installed by this application. This field is only filled if template method is 'helm'.
failures integer Failures counts the number of failed installations or upgrades. It is reset on successful reconciliation.

ApplicationRef

ApplicationRef describes a KKP-wide, unique reference to an Application.

Appears in:

Field Description
name string Name of the Application.
Should be a valid lowercase RFC1123 domain name
version string Version of the Application. Must be a valid SemVer version

ApplicationSource

Appears in:

Field Description
helm HelmSource Install Application from a Helm repository
git GitSource Install application from a Git repository

ApplicationTemplate

Appears in:

Field Description
source ApplicationSource Defines how the source of the application (e.g. Helm chart) is retrieved.
Exactly one type of source must be defined.
templateCredentials DependencyCredentials DependencyCredentials holds the credentials that may be needed for templating the application.

ApplicationVersion

Appears in:

Field Description
version string Version of the application (e.g. v1.2.3)
template ApplicationTemplate Template defines how application is installed (source provenance, Method...)

DefaultingSelector

DefaultingSelector is used to select the targeted user clusters for defaulting and enforcing applications.

Appears in:

Field Description
datacenters string array Datacenters is a list of datacenters where the application can be installed.

DependencyCredentials

Appears in:

Field Description
helmCredentials HelmCredentials HelmCredentials holds the ref to the secret with helm credentials needed to build helm dependencies.
It is not required when using helm as a source, as dependencies are already prepackaged in this case.
Either username / password or a registryConfigFile can be defined.

DeployOptions

DeployOptions holds the settings specific to the templating method used to deploy the application.

Appears in:

Field Description
helm HelmDeployOptions

GitAuthMethod

Underlying type: string

Appears in:

GitCredentials

Appears in:

Field Description
method GitAuthMethod Authentication method. Either password or token or ssh-key.
If method is password then username and password must be defined.
If method is token then token must be defined.
If method is ssh-key then ssh-key must be defined.
username SecretKeySelector Username holds the ref and key in the secret for the username credential.
The Secret must exist in the namespace where KKP is installed (default is "kubermatic").
The Secret must be annotated with `apps.kubermatic.k8c.io/secret-type:` set to "helm" or "git".
password SecretKeySelector Password holds the ref and key in the secret for the Password credential.
The Secret must exist in the namespace where KKP is installed (default is "kubermatic").
The Secret must be annotated with `apps.kubermatic.k8c.io/secret-type:` set to "helm" or "git".
token SecretKeySelector Token holds the ref and key in the secret for the token credential.
The Secret must exist in the namespace where KKP is installed (default is "kubermatic").
The Secret must be annotated with `apps.kubermatic.k8c.io/secret-type:` set to "helm" or "git".
sshKey SecretKeySelector SSHKey holds the ref and key in the secret for the SshKey credential.
The Secret must exist in the namespace where KKP is installed (default is "kubermatic").
The Secret must be annotated with `apps.kubermatic.k8c.io/secret-type:` set to "helm" or "git".

GitReference

Appears in:

Field Description
branch string Branch to check out. Only the last commit of the branch will be checked out in order to reduce the amount of data to download.
commit string Commit SHA in a Branch to checkout.

It must be used in conjunction with branch field.
tag string Tag to check out.
It can not be used in conjunction with commit or branch.

GitSource

Appears in:

Field Description
remote string URL to the repository. Can be HTTP(s) (e.g. https://example.com/myrepo) or
SSH (e.g. git://example.com[:port]/path/to/repo.git/).
ref GitReference Git reference to checkout.
For large repositories, we recommend to either use Tag, Branch or Branch+Commit.
This allows a shallow clone, which dramatically speeds up performance
path string Path of the "source" in the repository. default is repository root
credentials GitCredentials Credentials are optional and hold the git credentials

HelmCredentials

Appears in:

Field Description
username SecretKeySelector Username holds the ref and key in the secret for the username credential.
The Secret must exist in the namespace where KKP is installed (default is "kubermatic").
The Secret must be annotated with `apps.kubermatic.k8c.io/secret-type:` set to "helm" or "git"
password SecretKeySelector Password holds the ref and key in the secret for the password credential.
The Secret must exist in the namespace where KKP is installed (default is "kubermatic").
The Secret must be annotated with `apps.kubermatic.k8c.io/secret-type:` set to "helm" or "git"
registryConfigFile SecretKeySelector RegistryConfigFile holds the ref and key in the secret for the registry credential file.
The value is dockercfg file that follows the same format rules as ~/.docker/config.json.
The Secret must exist in the namespace where KKP is installed (default is "kubermatic").
The Secret must be annotated with `apps.kubermatic.k8c.io/secret-type:` set to "helm" or "git"

HelmDeployOptions

HelmDeployOptions holds the deployment settings when templating method is Helm.

Appears in:

Field Description
wait boolean Wait corresponds to the --wait flag on Helm cli.
if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful. It will wait for as long as timeout
timeout Duration Timeout corresponds to the --timeout flag on Helm cli.
time to wait for any individual Kubernetes operation.
atomic boolean Atomic corresponds to the --atomic flag on Helm cli.
if set, the installation process deletes the installation on failure; the upgrade process rolls back changes made in case of failed upgrade.
enableDNS boolean EnableDNS corresponds to the --enable-dns flag on Helm cli.
Enable DNS lookups when rendering templates.
If you enable this flag, you have to verify that the helm template function 'getHostByName' is not being used in a chart to disclose any information you do not want to be passed to DNS servers (cf. CVE-2023-25165).

HelmRelease

Appears in:

Field Description
name string Name is the name of the release.
version integer Version is an int which represents the revision of the release.
info HelmReleaseInfo Info provides information about a release.

HelmReleaseInfo

HelmReleaseInfo describes release information. tech note: we can not use release.Info from Helm because the underlying type used for time has no json tag.

Appears in:

Field Description
firstDeployed Time FirstDeployed is when the release was first deployed.
lastDeployed Time LastDeployed is when the release was last deployed.
deleted Time Deleted tracks when this object was deleted.
description string Description is human-friendly "log entry" about this release.
status Status Status is the current state of the release.
notes string Notes is the rendered templates/NOTES.txt if available.

HelmSource

Appears in:

Field Description
url string URL of the Helm repository. The following schemes are supported:

* http://example.com/myrepo (HTTP)
* https://example.com/myrepo (HTTPS)
* oci://example.com:5000/myrepo (OCI, HTTPS by default, use plainHTTP to enable unencrypted HTTP)
insecure boolean Insecure disables certificate validation when using an HTTPS registry. This setting has no
effect when using a plaintext connection.
plainHTTP boolean PlainHTTP will enable HTTP-only (i.e. unencrypted) traffic for oci:// URLs. By default HTTPS
is used when communicating with an oci:// URL.
chartName string Name of the Chart.
chartVersion string Version of the Chart.
credentials HelmCredentials Credentials are optional and hold the ref to the secret with Helm credentials.
Either username / password or registryConfigFile can be defined.
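
The rules stated in the ApplicationTemplate, GitReference, GitCredentials, HelmDeployOptions and HelmSource tables above can be checked before an ApplicationDefinition is applied. The following Go program is an added example, not KKP code: the struct types, `Lint`, `lintGit` and the sample manifest are hypothetical, and the input is assumed to be the JSON form of the manifest.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical local mirrors of fields documented on this page, not the KKP Go
// types. SecretKeySelector contents are not shown there, so a reference is
// decoded into *struct{} and only its presence is checked.
type gitSource struct {
	Ref         struct{ Branch, Commit, Tag string }
	Credentials *struct {
		Method                            string
		Username, Password, Token, SSHKey *struct{}
	}
}

type source struct {
	Helm *struct {
		URL                 string
		Insecure, PlainHTTP bool
	}
	Git *gitSource
}

type appDef struct {
	Spec struct {
		DefaultDeployOptions struct{ Helm struct{ EnableDNS bool } }
		Versions             []struct {
			Version  string
			Template struct{ Source source }
		}
	}
}

// lintGit applies the GitReference and GitCredentials rules stated on the page.
func lintGit(g *gitSource, add func(string)) {
	if g.Ref.Commit != "" && g.Ref.Branch == "" {
		add("git: ref.commit must be used together with ref.branch")
	}
	if g.Ref.Tag != "" && (g.Ref.Commit != "" || g.Ref.Branch != "") {
		add("git: ref.tag cannot be combined with commit or branch")
	}
	if c := g.Credentials; c != nil {
		complete, known := map[string]bool{
			"password": c.Username != nil && c.Password != nil,
			"token":    c.Token != nil,
			"ssh-key":  c.SSHKey != nil,
		}[c.Method]
		if !known {
			add(fmt.Sprintf("git: unknown credentials method %q", c.Method))
		} else if !complete {
			add(fmt.Sprintf("git: method %q is missing its secret reference(s)", c.Method))
		}
	}
}

// Lint returns one finding per violated rule or risky transport setting.
func Lint(manifest []byte) ([]string, error) {
	var def appDef
	if err := json.Unmarshal(manifest, &def); err != nil {
		return nil, err
	}
	var out []string
	if def.Spec.DefaultDeployOptions.Helm.EnableDNS {
		out = append(out, "defaultDeployOptions: enableDNS is set; check charts for getHostByName (cf. CVE-2023-25165)")
	}
	for _, v := range def.Spec.Versions {
		add := func(msg string) { out = append(out, "version "+v.Version+": "+msg) }
		h, g := v.Template.Source.Helm, v.Template.Source.Git
		if (h == nil) == (g == nil) {
			add("source: exactly one of helm or git must be defined")
		}
		if h != nil && (h.PlainHTTP || strings.HasPrefix(h.URL, "http://")) {
			add("helm: chart is fetched over unencrypted HTTP")
		}
		if h != nil && h.Insecure {
			add("helm: insecure disables certificate validation")
		}
		if g != nil {
			lintGit(g, add)
		}
	}
	return out, nil
}

// Constructed sample (not from the page): three versions, two of them flawed.
const sampleManifest = `{"spec": {"defaultDeployOptions": {"helm": {"enableDNS": true}}, "versions": [
  {"version": "1.0.0", "template": {"source": {"helm": {"url": "oci://registry.example.com:5000/charts", "plainHTTP": true}}}},
  {"version": "1.1.0", "template": {"source": {"git": {"ref": {"tag": "v1.1.0", "commit": "0123abc"}, "credentials": {"method": "token"}}}}},
  {"version": "1.2.0", "template": {"source": {"helm": {"url": "https://charts.example.com/stable"}}}}]}}`

func main() {
	findings, _ := Lint([]byte(sampleManifest))
	fmt.Println(strings.Join(findings, "\n"))
}
```

The same checks apply to the `deployOptions` of an ApplicationInstallation, which can override the defaults set in the ApplicationDefinition.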

TemplateMethod

Underlying type: string

Appears in:

kubermatic.k8c.io/v1

Resource Types

AKS

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
tenantID string The Azure Active Directory Tenant used for the user cluster.
subscriptionID string The Azure Subscription used for the user cluster.
clientID string The service principal used to access Azure.
clientSecret string The client secret corresponding to the given service principal.

APIServerSettings

Appears in:

Field Description
replicas integer
resources ResourceRequirements
tolerations Toleration array
endpointReconcilingDisabled boolean
nodePortRange string

AWS

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
accessKeyID string The Access key ID used to authenticate against AWS.
secretAccessKey string The Secret Access Key used to authenticate against AWS.
assumeRoleARN string Defines the ARN for an IAM role that should be assumed when handling resources on AWS. It will be used
to acquire temporary security credentials using an STS AssumeRole API operation whenever creating an AWS session.
assumeRoleExternalID string An arbitrary string that may be needed when calling the STS AssumeRole API operation.
Using an external ID can help to prevent the "confused deputy problem".
vpcID string AWS VPC to use. Must be configured.
routeTableID string Route table to use. This can be configured, but if left empty will be
automatically filled in during reconciliation.
instanceProfileName string Instance profile to use. This can be configured, but if left empty will be
automatically filled in during reconciliation.
securityGroupID string Security group to use. This can be configured, but if left empty will be
automatically filled in during reconciliation.
roleARN string ARN to use. This can be configured, but if left empty will be
automatically filled in during reconciliation.

AWSCloudSpec

AWSCloudSpec specifies access data to Amazon Web Services.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
accessKeyID string The Access key ID used to authenticate against AWS.
secretAccessKey string The Secret Access Key used to authenticate against AWS.
assumeRoleARN string Defines the ARN for an IAM role that should be assumed when handling resources on AWS. It will be used
to acquire temporary security credentials using an STS AssumeRole API operation whenever creating an AWS session.
assumeRoleExternalID string An arbitrary string that may be needed when calling the STS AssumeRole API operation.
Using an external ID can help to prevent the "confused deputy problem".
vpcID string
roleARN string The IAM role, the control plane will use. The control plane will perform an assume-role
routeTableID string
instanceProfileName string
securityGroupID string
nodePortsAllowedIPRange string A CIDR range that will be allowed to access the node port range in the security group. Only applies if
the security group is generated by KKP and not preexisting.
If neither NodePortsAllowedIPRange nor NodePortsAllowedIPRanges is set, the node port range can be accessed from anywhere.
nodePortsAllowedIPRanges NetworkRanges Optional: CIDR ranges that will be allowed to access the node port range in the security group. Only applies if
the security group is generated by KKP and not preexisting.
If neither NodePortsAllowedIPRange nor NodePortsAllowedIPRanges is set, the node port range can be accessed from anywhere.
disableIAMReconciling boolean DisableIAMReconciling is used to disable reconciliation for IAM related configuration. This is useful in air-gapped
setups where access to IAM service is not possible.

Addon

Addon specifies a cluster addon. Addons can be installed into user clusters to provide additional manifests for CNIs, CSIs or other applications, which makes addons a necessary component to create functioning user clusters. Addon objects must be created inside cluster namespaces.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string Addon
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec AddonSpec Spec describes the desired addon state.
status AddonStatus Status contains information about the reconciliation status.

AddonCondition

Appears in:

Field Description
status ConditionStatus Status of the condition, one of True, False, Unknown.
lastHeartbeatTime Time Last time we got an update on a given condition.
lastTransitionTime Time Last time the condition transitioned from one status to another.
kubermaticVersion string KubermaticVersion is the version of KKP that last _successfully_ reconciled this
addon.

AddonConditionType

Underlying type: string

Appears in:

AddonConfig

AddonConfig specifies addon configuration. Addons can be installed without a matching AddonConfig, but they will be missing a logo, description and the potentially necessary form fields in the KKP dashboard to make the addon comfortable to use.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string AddonConfig
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec AddonConfigSpec Spec describes the configuration of an addon.

AddonConfigList

AddonConfigList is a list of addon configs.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string AddonConfigList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items AddonConfig array Items refers to the list of AddonConfig objects.

AddonConfigSpec

AddonConfigSpec specifies configuration of addon.

Appears in:

Field Description
shortDescription string ShortDescription of the configured addon that contains more detailed information about the addon,
it will be displayed in the addon details view in the UI
description string Description of the configured addon, it will be displayed in the addon overview in the UI
logo string Logo of the configured addon, encoded in base64
logoFormat string LogoFormat contains logo format of the configured addon, i.e. svg+xml
formSpec AddonFormControl array Controls that can be set for configured addon

AddonFormControl

AddonFormControl specifies addon form control.

Appears in:

Field Description
displayName string DisplayName is visible in the UI
internalName string InternalName is used internally to save in the addon object
helpText string HelpText is visible in the UI next to the control
required boolean Required indicates if the control has to be set
type string Type of displayed control

AddonList

AddonList is a list of addons.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string AddonList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items Addon array Items refers to the list of the cluster addons.

AddonPhase

Underlying type: string

Appears in:

AddonSpec

AddonSpec specifies details of an addon.

Appears in:

Field Description
name string Name defines the name of the addon to install
cluster ObjectReference Cluster is the reference to the cluster the addon should be installed in
variables RawExtension Variables is free form data to use for parsing the manifest templates
requiredResourceTypes GroupVersionKind array RequiredResourceTypes allows to indicate that this addon needs some resource type before it
can be installed. This can be used to indicate that a specific CRD and/or extension
apiserver must be installed before this addon can be installed. The addon will not
be installed until that resource is served.
isDefault boolean IsDefault indicates whether the addon is installed because it was configured in
the default addon section in the KubermaticConfiguration. User-installed addons
must not set this field to true, as extra default Addon objects (that are not in
the KubermaticConfiguration) will be garbage-collected.

AddonStatus

AddonStatus contains information about the reconciliation status.

Appears in:

Field Description
phase AddonPhase Phase is a description of the current addon status, summarizing the various conditions.
This field is for informational purpose only and no logic should be tied to the phase.
conditions object (keys:AddonConditionType, values:AddonCondition)

AdmissionPlugin

AdmissionPlugin is the type representing an AdmissionPlugin.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string AdmissionPlugin
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec AdmissionPluginSpec Spec describes an admission plugin name and in which k8s version it is supported.

AdmissionPluginList

AdmissionPluginList is the type representing an AdmissionPluginList.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string AdmissionPluginList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items AdmissionPlugin array Items refers to the list of Admission Plugins

AdmissionPluginSpec

AdmissionPluginSpec specifies the admission plugin name and from which k8s version it is supported.

Appears in:

Field Description
pluginName string
fromVersion Semver FromVersion flag can be empty. It means the plugin fits all k8s versions

Alertmanager

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string Alertmanager
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec AlertmanagerSpec Spec describes the configuration of the Alertmanager.
status AlertmanagerStatus Status stores status information about the Alertmanager.

AlertmanagerConfigurationStatus

AlertmanagerConfigurationStatus stores status information about the AlertManager configuration.

Appears in:

Field Description
lastUpdated Time LastUpdated stores the last time the configuration was successfully applied
status ConditionStatus Status of whether the configuration was applied, one of True, False
errorMessage string ErrorMessage contains a default error message in case the configuration could not be applied.
Will be reset if the error was resolved and condition becomes True

AlertmanagerList

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string AlertmanagerList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items Alertmanager array Items refers to the list of Alertmanager objects.

AlertmanagerSpec

AlertmanagerSpec describes the configuration of the Alertmanager.

Appears in:

Field Description
configSecret LocalObjectReference ConfigSecret refers to the Secret in the same namespace as the Alertmanager object,
which contains configuration for this Alertmanager.

AlertmanagerStatus

AlertmanagerStatus stores status information about the AlertManager.

Appears in:

Field Description
configStatus AlertmanagerConfigurationStatus ConfigStatus stores status information about the AlertManager configuration.

Alibaba

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
accessKeyID string The Access Key ID used to authenticate against Alibaba.
accessKeySecret string The Access Key Secret used to authenticate against Alibaba.

AlibabaCloudSpec

AlibabaCloudSpec specifies the access data to Alibaba.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
accessKeyID string The Access Key ID used to authenticate against Alibaba.
accessKeySecret string The Access Key Secret used to authenticate against Alibaba.

AllowedRegistry

AllowedRegistry is the object representing an allowed registry.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string AllowedRegistry
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec AllowedRegistrySpec Spec describes the desired state for an allowed registry.

AllowedRegistryList

AllowedRegistryList specifies a list of allowed registries.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string AllowedRegistryList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items AllowedRegistry array Items refers to the list of the allowed registries.

AllowedRegistrySpec

AllowedRegistrySpec specifies the data for allowed registry spec.

Appears in:

Field Description
registryPrefix string RegistryPrefix contains the prefix of the registry which will be allowed. User clusters will be able to deploy
only images which are prefixed with one of the allowed image registry prefixes.

Anexia

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
token string Token is used to authenticate with the Anexia API.

AnexiaCloudSpec

AnexiaCloudSpec specifies the access data to Anexia.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
token string Token is used to authenticate with the Anexia API.

AnnotationSettings

AnnotationSettings is the settings for the annotations.

Appears in:

Field Description
hiddenAnnotations string array HiddenAnnotations are the annotations that are hidden from the user in the UI.
protectedAnnotations string array ProtectedAnnotations are the annotations that are visible in the UI but cannot be added or modified by the user.

Announcement

The announcement feature allows administrators to broadcast important messages to all users.

Appears in:

Field Description
message string The message content of the announcement.
isActive boolean Indicates whether the announcement is active.
createdAt Time Timestamp when the announcement was created.
expires Time Expiration date for the announcement.

AntiAffinityType

Underlying type: string

AntiAffinityType is the type of anti-affinity that should be used. Can be “preferred” or “required”.

Appears in:

ApplicationSettings

Appears in:

ApplicationsConfiguration

ApplicationsConfiguration contains configuration for default Applications configuration settings.

Appears in:

Field Description
namespace string Namespace is the namespace which is set as the default for applications installed via the UI.
If left empty, the default for the application installation namespace is the name of the resource itself.

AuditLoggingSettings

AuditLoggingSettings configures audit logging functionality.

Appears in:

Field Description
enabled boolean Enabled will enable or disable audit logging.
policyPreset AuditPolicyPreset Optional: PolicyPreset can be set to utilize a pre-defined set of audit policy rules.
sidecar AuditSidecarSettings Optional: Configures the fluent-bit sidecar deployed alongside kube-apiserver.
webhookBackend AuditWebhookBackendSettings Optional: Configures the webhook backend for audit logs.

AuditPolicyPreset

Underlying type: string

AuditPolicyPreset refers to a pre-defined set of audit policy rules. Supported values are metadata, recommended and minimal. See KKP documentation for what each policy preset includes.

Appears in:

AuditSidecarConfiguration

AuditSidecarConfiguration defines custom configuration for the fluent-bit sidecar deployed with a kube-apiserver. Also see https://docs.fluentbit.io/manual/v/1.8/administration/configuring-fluent-bit/configuration-file.

Appears in:

Field Description
service object (keys:string, values:string)
filters object array
outputs object array

AuditSidecarSettings

Appears in:

Field Description
resources ResourceRequirements
config AuditSidecarConfiguration

AuditWebhookBackendSettings

AuditWebhookBackendSettings configures webhook backend for audit logging functionality.

Appears in:

Field Description
auditWebhookConfig SecretReference Required: AuditWebhookConfig contains a reference to the secret holding the audit webhook config file.
auditWebhookInitialBackoff string

Azure

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
tenantID string The Azure Active Directory Tenant used for the user cluster.
subscriptionID string The Azure Subscription used for the user cluster.
clientID string The service principal used to access Azure.
clientSecret string The client secret corresponding to the given service principal.
resourceGroup string The resource group that will be used to look up and create resources for the cluster in.
If set to empty string at cluster creation, a new resource group will be created and this field will be updated to
the generated resource group's name.
vnetResourceGroup string Optional: Defines a second resource group that will be used for VNet related resources instead.
If left empty, NO additional resource group will be created and all VNet related resources use the resource group defined by `resourceGroup`.
vnet string The name of the VNet resource used for setting up networking in.
If set to empty string at cluster creation, a new VNet will be created and this field will be updated to
the generated VNet's name.
subnet string The name of a subnet in the VNet referenced by `vnet`.
If set to empty string at cluster creation, a new subnet will be created and this field will be updated to
the generated subnet's name. If no VNet is defined at cluster creation, this field should be empty as well.
routeTable string The name of a route table associated with the subnet referenced by `subnet`.
If set to empty string at cluster creation, a new route table will be created and this field will be updated to
the generated route table's name. If no subnet is defined at cluster creation, this field should be empty as well.
securityGroup string The name of a security group associated with the subnet referenced by `subnet`.
If set to empty string at cluster creation, a new security group will be created and this field will be updated to
the generated security group's name. If no subnet is defined at cluster creation, this field should be empty as well.
loadBalancerSKU LBSKU LoadBalancerSKU sets the LB type that will be used for the Azure cluster. Possible values are "basic" and "standard"; if empty, "standard" will be used.

AzureCloudSpec

AzureCloudSpec defines cloud resource references for Microsoft Azure.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector CredentialsReference allows referencing a `Secret` resource instead of passing secret data in this spec.
tenantID string The Azure Active Directory Tenant used for this cluster.
Can be read from `credentialsReference` instead.
subscriptionID string The Azure Subscription used for this cluster.
Can be read from `credentialsReference` instead.
clientID string The service principal used to access Azure.
Can be read from `credentialsReference` instead.
clientSecret string The client secret corresponding to the given service principal.
Can be read from `credentialsReference` instead.
resourceGroup string The resource group that will be used to look up and create resources for the cluster in.
If set to empty string at cluster creation, a new resource group will be created and this field will be updated to
the generated resource group's name.
vnetResourceGroup string Optional: Defines a second resource group that will be used for VNet related resources instead.
If left empty, NO additional resource group will be created and all VNet related resources use the resource group defined by `resourceGroup`.
vnet string The name of the VNet resource used for setting up networking in.
If set to empty string at cluster creation, a new VNet will be created and this field will be updated to
the generated VNet's name.
subnet string The name of a subnet in the VNet referenced by `vnet`.
If set to empty string at cluster creation, a new subnet will be created and this field will be updated to
the generated subnet's name. If no VNet is defined at cluster creation, this field should be empty as well.
routeTable string The name of a route table associated with the subnet referenced by `subnet`.
If set to empty string at cluster creation, a new route table will be created and this field will be updated to
the generated route table's name. If no subnet is defined at cluster creation, this field should be empty as well.
securityGroup string The name of a security group associated with the subnet referenced by `subnet`.
If set to empty string at cluster creation, a new security group will be created and this field will be updated to
the generated security group's name. If no subnet is defined at cluster creation, this field should be empty as well.
nodePortsAllowedIPRange string A CIDR range that is allowed to access the node port range in the security group. Only applies if
the security group is generated by KKP and not preexisting.
If neither NodePortsAllowedIPRange nor NodePortsAllowedIPRanges is set, the node port range can be accessed from anywhere.
nodePortsAllowedIPRanges NetworkRanges Optional: CIDR ranges that are allowed to access the node port range in the security group. Only applies if
the security group is generated by KKP and not preexisting.
If neither NodePortsAllowedIPRange nor NodePortsAllowedIPRanges is set, the node port range can be accessed from anywhere.
assignAvailabilitySet boolean Optional: AssignAvailabilitySet determines whether KKP creates and assigns an AvailabilitySet to machines.
Defaults to `true` internally if not set.
availabilitySet string An availability set that will be associated with nodes created for this cluster. If this field is set to empty string
at cluster creation and `AssignAvailabilitySet` is set to `true`, a new availability set will be created and this field
will be updated to the generated availability set's name.
loadBalancerSKU LBSKU LoadBalancerSKU sets the LB type that will be used for the Azure cluster. Possible values are "basic" and "standard"; if empty, "standard" will be used.

BackupConfig

Appears in:

Field Description
backupStorageLocation LocalObjectReference

BackupDestination

BackupDestination defines the bucket name and endpoint as a backup destination, and holds reference to the credentials secret.

Appears in:

Field Description
endpoint string Endpoint is the API endpoint to use for backup and restore.
bucketName string BucketName is the bucket name to use for backup and restore.
credentials SecretReference Credentials hold the ref to the secret with backup credentials

BackupStatus

Appears in:

Field Description
scheduledTime Time ScheduledTime will always be set when the BackupStatus is created, so it'll never be nil
backupName string
jobName string
backupStartTime Time
backupFinishedTime Time
backupPhase BackupStatusPhase
backupMessage string
deleteJobName string
deleteStartTime Time
deleteFinishedTime Time
deletePhase BackupStatusPhase
deleteMessage string

BackupStatusPhase

Underlying type: string

Appears in:

Baremetal

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
tinkerbell Tinkerbell

BaremetalCloudSpec

BaremetalCloudSpec specifies access data for a baremetal cluster.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
tinkerbell TinkerbellCloudSpec

BringYourOwnCloudSpec

BringYourOwnCloudSpec specifies access data for a bring your own cluster.

Appears in:

CIDR

Underlying type: string

Appears in:

CNIPluginSettings

CNIPluginSettings contains the spec of the CNI plugin used by the Cluster.

Appears in:

Field Description
type CNIPluginType Type is the CNI plugin type to be used.
version string Version defines the CNI plugin version to be used. This varies by chosen CNI plugin type.

CNIPluginType

Underlying type: string

CNIPluginType defines the type of CNI plugin installed. Possible values are canal, cilium or none.

Appears in:

CleanupOptions

Appears in:

Field Description
enabled boolean Enable checkboxes that allow the user to ask for LoadBalancers and PVCs
to be deleted in order to not leave potentially expensive resources behind.
enforced boolean If enforced is set to true, the cleanup of LoadBalancers and PVCs is
enforced.

CloudSpec

CloudSpec stores configuration options for a given cloud provider. Provider specs are mutually exclusive.

Appears in:

Field Description
dc string DatacenterName states the name of a cloud provider "datacenter" (defined in `Seed` resources)
this cluster should be deployed into.
providerName string ProviderName is the name of the cloud provider used for this cluster.
This must match the given provider spec (e.g. if the providerName is
"aws", then the `aws` field must be set).
digitalocean DigitaloceanCloudSpec Digitalocean defines the configuration data of the DigitalOcean cloud provider.
baremetal BaremetalCloudSpec Baremetal defines the configuration data for a Baremetal cluster.
bringyourown BringYourOwnCloudSpec BringYourOwn defines the configuration data for a Bring Your Own cluster.
edge EdgeCloudSpec Edge defines the configuration data for an edge cluster.
aws AWSCloudSpec AWS defines the configuration data of the Amazon Web Services(AWS) cloud provider.
azure AzureCloudSpec Azure defines the configuration data of the Microsoft Azure cloud.
openstack OpenstackCloudSpec Openstack defines the configuration data of an OpenStack cloud.
packet PacketCloudSpec Packet defines the configuration data of a Packet / Equinix Metal cloud.
hetzner HetznerCloudSpec Hetzner defines the configuration data of the Hetzner cloud.
vsphere VSphereCloudSpec VSphere defines the configuration data of the vSphere.
gcp GCPCloudSpec GCP defines the configuration data of the Google Cloud Platform(GCP).
kubevirt KubevirtCloudSpec Kubevirt defines the configuration data of the KubeVirt.
alibaba AlibabaCloudSpec Alibaba defines the configuration data of the Alibaba.
anexia AnexiaCloudSpec Anexia defines the configuration data of the Anexia.
nutanix NutanixCloudSpec Nutanix defines the configuration data of the Nutanix.
vmwareclouddirector VMwareCloudDirectorCloudSpec VMwareCloudDirector defines the configuration data of the VMware Cloud Director.

Cluster

Cluster represents a Kubermatic Kubernetes Platform user cluster. Cluster objects exist on Seed clusters and each user cluster consists of a namespace containing the Kubernetes control plane and additional pods (like Prometheus or the machine-controller).

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string Cluster
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ClusterSpec Spec describes the desired cluster state.
status ClusterStatus Status contains reconciliation information for the cluster.

ClusterAddress

ClusterAddress stores access and address information of a cluster.

Appears in:

Field Description
url string URL under which the Apiserver is available
port integer Port is the port the API server listens on
externalName string ExternalName is the DNS name for this cluster
internalURL string InternalName is the seed cluster internal absolute DNS name to the API server
adminToken string AdminToken is the token for the kubeconfig, the user can download
ip string IP is the external IP under which the apiserver is available
apiServerExternalAddress string APIServerExternalAddress is the external address of the API server (IP or DNS name)
This field is populated only when the API server service is of type LoadBalancer. If set, this address will be used in the
kubeconfig for the user cluster that can be downloaded from the KKP UI.

ClusterBackupStorageLocation

ClusterBackupStorageLocation is a KKP wrapper around Velero BSL spec.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ClusterBackupStorageLocation
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec BackupStorageLocationSpec Spec is a Velero BSL spec
status BackupStorageLocationStatus

ClusterBackupStorageLocationList

ClusterBackupStorageLocationList is a list of ClusterBackupStorageLocations.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ClusterBackupStorageLocationList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items ClusterBackupStorageLocation array Items is a list of EtcdBackupConfig objects.

ClusterCondition

Appears in:

Field Description
status ConditionStatus Status of the condition, one of True, False, Unknown.
kubermaticVersion string KubermaticVersion current kubermatic version.
lastHeartbeatTime Time Last time we got an update on a given condition.
lastTransitionTime Time Last time the condition transitioned from one status to another.
reason string (brief) reason for the condition's last transition.
message string Human readable message indicating details about last transition.

ClusterConditionType

Underlying type: string

ClusterConditionType is used to indicate the type of a cluster condition. For all condition types, the true value must indicate success. All condition types must be registered within the AllClusterConditionTypes variable.

Appears in:

ClusterEncryptionPhase

Underlying type: string

Appears in:

ClusterEncryptionStatus

ClusterEncryptionStatus holds status information about the encryption-at-rest feature on the user cluster.

Appears in:

Field Description
activeKey string The current "primary" key used to encrypt data written to etcd. Secondary keys that can be used for decryption
(but not encryption) might be configured in the ClusterSpec.
encryptedResources string array List of resources currently encrypted.
phase ClusterEncryptionPhase The current phase of the encryption process. Can be one of `Pending`, `Failed`, `Active` or `EncryptionNeeded`.
The `encryption_controller` logic will process the cluster based on the current phase and issue necessary changes
to make sure encryption on the cluster is active and updated with what the ClusterSpec defines.

ClusterList

ClusterList specifies a list of user clusters.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ClusterList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items Cluster array

ClusterNetworkingConfig

ClusterNetworkingConfig specifies the different networking parameters for a cluster.

Appears in:

Field Description
ipFamily IPFamily Optional: IP family used for cluster networking. Supported values are "", "IPv4" or "IPv4+IPv6".
Can be omitted / empty if pods and services network ranges are specified.
In that case it defaults according to the IP families of the provided network ranges.
If neither ipFamily nor pods & services network ranges are specified, defaults to "IPv4".
services NetworkRanges The network ranges from which service VIPs are allocated.
It can contain one IPv4 and/or one IPv6 CIDR.
If both address families are specified, the first one defines the primary address family.
pods NetworkRanges The network ranges from which POD networks are allocated.
It can contain one IPv4 and/or one IPv6 CIDR.
If both address families are specified, the first one defines the primary address family.
nodeCidrMaskSizeIPv4 integer NodeCIDRMaskSizeIPv4 is the mask size used to address the nodes within provided IPv4 Pods CIDR.
It has to be larger than the provided IPv4 Pods CIDR. Defaults to 24.
nodeCidrMaskSizeIPv6 integer NodeCIDRMaskSizeIPv6 is the mask size used to address the nodes within provided IPv6 Pods CIDR.
It has to be larger than the provided IPv6 Pods CIDR. Defaults to 64.
dnsDomain string Domain name for services.
proxyMode string ProxyMode defines the kube-proxy mode ("ipvs" / "iptables" / "ebpf").
Defaults to "ipvs". "ebpf" disables kube-proxy and requires CNI support.
ipvs IPVSConfiguration IPVS defines kube-proxy ipvs configuration options
nodeLocalDNSCacheEnabled boolean NodeLocalDNSCacheEnabled controls whether the NodeLocal DNS Cache feature is enabled.
Defaults to true.
coreDNSReplicas integer CoreDNSReplicas is the number of desired pods of user cluster coredns deployment.
Deprecated: This field should not be used anymore, use cluster.componentsOverride.coreDNS.replicas
instead. Only one of the two fields can be set at any time.
konnectivityEnabled boolean Deprecated: KonnectivityEnabled enables konnectivity for controlplane to node network communication.
Konnectivity is the only supported choice for controlplane to node network communication. This field is
defaulted to true and setting it to false is rejected. It will be removed in a future release.
tunnelingAgentIP string TunnelingAgentIP is the address used by the tunneling agents

ClusterPhase

Underlying type: string

Appears in:

ClusterSpec

ClusterSpec describes the desired state of a user cluster.

Appears in:

Field Description
humanReadableName string HumanReadableName is the cluster name provided by the user.
version Semver Version defines the wanted version of the control plane.
cloud CloudSpec Cloud contains information regarding the cloud provider that
is responsible for hosting the cluster's workload.
containerRuntime string ContainerRuntime to use, i.e. `docker` or `containerd`. By default `containerd` will be used.
imagePullSecret SecretReference Optional: ImagePullSecret references a secret with container registry credentials. This is passed to the machine-controller which sets the registry credentials on node level.
cniPlugin CNIPluginSettings Optional: CNIPlugin refers to the spec of the CNI plugin used by the Cluster.
clusterNetwork ClusterNetworkingConfig Optional: ClusterNetwork specifies the different networking parameters for a cluster.
machineNetworks MachineNetworkingConfig array Optional: MachineNetworks is the list of the networking parameters used for IPAM.
exposeStrategy ExposeStrategy ExposeStrategy is the strategy used to expose a cluster control plane.
apiServerAllowedIPRanges NetworkRanges Optional: APIServerAllowedIPRanges is a list of IP ranges allowed to access the API server.
Applicable only if the expose strategy of the cluster is LoadBalancer.
If not configured, access to the API server is unrestricted.
componentsOverride ComponentSettings Optional: Component specific overrides that allow customization of control plane components.
oidc OIDCSettings Optional: OIDC specifies the OIDC configuration parameters for enabling authentication mechanism for the cluster.
features object (keys:string, values:boolean) A map of optional or early-stage features that can be enabled for the user cluster.
Some feature gates cannot be disabled after being enabled.
The available feature gates vary based on KKP version, Kubernetes version and Seed configuration.
Please consult the KKP documentation for specific feature gates.
updateWindow UpdateWindow Optional: UpdateWindow configures automatic update systems to respect a maintenance window for
applying OS updates to nodes. This is only respected on Flatcar nodes currently.
usePodSecurityPolicyAdmissionPlugin boolean Enables the admission plugin `PodSecurityPolicy`. This plugin is deprecated by Kubernetes.
usePodNodeSelectorAdmissionPlugin boolean Enables the admission plugin `PodNodeSelector`. Needs additional configuration via the `podNodeSelectorAdmissionPluginConfig` field.
useEventRateLimitAdmissionPlugin boolean Enables the admission plugin `EventRateLimit`. Needs additional configuration via the `eventRateLimitConfig` field.
This plugin is considered "alpha" by Kubernetes.
admissionPlugins string array A list of arbitrary admission plugin names that are passed to kube-apiserver. Must not include admission plugins
that can be enabled via a separate setting.
podNodeSelectorAdmissionPluginConfig object (keys:string, values:string) Optional: Provides configuration for the PodNodeSelector admission plugin (needs plugin enabled
via `usePodNodeSelectorAdmissionPlugin`). It's used by the backend to create a configuration file for this plugin.
The key:value from this map is converted to : in the file. Use `clusterDefaultNodeSelector`
as key to configure a default node selector.
eventRateLimitConfig EventRateLimitConfig Optional: Configures the EventRateLimit admission plugin (if enabled via `useEventRateLimitAdmissionPlugin`)
to create limits on Kubernetes event generation. The EventRateLimit plugin is capable of comparing and rate limiting incoming
`Events` based on several configured buckets.
enableUserSSHKeyAgent boolean Optional: Deploys the UserSSHKeyAgent to the user cluster. This field is immutable.
If enabled, the agent will be deployed and used to sync user ssh keys attached by users to the cluster.
No SSH keys will be synced after node creation if this is disabled.
enableOperatingSystemManager boolean Deprecated: EnableOperatingSystemManager has been deprecated starting with KKP 2.26 and will be removed in KKP 2.28+. This field is no-op and OSM is always enabled for user clusters.
OSM is responsible for creating and managing worker node configuration.
kubelb KubeLB KubeLB holds the configuration for the kubeLB component.
Only available in Enterprise Edition.
kubernetesDashboard KubernetesDashboard KubernetesDashboard holds the configuration for the kubernetes-dashboard component.
auditLogging AuditLoggingSettings Optional: AuditLogging configures Kubernetes API audit logging (https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)
for the user cluster.
opaIntegration OPAIntegrationSettings Optional: OPAIntegration is a preview feature that enables OPA integration for the cluster.
Enabling it causes OPA Gatekeeper and its resources to be deployed on the user cluster.
By default it is disabled.
serviceAccount ServiceAccountSettings Optional: ServiceAccount contains service account related settings for the user cluster's kube-apiserver.
mla MLASettings Optional: MLA contains monitoring, logging and alerting related settings for the user cluster.
applicationSettings ApplicationSettings Optional: ApplicationSettings contains the settings relative to the application feature.
encryptionConfiguration EncryptionConfiguration Optional: Configures encryption-at-rest for Kubernetes API data. This needs the `encryptionAtRest` feature gate.
pause boolean If this is set to true, the cluster will not be reconciled by KKP.
This indicates that the user needs to do some action to resolve the pause.
pauseReason string PauseReason is the reason why the cluster is not being managed. This field is for informational
purpose only and can be set by a user or a controller to communicate the reason for pausing the cluster.
debugLog boolean Enables more verbose logging in KKP's user-cluster-controller-manager.
disableCsiDriver boolean Optional: DisableCSIDriver disables the installation of the CSI driver on the cluster.
If this is true at the data center level, it cannot be overwritten in the cluster configuration.
backupConfig BackupConfig Optional: BackupConfig contains the configuration options for managing the Cluster Backup Velero integration feature.
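
Several ClusterSpec and CloudSpec fields documented above fall back to permissive behaviour when left unset (unrestricted API server access, node ports reachable from anywhere, no audit logging). The following added example, which is not part of the KKP reference or code base, audits a Cluster manifest loaded as a Python dict for those documented cases. It assumes that `NetworkRanges` is an object with a `cidrBlocks` string list and that `encryptionConfiguration` is any non-empty object; the finding identifiers and the sample manifest are constructed for illustration.

```python
import ipaddress

# Provider fields of CloudSpec, as listed in the CloudSpec table above.
PROVIDER_FIELDS = {
    "digitalocean", "baremetal", "bringyourown", "edge", "aws", "azure",
    "openstack", "packet", "hetzner", "vsphere", "gcp", "kubevirt",
    "alibaba", "anexia", "nutanix", "vmwareclouddirector",
}


def _cidrs(network_ranges):
    """Return the CIDR strings of a NetworkRanges value.

    Assumption: NetworkRanges is an object with a `cidrBlocks` string list.
    """
    return list((network_ranges or {}).get("cidrBlocks") or [])


def _is_open(cidrs):
    """True when no range is configured or one range covers every address."""
    if not cidrs:
        return True
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def audit_cluster(cluster):
    """Return a list of (finding_id, message) tuples for one Cluster manifest."""
    findings = []
    spec = cluster.get("spec") or {}
    cloud = spec.get("cloud") or {}

    # CloudSpec: provider specs are mutually exclusive and must match providerName.
    providers = sorted(k for k in cloud if k in PROVIDER_FIELDS)
    if len(providers) > 1:
        findings.append(("multiple-providers", "provider specs set: " + ", ".join(providers)))
    name = cloud.get("providerName")
    if name and name not in providers:
        findings.append(("provider-mismatch", f"providerName {name!r} has no matching provider spec"))

    # apiServerAllowedIPRanges only applies to the LoadBalancer expose strategy;
    # if not configured, access to the API server is unrestricted.
    if spec.get("exposeStrategy") == "LoadBalancer" and _is_open(
        _cidrs(spec.get("apiServerAllowedIPRanges"))
    ):
        findings.append(("apiserver-unrestricted", "no effective apiServerAllowedIPRanges"))

    azure = cloud.get("azure")
    if azure is not None:
        # If neither field is set, the node port range can be accessed from anywhere.
        # This only matters when the security group is generated by KKP.
        ranges = _cidrs(azure.get("nodePortsAllowedIPRanges"))
        if azure.get("nodePortsAllowedIPRange"):
            ranges.append(azure["nodePortsAllowedIPRange"])
        if _is_open(ranges):
            findings.append(("azure-nodeports-open", "node port range reachable from anywhere"))
        # credentialsReference avoids passing secret data in the spec itself.
        if azure.get("clientSecret"):
            findings.append(("azure-inline-secret", "clientSecret set inline; use credentialsReference"))

    if not (spec.get("auditLogging") or {}).get("enabled"):
        findings.append(("audit-logging-disabled", "auditLogging.enabled is not true"))

    if spec.get("usePodSecurityPolicyAdmissionPlugin"):
        findings.append(("psp-deprecated", "PodSecurityPolicy is deprecated by Kubernetes"))

    # encryptionConfiguration needs the `encryptionAtRest` feature gate.
    if spec.get("encryptionConfiguration") and not (spec.get("features") or {}).get("encryptionAtRest"):
        findings.append(("encryption-gate-missing", "encryptionAtRest feature gate not enabled"))

    return findings


# Constructed sample manifest; every value is made up for this example.
SAMPLE_CLUSTER = {
    "apiVersion": "kubermatic.k8c.io/v1",
    "kind": "Cluster",
    "metadata": {"name": "example"},
    "spec": {
        "humanReadableName": "example",
        "exposeStrategy": "LoadBalancer",
        "cloud": {
            "dc": "example-dc",
            "providerName": "azure",
            "azure": {
                "clientSecret": "constructed-placeholder",
                "nodePortsAllowedIPRange": "0.0.0.0/0",
            },
        },
        "usePodSecurityPolicyAdmissionPlugin": True,
        "encryptionConfiguration": {"enabled": True},  # field name assumed
    },
}

if __name__ == "__main__":
    for finding_id, message in audit_cluster(SAMPLE_CLUSTER):
        print(f"{finding_id}: {message}")
```
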

ClusterStatus

ClusterStatus stores status information about a cluster.

Appears in:

Field Description
address ClusterAddress Address contains the IPs/URLs to access the cluster control plane.
lastUpdated Time Deprecated: LastUpdated contains the timestamp at which the cluster was last modified.
It is kept only for the KKP 2.20 release to avoid breaking backwards compatibility and is not set in later KKP releases.
extendedHealth ExtendedClusterHealth ExtendedHealth exposes information about the current health state.
Extends standard health status for new states.
lastProviderReconciliation Time LastProviderReconciliation is the time when the cloud provider resources
were last fully reconciled (during normal cluster reconciliation, KKP does
not re-check things like security groups, networks etc.).
namespaceName string NamespaceName defines the namespace the control plane of this cluster is deployed in.
versions ClusterVersionsStatus Versions contains information regarding the current and desired versions
of the cluster control plane and worker nodes.
userName string Deprecated: UserName contains the name of the owner of this cluster.
This field is not actively used and will be removed in the future.
userEmail string UserEmail contains the email of the owner of this cluster.
During cluster creation only, this field will be used to bind the `cluster-admin` `ClusterRole` to a cluster owner.
errorReason ClusterStatusError ErrorReason contains an error reason in case the controller encountered an error. Will be reset if the error was resolved.
errorMessage string ErrorMessage contains a default error message in case the controller encountered an error. Will be reset if the error was resolved.
conditions object (keys:ClusterConditionType, values:ClusterCondition) Conditions contains conditions the cluster is in, its primary use case is status signaling between controllers or between
controllers and the API.
phase ClusterPhase Phase is a description of the current cluster status, summarizing the various conditions,
possible active updates etc. This field is for informational purpose only and no logic
should be tied to the phase.
inheritedLabels object (keys:string, values:string) InheritedLabels are labels the cluster inherited from the project. They are read-only for users.
encryption ClusterEncryptionStatus Encryption describes the status of the encryption-at-rest feature for encrypted data in etcd.
resourceUsage ResourceDetails ResourceUsage shows the current usage of resources for the cluster.

ClusterStatusError

Underlying type: string

Appears in:

ClusterTemplate

ClusterTemplate is the object representing a cluster template.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ClusterTemplate
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
clusterLabels object (keys:string, values:string)
inheritedClusterLabels object (keys:string, values:string)
credential string
userSSHKeys ClusterTemplateSSHKey array UserSSHKeys is the list of SSH public keys that should be assigned to all nodes in the cluster.
spec ClusterSpec Spec describes the desired state of a user cluster.

ClusterTemplateInstance

ClusterTemplateInstance is the object representing a cluster template instance.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ClusterTemplateInstance
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ClusterTemplateInstanceSpec Spec specifies the data for cluster instances.

ClusterTemplateInstanceList

ClusterTemplateInstanceList specifies a list of cluster template instances.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ClusterTemplateInstanceList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items ClusterTemplateInstance array Items refers to the list of ClusterTemplateInstance objects.

ClusterTemplateInstanceSpec

ClusterTemplateInstanceSpec specifies the data for cluster instances.

Appears in:

Field Description
projectID string
clusterTemplateID string
clusterTemplateName string
replicas integer

ClusterTemplateList

ClusterTemplateList specifies a list of cluster templates.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ClusterTemplateList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items ClusterTemplate array Items refers to the list of the ClusterTemplate objects.

ClusterTemplateSSHKey

ClusterTemplateSSHKey is the object for holding SSH key.

Appears in:

Field Description
id string ID is the name of the UserSSHKey object that is supposed to be assigned
to any ClusterTemplateInstance created based on this template.
name string Name is the human readable SSH key name.

ClusterVersionsStatus

ClusterVersionsStatus contains information regarding the current and desired versions of the cluster control plane and worker nodes.

Appears in:

Field Description
controlPlane Semver ControlPlane is the currently active cluster version. This can lag behind the apiserver
version if an update is currently rolling out.
apiserver Semver Apiserver is the currently desired version of the kube-apiserver. During
upgrades across multiple minor versions (e.g. from 1.20 to 1.23), this will gradually
be increased by the update-controller until the desired cluster version (spec.version)
is reached.
controllerManager Semver ControllerManager is the currently desired version of the kube-controller-manager. This
field behaves the same as the apiserver field.
scheduler Semver Scheduler is the currently desired version of the kube-scheduler. This field behaves the
same as the apiserver field.
oldestNodeVersion Semver OldestNodeVersion is the oldest node version currently in use inside the cluster. This can be
nil if there are no nodes. This field is primarily for speeding up reconciling, so that
the controller doesn't have to connect to the usercluster and query its nodes on every
reconciliation.

ComponentSettings

Appears in:

Field Description
apiserver APIServerSettings Apiserver configures kube-apiserver settings.
controllerManager ControllerSettings ControllerManager configures kube-controller-manager settings.
scheduler ControllerSettings Scheduler configures kube-scheduler settings.
etcd EtcdStatefulSetSettings Etcd configures the etcd ring used to store Kubernetes data.
prometheus StatefulSetSettings Prometheus configures the Prometheus instance deployed into the cluster control plane.
nodePortProxyEnvoy NodeportProxyComponent NodePortProxyEnvoy configures the per-cluster nodeport-proxy-envoy that is deployed if
the `LoadBalancer` expose strategy is used. This is not effective if a different expose
strategy is configured.
konnectivityProxy KonnectivityProxySettings KonnectivityProxy configures konnectivity-server and konnectivity-agent components.
userClusterController ControllerSettings UserClusterController configures the KKP usercluster-controller deployed as part of the cluster control plane.
operatingSystemManager ControllerSettings OperatingSystemManager configures operating-system-manager (the component generating node bootstrap scripts for machine-controller).
coreDNS DeploymentSettings CoreDNS configures CoreDNS deployed as part of the cluster control plane.

ConditionType

Underlying type: string

ConditionType is the type defining the cluster or datacenter condition that must be met to block a specific version.

Appears in:

Constraint

Constraint specifies a kubermatic wrapper for the gatekeeper constraints.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string Constraint
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ConstraintSpec Spec describes the desired state for the constraint.

ConstraintList

ConstraintList specifies a list of constraints.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ConstraintList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items Constraint array Items is a list of Gatekeeper Constraints

ConstraintSelector

ConstraintSelector is the object holding the cluster selection filters.

Appears in:

Field Description
providers string array Providers is a list of cloud providers to which the Constraint applies. Empty means all providers are selected.
labelSelector LabelSelector LabelSelector selects the Clusters to which the Constraint applies based on their labels

ConstraintSpec

ConstraintSpec specifies the data for the constraint.

Appears in:

Field Description
constraintType string ConstraintType specifies the type of gatekeeper constraint that the constraint applies to
disabled boolean Disabled is the flag for disabling OPA constraints
match Match Match contains the constraint to resource matching data
parameters Parameters Parameters specifies the parameters used by the constraint template REGO.
It supports both the legacy rawJSON parameters, in which all the parameters are set in a JSON string, and regular
parameters like in Gatekeeper Constraints.
If rawJSON is set, during constraint syncing to the user cluster, the other parameters are ignored.
Example with rawJSON parameters:

    parameters:
      rawJSON: '{"labels":["gatekeeper"]}'

And with regular parameters:

    parameters:
      labels: ["gatekeeper"]
selector ConstraintSelector Selector specifies the cluster selection filters
enforcementAction string EnforcementAction defines the action to take in response to a constraint being violated.
By default, EnforcementAction is set to deny as the default behavior is to deny admission requests with any violation.

ConstraintTemplate

ConstraintTemplate is the object representing a kubermatic wrapper for a gatekeeper constraint template.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ConstraintTemplate
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ConstraintTemplateSpec Spec specifies the gatekeeper constraint template and KKP related spec.

ConstraintTemplateList

ConstraintTemplateList specifies a list of constraint templates.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ConstraintTemplateList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items ConstraintTemplate array Items refers to the list of ConstraintTemplate objects.

ConstraintTemplateSelector

ConstraintTemplateSelector is the object holding the cluster selection filters.

Appears in:

Field Description
providers string array Providers is a list of cloud providers to which the Constraint Template applies. Empty means all providers are selected.
labelSelector LabelSelector LabelSelector selects the Clusters to which the Constraint Template applies based on their labels

ConstraintTemplateSpec

ConstraintTemplateSpec is the object representing the gatekeeper constraint template spec and kubermatic related spec.

Appears in:

Field Description
crd CRD
targets Target array
selector ConstraintTemplateSelector Selector configures which clusters this constraint template is applied to.

ContainerRuntimeContainerd

ContainerRuntimeContainerd defines containerd container runtime registries configs.

Appears in:

Field Description
registries object (keys:string, values:ContainerdRegistry) A map of registries to use to render configs and mirrors for containerd registries

ControllerSettings

Appears in:

Field Description
replicas integer
resources ResourceRequirements
tolerations Toleration array
leaderElection LeaderElectionSettings

Appears in:

Field Description
label string
url string
icon string
location string

Underlying type: [CustomLink](#customlink)

Appears in:

Field Description
label string
url string
icon string
location string

CustomNetworkPolicy

Underlying type: `struct{Name string "json:\"name\""; Spec k8s.io/api/networking/v1.NetworkPolicySpec "json:\"spec\""}`

CustomNetworkPolicy contains a name and the Spec of a NetworkPolicy.

Appears in:

Datacenter

Appears in:

Field Description
country string Optional: Country of the seed as ISO-3166 two-letter code, e.g. DE or UK.
For informational purposes in the Kubermatic dashboard only.
location string Optional: Detailed location of the cluster, like "Hamburg" or "Datacenter 7".
For informational purposes in the Kubermatic dashboard only.
node NodeSettings Node holds node-specific settings, like e.g. HTTP proxy, Docker
registries and the like. Proxy settings are inherited from the seed if
not specified here.
spec DatacenterSpec Spec describes the cloud provider settings used to manage resources
in this datacenter. Exactly one cloud provider must be defined.

DatacenterSpec

DatacenterSpec configures a KKP datacenter. Provider configuration is mutually exclusive, and as such only a single provider can be configured per datacenter.

Appears in:

Field Description
digitalocean DatacenterSpecDigitalocean Digitalocean configures a Digitalocean datacenter.
bringyourown DatacenterSpecBringYourOwn BringYourOwn contains settings for clusters using manually created
nodes via kubeadm.
baremetal DatacenterSpecBaremetal Baremetal contains settings for baremetal clusters in datacenters.
edge DatacenterSpecEdge Edge contains settings for clusters using manually created
nodes in edge envs.
aws DatacenterSpecAWS AWS configures an Amazon Web Services (AWS) datacenter.
azure DatacenterSpecAzure Azure configures an Azure datacenter.
openstack DatacenterSpecOpenstack Openstack configures an Openstack datacenter.
packet DatacenterSpecPacket Packet configures an Equinix Metal datacenter.
hetzner DatacenterSpecHetzner Hetzner configures a Hetzner datacenter.
vsphere DatacenterSpecVSphere VSphere configures a VMware vSphere datacenter.
vmwareclouddirector DatacenterSpecVMwareCloudDirector VMwareCloudDirector configures a VMware Cloud Director datacenter.
gcp DatacenterSpecGCP GCP configures a Google Cloud Platform (GCP) datacenter.
kubevirt DatacenterSpecKubevirt Kubevirt configures a KubeVirt datacenter.
alibaba DatacenterSpecAlibaba Alibaba configures an Alibaba Cloud datacenter.
anexia DatacenterSpecAnexia Anexia configures an Anexia datacenter.
nutanix DatacenterSpecNutanix Nutanix configures a Nutanix HCI datacenter.
requiredEmails string array Optional: When defined, only users with an e-mail address on the
given domains can make use of this datacenter. You can define multiple
domains, e.g. "example.com", one of which must match the email domain
exactly (i.e. "example.com" will not match "user@test.example.com").
enforceAuditLogging boolean Optional: EnforceAuditLogging enforces audit logging on every cluster within the DC,
ignoring cluster-specific settings.
enforcedAuditWebhookSettings AuditWebhookBackendSettings Optional: EnforcedAuditWebhookSettings allows admins to control webhook backend for audit logs of all the clusters within the DC,
ignoring cluster-specific settings.
enforcePodSecurityPolicy boolean Optional: EnforcePodSecurityPolicy enforces the pod security policy plugin on every cluster within the DC,
ignoring cluster-specific settings.
providerReconciliationInterval Duration Optional: ProviderReconciliationInterval is the time that must have passed since a
Cluster's status.lastProviderReconciliation to make the cluster controller
perform an in-depth provider reconciliation, where for example missing security
groups will be reconciled.
Setting this too low can cause rate limits by the cloud provider, setting this
too high means that *if* a resource at a cloud provider is removed/changed outside
of KKP, it will take this long to fix it.
operatingSystemProfiles OperatingSystemProfileList Optional: DefaultOperatingSystemProfiles specifies the OperatingSystemProfiles to use for each supported operating system.
machineFlavorFilter MachineFlavorFilter Optional: MachineFlavorFilter is used to filter out allowed machine flavors based on the specified resource limits like CPU, Memory, and GPU etc.
disableCsiDriver boolean Optional: DisableCSIDriver disables the installation of the CSI driver on every cluster within the DC.
If true, it can't be overwritten in the cluster configuration.
kubelb KubeLBDatacenterSettings Optional: KubeLB holds the configuration for the kubeLB at the data center level.
Only available in Enterprise Edition.
apiServerServiceType ServiceType APIServerServiceType is the service type used for API Server service `apiserver-external` for the user clusters.
By default, the type of service that will be used is determined by the `ExposeStrategy` used for the cluster.

DatacenterSpecAWS

DatacenterSpecAWS describes an AWS datacenter.

Appears in:

Field Description
region string The AWS region to use, e.g. "us-east-1". For a list of available regions, see
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html
images ImageList List of AMIs to use for a given operating system.
This gets defaulted by querying for the latest AMI for the given distribution
when machines are created, so under normal circumstances it is not necessary
to define the AMIs statically.

DatacenterSpecAlibaba

DatacenterSpecAlibaba describes an Alibaba datacenter.

Appears in:

Field Description
region string Region to use, for a full list of regions see
https://www.alibabacloud.com/help/doc-detail/40654.htm

DatacenterSpecAnexia

DatacenterSpecAnexia describes an Anexia datacenter.

Appears in:

Field Description
locationID string LocationID the location of the region

DatacenterSpecAzure

DatacenterSpecAzure describes an Azure cloud datacenter.

Appears in:

Field Description
location string Region to use, for example "westeurope". A list of available regions can be
found at https://azure.microsoft.com/en-us/global-infrastructure/locations/
images ImageList Images to use for each supported operating system

DatacenterSpecBaremetal

DatacenterSpecBaremetal describes a datacenter of baremetal nodes.

Appears in:

Field Description
tinkerbell DatacenterSpecTinkerbell

DatacenterSpecBringYourOwn

DatacenterSpecBringYourOwn describes a datacenter made up of bring-your-own nodes.

Appears in:

DatacenterSpecDigitalocean

DatacenterSpecDigitalocean describes a DigitalOcean datacenter.

Appears in:

Field Description
region string Datacenter location, e.g. "ams3". A list of existing datacenters can be found
at https://www.digitalocean.com/docs/platform/availability-matrix/

DatacenterSpecEdge

DatacenterSpecEdge describes a datacenter of edge nodes.

Appears in:

DatacenterSpecGCP

DatacenterSpecGCP describes a GCP datacenter.

Appears in:

Field Description
region string Region to use, for example "europe-west3", for a full list of regions see
https://cloud.google.com/compute/docs/regions-zones/
zoneSuffixes string array List of enabled zones, for example [a, c]. See the link above for the available
zones in your chosen region.
regional boolean Optional: Regional clusters spread their resources across multiple availability zones.
Refer to the official documentation for more details on this:
https://cloud.google.com/kubernetes-engine/docs/concepts/regional-clusters

DatacenterSpecHetzner

DatacenterSpecHetzner describes a Hetzner cloud datacenter.

Appears in:

Field Description
datacenter string Datacenter location, e.g. "nbg1-dc3". A list of existing datacenters can be found
at https://docs.hetzner.com/general/others/data-centers-and-connection/
network string Network is the pre-existing Hetzner network in which the machines are running.
While machines can be in multiple networks, a single one must be chosen for the
HCloud CCM to work.
location string Optional: Detailed location of the datacenter, like "Hamburg" or "Datacenter 7".
For informational purposes only.

DatacenterSpecKubevirt

DatacenterSpecKubevirt describes a KubeVirt datacenter.

Appears in:

Field Description
namespacedMode NamespacedMode NamespacedMode represents the configuration for enabling the single namespace mode for all user-clusters in the KubeVirt datacenter.
dnsPolicy string DNSPolicy represents the dns policy for the pod. Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst',
'Default' or 'None'. Defaults to "ClusterFirst". DNS parameters given in DNSConfig will be merged with the
policy selected with DNSPolicy.
dnsConfig PodDNSConfig DNSConfig represents the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS
configuration based on DNSPolicy.
enableDefaultNetworkPolicies boolean Optional: EnableDefaultNetworkPolicies enables deployment of default network policies like cluster isolation.
Defaults to true.
enableDedicatedCpus boolean Optional: EnableDedicatedCPUs enables the assignment of dedicated cpus instead of resource requests and limits for a virtual machine.
Defaults to false.
customNetworkPolicies CustomNetworkPolicy array Optional: CustomNetworkPolicies allows adding extra custom NetworkPolicies that are deployed
in the dedicated infra KubeVirt cluster. They are added to the defaults.
images KubeVirtImageSources Images represents standard VM Image sources.
infraStorageClasses KubeVirtInfraStorageClass array Optional: InfraStorageClasses contains a list of KubeVirt infra cluster StorageClasses names
that will be used to initialise StorageClasses in the tenant cluster.
In the tenant cluster, the created StorageClass name will have as name:
kubevirt-
providerNetwork ProviderNetwork Optional: ProviderNetwork describes the infra cluster network fabric that is being used
ccmZoneAndRegionEnabled boolean Optional: indicates if region and zone labels from the cloud provider should be fetched.
ccmLoadBalancerEnabled boolean Optional: indicates if the ccm should create and manage the clusters load balancers.
vmEvictionStrategy EvictionStrategy VMEvictionStrategy describes the strategy to follow when a node drain occurs. If not set the default
value is External and the VM will be protected by a PDB.
csiDriverOperator KubeVirtCSIDriverOperator CSIDriverOperator configures the kubevirt csi driver operator in the user cluster such as the csi driver images overwriting.
matchSubnetAndStorageLocation boolean Optional: MatchSubnetAndStorageLocation, if set to true, requires the region and zone of the subnet and storage class to match. For
example, if the storage class has the region `eu` and zone `central`, the subnet must be in the same region and zone.
Otherwise KKP will reject the creation of the machine deployment and eventually the cluster.

DatacenterSpecNutanix

DatacenterSpecNutanix describes a Nutanix datacenter.

Appears in:

Field Description
endpoint string Endpoint to use for accessing Nutanix Prism Central. No protocol or port should be passed,
for example "nutanix.example.com" or "10.0.0.1"
port integer Optional: Port to use when connecting to the Nutanix Prism Central endpoint (defaults to 9440)
allowInsecure boolean Optional: AllowInsecure allows to disable the TLS certificate check against the endpoint (defaults to false)
images ImageList Images to use for each supported operating system

DatacenterSpecOpenstack

DatacenterSpecOpenstack describes an OpenStack datacenter.

Appears in:

Field Description
authURL string Authentication URL
availabilityZone string Used to configure availability zone.
region string Authentication region name
ignoreVolumeAZ boolean Optional
enforceFloatingIP boolean Optional
dnsServers string array Used for automatic network creation
images ImageList Images to use for each supported operating system.
manageSecurityGroups boolean Optional: Gets mapped to the "manage-security-groups" setting in the cloud config.
This setting defaults to true.
loadBalancerProvider string Optional: Gets mapped to the "lb-provider" setting in the cloud config.
Defaults to "".
loadBalancerMethod string Optional: Gets mapped to the "lb-method" setting in the cloud config.
Defaults to "ROUND_ROBIN".
useOctavia boolean Optional: Gets mapped to the "use-octavia" setting in the cloud config.
use-octavia is enabled by default in CCM since v1.17.0, and disabled by
default with the in-tree cloud provider.
trustDevicePath boolean Optional: Gets mapped to the "trust-device-path" setting in the cloud config.
This setting defaults to false.
nodeSizeRequirements OpenstackNodeSizeRequirements Optional: Restrict the allowed VM configurations that can be chosen in
the KKP dashboard. This setting does not affect the validation webhook for
MachineDeployments.
enabledFlavors string array Optional: List of enabled flavors for the given datacenter
ipv6Enabled boolean Optional: defines if the IPv6 is enabled for the datacenter
csiCinderTopologyEnabled boolean Optional: configures enablement of topology support for the Cinder CSI Plugin.
This requires Nova and Cinder to have matching availability zones configured.
enableConfigDrive boolean Optional: enable a configuration drive that will be attached to the instance when it boots.
The instance can mount this drive and read files from it to get information
nodePortsAllowedIPRange NetworkRanges CIDR ranges that will be used to allow access to the node port range in the security group. By default it will be open to 0.0.0.0/0.
Only applies if the security group is generated by KKP and not preexisting, and will be applied only if no ranges are set at the cluster level.

DatacenterSpecPacket

DatacenterSpecPacket describes a Packet datacenter.

Appears in:

Field Description
facilities string array The list of enabled facilities, for example "ams1", for a full list of available
facilities see https://metal.equinix.com/developers/docs/locations/facilities/
metro string Metros are facilities that are grouped together geographically and share capacity
and networking features, see https://metal.equinix.com/developers/docs/locations/metros/

DatacenterSpecTinkerbell

Underlying type: `struct{Images TinkerbellImageSources "json:\"images,omitempty\""}`

DatacenterSpecTinkerbell contains the spec for the Tinkerbell provider.

Appears in:

DatacenterSpecVMwareCloudDirector

Appears in:

Field Description
url string Endpoint URL to use, including protocol, for example "https://vclouddirector.example.com".
allowInsecure boolean If set to true, disables the TLS certificate check against the endpoint.
catalog string The default catalog which contains the VM templates.
storageProfile string The name of the storage profile to use for disks attached to the VMs.
templates ImageList A list of VM templates to use for a given operating system. You must
define at least one template.

DatacenterSpecVSphere

DatacenterSpecVSphere describes a vSphere datacenter.

Appears in:

Field Description
endpoint string Endpoint URL to use, including protocol, for example "https://vcenter.example.com".
allowInsecure boolean If set to true, disables the TLS certificate check against the endpoint.
datastore string The default Datastore to be used for provisioning volumes using storage
classes/dynamic provisioning and for storing virtual machine files in
case no `Datastore` or `DatastoreCluster` is provided at Cluster level.
datacenter string The name of the datacenter to use.
cluster string The name of the vSphere cluster to use. Used for out-of-tree CSI Driver.
storagePolicy string The name of the storage policy to use for the storage class created in the user cluster.
rootPath string Optional: The root path for cluster specific VM folders. Each cluster gets its own
folder below the root folder. Must be the FQDN (for example
"/datacenter-1/vm/all-kubermatic-vms-in-here") and defaults to the root VM
folder: "/datacenter-1/vm"
templates ImageList A list of VM templates to use for a given operating system. You must
define at least one template.
See: https://github.com/kubermatic/machine-controller/blob/master/docs/vsphere.md#template-vms-preparation
infraManagementUser VSphereCredentials Optional: Infra management user is the user that will be used for everything
except the cloud provider functionality, which will still use the credentials
passed in via the Kubermatic dashboard/API.
ipv6Enabled boolean Optional: defines if the IPv6 is enabled for the datacenter
defaultTagCategoryID string DefaultTagCategoryID is the tag category id that will be used as default, if users don't specify it on a cluster level,
and they don't wish KKP to create default generated tag category, upon cluster creation.
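
The DatacenterSpec settings with a direct security effect in this reference (`allowInsecure` on the vSphere, Nutanix and VMware Cloud Director blocks, `enforceAuditLogging`, `requiredEmails`) can be reviewed mechanically before a Seed is applied. The Go program below is an added example, not KKP code: the names `AuditDatacenterSpec`, `EmailAllowed` and `sampleSpec`, the finding texts and the case-insensitive domain comparison are assumptions, and the input is a constructed DatacenterSpec in JSON form using the field names documented above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// endpointTLS is the one field this check reads from the provider blocks that
// document allowInsecure: vsphere, nutanix and vmwareclouddirector.
type endpointTLS struct {
	AllowInsecure bool `json:"allowInsecure"`
}

// datacenterSpec covers only the DatacenterSpec fields inspected below; the
// JSON names come from the reference, all other fields are ignored.
type datacenterSpec struct {
	VSphere             *endpointTLS `json:"vsphere"`
	Nutanix             *endpointTLS `json:"nutanix"`
	VMwareCloudDirector *endpointTLS `json:"vmwareclouddirector"`
	RequiredEmails      []string     `json:"requiredEmails"`
	EnforceAuditLogging bool         `json:"enforceAuditLogging"`
}

// AuditDatacenterSpec (hypothetical helper) parses one DatacenterSpec given as
// JSON and returns its findings, sorted so the output is stable.
func AuditDatacenterSpec(name string, raw []byte) ([]string, error) {
	var spec datacenterSpec
	if err := json.Unmarshal(raw, &spec); err != nil {
		return nil, fmt.Errorf("datacenter %q: %w", name, err)
	}
	findings := []string{}
	providers := map[string]*endpointTLS{
		"vsphere":             spec.VSphere,
		"nutanix":             spec.Nutanix,
		"vmwareclouddirector": spec.VMwareCloudDirector,
	}
	for provider, cfg := range providers {
		if cfg != nil && cfg.AllowInsecure {
			findings = append(findings, provider+".allowInsecure is true: TLS certificate check disabled")
		}
	}
	if !spec.EnforceAuditLogging {
		findings = append(findings, "enforceAuditLogging is not set: audit logging depends on each cluster's own settings")
	}
	if len(spec.RequiredEmails) == 0 {
		findings = append(findings, "requiredEmails is empty: datacenter is not restricted by e-mail domain")
	}
	sort.Strings(findings)
	return findings, nil
}

// EmailAllowed applies the requiredEmails rule as the reference words it: the
// part after the last "@" must equal one listed domain, so a subdomain does
// not match. Case-insensitive comparison is an assumption of this example.
func EmailAllowed(requiredEmails []string, email string) bool {
	if len(requiredEmails) == 0 {
		return true // no restriction defined
	}
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return false // no local part or no domain
	}
	domain := email[at+1:]
	for _, allowed := range requiredEmails {
		if strings.EqualFold(domain, allowed) {
			return true
		}
	}
	return false
}

// sampleSpec is a constructed DatacenterSpec, not taken from a real Seed.
const sampleSpec = `{
  "vsphere": {"endpoint": "https://vcenter.example.com", "allowInsecure": true},
  "requiredEmails": ["example.com"],
  "enforceAuditLogging": false
}`

func main() {
	findings, err := AuditDatacenterSpec("dc-constructed", []byte(sampleSpec))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println("dc-constructed:", f)
	}
	fmt.Println(EmailAllowed([]string{"example.com"}, "user@test.example.com"))
}
```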

DefaultProjectResourceQuota

DefaultProjectResourceQuota contains the default resource quota which will be set for all projects that do not have a custom quota already set.

Appears in:

Field Description
quota ResourceDetails Quota specifies the default CPU, Memory and Storage quantities for all the projects.

DeploymentSettings

Appears in:

Field Description
replicas integer
resources ResourceRequirements
tolerations Toleration array

Digitalocean

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
token string Token is used to authenticate with the DigitalOcean API.

DigitaloceanCloudSpec

DigitaloceanCloudSpec specifies access data to DigitalOcean.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
token string Token is used to authenticate with the DigitalOcean API.

EKS

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
accessKeyID string The Access key ID used to authenticate against AWS.
secretAccessKey string The Secret Access Key used to authenticate against AWS.
assumeRoleARN string Defines the ARN for an IAM role that should be assumed when handling resources on AWS. It will be used
to acquire temporary security credentials using an STS AssumeRole API operation whenever creating an AWS session.
required: false
assumeRoleExternalID string An arbitrary string that may be needed when calling the STS AssumeRole API operation.
Using an external ID can help to prevent the "confused deputy problem".
required: false

EdgeCloudSpec

EdgeCloudSpec specifies access data for an edge cluster.

Appears in:

EncryptionConfiguration

EncryptionConfiguration configures encryption-at-rest for Kubernetes API data.

Appears in:

Field Description
enabled boolean Enables encryption-at-rest on this cluster.
resources string array List of resources that will be stored encrypted in etcd.
secretbox SecretboxEncryptionConfiguration Configuration for the `secretbox` static key encryption scheme as supported by Kubernetes.
More info: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers

EnvoyLoadBalancerService

Appears in:

Field Description
annotations object (keys:string, values:string) Annotations are used to further tweak the LoadBalancer integration with the
cloud provider.
sourceRanges CIDR array SourceRanges will restrict loadbalancer service to IP ranges specified using CIDR notation like 172.25.0.0/16.
This field will be ignored if the cloud-provider does not support the feature.
More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/

EtcdBackupConfig

EtcdBackupConfig describes how snapshots of user cluster etcds should be performed. Each user cluster automatically gets a default EtcdBackupConfig in its cluster namespace.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string EtcdBackupConfig
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec EtcdBackupConfigSpec Spec describes details of an Etcd backup.
status EtcdBackupConfigStatus

EtcdBackupConfigCondition

Appears in:

Field Description
status ConditionStatus Status of the condition, one of True, False, Unknown.
lastHeartbeatTime Time Last time we got an update on a given condition.
lastTransitionTime Time Last time the condition transitioned from one status to another.
reason string (brief) reason for the condition's last transition.
message string Human readable message indicating details about last transition.

EtcdBackupConfigConditionType

Underlying type: string

EtcdBackupConfigConditionType is used to indicate the type of an EtcdBackupConfig condition. For all condition types, the true value must indicate success. All condition types must be registered within the AllClusterConditionTypes variable.

Appears in:

EtcdBackupConfigList

EtcdBackupConfigList is a list of etcd backup configs.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string EtcdBackupConfigList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items EtcdBackupConfig array Items is a list of EtcdBackupConfig objects.

EtcdBackupConfigSpec

EtcdBackupConfigSpec specifies details of an etcd backup.

Appears in:

Field Description
name string Name defines the name of the backup
The name of the backup file in S3 will be -
If a schedule is set (see below), - will be appended.
cluster ObjectReference Cluster is the reference to the cluster whose etcd will be backed up
schedule string Schedule is a cron expression defining when to perform
the backup. If not set, the backup is performed exactly
once, immediately.
keep integer Keep is the number of backups to keep around before deleting the oldest one
If not set, defaults to DefaultKeptBackupsCount. Only used if Schedule is set.
destination string Destination indicates where the backup will be stored. The destination name must correspond to a destination in
the cluster's Seed.Spec.EtcdBackupRestore.

EtcdBackupConfigStatus

Appears in:

Field Description
currentBackups BackupStatus array CurrentBackups tracks the creation and deletion progress of all backups managed by the EtcdBackupConfig
conditions object (keys:EtcdBackupConfigConditionType, values:EtcdBackupConfigCondition) Conditions contains conditions of the EtcdBackupConfig
cleanupRunning boolean If the controller was configured with a cleanupContainer, CleanupRunning keeps track of the corresponding job

EtcdBackupRestore

EtcdBackupRestore holds the configuration of the automatic backup and restores.

Appears in:

Field Description
destinations object (keys:string, values:BackupDestination) Destinations stores all the possible destinations where the backups for the Seed can be stored. If not empty,
it enables automatic backup and restore for the seed.
defaultDestination string DefaultDestination marks the default destination that will be used for the default etcd backup config which is
created for every user cluster. Has to correspond to a destination in Destinations.
If removed, it removes the related default etcd backup configs.

EtcdRestore

EtcdRestore specifies an add-on.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string EtcdRestore
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec EtcdRestoreSpec Spec describes details of an etcd restore.
status EtcdRestoreStatus

EtcdRestoreList

EtcdRestoreList is a list of etcd restores.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string EtcdRestoreList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items EtcdRestore array Items is the list of the Etcd restores.

EtcdRestorePhase

Underlying type: string

EtcdRestorePhase represents the lifecycle phase of an EtcdRestore.

Appears in:

EtcdRestoreSpec

EtcdRestoreSpec specifies details of an etcd restore.

Appears in:

Field Description
name string Name defines the name of the restore
The name of the restore file in S3 will be -
If a schedule is set (see below), - will be appended.
cluster ObjectReference Cluster is the reference to the cluster whose etcd will be backed up
backupName string BackupName is the name of the backup to restore from
backupDownloadCredentialsSecret string BackupDownloadCredentialsSecret is the name of a secret in the cluster-xxx namespace containing
credentials needed to download the backup
destination string Destination indicates where the backup was stored. The destination name should correspond to a destination in
the cluster's Seed.Spec.EtcdBackupRestore. If empty, it will use the legacy destination configured in Seed.Spec.BackupRestore

EtcdRestoreStatus

Appears in:

Field Description
phase EtcdRestorePhase
restoreTime Time

EtcdStatefulSetSettings

Appears in:

Field Description
clusterSize integer ClusterSize is the number of replicas created for etcd. This should be an
odd number to guarantee consensus, e.g. 3, 5 or 7.
storageClass string StorageClass is the Kubernetes StorageClass used for persistent storage
which stores the etcd WAL and other data persisted across restarts. Defaults to
`kubermatic-fast` (the global default).
resources ResourceRequirements Resources allows to override the resource requirements for etcd Pods.
tolerations Toleration array Tolerations allows to override the scheduling tolerations for etcd Pods.
hostAntiAffinity AntiAffinityType HostAntiAffinity allows to enforce a certain type of host anti-affinity on etcd
pods. Options are "preferred" (default) and "required". Please note that
enforcing anti-affinity via "required" can mean that pods are never scheduled.
zoneAntiAffinity AntiAffinityType ZoneAntiAffinity allows to enforce a certain type of availability zone anti-affinity on etcd
pods. Options are "preferred" (default) and "required". Please note that
enforcing anti-affinity via "required" can mean that pods are never scheduled.
nodeSelector object (keys:string, values:string) NodeSelector is a selector which restricts the set of nodes where etcd Pods can run.

EventRateLimitConfig

EventRateLimitConfig configures the EventRateLimit admission plugin. More info: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit

Appears in:

Field Description
server EventRateLimitConfigItem
namespace EventRateLimitConfigItem
user EventRateLimitConfigItem
sourceAndObject EventRateLimitConfigItem

EventRateLimitConfigItem

Appears in:

Field Description
qps integer
burst integer
cacheSize integer

ExposeStrategy

Underlying type: string

ExposeStrategy is the strategy used to expose a cluster control plane. Possible values are NodePort, LoadBalancer or Tunneling (requires a feature gate).

Appears in:

ExtendedClusterHealth

ExtendedClusterHealth stores health information of a cluster.

Appears in:

Field Description
apiserver HealthStatus
scheduler HealthStatus
controller HealthStatus
machineController HealthStatus
etcd HealthStatus
openvpn HealthStatus Deprecated: OpenVPN will be removed entirely in the future.
konnectivity HealthStatus
cloudProviderInfrastructure HealthStatus
userClusterControllerManager HealthStatus
applicationController HealthStatus
gatekeeperController HealthStatus
gatekeeperAudit HealthStatus
monitoring HealthStatus
logging HealthStatus
alertmanagerConfig HealthStatus
mlaGateway HealthStatus
operatingSystemManager HealthStatus
kubernetesDashboard HealthStatus
kubelb HealthStatus

ExternalCluster

ExternalCluster is the object representing an external kubernetes cluster.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ExternalCluster
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ExternalClusterSpec Spec describes the desired cluster state.
status ExternalClusterStatus Status contains reconciliation information for the cluster.

ExternalClusterAKSCloudSpec

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector CredentialsReference allows referencing a `Secret` resource instead of passing secret data in this spec.
name string
tenantID string The Azure Active Directory Tenant used for this cluster.
Can be read from `credentialsReference` instead.
subscriptionID string The Azure Subscription used for this cluster.
Can be read from `credentialsReference` instead.
clientID string The service principal used to access Azure.
Can be read from `credentialsReference` instead.
clientSecret string The client secret corresponding to the given service principal.
Can be read from `credentialsReference` instead.
location string The geo-location where the resource lives
resourceGroup string The resource group that will be used to look up and create resources for the cluster in.
If set to empty string at cluster creation, a new resource group will be created and this field will be updated to
the generated resource group's name.

ExternalClusterBringYourOwnCloudSpec

Appears in:

ExternalClusterCloudSpec

ExternalClusterCloudSpec mutually stores access data to a cloud provider.

Appears in:

Field Description
providerName ExternalClusterProvider
gke ExternalClusterGKECloudSpec
eks ExternalClusterEKSCloudSpec
aks ExternalClusterAKSCloudSpec
kubeone ExternalClusterKubeOneCloudSpec
bringyourown ExternalClusterBringYourOwnCloudSpec

ExternalClusterCondition

Appears in:

Field Description
phase ExternalClusterPhase
message string Human readable message indicating details about last transition.

ExternalClusterEKSCloudSpec

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
name string
accessKeyID string The Access key ID used to authenticate against AWS.
Can be read from `credentialsReference` instead.
secretAccessKey string The Secret Access Key used to authenticate against AWS.
Can be read from `credentialsReference` instead.
region string
roleArn string The Amazon Resource Name (ARN) of the IAM role that provides permissions
for the Kubernetes control plane to make calls to Amazon Web Services API
operations on your behalf.
vpcID string The VPC associated with your cluster.
subnetIDs string array The subnets associated with your cluster.
securityGroupIDs string array The security groups associated with the cross-account elastic network interfaces
that are used to allow communication between your nodes and the Kubernetes
control plane.
assumeRoleARN string The ARN for an IAM role that should be assumed when handling resources on AWS. It will be used
to acquire temporary security credentials using an STS AssumeRole API operation whenever creating an AWS session.
required: false
assumeRoleExternalID string An arbitrary string that may be needed when calling the STS AssumeRole API operation.
Using an external ID can help to prevent the "confused deputy problem".
required: false

ExternalClusterGKECloudSpec

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
name string
serviceAccount string ServiceAccount: The Google Cloud Platform Service Account.
Can be read from `credentialsReference` instead.
zone string Zone: The name of the Google Compute Engine zone
(https://cloud.google.com/compute/docs/zones#available) in which the
cluster resides.

ExternalClusterKubeOneCloudSpec

Appears in:

Field Description
providerName string The name of the cloud provider used, one of the providers natively supported by KubeOne:
"aws", "azure", "digitalocean", "gcp",
"hetzner", "nutanix", "openstack", "packet", "vsphere"
region string The cloud provider region in which the cluster resides.
This field is used only to display information.
credentialsReference GlobalSecretKeySelector
sshReference GlobalSecretKeySelector
manifestReference GlobalSecretKeySelector

ExternalClusterList

ExternalClusterList specifies a list of external kubernetes clusters.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ExternalClusterList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items ExternalCluster array Items holds the list of the External Kubernetes cluster.

ExternalClusterNetworkRanges

ExternalClusterNetworkRanges represents ranges of network addresses.

Appears in:

Field Description
cidrBlocks string array

ExternalClusterNetworkingConfig

ExternalClusterNetworkingConfig specifies the different networking parameters for an external cluster.

Appears in:

Field Description
services ExternalClusterNetworkRanges The network ranges from which service VIPs are allocated.
It can contain one IPv4 and/or one IPv6 CIDR.
If both address families are specified, the first one defines the primary address family.
pods ExternalClusterNetworkRanges The network ranges from which POD networks are allocated.
It can contain one IPv4 and/or one IPv6 CIDR.
If both address families are specified, the first one defines the primary address family.

ExternalClusterPhase

Underlying type: string

Appears in:

ExternalClusterProvider

Underlying type: string

ExternalClusterProvider is the identifier for the cloud provider that hosts the external cluster control plane.

Appears in:

ExternalClusterProviderType

Underlying type: string

ExternalClusterProviderType is used to indicate ExternalCluster Provider Types.

Appears in:

ExternalClusterProviderVersioningConfiguration

ExternalClusterProviderVersioningConfiguration configures the available and default Kubernetes versions for ExternalCluster Providers.

Appears in:

Field Description
versions Semver array Versions lists the available versions.
default Semver Default is the default version to offer users.
updates Semver array Updates is a list of available upgrades.

ExternalClusterSpec

ExternalClusterSpec specifies the data for a new external kubernetes cluster.

Appears in:

Field Description
humanReadableName string HumanReadableName is the cluster name provided by the user
kubeconfigReference GlobalSecretKeySelector Reference to cluster Kubeconfig
version Semver Defines the wanted version of the control plane.
cloudSpec ExternalClusterCloudSpec CloudSpec contains provider specific fields
clusterNetwork ExternalClusterNetworkingConfig ClusterNetwork contains the different networking parameters for an external cluster.
containerRuntime string ContainerRuntime to use, i.e. `docker` or `containerd`.
pause boolean If this is set to true, the cluster will not be reconciled by KKP.
This indicates that the user needs to do some action to resolve the pause.
pauseReason string PauseReason is the reason why the cluster is not being managed. This field is for informational
purpose only and can be set by a user or a controller to communicate the reason for pausing the cluster.
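
The following audit is an added example, not part of the Kubermatic reference or code base. It walks an ExternalCluster or ExternalClusterList and reports provider fields that this reference marks "Can be read from `credentialsReference` instead" but that are set inline, plus an EKS `assumeRoleARN` without an `assumeRoleExternalID`; the rule names and all manifest values are constructed for illustration.

```python
"""Audit ExternalCluster objects for inline cloud credentials (added example)."""

# Fields this reference marks 'Can be read from `credentialsReference` instead'.
INLINE_CREDENTIAL_FIELDS = {
    "aks": ("tenantID", "subscriptionID", "clientID", "clientSecret"),
    "eks": ("accessKeyID", "secretAccessKey"),
    "gke": ("serviceAccount",),
}


def iter_external_clusters(doc):
    """Yield ExternalCluster objects from a single object or an ExternalClusterList."""
    kind = doc.get("kind")
    if kind == "ExternalCluster":
        yield doc
    elif kind == "ExternalClusterList":
        # Items inside a list may omit apiVersion/kind, so they are not re-checked.
        yield from doc.get("items") or []


def audit(doc):
    """Return (cluster name, field path, rule) tuples; field values are never included."""
    findings = []
    for cluster in iter_external_clusters(doc):
        name = (cluster.get("metadata") or {}).get("name", "<unnamed>")
        cloud_spec = (cluster.get("spec") or {}).get("cloudSpec") or {}
        for provider, fields in INLINE_CREDENTIAL_FIELDS.items():
            block = cloud_spec.get(provider) or {}
            for field in fields:
                if block.get(field):  # an empty string counts as unset
                    path = f"spec.cloudSpec.{provider}.{field}"
                    findings.append((name, path, "inline-credential"))
        # Advisory rule: the external ID is optional, but the reference notes it
        # can help to prevent the "confused deputy problem".
        eks = cloud_spec.get("eks") or {}
        if eks.get("assumeRoleARN") and not eks.get("assumeRoleExternalID"):
            findings.append(
                (name, "spec.cloudSpec.eks.assumeRoleARN", "assume-role-without-external-id")
            )
    return findings


# Constructed sample input: names, regions, ARNs and keys are placeholders.
SAMPLE_LIST = {
    "apiVersion": "kubermatic.k8c.io/v1",
    "kind": "ExternalClusterList",
    "items": [
        {
            "metadata": {"name": "eks-inline"},
            "spec": {
                "humanReadableName": "legacy import",
                "cloudSpec": {
                    "eks": {
                        "name": "legacy",
                        "region": "eu-central-1",
                        "accessKeyID": "AKIACONSTRUCTED",
                        "secretAccessKey": "constructed-not-a-real-key",
                        "assumeRoleARN": "arn:aws:iam::111122223333:role/constructed",
                    }
                },
            },
        },
        {
            "metadata": {"name": "aks-ref"},
            "spec": {
                "cloudSpec": {
                    "aks": {
                        "name": "prod",
                        "credentialsReference": {"name": "constructed-secret", "namespace": "kubermatic"},
                        "location": "westeurope",
                    }
                }
            },
        },
        {
            "metadata": {"name": "gke-ref"},
            "spec": {
                "cloudSpec": {
                    "gke": {
                        "name": "edge",
                        "serviceAccount": "",
                        "credentialsReference": {"name": "constructed-secret", "namespace": "kubermatic"},
                    }
                }
            },
        },
    ],
}

if __name__ == "__main__":
    for cluster_name, path, rule in audit(SAMPLE_LIST):
        print(f"{cluster_name}: {path} [{rule}]")
```

Findings carry only the field path, so the report can be stored or posted in CI without copying the secret it points at.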

ExternalClusterStatus

ExternalClusterStatus denotes status information about an ExternalCluster.

Appears in:

Field Description
condition ExternalClusterCondition Conditions contains the conditions an ExternalCluster is in; its primary use case is status signaling for controllers.

GCP

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
serviceAccount string ServiceAccount is the Google Service Account (JSON format), encoded with base64.
network string
subnetwork string

GCPCloudSpec

GCPCloudSpec specifies access data to GCP.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
serviceAccount string The Google Service Account (JSON format), encoded with base64.
network string
subnetwork string
nodePortsAllowedIPRange string A CIDR range that is allowed to access the node port range in the firewall rules.
If neither NodePortsAllowedIPRange nor NodePortsAllowedIPRanges is set, the node port range can be accessed from anywhere.
nodePortsAllowedIPRanges NetworkRanges Optional: CIDR ranges that are allowed to access the node port range in the firewall rules.
If neither NodePortsAllowedIPRange nor NodePortsAllowedIPRanges is set, the node port range can be accessed from anywhere.

GKE

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
serviceAccount string

GroupProjectBinding

GroupProjectBinding specifies a binding between a group and a project. This resource is used by the user management to manipulate member groups of the given project.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string GroupProjectBinding
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec GroupProjectBindingSpec Spec describes an oidc group binding to a project.

GroupProjectBindingList

GroupProjectBindingList is a list of group project bindings.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string GroupProjectBindingList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items GroupProjectBinding array Items holds the list of the group and project bindings.

GroupProjectBindingSpec

GroupProjectBindingSpec specifies an oidc group binding to a project.

Appears in:

Field Description
group string Group is the group name that is bound to the given project.
projectID string ProjectID is the ID of the target project.
Should be a valid lowercase RFC1123 domain name
role string Role is the user's role within the project, determining their permissions.
Possible roles are:
"viewers" - allowed to get/list project resources
"editors" - allowed to edit all project resources
"owners" - same as editors, but also can manage users in the project

GroupVersionKind

GroupVersionKind unambiguously identifies a kind. It doesn’t anonymously include GroupVersion to avoid automatic coercion. It doesn’t use a GroupVersion to avoid custom marshalling.

Appears in:

Field Description
group string
version string

HealthStatus

Underlying type: string

Appears in:

Hetzner

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
token string Token is used to authenticate with the Hetzner API.
network string Network is the pre-existing Hetzner network in which the machines are running.
While machines can be in multiple networks, a single one must be chosen for the
HCloud CCM to work.
If this is empty, the network configured on the datacenter will be used.

HetznerCloudSpec

HetznerCloudSpec specifies access data to hetzner cloud.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
token string Token is used to authenticate with the Hetzner cloud API.
network string Network is the pre-existing Hetzner network in which the machines are running.
While machines can be in multiple networks, a single one must be chosen for the
HCloud CCM to work.
If this is empty, the network configured on the datacenter will be used.

IPAMAllocation

IPAMAllocation is the object representing an allocation from an IPAMPool made for a particular KKP user cluster.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string IPAMAllocation
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec IPAMAllocationSpec

IPAMAllocationList

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string IPAMAllocationList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items IPAMAllocation array

IPAMAllocationSpec

IPAMAllocationSpec specifies an allocation from an IPAMPool made for a particular KKP user cluster.

Appears in:

Field Description
type IPAMPoolAllocationType Type is the allocation type that is being used.
dc string DC is the datacenter of the allocation.
cidr SubnetCIDR CIDR is the CIDR that is being used for the allocation.
Set when "type=prefix".
addresses string array Addresses are the IP address ranges that are being used for the allocation.
Set when "type=range".

IPAMPool

IPAMPool is the object representing Multi-Cluster IP Address Management (IPAM) configuration for KKP user clusters.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string IPAMPool
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec IPAMPoolSpec Spec describes the Multi-Cluster IP Address Management (IPAM) configuration for KKP user clusters.

IPAMPoolAllocationType

Underlying type: string

IPAMPoolAllocationType defines the type of allocation to be used. Possible values are prefix and range.

Appears in:

IPAMPoolDatacenterSettings

IPAMPoolDatacenterSettings contains IPAM Pool configuration for a datacenter.

Appears in:

Field Description
type IPAMPoolAllocationType Type is the allocation type to be used.
poolCidr SubnetCIDR PoolCIDR is the pool CIDR to be used for the allocation.
allocationPrefix integer AllocationPrefix is the prefix for the allocation.
Used when "type=prefix".
excludePrefixes SubnetCIDR array Optional: ExcludePrefixes is used to exclude particular subnets for the allocation.
NOTE: must be the same length as allocationPrefix.
Can be used when "type=prefix".
allocationRange integer AllocationRange is the range for the allocation.
Used when "type=range".
excludeRanges string array Optional: ExcludeRanges is used to exclude particular IPs or IP ranges for the allocation.
Examples: "192.168.1.100-192.168.1.110", "192.168.1.255".
Can be used when "type=range".

IPAMPoolList

IPAMPoolList is the list of the object representing Multi-Cluster IP Address Management (IPAM) configuration for KKP user clusters.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string IPAMPoolList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items IPAMPool array Items holds the list of IPAM pool objects.

IPAMPoolSpec

IPAMPoolSpec specifies the Multi-Cluster IP Address Management (IPAM) configuration for KKP user clusters.

Appears in:

Field Description
datacenters object (keys:string, values:IPAMPoolDatacenterSettings) Datacenters contains a map of datacenters (DCs) for the allocation.

IPFamily

Underlying type: string

Appears in:

IPVSConfiguration

IPVSConfiguration contains ipvs-related configuration details for kube-proxy.

Appears in:

Field Description
strictArp boolean StrictArp configures arp_ignore and arp_announce to avoid answering ARP queries from the kube-ipvs0 interface.
Defaults to true.

ImageList

Underlying type: map[OperatingSystem]string

ImageList defines a map of operating system and the image to use.

Appears in:

Incompatibility

Incompatibility represents a version incompatibility for a user cluster.

Appears in:

Field Description
provider string Provider to which to apply the compatibility check.
Empty string matches all providers
version string Version is the Kubernetes version that must be checked. Wildcards are allowed, e.g. "1.25.*".
condition ConditionType Condition is the cluster or datacenter condition that must be met to block a specific version
operation OperationType Operation is the operation triggering the compatibility check (CREATE or UPDATE)

Kind

Kind specifies the resource Kind and APIGroup.

Appears in:

Field Description
kinds string array Kinds specifies the kinds of the resources
apiGroups string array APIGroups specifies the APIGroups of the resources

KonnectivityProxySettings

Appears in:

Field Description
resources ResourceRequirements Resources configure limits/requests for Konnectivity components.
keepaliveTime string KeepaliveTime represents a duration of time to check if the transport is still alive.
The option is propagated to agents and server.
Defaults to 1m.

KubeLB

KubeLB contains settings for the kubeLB component as part of the cluster control plane. This component is responsible for managing load balancers. Only available in Enterprise Edition.

Appears in:

Field Description
enabled boolean Controls whether kubeLB is deployed or not.
useLoadBalancerClass boolean UseLoadBalancerClass is used to configure the use of load balancer class `kubelb` for kubeLB. If false, kubeLB will manage all load balancers in the
user cluster irrespective of the load balancer class.
enableGatewayAPI boolean EnableGatewayAPI is used to configure the use of gateway API for kubeLB.

KubeLBDatacenterSettings

Appears in:

Field Description
kubeconfig ObjectReference Kubeconfig is a reference to the Kubeconfig for the kubeLB management cluster.
enabled boolean Enabled is used to enable/disable kubeLB for the datacenter. This is used to control whether installing kubeLB is allowed or not for the datacenter.
enforced boolean Enforced is used to enforce kubeLB installation for all the user clusters belonging to this datacenter. Setting enforced to false will not uninstall kubeLB from the user clusters and it needs to be disabled manually.
nodeAddressType string NodeAddressType is used to configure the address type from node, used for load balancing.
Optional: Defaults to ExternalIP.
useLoadBalancerClass boolean UseLoadBalancerClass is used to configure the use of load balancer class `kubelb` for kubeLB. If false, kubeLB will manage all load balancers in the
user cluster irrespective of the load balancer class.
enableGatewayAPI boolean EnableGatewayAPI is used to configure the use of gateway API for kubeLB.
enableSecretSynchronizer boolean EnableSecretSynchronizer is used to configure the use of secret synchronizer for kubeLB.
disableIngressClass boolean DisableIngressClass is used to disable the ingress class `kubelb` filter for kubeLB.

KubeLBSettings

Appears in:

Field Description
kubeconfig ObjectReference Kubeconfig is a reference to the Kubeconfig for the kubeLB management cluster.

KubeVirtCSIDriverOperator

KubeVirtCSIDriverOperator contains the different configurations for the kubevirt csi driver operator in the user cluster.

Appears in:

Field Description
overwriteRegistry string OverwriteRegistry overwrites the image registry that the operator pulls from.

KubeVirtImageSources

KubeVirtImageSources represents KubeVirt image sources.

Appears in:

Field Description
http KubeVirtHTTPSource HTTP represents a http source.

KubeVirtInfraStorageClass

Appears in:

Field Description
name string
isDefaultClass boolean Optional: IsDefaultClass. If true, the created StorageClass in the tenant cluster will be annotated with:
storageclass.kubernetes.io/is-default-class : true
If missing or false, annotation will be:
storageclass.kubernetes.io/is-default-class : false
volumeBindingMode VolumeBindingMode VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset,
VolumeBindingImmediate is used.
labels object (keys:string, values:string) Labels is a map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
zones string array Zones represent a logical failure domain. It is common for Kubernetes clusters to span multiple zones
for increased availability
regions string array Regions represents a larger domain, made up of one or more zones. It is uncommon for Kubernetes clusters
to span multiple regions
volumeProvisioner KubeVirtVolumeProvisioner VolumeProvisioner The **Provider** field specifies whether a storage class will be utilized by the Containerized
Data Importer (CDI) to create VM disk images and/or by the KubeVirt CSI Driver to provision volumes in the
infrastructure cluster. If no storage class in the seed object has this value set, the storage class will be used
for both purposes: CDI will create VM disk images, and the CSI driver will provision and attach volumes in the user
cluster. However, if the value is set to `kubevirt-csi-driver`, the storage class cannot be used by CDI for VM disk
image creation.

KubeVirtVolumeProvisioner

Underlying type: string

KubeVirtVolumeProvisioner represents what is the provisioner of the storage class volume, whether it will be the csi driver and/or CDI for disk images.

Appears in:

KubermaticAPIConfiguration

KubermaticAPIConfiguration configures the dashboard.

Appears in:

Field Description
dockerRepository string DockerRepository is the repository containing the Kubermatic REST API image.
dockerTag string DockerTag is used to overwrite the Kubermatic API Docker image tag and is only for development
purposes. This field must not be set in production environments. If DockerTag is specified then
DockerTagSuffix will be ignored.
dockerTagSuffix string DockerTagSuffix is appended to the KKP version used for referring to the custom Kubermatic API image.
If left empty, either the `DockerTag` if specified or the original Kubermatic API Docker image tag will be used.
With DockerTagSuffix the tag becomes e.g. "v2.15.0-SUFFIX".
accessibleAddons string array AccessibleAddons is a list of addons that should be enabled in the API.
pprofEndpoint string PProfEndpoint controls the port the API should listen on to provide pprof
data. This port is never exposed from the container and only available via port-forwardings.
resources ResourceRequirements Resources describes the requested and maximum allowed CPU/memory usage.
debugLog boolean DebugLog enables more verbose logging.
replicas integer Replicas sets the number of pod replicas for the API deployment.

KubermaticAddonsConfiguration

KubermaticAddonsConfiguration describes the addons for a given cluster runtime.

Appears in:

Field Description
default string array Default is the list of addons to be installed by default into each cluster.
Mutually exclusive with "defaultManifests".
defaultManifests string DefaultManifests is a list of addon manifests to install into all clusters.
Mutually exclusive with "default".
dockerRepository string DockerRepository is the repository containing the Docker image containing
the possible addon manifests.
dockerTagSuffix string DockerTagSuffix is appended to the tag used for referring to the addons image.
If left empty, the tag will be the KKP version (e.g. "v2.15.0"), with a
suffix it becomes "v2.15.0-SUFFIX".

KubermaticAuthConfiguration

KubermaticAuthConfiguration defines keys and URLs for Dex.

Appears in:

Field Description
clientID string
tokenIssuer string
issuerRedirectURL string
issuerClientID string
issuerClientSecret string
issuerCookieKey string
serviceAccountKey string
skipTokenIssuerTLSVerify boolean

KubermaticConfiguration

KubermaticConfiguration is the configuration required for running Kubermatic.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string KubermaticConfiguration
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec KubermaticConfigurationSpec
status KubermaticConfigurationStatus

KubermaticConfigurationList

KubermaticConfigurationList is a collection of KubermaticConfigurations.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string KubermaticConfigurationList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items KubermaticConfiguration array

KubermaticConfigurationSpec

KubermaticConfigurationSpec is the spec for a Kubermatic installation.

Appears in:

Field Description
caBundle TypedLocalObjectReference CABundle references a ConfigMap in the same namespace as the KubermaticConfiguration.
This ConfigMap must contain a ca-bundle.pem with PEM-encoded certificates. This bundle is
automatically synchronized into each seed and each usercluster. APIGroup and Kind are
currently ignored.
imagePullSecret string ImagePullSecret is used to authenticate against Docker registries.
auth KubermaticAuthConfiguration Auth defines keys and URLs for Dex. These must be defined unless the HeadlessInstallation
feature gate is set, which will disable the UI/API and its need for an OIDC provider entirely.
featureGates object (keys:string, values:boolean) FeatureGates are used to optionally enable certain features.
ui KubermaticUIConfiguration UI configures the dashboard.
api KubermaticAPIConfiguration API configures the frontend REST API used by the dashboard.
seedController KubermaticSeedControllerConfiguration SeedController configures the seed-controller-manager.
masterController KubermaticMasterControllerConfiguration MasterController configures the master-controller-manager.
webhook KubermaticWebhookConfiguration Webhook configures the webhook.
userCluster KubermaticUserClusterConfiguration UserCluster configures various aspects of the user-created clusters.
exposeStrategy ExposeStrategy ExposeStrategy is the strategy to expose the cluster with.
Note: The `seed_dns_overwrite` setting of a Seed's datacenter doesn't have any effect
if this is set to LoadBalancerStrategy.
ingress KubermaticIngressConfiguration Ingress contains settings for making the API and UI accessible remotely.
versions KubermaticVersioningConfiguration Versions configures the available and default Kubernetes versions and updates.
verticalPodAutoscaler KubermaticVPAConfiguration VerticalPodAutoscaler configures the Kubernetes VPA integration.
proxy KubermaticProxyConfiguration Proxy allows to configure Kubermatic to use proxies to talk to the
world outside of its cluster.
mirrorImages string array MirrorImages is a list of container images that will be mirrored with the `kubermatic-installer mirror-images` command.
Each entry should be in the format "repository:tag".

KubermaticConfigurationStatus

KubermaticConfigurationStatus stores status information about a KubermaticConfiguration.

Appears in:

Field Description
kubermaticVersion string KubermaticVersion is the current Kubermatic version.
kubermaticEdition string KubermaticEdition is the current Kubermatic edition, i.e. Community Edition or Enterprise Edition.

KubermaticIngressConfiguration

Appears in:

Field Description
domain string Domain is the base domain where the dashboard shall be available. Even with
a disabled Ingress, this must always be a valid hostname.
className string ClassName is the Ingress resource's class name, used for selecting the appropriate
ingress controller.
namespaceOverride string NamespaceOverride needs to be set if a different ingress-controller is used than the KKP default one.
disable boolean Disable will prevent an Ingress from being created at all. This is mostly useful
during testing. If the Ingress is disabled, the CertificateIssuer setting can also
be left empty, as no Certificate resource will be created.
certificateIssuer TypedLocalObjectReference CertificateIssuer is the name of a cert-manager Issuer or ClusterIssuer (default)
that will be used to acquire the certificate for the configured domain.
To use a namespaced Issuer, set the Kind to "Issuer" and manually create the
matching Issuer in Kubermatic's namespace.
Setting an empty name disables the automatic creation of certificates and disables
the TLS settings on the Kubermatic Ingress.

KubermaticMasterControllerConfiguration

KubermaticMasterControllerConfiguration configures the Kubermatic master controller-manager.

Appears in:

Field Description
dockerRepository string DockerRepository is the repository containing the Kubermatic master-controller-manager image.
projectsMigrator KubermaticProjectsMigratorConfiguration ProjectsMigrator configures the migrator for user projects.
pprofEndpoint string PProfEndpoint controls the port the master-controller-manager should listen on to provide pprof
data. This port is never exposed from the container and only available via port-forwardings.
resources ResourceRequirements Resources describes the requested and maximum allowed CPU/memory usage.
debugLog boolean DebugLog enables more verbose logging.
replicas integer Replicas sets the number of pod replicas for the master-controller-manager.

KubermaticProjectsMigratorConfiguration

KubermaticProjectsMigratorConfiguration configures the Kubermatic master controller-manager.

Appears in:

Field Description
dryRun boolean DryRun makes the migrator only log the actions it would take.

KubermaticProxyConfiguration

KubermaticProxyConfiguration can be used to control how the various Kubermatic components reach external services / the Internet. These settings are reflected as environment variables for the Kubermatic pods.

Appears in:

Field Description
http string HTTP is the full URL to the proxy to use for plaintext HTTP
connections, e.g. "http://internalproxy.example.com:8080".
https string HTTPS is the full URL to the proxy to use for encrypted HTTPS
connections, e.g. "http://secureinternalproxy.example.com:8080".
noProxy string NoProxy is a comma-separated list of hostnames / network masks
for which no proxy shall be used. If you make use of proxies,
this list should contain all local and cluster-internal domains
and networks, e.g. "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,mydomain".
The operator will always prepend the following elements to this
list if proxying is configured (i.e. HTTP/HTTPS are not empty):
"127.0.0.1/8", "localhost", ".local", ".local.", "kubernetes", ".default", ".svc"

KubermaticSeedControllerConfiguration

KubermaticSeedControllerConfiguration configures the Kubermatic seed controller-manager.

Appears in:

Field Description
dockerRepository string DockerRepository is the repository containing the Kubermatic seed-controller-manager image.
backupStoreContainer string BackupStoreContainer is the container used for shipping etcd snapshots to a backup location.
backupDeleteContainer string BackupDeleteContainer is the container used for deleting etcd snapshots from a backup location.
backupCleanupContainer string Deprecated: BackupCleanupContainer is the container used for removing expired backups from the storage location.
This field is a no-op and is no longer used. The old backup controller it was used for has been
removed. Do not set this field.
maximumParallelReconciles integer MaximumParallelReconciles limits the number of cluster reconciliations
that are active at any given time.
pprofEndpoint string PProfEndpoint controls the port the seed-controller-manager should listen on to provide pprof
data. This port is never exposed from the container and only available via port-forwardings.
resources ResourceRequirements Resources describes the requested and maximum allowed CPU/memory usage.
debugLog boolean DebugLog enables more verbose logging.
replicas integer Replicas sets the number of pod replicas for the seed-controller-manager.
disabledCollectors MetricsCollector array DisabledCollectors contains a list of metrics collectors that should be disabled.
Acceptable values are "Addon", "Cluster", "ClusterBackup", "Project", and "None".

KubermaticSetting

KubermaticSetting is the type representing a KubermaticSetting. These settings affect the KKP dashboard and are not relevant when using the Kube API on the master/seed clusters directly.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string KubermaticSetting
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec SettingSpec

KubermaticSettingList

KubermaticSettingList is a list of settings.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string KubermaticSettingList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items KubermaticSetting array

KubermaticUIConfiguration

KubermaticUIConfiguration configures the dashboard.

Appears in:

Field Description
dockerRepository string DockerRepository is the repository containing the Kubermatic dashboard image.
dockerTag string DockerTag is used to overwrite the dashboard Docker image tag and is only for development
purposes. This field must not be set in production environments. If DockerTag is specified then
DockerTagSuffix will be ignored.
dockerTagSuffix string DockerTagSuffix is appended to the KKP version used for referring to the custom dashboard image.
If left empty, either the `DockerTag` if specified or the original dashboard Docker image tag will be used.
With DockerTagSuffix the tag becomes e.g. "v2.15.0-SUFFIX".
config string Config sets flags for various dashboard features.
resources ResourceRequirements Resources describes the requested and maximum allowed CPU/memory usage.
replicas integer Replicas sets the number of pod replicas for the UI deployment.
extraVolumeMounts VolumeMount array ExtraVolumeMounts allows mounting additional volumes into the UI container.
extraVolumes Volume array ExtraVolumes allows mounting additional volumes into the UI container.

KubermaticUserClusterConfiguration

KubermaticUserClusterConfiguration controls various aspects of the user-created clusters.

Appears in:

Field Description
kubermaticDockerRepository string KubermaticDockerRepository is the repository containing the Kubermatic user-cluster-controller-manager image.
dnatControllerDockerRepository string DNATControllerDockerRepository is the repository containing the
dnat-controller image.
etcdLauncherDockerRepository string EtcdLauncherDockerRepository is the repository containing the Kubermatic
etcd-launcher image.
overwriteRegistry string OverwriteRegistry specifies a custom Docker registry which will be used for all images
used for user clusters (user cluster control plane + addons). This also applies to
the KubermaticDockerRepository and DNATControllerDockerRepository fields.
addons KubermaticAddonsConfiguration Addons controls the optional additions installed into each user cluster.
systemApplications SystemApplicationsConfiguration SystemApplications contains configuration for system Applications (such as CNI).
applications ApplicationsConfiguration Applications contains configuration for default Application settings.
nodePortRange string NodePortRange is the port range for user clusters - this must match the NodePort
range of the seed cluster.
monitoring KubermaticUserClusterMonitoringConfiguration Monitoring can be used to fine-tune the in-cluster Prometheus.
disableApiserverEndpointReconciling boolean DisableAPIServerEndpointReconciling can be used to toggle the `--endpoint-reconciler-type` flag for
the Kubernetes API server.
etcdVolumeSize string EtcdVolumeSize configures the volume size to use for each etcd pod inside user clusters.
apiserverReplicas integer APIServerReplicas configures the replica count for the API-Server deployment inside user clusters.
machineController MachineControllerConfiguration MachineController configures the Machine Controller
operatingSystemManager OperatingSystemManager OperatingSystemManager configures the image repo and the tag version for osm deployment.

KubermaticUserClusterMonitoringConfiguration

KubermaticUserClusterMonitoringConfiguration can be used to fine-tune the in-cluster Prometheus.

Appears in:

Field Description
disableDefaultRules boolean DisableDefaultRules disables the recording and alerting rules.
disableDefaultScrapingConfigs boolean DisableDefaultScrapingConfigs disables the default scraping targets.
customRules string CustomRules can be used to inject custom recording and alerting rules. This field
must be a YAML-formatted string with a `group` element at its root, as documented
on https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/.
This value is treated as a Go template, which allows injecting dynamic values like
the internal cluster address or the cluster ID. Refer to pkg/resources/prometheus
and the documentation for more information on the available fields.
customScrapingConfigs string CustomScrapingConfigs can be used to inject custom scraping rules. This must be a
YAML-formatted string containing an array of scrape configurations as documented
on https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config.
This value is treated as a Go template, which allows injecting dynamic values like
the internal cluster address or the cluster ID. Refer to pkg/resources/prometheus
and the documentation for more information on the available fields.
scrapeAnnotationPrefix string ScrapeAnnotationPrefix (if set) is used to make the in-cluster Prometheus scrape pods
inside the user clusters.

KubermaticVPAComponent

Appears in:

Field Description
dockerRepository string DockerRepository is the repository containing the component's image.
resources ResourceRequirements Resources describes the requested and maximum allowed CPU/memory usage.

KubermaticVPAConfiguration

KubermaticVPAConfiguration configures the Kubernetes VPA.

Appears in:

Field Description
recommender KubermaticVPAComponent
updater KubermaticVPAComponent
admissionController KubermaticVPAComponent

KubermaticVersioningConfiguration

KubermaticVersioningConfiguration configures the available and default Kubernetes versions.

Appears in:

Field Description
versions Semver array Versions lists the available versions.
default Semver Default is the default version to offer users.
updates Update array Updates is a list of available and automatic upgrades.
All 'to' versions must be configured in the version list for this orchestrator.
Each update may optionally be configured to be 'automatic: true', in which case the
controlplane of all clusters whose version matches the 'from' directive will get
updated to the 'to' version. If automatic is enabled, the 'to' version must be a
version and not a version range.
Also, updates may set 'automaticNodeUpdate: true', in which case Nodes will get
updates as well. 'automaticNodeUpdate: true' implies 'automatic: true' as well,
because Nodes may not have a newer version than the controlplane.
providerIncompatibilities Incompatibility array ProviderIncompatibilities lists all the Kubernetes version incompatibilities
externalClusters object (keys:ExternalClusterProviderType, values:ExternalClusterProviderVersioningConfiguration) ExternalClusters contains the available and default Kubernetes versions and updates for ExternalClusters.

KubermaticWebhookConfiguration

KubermaticWebhookConfiguration configures the Kubermatic webhook.

Appears in:

Field Description
dockerRepository string DockerRepository is the repository containing the Kubermatic webhook image.
pprofEndpoint string PProfEndpoint controls the port the webhook should listen on to provide pprof
data. This port is never exposed from the container and only available via port-forwardings.
resources ResourceRequirements Resources describes the requested and maximum allowed CPU/memory usage.
debugLog boolean DebugLog enables more verbose logging.
replicas integer Replicas sets the number of pod replicas for the webhook.

KubernetesDashboard

KubernetesDashboard contains settings for the kubernetes-dashboard component as part of the cluster control plane.

Appears in:

Field Description
enabled boolean Controls whether kubernetes-dashboard is deployed to the user cluster or not.
Enabled by default.

Kubevirt

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
kubeconfig string Kubeconfig is the cluster's kubeconfig file, encoded with base64.
vpcName string VPCName is a virtual network name dedicated to a single tenant within a KubeVirt
subnetName string SubnetName is the name of a subnet that is a smaller, segmented portion of a larger network, like a Virtual Private Cloud (VPC).

KubevirtCloudSpec

KubevirtCloudSpec specifies the access data to Kubevirt.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
kubeconfig string The cluster's kubeconfig file, encoded with base64.
csiKubeconfig string
preAllocatedDataVolumes PreAllocatedDataVolume array Custom Images are a good example of this use case.
infraStorageClasses string array Deprecated: in favor of StorageClasses.
InfraStorageClasses is a list of storage classes from KubeVirt infra cluster that are used for
initialization of user cluster storage classes by the CSI driver kubevirt (hot pluggable disks).
storageClasses KubeVirtInfraStorageClass array StorageClasses is a list of storage classes from KubeVirt infra cluster that are used for
initialization of user cluster storage classes by the CSI driver kubevirt (hot pluggable disks).
It also contains a flag specifying which one is the default.
imageCloningEnabled boolean ImageCloningEnabled enables or disables cloning for a cluster.
vpcName string VPCName is a virtual network name dedicated to a single tenant within a KubeVirt.
subnetName string SubnetName is the name of a subnet that is a smaller, segmented portion of a larger network, like a Virtual Private Cloud (VPC).
csiDriverOperator KubeVirtCSIDriverOperator CSIDriverOperator configures the kubevirt csi driver operator.

LBSKU

Underlying type: string

Azure SKU for Load Balancers. Possible values are basic and standard.

Appears in:

LeaderElectionSettings

Appears in:

Field Description
leaseDurationSeconds integer LeaseDurationSeconds is the duration in seconds that non-leader candidates
will wait to force acquire leadership. This is measured against time of
last observed ack.
renewDeadlineSeconds integer RenewDeadlineSeconds is the duration in seconds that the acting controlplane
will retry refreshing leadership before giving up.
retryPeriodSeconds integer RetryPeriodSeconds is the duration in seconds the LeaderElector clients
should wait between tries of actions.

LoggingRateLimitSettings

LoggingRateLimitSettings contains rate-limiting configuration for logging in the user cluster.

Appears in:

Field Description
ingestionRate integer IngestionRate represents ingestion rate limit in requests per second (nginx `rate` in `r/s`).
ingestionBurstSize integer IngestionBurstSize represents ingestion burst size in number of requests (nginx `burst`).
queryRate integer QueryRate represents query request rate limit per second (nginx `rate` in `r/s`).
queryBurstSize integer QueryBurstSize represents query burst size in number of requests (nginx `burst`).

MLAAdminSetting

MLAAdminSetting is the object representing cluster-specific administrator settings for KKP user cluster MLA (monitoring, logging & alerting) stack.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string MLAAdminSetting
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec MLAAdminSettingSpec Spec describes the cluster-specific administrator settings for KKP user cluster MLA
(monitoring, logging & alerting) stack.

MLAAdminSettingList

MLAAdminSettingList specifies a list of administrator settings for KKP user cluster MLA (monitoring, logging & alerting) stack.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string MLAAdminSettingList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items MLAAdminSetting array Items holds the list of the cluster-specific administrative settings
for KKP user cluster MLA.

MLAAdminSettingSpec

MLAAdminSettingSpec specifies the cluster-specific administrator settings for KKP user cluster MLA (monitoring, logging & alerting) stack.

Appears in:

Field Description
clusterName string ClusterName is the name of the user cluster whose MLA settings are defined in this object.
monitoringRateLimits MonitoringRateLimitSettings MonitoringRateLimits contains rate-limiting configuration for monitoring in the user cluster.
loggingRateLimits LoggingRateLimitSettings LoggingRateLimits contains rate-limiting configuration for logging in the user cluster.

MLASettings

Appears in:

Field Description
monitoringEnabled boolean MonitoringEnabled is the flag for enabling monitoring in user cluster.
loggingEnabled boolean LoggingEnabled is the flag for enabling logging in user cluster.
monitoringResources ResourceRequirements MonitoringResources is the resource requirements for user cluster prometheus.
loggingResources ResourceRequirements LoggingResources is the resource requirements for user cluster promtail.
monitoringReplicas integer MonitoringReplicas is the number of desired pods of user cluster prometheus deployment.

MachineControllerConfiguration

MachineControllerConfiguration configures Machine Controller.

Appears in:

Field Description
imageRepository string ImageRepository is used to override the Machine Controller image repository.
It is only for development, tests and PoC purposes. This field must not be set in production environments.
imageTag string ImageTag is used to override the Machine Controller image.
It is only for development, tests and PoC purposes. This field must not be set in production environments.
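
A production-readiness check built from the field descriptions in this reference (`ingress.disable`, `ingress.certificateIssuer`, `ui.dockerTag`, `userCluster.machineController.imageRepository`/`imageTag`), as an added example that is not part of the Kubermatic code base. It assumes the KubermaticConfiguration is supplied as JSON with these fields under a top-level `spec` and reads the manifest as written, without operator defaulting; `AuditConfig`, `Finding` and the sample manifest are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleConfig is a constructed KubermaticConfiguration serialized as JSON.
// It is not taken from the page; all values are placeholders.
const sampleConfig = `{
  "apiVersion": "kubermatic.k8c.io/v1",
  "kind": "KubermaticConfiguration",
  "metadata": {"name": "kubermatic", "namespace": "kubermatic"},
  "spec": {
    "ingress": {
      "domain": "kkp.example.com",
      "certificateIssuer": {"kind": "ClusterIssuer", "name": ""}
    },
    "ui": {"dockerTag": "dev-build"},
    "userCluster": {"machineController": {"imageTag": "test"}}
  }
}`

// Finding is one setting that the reference describes as test- or
// development-only, or as switching off TLS on the Kubermatic Ingress.
type Finding struct {
	Path   string
	Reason string
}

// walk follows a key path through nested JSON objects and returns nil
// as soon as a step is missing or is not an object.
func walk(obj map[string]any, path ...string) any {
	var cur any = obj
	for _, key := range path {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil
		}
		cur = m[key]
	}
	return cur
}

// str returns the string at path, or "" when it is absent or not a string.
func str(obj map[string]any, path ...string) string {
	s, _ := walk(obj, path...).(string)
	return s
}

// AuditConfig decodes a KubermaticConfiguration and reports the settings
// that should not reach a production installation.
func AuditConfig(raw []byte) ([]Finding, error) {
	var obj map[string]any
	if err := json.Unmarshal(raw, &obj); err != nil {
		return nil, fmt.Errorf("decoding manifest: %w", err)
	}
	if kind := str(obj, "kind"); kind != "KubermaticConfiguration" {
		return nil, fmt.Errorf("unexpected kind %q", kind)
	}

	var out []Finding

	// A disabled Ingress needs no issuer, so the issuer check only runs
	// when the Ingress is actually going to be created.
	if disabled, _ := walk(obj, "spec", "ingress", "disable").(bool); disabled {
		out = append(out, Finding{
			Path:   "spec.ingress.disable",
			Reason: "no Ingress is created; documented as mostly useful during testing",
		})
	} else if str(obj, "spec", "ingress", "certificateIssuer", "name") == "" {
		out = append(out, Finding{
			Path:   "spec.ingress.certificateIssuer.name",
			Reason: "empty issuer name: no certificate is created and TLS is disabled on the Kubermatic Ingress",
		})
	}

	// Image overrides the reference marks as development/test/PoC only.
	devOnly := [][]string{
		{"spec", "ui", "dockerTag"},
		{"spec", "userCluster", "machineController", "imageRepository"},
		{"spec", "userCluster", "machineController", "imageTag"},
	}
	for _, p := range devOnly {
		if str(obj, p...) != "" {
			out = append(out, Finding{
				Path:   strings.Join(p, "."),
				Reason: "development-only override; must not be set in production environments",
			})
		}
	}
	return out, nil
}

func main() {
	findings, err := AuditConfig([]byte(sampleConfig))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
}
```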

MachineDeploymentOptions

Appears in:

Field Description
autoUpdatesEnabled boolean AutoUpdatesEnabled enables the auto updates option for machine deployments on the dashboard.
In case of flatcar linux, this will enable automatic updates through update engine and for other operating systems,
this will enable package updates on boot for the machines.
autoUpdatesEnforced boolean AutoUpdatesEnforced enforces the auto updates option for machine deployments on the dashboard.
In case of flatcar linux, this will enable automatic updates through update engine and for other operating systems,
this will enable package updates on boot for the machines.

MachineFlavorFilter

Appears in:

Field Description
minCPU integer Minimum number of vCPU
maxCPU integer Maximum number of vCPU
minRAM integer Minimum RAM size in GB
maxRAM integer Maximum RAM size in GB
enableGPU boolean Include VMs with GPU

MachineNetworkingConfig

MachineNetworkingConfig specifies the networking parameters used for IPAM.

Appears in:

Field Description
cidr string
gateway string
dnsServers string array

Match

Match contains the constraint to resource matching data.

Appears in:

Field Description
kinds Kind array Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which
the constraint will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope
scope string Scope accepts *, Cluster, or Namespaced which determines if cluster-scoped and/or namespace-scoped resources are selected. (defaults to *)
namespaces string array Namespaces is a list of namespace names. If defined, a constraint will only apply to resources in a listed namespace.
excludedNamespaces string array ExcludedNamespaces is a list of namespace names. If defined, a constraint will only apply to resources not in a listed namespace.
labelSelector LabelSelector LabelSelector is a standard Kubernetes label selector.
namespaceSelector LabelSelector NamespaceSelector is a standard Kubernetes namespace selector. If defined, make sure to add Namespaces to your
configs.config.gatekeeper.sh object to ensure namespaces are synced into OPA

MeteringConfiguration

MeteringConfiguration contains all the configuration for the metering tool.

Appears in:

Field Description
enabled boolean
storageClassName string StorageClassName is the name of the storage class that the metering Prometheus instance uses to store metric data for reporting.
storageSize string StorageSize is the size of the storage class. Default value is 100Gi. Changing this value requires
manual deletion of the existing Prometheus PVC (and thereby removing all metering data).
retentionDays integer RetentionDays is the number of days for which data should be kept in Prometheus. Default value is 90.
reports object (keys:string, values:MeteringReportConfiguration) ReportConfigurations is a map of report configuration definitions.

MeteringReportConfiguration

Appears in:

Field Description
schedule string Schedule in Cron format, see https://en.wikipedia.org/wiki/Cron. Please note that Schedule is responsible
only for setting the time when a report generation mechanism kicks off. The Interval MUST be set independently.
interval integer Interval defines the number of days consulted in the metering report.
Ignored when `Monthly` is set to true
monthly boolean Monthly creates a report for the previous month.
retention integer Retention defines a number of days after which reports are queued for removal. If not set, reports are kept forever.
Please note that this functionality works only for object storage that supports an object lifecycle management mechanism.
type string array Types of reports to generate. Available report types are cluster and namespace. By default, all types of reports are generated.
format MeteringReportFormat Format is the file format of the generated report, one of "csv" or "json" (defaults to "csv").

MeteringReportFormat

Underlying type: string

MeteringReportFormat maps directly to the values supported by the kubermatic-metering tool.

Appears in:

MetricsCollector

Underlying type: string

MetricsCollector is the name of an available metrics collector.

Appears in:

MlaOptions

Appears in:

Field Description
loggingEnabled boolean
loggingEnforced boolean
monitoringEnabled boolean
monitoringEnforced boolean

MonitoringRateLimitSettings

MonitoringRateLimitSettings contains rate-limiting configuration for monitoring in the user cluster.

Appears in:

Field Description
ingestionRate integer IngestionRate represents the ingestion rate limit in samples per second (Cortex `ingestion_rate`).
ingestionBurstSize integer IngestionBurstSize represents ingestion burst size in samples per second (Cortex `ingestion_burst_size`).
maxSeriesPerMetric integer MaxSeriesPerMetric represents maximum number of series per metric (Cortex `max_series_per_metric`).
maxSeriesTotal integer MaxSeriesTotal represents maximum number of series per this user cluster (Cortex `max_series_per_user`).
queryRate integer QueryRate represents query request rate limit per second (nginx `rate` in `r/s`).
queryBurstSize integer QueryBurstSize represents query burst size in number of requests (nginx `burst`).
maxSamplesPerQuery integer MaxSamplesPerQuery represents maximum number of samples during a query (Cortex `max_samples_per_query`).
maxSeriesPerQuery integer MaxSeriesPerQuery represents maximum number of timeseries during a query (Cortex `max_series_per_query`).

NamespacedMode

Underlying type: `struct{Enabled bool "json:\"enabled,omitempty\""; Namespace string "json:\"name,omitempty\""}`

Appears in:

NetworkRanges

NetworkRanges represents ranges of network addresses.

Appears in:

Field Description
cidrBlocks string array

NodePortProxyComponentEnvoy

Appears in:

Field Description
dockerRepository string DockerRepository is the repository containing the component's image.
resources ResourceRequirements Resources describes the requested and maximum allowed CPU/memory usage.
loadBalancerService EnvoyLoadBalancerService

NodeSettings

NodeSettings are node specific flags which can be configured on datacenter level.

Appears in:

Field Description
httpProxy ProxyValue Optional: If set, this proxy will be configured for both HTTP and HTTPS.
noProxy ProxyValue Optional: If set this will be set as NO_PROXY environment variable on the node;
The value must be a comma-separated list of domains for which no proxy
should be used, e.g. "*.example.com,internal.dev".
Note that the in-cluster apiserver URL will be automatically prepended
to this value.
insecureRegistries string array Optional: These image registries will be configured as insecure
on the container runtime.
registryMirrors string array Optional: These image registries will be configured as registry mirrors
on the container runtime.
pauseImage string Optional: Translates to --pod-infra-container-image on the kubelet.
If not set, the kubelet will default it.
containerdRegistryMirrors ContainerRuntimeContainerd Optional: ContainerdRegistryMirrors configure registry mirrors endpoints. Can be used multiple times to specify multiple mirrors.

NodeportProxyComponent

Appears in:

Field Description
dockerRepository string DockerRepository is the repository containing the component's image.
resources ResourceRequirements Resources describes the requested and maximum allowed CPU/memory usage.

NodeportProxyConfig

Appears in:

Field Description
disable boolean Disable will prevent the Kubermatic Operator from creating a nodeport-proxy
setup on the seed cluster. This should only be used if a suitable replacement
is installed (like the nodeport-proxy Helm chart).
annotations object (keys:string, values:string) Annotations are used to further tweak the LoadBalancer integration with the
cloud provider where the seed cluster is running.
Deprecated: Use .envoy.loadBalancerService.annotations instead.
envoy NodePortProxyComponentEnvoy Envoy configures the Envoy application itself.
envoyManager NodeportProxyComponent EnvoyManager configures the Kubermatic-internal Envoy manager.
updater NodeportProxyComponent Updater configures the component responsible for updating the LoadBalancer
service.
ipFamilyPolicy IPFamilyPolicy IPFamilyPolicy configures the IP family policy for the LoadBalancer service.
ipFamilies IPFamily array IPFamilies configures the IP families to use for the LoadBalancer service.

NotificationsOptions

Appears in:

Field Description
hideErrors boolean HideErrors will silence error notifications for the dashboard.
hideErrorEvents boolean HideErrorEvents will silence error events for the dashboard.

Nutanix

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
proxyURL string Optional: To configure an HTTP proxy to access Nutanix Prism Central.
username string Username that is used to access the Nutanix Prism Central API.
password string Password corresponding to the provided user.
clusterName string The name of the Nutanix cluster to which the resources and nodes are deployed.
projectName string Optional: Nutanix project to use. If none is given,
no project will be used.
csiUsername string Prism Element Username for CSI driver.
csiPassword string Prism Element Password for CSI driver.
csiEndpoint string CSIEndpoint to access Nutanix Prism Element for CSI driver.
csiPort integer CSIPort to use when connecting to the Nutanix Prism Element endpoint (defaults to 9440).

NutanixCSIConfig

NutanixCSIConfig contains credentials and the endpoint for the Nutanix Prism Element to which the CSI driver connects.

Appears in:

Field Description
username string Prism Element Username for CSI driver.
password string Prism Element Password for CSI driver.
endpoint string Prism Element Endpoint to access Nutanix Prism Element for CSI driver.
port integer Optional: Port to use when connecting to the Nutanix Prism Element endpoint (defaults to 9440).
storageContainer string Optional: defaults to "SelfServiceContainer".
fstype string Optional: defaults to "xfs"
ssSegmentedIscsiNetwork boolean Optional: defaults to "false".

NutanixCloudSpec

NutanixCloudSpec specifies the access data to Nutanix.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
clusterName string ClusterName is the Nutanix cluster that this user cluster will be deployed to.
projectName string The name of the project that this cluster is deployed into. If none is given, no project will be used.
proxyURL string Optional: Used to configure an HTTP proxy to access Nutanix Prism Central.
username string Username to access the Nutanix Prism Central API.
password string Password corresponding to the provided user.
csi NutanixCSIConfig NutanixCSIConfig for CSI driver that connects to a prism element.

OIDCProviderConfiguration

OIDCProviderConfiguration allows configuring an OIDC provider at the Seed level. If set, it overwrites the OIDC configuration from the KubermaticConfiguration. OIDC is later used to configure:

Appears in:

Field Description
issuerURL string URL of the provider which allows the API server to discover public signing keys.
issuerClientID string IssuerClientID is the application's ID.
issuerClientSecret string IssuerClientSecret is the application's secret.
cookieHashKey string Optional: CookieHashKey is required, used to authenticate the cookie value using HMAC.
It is recommended to use a key with 32 or 64 bytes.
If not set, configuration is inherited from the default OIDC provider.
cookieSecureMode boolean Optional: If CookieSecureMode is true, the cookie is received only over HTTPS; otherwise it is received over HTTP.
If not set, configuration is inherited from the default OIDC provider.
offlineAccessAsScope boolean Optional: If OfflineAccessAsScope is true, the "offline_access" scope will be used;
otherwise the "access_type=offline" query param will be passed.
If not set, configuration is inherited from the default OIDC provider.
skipTLSVerify boolean Optional: SkipTLSVerify skips TLS verification for the token issuer.
If not set, configuration is inherited from the default OIDC provider.

OIDCSettings

OIDCSettings contains OIDC configuration parameters for enabling authentication mechanism for the cluster.

Appears in:

Field Description
issuerURL string
clientID string
clientSecret string
usernameClaim string
groupsClaim string
requiredClaim string
extraScopes string
usernamePrefix string
groupsPrefix string

OPAIntegrationSettings

OPAIntegrationSettings configures the usage of OPA (Open Policy Agent) Gatekeeper inside the user cluster.

Appears in:

Field Description
enabled boolean Enables OPA Gatekeeper integration.
webhookTimeoutSeconds integer The timeout in seconds that is set for the Gatekeeper validating webhook admission review calls.
Defaults to `10` (seconds).
experimentalEnableMutation boolean Optional: Enables experimental mutation in Gatekeeper.
controllerResources ResourceRequirements Optional: ControllerResources is the resource requirements for user cluster gatekeeper controller.
auditResources ResourceRequirements Optional: AuditResources is the resource requirements for user cluster gatekeeper audit.

OSVersions

Underlying type: object

OSVersions defines a map of OS version and the source to download the image.

Appears in:

OpaOptions

Appears in:

Field Description
enabled boolean
enforced boolean

OpenStack

Appears in:

Field Description
enforceCustomDisk boolean EnforceCustomDisk will enforce the custom disk option for machines for the dashboard.

Openstack

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
useToken boolean
applicationCredentialID string Application credential ID to authenticate in combination with an application credential secret (which is not the user's password).
applicationCredentialSecret string Application credential secret (which is not the user's password) to authenticate in combination with an application credential ID.
username string
password string
project string Project, formerly known as tenant.
projectID string ProjectID, formerly known as tenantID.
domain string Domain holds the name of the identity service (keystone) domain.
network string Network holds the name of the internal network. When specified, all worker nodes will be attached to this network. If not specified, a network, subnet & router will be created.
securityGroups string
floatingIPPool string FloatingIPPool holds the name of the public network. The public network is reachable from the outside world and should provide the pool of IP addresses to choose from.
routerID string
subnetID string

OpenstackCloudSpec

OpenstackCloudSpec specifies access data to an OpenStack cloud.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
username string
password string
project string project, formerly known as tenant.
projectID string project id, formerly known as tenantID.
domain string Domain holds the name of the identity service (keystone) domain.
applicationCredentialID string Application credential ID to authenticate in combination with an application credential secret (which is not the user's password).
applicationCredentialSecret string Application credential secret (which is not the user's password) to authenticate in combination with an application credential ID.
useToken boolean
token string Used internally during cluster creation
network string Network holds the name of the internal network
When specified, all worker nodes will be attached to this network. If not specified, a network, subnet & router will be created.

Note that the network is internal if the "External" field is set to false
securityGroups string SecurityGroups is a comma-separated list of group names that shall be used for Machines in the cluster.
If this field is left empty, a single default security group will be created and this field will be filled-in.
nodePortsAllowedIPRange string A CIDR range that will be used to allow access to the node port range in the security group. Only applies if
the security group is generated by KKP and not preexisting.
If neither NodePortsAllowedIPRange nor NodePortsAllowedIPRanges is set, the node port range can be accessed from anywhere.
nodePortsAllowedIPRanges NetworkRanges Optional: CIDR ranges that will be used to allow access to the node port range in the security group. Only applies if
the security group is generated by KKP and not preexisting.
If neither NodePortsAllowedIPRange nor NodePortsAllowedIPRanges is set, the node port range can be accessed from anywhere.
floatingIPPool string FloatingIPPool holds the name of the public network
The public network is reachable from the outside world
and should provide the pool of IP addresses to choose from.

When specified, all worker nodes will receive a public ip from this floating ip pool

Note that the network is external if the "External" field is set to true
routerID string
subnetID string
ipv6SubnetID string IPv6SubnetID holds the ID of the subnet used for IPv6 networking.
If not provided, a new subnet will be created if IPv6 is enabled.
ipv6SubnetPool string IPv6SubnetPool holds the name of the subnet pool used for creating new IPv6 subnets.
If not provided, the default IPv6 subnet pool will be used.
useOctavia boolean Whether or not to use Octavia for LoadBalancer type of Service
implementation instead of using Neutron-LBaaS.
Attention: OpenStack CCM uses Octavia as the default load balancer
implementation since v1.17.0.

Takes precedence over the 'use_octavia' flag provided at datacenter
level if both are specified.
enableIngressHostname boolean Enable the `enable-ingress-hostname` cloud provider option on the Openstack CCM. Can only be used with the
external CCM and might be deprecated and removed in future versions as it is considered a workaround for the PROXY
protocol to preserve client IPs.
ingressHostnameSuffix string Set a specific suffix for the hostnames used for the PROXY protocol workaround that is enabled by EnableIngressHostname.
The suffix is set to `nip.io` by default. Can only be used with the external CCM and might be deprecated and removed in
future versions as it is considered a workaround only.
cinderTopologyEnabled boolean Flag to configure enablement of topology support for the Cinder CSI plugin.
This requires Nova and Cinder to have matching availability zones configured.

OpenstackNodeSizeRequirements

Underlying type: struct{MinimumVCPUs int "json:\"minimumVCPUs,omitempty\""; MinimumMemory int "json:\"minimumMemory,omitempty\""}

Appears in:

OperatingSystemManager

OperatingSystemManager configures the image repo and the tag version for osm deployment.

Appears in:

Field Description
imageRepository string ImageRepository is used to override the OperatingSystemManager image repository.
It is recommended to use this field only for development, tests and PoC purposes. For production environments,
it is not recommended to use this field due to compatibility with the overall KKP stack.
imageTag string ImageTag is used to override the OperatingSystemManager image.
It is recommended to use this field only for development, tests and PoC purposes. For production environments,
it is not recommended to use this field due to compatibility with the overall KKP stack.

OperatingSystemProfileList

Underlying type: map[OperatingSystem]string

OperatingSystemProfileList defines a map of operating system and the OperatingSystemProfile to use.

Appears in:

OperationType

Underlying type: string

OperationType is the type defining the operations triggering the compatibility check (CREATE or UPDATE).

Appears in:

Packet

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
apiKey string
projectID string
billingCycle string

PacketCloudSpec

PacketCloudSpec specifies access data to a Packet cloud.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
apiKey string
projectID string
billingCycle string

Parameters

Underlying type: RawMessage

Appears in:

PreAllocatedDataVolume

Appears in:

Field Description
name string
annotations object (keys:string, values:string)
url string
size string
storageClass string

Preset

Presets are preconfigured cloud provider credentials that can be applied to new clusters. This frees end users from having to know the actual credentials used for their clusters.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string Preset
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec PresetSpec

PresetList

PresetList is the type representing a PresetList.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string PresetList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items Preset array List of presets

PresetSpec

Presets specifies default presets for supported providers.

Appears in:

Field Description
digitalocean Digitalocean Access data for DigitalOcean.
hetzner Hetzner Access data for Hetzner.
azure Azure Access data for Microsoft Azure Cloud.
vsphere VSphere Access data for vSphere.
baremetal Baremetal Access data for Baremetal (Tinkerbell only for now).
aws AWS Access data for Amazon Web Services(AWS) Cloud.
openstack Openstack Access data for OpenStack.
packet Packet Access data for Packet Cloud.
gcp GCP Access data for Google Cloud Platform(GCP).
kubevirt Kubevirt Access data for KubeVirt.
alibaba Alibaba Access data for Alibaba Cloud.
anexia Anexia Access data for Anexia.
nutanix Nutanix Access data for Nutanix.
vmwareclouddirector VMwareCloudDirector Access data for VMware Cloud Director.
gke GKE Access data for Google Kubernetes Engine(GKE).
eks EKS Access data for Amazon Elastic Kubernetes Service(EKS).
aks AKS Access data for Azure Kubernetes Service(AKS).
requiredEmails string array RequiredEmails is a list of e-mail addresses that this preset should
be restricted to. Each item in the list can be either a full e-mail
address or just a domain name. This restriction is only enforced in the
KKP API.
projects string array Projects is a list of project IDs that this preset is limited to.
enabled boolean Only enabled presets will be available in the KKP dashboard.

Project

Project is the type describing a project. A project is a collection of SSH keys, clusters and members. Members are assigned by creating UserProjectBinding objects.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string Project
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ProjectSpec Spec describes the configuration of the project.
status ProjectStatus Status holds the current status of the project.

ProjectList

ProjectList is a collection of projects.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ProjectList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items Project array Items is the list of the projects.

ProjectPhase

Underlying type: string

Appears in:

ProjectSpec

ProjectSpec is a specification of a project.

Appears in:

Field Description
name string Name is the human-readable name given to the project.
allowedOperatingSystems allowedOperatingSystems AllowedOperatingSystems defines a map of operating systems that can be used for the machines inside this project.

ProjectStatus

ProjectStatus represents the current status of a project.

Appears in:

Field Description
phase ProjectPhase Phase describes the project phase. New projects are in the `Inactive`
phase; after being reconciled they move to `Active` and during deletion
they are `Terminating`.

ProviderConfiguration

Appears in:

Field Description
openStack OpenStack OpenStack are the configurations for openstack provider.
vmwareCloudDirector VMwareCloudDirectorSettings VMwareCloudDirector are the configurations for VMware Cloud Director provider.

ProviderNetwork

Underlying type: struct{Name string "json:\"name\""; VPCs []VPC "json:\"vpcs,omitempty\""; NetworkPolicyEnabled bool "json:\"networkPolicyEnabled,omitempty\""}

ProviderNetwork describes the infra cluster network fabric that is being used.

Appears in:

ProviderPreset

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.

ProxySettings

ProxySettings allow configuring a HTTP proxy for the controlplanes and nodes.

Appears in:

Field Description
httpProxy ProxyValue Optional: If set, this proxy will be configured for both HTTP and HTTPS.
noProxy ProxyValue Optional: If set this will be set as NO_PROXY environment variable on the node;
The value must be a comma-separated list of domains for which no proxy
should be used, e.g. "*.example.com,internal.dev".
Note that the in-cluster apiserver URL will be automatically prepended
to this value.

ProxyValue

Underlying type: string

Appears in:

ResourceDetails

ResourceDetails holds the CPU, Memory and Storage quantities.

Appears in:

ResourceQuota

ResourceQuota specifies the amount of cluster resources a project can use.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ResourceQuota
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ResourceQuotaSpec Spec describes the desired state of the resource quota.
status ResourceQuotaStatus Status holds the current state of the resource quota.

ResourceQuotaList

ResourceQuotaList is a collection of resource quotas.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string ResourceQuotaList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items ResourceQuota array Items is the list of the resource quotas.

ResourceQuotaSpec

ResourceQuotaSpec describes the desired state of a resource quota.

Appears in:

Field Description
subject Subject Subject specifies to which entity the quota applies.
quota ResourceDetails Quota specifies the current maximum allowed usage of resources.

ResourceQuotaStatus

ResourceQuotaStatus describes the current state of a resource quota.

Appears in:

Field Description
globalUsage ResourceDetails GlobalUsage holds the current usage of resources for all seeds.
localUsage ResourceDetails LocalUsage holds the current usage of resources for the local seed.

RuleGroup

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string RuleGroup
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec RuleGroupSpec

RuleGroupList

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string RuleGroupList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items RuleGroup array

RuleGroupSpec

Appears in:

Field Description
isDefault boolean IsDefault indicates whether the ruleGroup is default
ruleGroupType RuleGroupType RuleGroupType is the type this ruleGroup applies to. It can be `Metrics` or `Logs`.
cluster ObjectReference Cluster is the reference to the cluster the ruleGroup should be created in. All fields
except for the name are ignored.
data integer array Data contains the RuleGroup data. Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/#rule_group

RuleGroupType

Underlying type: string

Appears in:

SSHKeySpec

Appears in:

Field Description
name string Name is the human readable name for this SSH key.
owner string Owner is the name of the User object that owns this SSH key.
Deprecated: This field is not used anymore.
project string Project is the name of the Project object that this SSH key belongs to.
This field is immutable.
clusters string array Clusters is the list of cluster names that this SSH key is assigned to.
fingerprint string Fingerprint is calculated server-side based on the supplied public key
and doesn't need to be set by clients.
publicKey string PublicKey is the SSH public key.

SecretboxEncryptionConfiguration

SecretboxEncryptionConfiguration defines static key encryption based on the ‘secretbox’ solution for Kubernetes.

Appears in:

Field Description
keys SecretboxKey array List of 'secretbox' encryption keys. The first element of this list is considered
the "primary" key which will be used for encrypting data while writing it. Additional
keys will be used for decrypting data while reading it, if keys higher in the list
did not succeed in decrypting it.

SecretboxKey

SecretboxKey stores a key or key reference for encrypting Kubernetes API data at rest with a static key.

Appears in:

Field Description
name string Identifier of a key, used in various places to refer to the key.
value string Value contains a 32-byte random key that is base64 encoded. This is the key used
for encryption. Can be generated via `head -c 32 /dev/urandom | base64`, for example.
secretRef SecretKeySelector Instead of passing the sensitive encryption key via the `value` field, a secret can be
referenced. The key of the secret referenced here needs to hold a key equivalent to the `value` field.
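
The two secretbox tables above imply checks worth running before a key list is applied: every `value` must decode to exactly 32 bytes, and the first entry becomes the write key while the rest are read-only. The following Go sketch is an added example, not KKP code; the `SecretboxKey` struct is a local stand-in for the documented `name`/`value` fields, `secretRef` resolution is left out, and the key names and sample keys are constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
)

// SecretboxKey is a local stand-in for the documented name/value fields
// (assumption: not imported from the KKP API package).
type SecretboxKey struct {
	Name  string
	Value string // base64 of a 32-byte key
}

const secretboxKeyLen = 32

// ValidateSecretboxKeys checks a key list against the documented rules and
// returns the primary (write) key name plus the names of the read-only keys.
// Error messages never include key material.
func ValidateSecretboxKeys(keys []SecretboxKey) (string, []string, error) {
	if len(keys) == 0 {
		return "", nil, errors.New("no secretbox keys configured")
	}
	seenNames := map[string]bool{}
	seenValues := map[[secretboxKeyLen]byte]string{}
	var readOnly []string

	for i, k := range keys {
		if k.Name == "" {
			return "", nil, fmt.Errorf("keys[%d]: empty name", i)
		}
		if seenNames[k.Name] {
			return "", nil, fmt.Errorf("keys[%d]: duplicate name %q", i, k.Name)
		}
		seenNames[k.Name] = true

		raw, err := base64.StdEncoding.DecodeString(k.Value)
		if err != nil {
			return "", nil, fmt.Errorf("key %q: value is not valid base64", k.Name)
		}
		if len(raw) != secretboxKeyLen {
			return "", nil, fmt.Errorf("key %q: decoded length %d, want %d",
				k.Name, len(raw), secretboxKeyLen)
		}

		var fixed [secretboxKeyLen]byte
		copy(fixed[:], raw)
		if fixed == ([secretboxKeyLen]byte{}) {
			return "", nil, fmt.Errorf("key %q: all-zero key", k.Name)
		}
		// The same key under two names adds nothing to the decrypt chain
		// and usually means a rotation was not actually performed.
		if prev, dup := seenValues[fixed]; dup {
			return "", nil, fmt.Errorf("key %q: same key material as %q", k.Name, prev)
		}
		seenValues[fixed] = k.Name

		if i > 0 {
			readOnly = append(readOnly, k.Name)
		}
	}
	return keys[0].Name, readOnly, nil
}

// sampleKey builds a constructed, non-random key for demonstration only.
// Real keys must come from a CSPRNG, as the field description states.
func sampleKey(fill byte, n int) string {
	return base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{fill}, n))
}

func main() {
	keys := []SecretboxKey{
		{Name: "key-new", Value: sampleKey(0x41, 32)}, // primary: encrypts on write
		{Name: "key-old", Value: sampleKey(0x42, 32)}, // decrypt-only fallback
	}
	primary, readOnly, err := ValidateSecretboxKeys(keys)
	fmt.Println(primary, readOnly, err)

	// A 16-byte value is valid base64 but not a valid secretbox key.
	_, _, err = ValidateSecretboxKeys([]SecretboxKey{{Name: "short", Value: sampleKey(0x41, 16)}})
	fmt.Println(err)
}
```
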

Seed

Seed is the type representing a Seed cluster. Seed clusters host the control planes for KKP user clusters.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string Seed
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec SeedSpec Spec describes the configuration of the Seed cluster.
status SeedStatus Status holds the runtime information of the Seed cluster.

SeedCondition

Appears in:

Field Description
status ConditionStatus Status of the condition, one of True, False, Unknown.
lastHeartbeatTime Time Last time we got an update on a given condition.
lastTransitionTime Time Last time the condition transitioned from one status to another.
reason string (brief) reason for the condition's last transition.
message string Human readable message indicating details about last transition.

SeedConditionType

Underlying type: string

SeedConditionType is used to indicate the type of a seed condition. For all condition types, the true value must indicate success. All condition types must be registered within the AllSeedConditionTypes variable.

Appears in:

SeedList

SeedDatacenterList is the type representing a SeedDatacenterList.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string SeedList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items Seed array List of seeds

SeedMLASettings

SeedMLASettings allow configuring seed level MLA (Monitoring, Logging & Alerting) stack settings.

Appears in:

Field Description
userClusterMLAEnabled boolean Optional: UserClusterMLAEnabled controls whether the user cluster MLA (Monitoring, Logging & Alerting) stack is enabled in the seed.

SeedPhase

Underlying type: string

Appears in:

SeedSpec

The spec for a seed cluster.

Appears in:

Field Description
country string Optional: Country of the seed as ISO-3166 two-letter code, e.g. DE or UK.
For informational purposes in the Kubermatic dashboard only.
location string Optional: Detailed location of the cluster, like "Hamburg" or "Datacenter 7".
For informational purposes in the Kubermatic dashboard only.
kubeconfig ObjectReference A reference to the Kubeconfig of this cluster. The Kubeconfig must
have cluster-admin privileges. This field is mandatory for every
seed, even if there are no datacenters defined yet.
datacenters object (keys:string, values:Datacenter) Datacenters contains a map of the possible datacenters (DCs) in this seed.
Each DC must have a globally unique identifier (i.e. names must be unique
across all seeds).
seedDNSOverwrite string Optional: This can be used to override the DNS name used for this seed.
By default the seed name is used.
nodeportProxy NodeportProxyConfig NodeportProxy can be used to configure the NodePort proxy service that is
responsible for making user-cluster control planes accessible from the outside.
proxySettings ProxySettings Optional: ProxySettings can be used to configure HTTP proxy settings on the
worker nodes in user clusters. However, proxy settings on nodes take precedence.
exposeStrategy ExposeStrategy Optional: ExposeStrategy explicitly sets the expose strategy for this seed cluster, if not set, the default provided by the master is used.
mla SeedMLASettings Optional: MLA allows configuring seed level MLA (Monitoring, Logging & Alerting) stack settings.
defaultComponentSettings ComponentSettings DefaultComponentSettings are default values to set for newly created clusters.
Deprecated: Use DefaultClusterTemplate instead.
defaultClusterTemplate string DefaultClusterTemplate is the name of a cluster template of scope "seed" that is used
to default all newly created clusters.
metering MeteringConfiguration Metering configures the metering tool on user clusters across the seed.
etcdBackupRestore EtcdBackupRestore EtcdBackupRestore holds the configuration of the automatic etcd backup restores for the Seed;
if this is set, the new backup/restore controllers are enabled for this Seed.
oidcProviderConfiguration OIDCProviderConfiguration OIDCProviderConfiguration allows to configure OIDC provider at the Seed level.
kubelb KubeLBSettings KubeLB holds the configuration for the kubeLB at the Seed level. This component is responsible for managing load balancers.
Only available in Enterprise Edition.
disabledCollectors MetricsCollector array DisabledCollectors contains a list of metrics collectors that should be disabled.
Acceptable values are "Addon", "Cluster", "ClusterBackup", "Project", and "None".

SeedStatus

SeedStatus contains runtime information regarding the seed.

Appears in:

Field Description
phase SeedPhase Phase contains a human readable text to indicate the seed cluster status. No logic should be tied
to this field, as its content can change in between KKP releases.
clusters integer Clusters is the total number of user clusters that exist on this seed.
versions SeedVersionsStatus Versions contains information regarding versions of components in the cluster and the cluster
itself.
conditions object (keys:SeedConditionType, values:SeedCondition) Conditions contains conditions the seed is in, its primary use case is status signaling
between controllers or between controllers and the API.

SeedVersionsStatus

SeedVersionsStatus contains information regarding versions of components in the cluster and the cluster itself.

Appears in:

Field Description
kubermatic string Kubermatic is the version of the currently deployed KKP components. Note that a permanent
version skew between master and seed is not supported and KKP setups should never run for
longer times with a skew between the clusters.
cluster string Cluster is the Kubernetes version of the cluster's control plane.

ServiceAccountSettings

Appears in:

Field Description
tokenVolumeProjectionEnabled boolean
issuer string Issuer is the identifier of the service account token issuer
If this is not specified, it will be set to the URL of apiserver by default
apiAudiences string array APIAudiences are the Identifiers of the API
If this is not specified, it will be set to a single element list containing the issuer URL

SettingSpec

Appears in:

Field Description
customLinks CustomLinks CustomLinks are additional links that can be shown in the dashboard's footer.
defaultNodeCount integer DefaultNodeCount is the default number of replicas for the initial MachineDeployment.
displayDemoInfo boolean DisplayDemoInfo controls whether a "Demo System" hint is shown in the footer.
displayAPIDocs boolean DisplayDemoInfo controls whether a link to the KKP API documentation is shown in the footer.
displayTermsOfService boolean DisplayDemoInfo controls whether a link to TOS is shown in the footer.
enableDashboard boolean EnableDashboard enables the link to the Kubernetes dashboard for a user cluster.
enableWebTerminal boolean EnableWebTerminal enables the Web Terminal feature for the user clusters.
Deprecated: EnableWebTerminal is deprecated and should be removed in KKP 2.27+. Please use webTerminalOptions instead. When webTerminalOptions.enabled is set then this field will be ignored.
enableShareCluster boolean EnableShareCluster enables the Share Cluster feature for the user clusters.
enableOIDCKubeconfig boolean
enableClusterBackup boolean EnableClusterBackup enables the Cluster Backup feature in the dashboard.
enableEtcdBackup boolean EnableEtcdBackup enables the etcd Backup feature in the dashboard.
disableAdminKubeconfig boolean DisableAdminKubeconfig disables the admin kubeconfig functionality on the dashboard.
userProjectsLimit integer UserProjectsLimit is the maximum number of projects a user can create.
restrictProjectCreation boolean
restrictProjectDeletion boolean
enableExternalClusterImport boolean
cleanupOptions CleanupOptions CleanupOptions control what happens when a cluster is deleted via the dashboard.
opaOptions OpaOptions
mlaOptions MlaOptions
mlaAlertmanagerPrefix string
mlaGrafanaPrefix string
notifications NotificationsOptions Notifications are the configuration for notifications on dashboard.
providerConfiguration ProviderConfiguration ProviderConfiguration are the cloud provider specific configurations on dashboard.
webTerminalOptions WebTerminalOptions WebTerminalOptions are the configurations for the Web Terminal feature.
machineDeploymentVMResourceQuota MachineFlavorFilter MachineDeploymentVMResourceQuota is used to filter out allowed machine flavors based on the specified resource limits like CPU, Memory, and GPU etc.
allowedOperatingSystems allowedOperatingSystems AllowedOperatingSystems shows if the operating system is allowed to be used in the machinedeployment.
defaultQuota DefaultProjectResourceQuota DefaultProjectResourceQuota allows to configure a default project resource quota which
will be set for all projects that do not have a custom quota already set. EE-version only.
machineDeploymentOptions MachineDeploymentOptions
disableChangelogPopup boolean DisableChangelogPopup disables the changelog popup in KKP dashboard.
staticLabels StaticLabel array StaticLabels are a list of labels that can be used for the clusters.
annotations AnnotationSettings Annotations are the settings for the annotations in KKP UI.
announcements object (keys:string, values:Announcement) The announcement feature allows administrators to broadcast important messages to all users.

StatefulSetSettings

Appears in:

Field Description
replicas integer
resources ResourceRequirements
tolerations Toleration array

StaticLabel

StaticLabel is a label that can be used for the clusters.

Appears in:

Field Description
key string
values string array
default boolean
protected boolean

Subject

Subject describes the entity to which the quota applies.

Appears in:

Field Description
name string Name of the quota subject.

Subnet

Subnet is a smaller, segmented portion of a larger network, like a Virtual Private Cloud (VPC).

Appears in:

Field Description
name string
zones string array Zones represent a logical failure domain. It is common for Kubernetes clusters to span multiple zones
for increased availability
regions string array Regions represents a larger domain, made up of one or more zones. It is uncommon for Kubernetes clusters
to span multiple regions

SubnetCIDR

Underlying type: string

SubnetCIDR is used to store IPv4/IPv6 CIDR.

Appears in:

SystemApplicationsConfiguration

SystemApplicationsConfiguration contains configuration for system Applications (e.g. CNI).

Appears in:

Field Description
helmRepository string HelmRepository specifies OCI repository containing Helm charts of system Applications e.g. oci://localhost:5000/myrepo.
helmRegistryConfigFile SecretKeySelector HelmRegistryConfigFile optionally holds the ref and key in the secret for the OCI registry credential file.
The value is dockercfg file that follows the same format rules as ~/.docker/config.json
The Secret must exist in the namespace where KKP is installed (default is "kubermatic").
The Secret must be annotated with `apps.kubermatic.k8c.io/secret-type:` set to "helm".

Tinkerbell

Appears in:

Field Description
kubeconfig string Kubeconfig is the cluster's kubeconfig file, encoded with base64.

TinkerbellCloudSpec

Appears in:

Field Description
kubeconfig string The cluster's kubeconfig file, encoded with base64.

TinkerbellHTTPSource

TinkerbellHTTPSource represents list of images and their versions that can be downloaded over HTTP.

Appears in:

Field Description
operatingSystems object (keys:OperatingSystem, values:OSVersions) OperatingSystems represents list of supported operating-systems with their URLs.

Update

Update represents an update option for a user cluster.

Appears in:

Field Description
from string From is the version from which an update is allowed. Wildcards are allowed, e.g. "1.18.*".
to string To is the version to which an update is allowed.
Must be a valid version if `automatic` is set to true, e.g. "1.20.13".
Can be a wildcard otherwise, e.g. "1.20.*".
automatic boolean Automatic controls whether this update is executed automatically
for the control plane of all matching user clusters.
automaticNodeUpdate boolean Automatic controls whether this update is executed automatically
for the worker nodes of all matching user clusters.

UpdateWindow

UpdateWindow allows defining windows for maintenance tasks related to OS updates. This is only applied to cluster nodes using Flatcar Linux. The reference time for this is the node system time and might differ from the user’s timezone, which needs to be considered when configuring a window.

Appears in:

Field Description
start string Sets the start time of the update window. This can be a time of day in 24h format, e.g. `22:30`,
or a day of week plus a time of day, for example `Mon 21:00`. Only short names for week days are supported,
i.e. `Mon`, `Tue`, `Wed`, `Thu`, `Fri`, `Sat` and `Sun`.
length string Sets the length of the update window beginning with the start time. This needs to be a valid duration
as parsed by Go's time.ParseDuration (https://pkg.go.dev/time#ParseDuration), e.g. `2h`.
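
A pre-apply check for the two UpdateWindow fields, written against the formats described above. This is an added example, not KKP's own validation code; `ValidateUpdateWindow` is a hypothetical helper, and rejecting zero or negative lengths is an assumption.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Short week day names listed in the field description.
var weekDays = map[string]bool{
	"Mon": true, "Tue": true, "Wed": true, "Thu": true,
	"Fri": true, "Sat": true, "Sun": true,
}

// ValidateUpdateWindow (hypothetical helper) checks an UpdateWindow's start
// and length against the formats the field descriptions give.
func ValidateUpdateWindow(start, length string) error {
	clock := start
	if parts := strings.Fields(start); len(parts) == 2 {
		if !weekDays[parts[0]] {
			return fmt.Errorf("start: unsupported week day %q", parts[0])
		}
		clock = parts[1]
	}
	// Layout "15:04" is a 24h hour and a two-digit minute.
	if _, err := time.Parse("15:04", clock); err != nil {
		return fmt.Errorf("start: %q is not a 24h time of day", clock)
	}
	d, err := time.ParseDuration(length)
	if err != nil {
		return fmt.Errorf("length: %w", err)
	}
	// Assumption: a zero or negative window is a configuration mistake.
	if d <= 0 {
		return fmt.Errorf("length: %s is not a positive duration", d)
	}
	return nil
}

func main() {
	// Constructed sample values, not taken from a real cluster.
	samples := [][2]string{
		{"22:30", "2h"}, {"Mon 21:00", "1h30m"},
		{"Monday 21:00", "2h"}, {"25:00", "2h"}, {"22:30", "2 hours"},
	}
	for _, s := range samples {
		fmt.Printf("start=%q length=%q -> %v\n", s[0], s[1], ValidateUpdateWindow(s[0], s[1]))
	}
}
```

The check covers syntax only; the window is still evaluated against the node's system time, as noted in the type description.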

User

User specifies a KKP user. Users can be either humans or KKP service accounts.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string User
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec UserSpec Spec describes a KKP user.
status UserStatus Status holds the information about the KKP user.

UserList

UserList is a list of users.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string UserList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items User array Items is the list of KKP users.

UserProjectBinding

UserProjectBinding specifies a binding between a user and a project. This resource is used by the user management to manipulate members of the given project.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string UserProjectBinding
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec UserProjectBindingSpec Spec describes a KKP user and project binding.

UserProjectBindingList

UserProjectBindingList is a list of KKP user and project bindings.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string UserProjectBindingList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items UserProjectBinding array Items is the list of KKP user and project bindings.

UserProjectBindingSpec

UserProjectBindingSpec specifies a user and project binding.

Appears in:

Field Description
userEmail string UserEmail is the email of the user that is bound to the given project.
projectID string ProjectID is the name of the target project.
group string Group is the user's group, determining their permissions within the project.
Must be one of `owners`, `editors`, `viewers` or `projectmanagers`.

UserSSHKey

UserSSHKey specifies a user's UserSSHKey.

Appears in:

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string UserSSHKey
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec SSHKeySpec

UserSSHKeyList

UserSSHKeyList is a list of UserSSHKeys.

Field Description
apiVersion string kubermatic.k8c.io/v1
kind string UserSSHKeyList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items UserSSHKey array

UserSettings

UserSettings represents a user's settings.

Appears in:

Field Description
selectedTheme string
itemsPerPage integer
selectedProjectID string
selectProjectTableView boolean
collapseSidenav boolean
displayAllProjectsForAdmin boolean
lastSeenChangelogVersion string
useClustersView boolean

UserSpec

UserSpec specifies a user.

Appears in:

Field Description
id string ID is an unused legacy field.
Deprecated: do not set this field anymore.
name string Name is the full name of this user.
email string Email is the email address of this user. Emails must be globally unique across
all KKP users.
admin boolean IsAdmin defines whether this user is an administrator with additional permissions.
Admins can for example see all projects and clusters in the KKP dashboard.
groups string array Groups holds the groups the user belongs to. Set automatically when logging in to the
KKP API, and used by the KKP API.
project string Project is the name of the project that this service account user is tied to. This
field is only applicable to service accounts and regular users must not set this field.
settings UserSettings Settings contains both user-configurable and system-owned configuration for the
KKP dashboard.
invalidTokensReference GlobalSecretKeySelector InvalidTokensReference is a reference to a Secret that contains invalidated
login tokens. The tokens are used to provide a safe logout mechanism.
readAnnouncements string array ReadAnnouncements holds the IDs of admin announcements that the user has read.

UserStatus

UserStatus stores status information about a user.

Appears in:

Field Description
lastSeen Time

VMwareCloudDirector

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
username string The VMware Cloud Director user name.
password string The VMware Cloud Director user password.
apiToken string The VMware Cloud Director API token.
vdc string The organizational virtual data center.
organization string The name of the organization to use.
ovdcNetwork string The name of the organizational virtual data center network that will be associated with the VMs and vApp.
Deprecated: OVDCNetwork has been deprecated starting with KKP 2.25 and will be removed in KKP 2.27+. It is recommended to use OVDCNetworks instead.
ovdcNetworks string array OVDCNetworks is the list of organizational virtual data center networks that will be attached to the vApp and can be consumed by the VMs.

VMwareCloudDirectorCSIConfig

Appears in:

Field Description
storageProfile string The name of the storage profile to use for disks created by CSI driver
filesystem string Filesystem to use for named disks, defaults to "ext4"

VMwareCloudDirectorCloudSpec

VMwareCloudDirectorCloudSpec specifies access data to VMware Cloud Director cloud.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
username string The VMware Cloud Director user name.
password string The VMware Cloud Director user password.
apiToken string The VMware Cloud Director API token.
organization string The name of the organization to use.
vdc string The organizational virtual data center.
ovdcNetwork string The name of the organizational virtual data center network that will be associated with the VMs and vApp.
Deprecated: OVDCNetwork has been deprecated starting with KKP 2.25 and will be removed in KKP 2.27+. It is recommended to use OVDCNetworks instead.
ovdcNetworks string array OVDCNetworks is the list of organizational virtual data center networks that will be attached to the vApp and can be consumed by the VMs.
vapp string VApp used for isolation of VMs and their associated network
csi VMwareCloudDirectorCSIConfig Config for CSI driver

VMwareCloudDirectorSettings

Appears in:

Field Description
ipAllocationModes ipAllocationMode array IPAllocationModes are the allowed IP allocation modes for the VMware Cloud Director provider. If not set, all modes are allowed.

VSphere

Appears in:

Field Description
enabled boolean Only enabled presets will be available in the KKP dashboard.
isCustomizable boolean IsCustomizable marks a preset as editable on the KKP UI; Customizable presets still have the credentials obscured on the UI, but other fields that are not considered private are displayed during cluster creation. Users can then update those fields, if required.
NOTE: This is only supported for OpenStack Cloud Provider in KKP 2.26. Support for other providers will be added later on.
datacenter string If datacenter is set, this preset is only applicable to the
configured datacenter.
username string The vSphere user name.
password string The vSphere user password.
vmNetName string Deprecated: Use networks instead.
networks string array List of vSphere networks.
datastore string Datastore to be used for storing virtual machines and as a default for dynamic volume provisioning, it is mutually exclusive with DatastoreCluster.
datastoreCluster string DatastoreCluster to be used for storing virtual machines, it is mutually exclusive with Datastore.
resourcePool string ResourcePool is used to manage resources such as cpu and memory for vSphere virtual machines. The resource pool should be defined on vSphere cluster level.
basePath string BasePath configures a vCenter folder path that KKP will create an individual cluster folder in.
If it's an absolute path, the RootPath configured in the datacenter will be ignored. If it is a relative path,
the BasePath part will be appended to the RootPath to construct the full path. For both cases,
the full folder structure needs to exist. KKP will only try to create the cluster folder.

VSphereCloudSpec

VSphereCloudSpec specifies access data to VSphere cloud.

Appears in:

Field Description
credentialsReference GlobalSecretKeySelector
username string The vSphere user name.
password string The vSphere user password.
vmNetName string The name of the vSphere network.
Deprecated: Use networks instead.
networks string array List of vSphere networks.
folder string Folder to be used to group the provisioned virtual
machines.
basePath string Optional: BasePath configures a vCenter folder path that KKP will create an individual cluster folder in.
If it's an absolute path, the RootPath configured in the datacenter will be ignored. If it is a relative path,
the BasePath part will be appended to the RootPath to construct the full path. For both cases,
the full folder structure needs to exist. KKP will only try to create the cluster folder.
datastore string Datastore to be used for storing virtual machines and as a default for
dynamic volume provisioning, it is mutually exclusive with
DatastoreCluster.
datastoreCluster string DatastoreCluster to be used for storing virtual machines, it is mutually
exclusive with Datastore.
storagePolicy string StoragePolicy to be used for storage provisioning
resourcePool string ResourcePool is used to manage resources such as cpu and memory for vSphere virtual machines. The resource pool
should be defined on vSphere cluster level.
infraManagementUser VSphereCredentials This user will be used for everything except cloud provider functionality
tags VSphereTag Tags represents the tags that are attached or created on the cluster level, that are then propagated down to the
MachineDeployments. In order to attach tags on MachineDeployment, users must create the tag on a cluster level first
then attach that tag on the MachineDeployment.

VSphereCredentials

VSphereCredentials represents a credential for accessing vSphere.

Appears in:

Field Description
username string
password string

VSphereTag

VSphereTag represents the tags that are attached or created on the cluster level, that are then propagated down to the MachineDeployments. In order to attach tags on MachineDeployment, users must create the tag on a cluster level first then attach that tag on the MachineDeployment.

Appears in:

Field Description
tags string array Tags represents the name of the created tags.
categoryID string CategoryID is the ID of the vSphere category that the tag belongs to. If the category ID is left empty, the default
category ID for the cluster will be used.

WebTerminalOptions

Appears in:

Field Description
enabled boolean Enabled enables the Web Terminal feature for the user clusters.
enableInternetAccess boolean EnableInternetAccess enables the Web Terminal feature to access the internet.
additionalEnvironmentVariables EnvVar array AdditionalEnvironmentVariables are the additional environment variables that can be set for the Web Terminal.
