install.openshift.io_installconfigs.yaml
8849 lines (8824 loc) · 481 KB
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  name: installconfigs.install.openshift.io
spec:
  group: install.openshift.io
  names:
    kind: InstallConfig
    listKind: InstallConfigList
    plural: installconfigs
    singular: installconfig
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: InstallConfig is the configuration for an OpenShift install.
        properties:
          additionalTrustBundle:
            description: |-
              AdditionalTrustBundle is a PEM-encoded X.509 certificate bundle
              that will be added to the nodes' trusted certificate store.
            type: string
          additionalTrustBundlePolicy:
            description: |-
              AdditionalTrustBundlePolicy determines when to add the AdditionalTrustBundle
              to the nodes' trusted certificate store. "Proxyonly" is the default.
              The field can be set to following specified values.
              "Proxyonly" : adds the AdditionalTrustBundle to nodes when http/https proxy is configured.
              "Always" : always adds AdditionalTrustBundle.
            enum:
            - ""
            - Proxyonly
            - Always
            type: string
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          arbiter:
            description: |-
              Arbiter is the configuration for the machines that comprise the
              arbiter nodes.
            properties:
              architecture:
                default: amd64
                description: |-
                  Architecture is the instruction set architecture of the machine pool.
                  Defaults to amd64.
                enum:
                - ""
                - amd64
                type: string
              diskSetup:
                description: |-
                  DiskSetup stores the type of disks that will be setup with MachineConfigs.
                  The available types are etcd, swap and user-defined.
                items:
                  description: |-
                    Disk defines the type of disk (etcd, swap or user-defined) and the configuration
                    of each disk type.
                  properties:
                    etcd:
                      description: DiskEtcd defines a disk type of etcd.
                      properties:
                        platformDiskID:
                          type: string
                      type: object
                    swap:
                      description: DiskSwap defines a disk type of swap.
                      properties:
                        platformDiskID:
                          type: string
                      type: object
                    type:
                      description: DiskType is the string representation of the three
                        types disk setups
                      enum:
                      - etcd
                      - swap
                      - user-defined
                      type: string
                    userDefined:
                      description: DiskUserDefined defines a disk type of user-defined.
                      properties:
                        mountPath:
                          type: string
                        platformDiskID:
                          type: string
                      type: object
                  type: object
                type: array
              fencing:
                description: |-
                  Fencing stores the information about a baremetal host's management controller.
                  Fencing may only be set for control plane nodes.
                properties:
                  credentials:
                    description: Credentials stores the information about a baremetal
                      host's management controller.
                    items:
                      description: Credential stores the information about a baremetal
                        host's management controller.
                      properties:
                        address:
                          type: string
                        certificateVerification:
                          default: Enabled
                          description: |-
                            CertificateVerification Defines whether ssl certificate verification is required or not.
                            If omitted, the platform chooses a default, that default is enabled.
                          enum:
                          - Enabled
                          - Disabled
                          type: string
                        hostName:
                          type: string
                        password:
                          type: string
                        username:
                          type: string
                      required:
                      - address
                      - password
                      - username
                      type: object
                    type: array
                type: object
              hyperthreading:
                default: Enabled
                description: |-
                  Hyperthreading determines the mode of hyperthreading that machines in the
                  pool will utilize.
                  Default is for hyperthreading to be enabled.
                enum:
                - ""
                - Enabled
                - Disabled
                type: string
              management:
                default: ClusterAPI
                description: |-
                  Management is the API that will be used for machine management in the cluster.
                  Using this field for control plane machines requires the ClusterAPIControlPlaneInstall feature gate.
                  Using this field for compute machines requires the ClusterAPIComputeInstall feature gate.
                  Supported platforms: aws
                  Default is ClusterAPI.
                enum:
                - ClusterAPI
                - MachineAPI
                type: string
              name:
                description: |-
                  Name is the name of the machine pool.
                  For the control plane machine pool, the name will always be "master".
                  For the compute machine pools, the only valid name is "worker".
                  For the arbiter machine pools, the only valid name is "arbiter".
                type: string
              platform:
                description: Platform is configuration for machine pool specific to
                  the platform.
                properties:
                  aws:
                    description: AWS is the configuration used when installing on
                      AWS.
                    properties:
                      additionalSecurityGroupIDs:
                        description: |-
                          AdditionalSecurityGroupIDs contains IDs of additional security groups for machines, where each ID
                          is presented in the format sg-xxxx.
                        items:
                          type: string
                        maxItems: 10
                        type: array
                      amiID:
                        description: |-
                          AMIID is the AMI that should be used to boot the ec2 instance.
                          If set, the AMI should belong to the same region as the cluster.
                        type: string
                      cpuOptions:
                        description: |-
                          CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
                          When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
                          More info:
                          https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CpuOptionsRequest.html,
                          https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cpu-options-supported-instances-values.html
                        minProperties: 1
                        properties:
                          confidentialCompute:
                            description: |-
                              ConfidentialCompute specifies whether confidential computing should be enabled for the instance,
                              and, if so, which confidential computing technology to use.
                              Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging and omitted.
                              When set to Disabled, confidential computing will be disabled for the instance.
                              When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
                              In this case, ensure the following conditions are met:
                              1) The selected instance type supports AMD SEV-SNP.
                              2) The selected AWS region supports AMD SEV-SNP.
                              3) The selected AMI supports AMD SEV-SNP.
                              More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
                              When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
                              which is subject to change without notice. The current default is Disabled.
                            enum:
                            - Disabled
                            - AMDEncryptedVirtualizationNestedPaging
                            type: string
                        type: object
                      hostPlacement:
                        description: |-
                          hostPlacement configures placement on AWS Dedicated Hosts. This allows admins to assign instances to specific host
                          for a variety of needs including for regulatory compliance, to leverage existing per-socket or per-core software licenses (BYOL),
                          and to gain visibility and control over instance placement on a physical server.
                          When omitted, the instance is not constrained to a dedicated host.
                        properties:
                          affinity:
                            description: |-
                              affinity specifies the affinity setting for the instance.
                              Allowed values are AnyAvailable and DedicatedHost.
                              When Affinity is set to DedicatedHost, an instance started onto a specific host always restarts on the same host if stopped. In this scenario, the `dedicatedHost` field must be set.
                              When Affinity is set to AnyAvailable, and you stop and restart the instance, it can be restarted on any available host.
                            enum:
                            - DedicatedHost
                            - AnyAvailable
                            type: string
                          dedicatedHost:
                            description: |-
                              dedicatedHost specifies the exact host that an instance should be restarted on if stopped.
                              dedicatedHost is required when 'affinity' is set to DedicatedHost, and forbidden otherwise.
                            items:
                              description: DedicatedHost represents the configuration
                                for the usage of dedicated host.
                              properties:
                                id:
                                  description: |-
                                    id identifies the AWS Dedicated Host on which the instance must run.
                                    The value must start with "h-" followed by 17 lowercase hexadecimal characters (0-9 and a-f).
                                    Must be exactly 19 characters in length.
                                  maxLength: 19
                                  minLength: 19
                                  type: string
                                  x-kubernetes-validations:
                                  - message: hostID must start with 'h-' followed
                                      by 17 lowercase hexadecimal characters (0-9
                                      and a-f)
                                    rule: self.matches('^h-[0-9a-f]{17}$')
                              required:
                              - id
                              type: object
                            type: array
                        required:
                        - affinity
                        type: object
                        x-kubernetes-validations:
                        - message: dedicatedHost is required when affinity is DedicatedHost,
                            and forbidden otherwise
                          rule: 'has(self.affinity) && self.affinity == ''DedicatedHost''
                            ? has(self.dedicatedHost) : !has(self.dedicatedHost)'
                      iamProfile:
                        description: |-
                          IAMProfile is the name of the IAM instance profile to use for the machine.
                          Leave unset to have the installer create the IAM Profile on your behalf.
                          Cannot be specified together with iamRole.
                        type: string
                      iamRole:
                        description: |-
                          IAMRole is the name of the IAM Role to use for the instance profile of the machine.
                          Leave unset to have the installer create the IAM Role on your behalf.
                          Cannot be specified together with iamProfile.
                        type: string
                      metadataService:
                        description: EC2MetadataOptions defines metadata service interaction
                          options for EC2 instances in the machine pool.
                        properties:
                          authentication:
                            description: |-
                              Authentication determines whether or not the host requires the use of authentication when interacting with the metadata service.
                              When using authentication, this enforces v2 interaction method (IMDSv2) with the metadata service.
                              When omitted, this means the user has no opinion and the value is left to the platform to choose a good
                              default, which is subject to change over time. The current default is optional.
                              At this point this field represents `HttpTokens` parameter from `InstanceMetadataOptionsRequest` structure in AWS EC2 API
                              https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html
                            enum:
                            - Required
                            - Optional
                            type: string
                        type: object
                      rootVolume:
                        description: EC2RootVolume defines the root volume for EC2
                          instances in the machine pool.
                        properties:
                          iops:
                            description: |-
                              IOPS defines the amount of provisioned IOPS. (KiB/s). IOPS may only be set for
                              io1, io2, & gp3 volume types.
                            minimum: 0
                            type: integer
                          kmsKeyARN:
                            description: |-
                              The KMS key that will be used to encrypt the EBS volume.
                              If no key is provided the default KMS key for the account will be used.
                              https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetEbsDefaultKmsKeyId.html
                            type: string
                          size:
                            description: Size defines the size of the volume in gibibytes
                              (GiB).
                            minimum: 0
                            type: integer
                          throughput:
                            description: |-
                              Throughput to provision in MiB/s supported for the volume type. Not applicable to all types.
                              This parameter is valid only for gp3 volumes.
                              Valid Range: Minimum value of 125. Maximum value of 2000.
                              When omitted, this means no opinion, and the platform is left to
                              choose a reasonable default, which is subject to change over time.
                              The current default is 125.
                            format: int32
                            maximum: 2000
                            minimum: 125
                            type: integer
                          type:
                            description: Type defines the type of the volume.
                            type: string
                        required:
                        - size
                        - type
                        type: object
                      type:
                        description: |-
                          InstanceType defines the ec2 instance type.
                          eg. m4-large
                        type: string
                      zones:
                        description: Zones is list of availability zones that can
                          be used.
                        items:
                          type: string
                        type: array
                    type: object
                  azure:
                    description: Azure is the configuration used when installing on
                      Azure.
                    properties:
                      bootDiagnostics:
                        description: |-
                          BootDiagnostics has the value for the storage account URI where the
                          machine log information of the control plane is sent to.
                          Defaults to managed for control plane if no value is mentioned.
                        properties:
                          resourceGroup:
                            description: |-
                              ResourceGroup specifies the name of the resource group where the
                              storage account to be used for diagnostics storage is present.
                              Only used if the type is set to UserManaged.
                            type: string
                          storageAccountName:
                            description: |-
                              StorageAccountName specifies the storage account where the diagnostics
                              logs need to be stored.
                              Only used if the type is set to UserManaged.
                            type: string
                          type:
                            allOf:
                            - enum:
                              - Managed
                              - UserManaged
                              - Disabled
                            - enum:
                              - Disabled
                              - Managed
                              - UserManaged
                            description: |-
                              Type specifies the boot diagnostics type for the machines created.
                              Defaults as disabled for compute nodes and as managed for control plane
                              nodes.
                              Values allowed are Disabled, Managed and UserManaged.
                            type: string
                        required:
                        - resourceGroup
                        - storageAccountName
                        - type
                        type: object
                      dataDisks:
                        description: DataDisk specifies the parameters that are used
                          to add one or more data disks to the machine.
                        items:
                          description: DataDisk specifies the parameters that are
                            used to add one or more data disks to the machine.
                          properties:
                            cachingType:
                              description: CachingType specifies the caching requirements.
                              enum:
                              - None
                              - ReadOnly
                              - ReadWrite
                              type: string
                            diskSizeGB:
                              description: DiskSizeGB is the size in GB to assign
                                to the data disk.
                              format: int32
                              type: integer
                            lun:
                              description: |-
                                Lun Specifies the logical unit number of the data disk. This value is used to identify data disks within the VM and therefore must be unique for each data disk attached to a VM.
                                The value must be between 0 and 63.
                              format: int32
                              type: integer
                            managedDisk:
                              description: ManagedDisk specifies the Managed Disk
                                parameters for the data disk.
                              properties:
                                diskEncryptionSet:
                                  description: DiskEncryptionSet specifies the customer-managed
                                    disk encryption set resource id for the managed
                                    disk.
                                  properties:
                                    id:
                                      description: ID defines resourceID for diskEncryptionSet
                                        resource. It must be in the same subscription
                                      type: string
                                  type: object
                                securityProfile:
                                  description: SecurityProfile specifies the security
                                    profile for the managed disk.
                                  properties:
                                    diskEncryptionSet:
                                      description: |-
                                        DiskEncryptionSet specifies the customer-managed disk encryption set resource id for the
                                        managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and
                                        VMGuest blob.
                                      properties:
                                        id:
                                          description: ID defines resourceID for diskEncryptionSet
                                            resource. It must be in the same subscription
                                          type: string
                                      type: object
                                    securityEncryptionType:
                                      description: |-
                                        SecurityEncryptionType specifies the encryption type of the managed disk.
                                        It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState
                                        blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only.
                                        When set to VMGuestStateOnly, VirtualizedTrustedPlatformModule should be set to Enabled.
                                        When set to DiskWithVMGuestState, EncryptionAtHost should be disabled, SecureBoot and
                                        VirtualizedTrustedPlatformModule should be set to Enabled.
                                        It can be set only for Confidential VMs.
                                      enum:
                                      - VMGuestStateOnly
                                      - DiskWithVMGuestState
                                      type: string
                                  type: object
                                storageAccountType:
                                  type: string
                              type: object
                            nameSuffix:
                              description: |-
                                NameSuffix is the suffix to be appended to the machine name to generate the disk name.
                                Each disk name will be in format <machineName>_<nameSuffix>.
                              type: string
                          required:
                          - diskSizeGB
                          - nameSuffix
                          type: object
                        type: array
                      encryptionAtHost:
                        description: EncryptionAtHost enables encryption at the VM
                          host.
                        type: boolean
                      identity:
                        default: UserAssigned
                        description: |-
                          Identity is the type of identity used for the virtual machine.
                          The type 'UserAssigned' is a standalone Azure resource provided by the user
                          and assigned to the VM.
                          The default identity is a user-assigned identity, generated by the installer.
                          This default is expected to change in future releases.
                        properties:
                          type:
                            description: Type specifies the type of identity to be
                              used.
                            enum:
                            - None
                            - UserAssigned
                            type: string
                          userAssignedIdentities:
                            description: |-
                              UserAssignedIdentities is a list of identities to be attached to a node.
                              Only one user-assigned identity may be supplied.
                              Supplying more than one user-assigned identity is an experimental feature
                              which may be enabled with the MachineAPIMigration feature gate.
                            items:
                              description: UserAssignedIdentity contains the fields
                                that comprise a user-assigned identity.
                              properties:
                                name:
                                  description: Name is the name of the user-assigned
                                    identity to be assigned to the node.
                                  type: string
                                resourceGroup:
                                  description: ResourceGroup is the resource group
                                    that contains the user-assigned identity.
                                  type: string
                                subscription:
                                  description: Subscription is the subscription that
                                    contains the user-assigned identity.
                                  type: string
                              required:
                              - name
                              - resourceGroup
                              - subscription
                              type: object
                            type: array
                        required:
                        - type
                        - userAssignedIdentities
                        type: object
                      osDisk:
                        description: OSDisk defines the storage for instance.
                        properties:
                          diskEncryptionSet:
                            description: DiskEncryptionSet defines a disk encryption
                              set.
                            properties:
                              name:
                                description: Name is the name of the disk encryption
                                  set.
                                type: string
                              resourceGroup:
                                description: |-
                                  ResourceGroup defines the Azure resource group used by the disk
                                  encryption set.
                                type: string
                              subscriptionId:
                                description: |-
                                  SubscriptionID defines the Azure subscription the disk encryption
                                  set is in.
                                  Must be the same subscription ID as the resource group of the installer.
                                type: string
                            required:
                            - name
                            - resourceGroup
                            type: object
                          diskSizeGB:
                            description: DiskSizeGB defines the size of disk in GB.
                            format: int32
                            minimum: 0
                            type: integer
                          diskType:
                            description: |-
                              DiskType defines the type of disk.
                              For control plane nodes, the valid values are Premium_LRS and StandardSSD_LRS.
                              Default is Premium_LRS.
                            enum:
                            - Standard_LRS
                            - Premium_LRS
                            - StandardSSD_LRS
                            type: string
                          securityProfile:
                            description: SecurityProfile specifies the security profile
                              for the managed disk.
                            properties:
                              diskEncryptionSet:
                                description: |-
                                  DiskEncryptionSet specifies the customer managed disk encryption set resource id for the
                                  managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and
                                  VMGuestState blob.
                                properties:
                                  name:
                                    description: Name is the name of the disk encryption
                                      set.
                                    type: string
                                  resourceGroup:
                                    description: |-
                                      ResourceGroup defines the Azure resource group used by the disk
                                      encryption set.
                                    type: string
                                  subscriptionId:
                                    description: |-
                                      SubscriptionID defines the Azure subscription the disk encryption
                                      set is in.
                                      Must be the same subscription ID as the resource group of the installer.
                                    type: string
                                required:
                                - name
                                - resourceGroup
                                type: object
                              securityEncryptionType:
                                description: |-
                                  SecurityEncryptionType specifies the encryption type of the managed disk.
                                  It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState
                                  blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only.
                                  When set to VMGuestStateOnly, the VTpmEnabled should be set to true.
                                  When set to DiskWithVMGuestState, both SecureBootEnabled and VTpmEnabled should be set to true.
                                  It can be set only for Confidential VMs.
                                enum:
                                - VMGuestStateOnly
                                - DiskWithVMGuestState
                                type: string
                            type: object
                        required:
                        - diskSizeGB
                        type: object
                      osImage:
                        description: OSImage defines the image to use for the OS.
                        properties:
                          offer:
                            description: Offer is the offer of the image.
                            type: string
                          plan:
                            description: |-
                              Plan is the purchase plan of the image.
                              If omitted, it defaults to "WithPurchasePlan".
                            enum:
                            - WithPurchasePlan
                            - NoPurchasePlan
                            type: string
                          publisher:
                            description: Publisher is the publisher of the image.
                            type: string
                          sku:
                            description: SKU is the SKU of the image.
                            type: string
                          version:
                            description: Version is the version of the image.
                            type: string
                        required:
                        - offer
                        - publisher
                        - sku
                        - version
                        type: object
                      settings:
                        description: |-
                          Settings specify the security type and the UEFI settings of the virtual machine. This field can
                          be set for Confidential VMs and Trusted Launch for VMs.
                        properties:
                          confidentialVM:
                            description: |-
                              ConfidentialVM specifies the security configuration of the virtual machine.
                              For more information regarding Confidential VMs, please refer to:
                              https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview
                            properties:
                              uefiSettings:
                                description: UEFISettings specifies the security settings
                                  like secure boot and vTPM used while creating the
                                  virtual machine.
                                properties:
                                  secureBoot:
                                    description: |-
                                      SecureBoot specifies whether secure boot should be enabled on the virtual machine.
                                      Secure Boot verifies the digital signature of all boot components and halts the boot process if
                                      signature verification fails.
                                      If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.
                                    enum:
                                    - Enabled
                                    - Disabled
                                    type: string
                                  virtualizedTrustedPlatformModule:
                                    description: |-
                                      VirtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine.
                                      When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline.
                                      The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
                                      This is required to be set to enabled if the SecurityEncryptionType is defined.
                                      If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.
                                    enum:
                                    - Enabled
                                    - Disabled
                                    type: string
                                type: object
                            required:
                            - uefiSettings
                            type: object
                          securityType:
                            description: |-
                              SecurityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to
                              enable secure boot and vTPM. The default behavior is: secure boot and vTPM will not be enabled unless this property is set.
                            enum:
                            - ConfidentialVM
                            - TrustedLaunch
                            type: string
                          trustedLaunch:
                            description: |-
                              TrustedLaunch specifies the security configuration of the virtual machine.
                              For more information regarding TrustedLaunch for VMs, please refer to:
                              https://learn.microsoft.com/azure/virtual-machines/trusted-launch
                            properties:
                              uefiSettings:
                                description: UEFISettings specifies the security settings
                                  like secure boot and vTPM used while creating the
                                  virtual machine.
                                properties:
                                  secureBoot:
                                    description: |-
                                      SecureBoot specifies whether secure boot should be enabled on the virtual machine.
                                      Secure Boot verifies the digital signature of all boot components and halts the boot process if
                                      signature verification fails.
                                      If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.
                                    enum:
                                    - Enabled
                                    - Disabled
                                    type: string
                                  virtualizedTrustedPlatformModule:
                                    description: |-
                                      VirtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine.
                                      When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline.
                                      The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
                                      This is required to be set to enabled if the SecurityEncryptionType is defined.
                                      If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.
                                    enum:
                                    - Enabled
                                    - Disabled
                                    type: string
                                type: object
                            required:
                            - uefiSettings
                            type: object
                        required:
                        - securityType
                        type: object
                      type:
                        description: |-
                          InstanceType defines the azure instance type.
                          eg. Standard_DS_V2
                        type: string
                      ultraSSDCapability:
                        description: ultraSSDCapability defines if the instance should
                          use Ultra SSD disks.
                        enum:
                        - Enabled
                        - Disabled
                        type: string
                      vmNetworkingType:
                        description: |-
                          VMNetworkingType specifies whether to enable accelerated networking.
                          Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its
                          networking performance.
                          eg. values: "Accelerated", "Basic"
                        enum:
                        - Accelerated
                        - Basic
                        type: string
                      zones:
                        description: |-
                          Zones is list of availability zones that can be used.
                          eg. ["1", "2", "3"]
                        items:
                          type: string
                        type: array
                    type: object
                  baremetal:
                    description: BareMetal is the configuration used when installing
                      on bare metal.
                    type: object
                  gcp:
                    description: GCP is the configuration used when installing on
                      GCP
                    properties:
                      confidentialCompute:
                        default: Disabled
                        description: |-
                          confidentialCompute is an optional field defining whether the instance should have
                          Confidential Computing enabled or not, and the Confidential Computing technology of choice.
                          With Disabled, Confidential Computing is disabled.
                          With Enabled, Confidential Computing is enabled with no preference on the
                          Confidential Computing technology. The platform chooses a default i.e. AMD SEV,
                          which is subject to change over time.
                          With AMDEncryptedVirtualization, Confidential Computing is enabled with
                          AMD Secure Encrypted Virtualization (AMD SEV).
                          With AMDEncryptedVirtualizationNestedPaging, Confidential Computing is
                          enabled with AMD Secure Encrypted Virtualization Secure Nested Paging
                          (AMD SEV-SNP).
                          With IntelTrustedDomainExtensions, Confidential Computing is enabled with
                          Intel Trusted Domain Extensions (Intel TDX).
                          If any value other than Disabled is set, a machine type and region that supports
                          Confidential Computing must be specified. Machine series and regions supporting
                          Confidential Computing technologies can be checked at
                          https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#machine-type-cpu-zone
                          If any value other than Disabled is set, onHostMaintenance is required to be set
                          to "Terminate".
                        enum:
                        - ""
                        - Enabled
                        - Disabled
                        - AMDEncryptedVirtualization
                        - AMDEncryptedVirtualizationNestedPaging
                        - IntelTrustedDomainExtensions
                        type: string
                      onHostMaintenance:
                        default: Migrate
                        description: |-
                          OnHostMaintenance determines the behavior when a maintenance event occurs that might cause the instance to reboot.
                          Allowed values are "Migrate" and "Terminate".
                          If omitted, the platform chooses a default, which is subject to change over time, currently that default is "Migrate".
                        enum:
                        - Migrate
                        - Terminate
                        type: string
                      osDisk:
                        description: OSDisk defines the storage for instance.
                        properties:
                          DiskSizeGB:
                            description: DiskSizeGB defines the size of disk in GB.
                            format: int64
                            maximum: 65536
                            minimum: 16
                            type: integer
                          diskType:
                            description: |-
                              DiskType defines the type of disk.
                              For control plane nodes, the valid values are pd-balanced, pd-ssd, and hyperdisk-balanced.
                            enum:
                            - pd-balanced
                            - pd-ssd
                            - pd-standard
                            - hyperdisk-balanced
                            type: string
                          encryptionKey:
                            description: EncryptionKey defines the KMS key to be used
                              to encrypt the disk.
                            properties:
                              kmsKey:
                                description: KMSKey is a reference to a KMS Key to
                                  use for the encryption.
                                properties:
                                  keyRing:
                                    description: KeyRing is the name of the KMS Key
                                      Ring which the KMS Key belongs to.
                                    type: string
                                  location:
                                    description: Location is the GCP location in which
                                      the Key Ring exists.
                                    type: string
                                  name:
                                    description: Name is the name of the customer
                                      managed encryption key to be used for the disk
                                      encryption.
                                    type: string
                                  projectID:
                                    description: |-
                                      ProjectID is the ID of the Project in which the KMS Key Ring exists.
                                      Defaults to the VM ProjectID if not set.
                                    type: string
                                required:
                                - keyRing
                                - location
                                - name
                                type: object
                              kmsKeyServiceAccount:
                                description: |-
                                  KMSKeyServiceAccount is the service account being used for the
                                  encryption request for the given KMS key. If absent, the Compute
                                  Engine default service account is used.
                                  See https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_service_account
                                  for details on the default service account.
                                type: string
                            type: object
                        required:
                        - DiskSizeGB
                        type: object
                      osImage:
                        description: OSImage defines a custom image for instance.
                        properties:
                          name:
                            description: Name defines the name of the image.
                            type: string
                          project:
                            description: Project defines the name of the project containing
                              the image.
                            type: string
                        required:
                        - name
                        - project
                        type: object
                      secureBoot:
                        description: |-
                          SecureBoot Defines whether the instance should have secure boot enabled.
                          secure boot Verify the digital signature of all boot components, and halt the boot process if signature verification fails.
                          If omitted, the platform chooses a default, which is subject to change over time, currently that default is false.
                        enum:
                        - Enabled
                        - Disabled
                        type: string
                      serviceAccount:
                        description: |-
                          ServiceAccount is the email of a gcp service account to be used during installations.
                          The provided service account can be attached to both control-plane nodes
                          and worker nodes in order to provide the permissions required by the cloud provider.
                        type: string
                      tags:
                        description: Tags defines a set of network tags which will
                          be added to instances in the machineset
                        items:
                          type: string
                        type: array
                      type:
                        description: |-
                          InstanceType defines the GCP instance type.
                          eg. n1-standard-4
                        type: string
                      zones:
                        description: Zones is list of availability zones that can
                          be used.
                        items:
                          type: string
                        type: array
                    type: object
                  ibmcloud:
                    description: IBMCloud is the configuration used when installing
                      on IBM Cloud.
                    properties:
                      bootVolume:
                        description: BootVolume is the configuration for the machine's
                          boot volume.
                        properties:
                          encryptionKey:
                            description: |-
                              EncryptionKey is the CRN referencing a Key Protect or Hyper Protect
                              Crypto Services key to use for volume encryption. If not specified, a
                              provider managed encryption key will be used.
                            type: string
                        type: object
                      dedicatedHosts:
                        description: DedicatedHosts is the configuration for the machine's
                          dedicated host and profile.
                        items:
                          description: DedicatedHost stores the configuration for
                            the machine's dedicated host platform.
                          properties:
                            name:
                              description: |-
                                Name is the name of the dedicated host to provision the machine on. If
                                specified, machines will be created on pre-existing dedicated host.
                              type: string
                            profile:
                              description: |-
                                Profile is the profile ID for the dedicated host. If specified, new
                                dedicated host will be created for machines.
                              type: string
                          type: object
                        type: array
                      type:
                        description: InstanceType is the VSI machine profile.
                        type: string
                      zones:
                        description: Zones is the list of availability zones used
                          for machines in the pool.
                        items:
                          type: string
                        type: array
                    type: object
                  nutanix:
                    description: Nutanix is the configuration used when installing
                      on Nutanix.
                    properties:
                      bootType:
                        description: |-
                          BootType indicates the boot type (Legacy, UEFI or SecureBoot) the Machine's VM uses to boot.
                          If this field is empty or omitted, the VM will use the default boot type "Legacy" to boot.
                          "SecureBoot" depends on "UEFI" boot, i.e., enabling "SecureBoot" means that "UEFI" boot is also enabled.
                        enum:
                        - ""
                        - Legacy
                        - UEFI
                        - SecureBoot
                        type: string
                      categories:
                        description: |-
                          Categories optionally adds one or more prism categories (each with key and value) for
                          the Machine's VM to associate with. All the category key and value pairs specified must
                          already exist in the prism central.
                        items:
                          description: NutanixCategory identifies a pair of prism
                            category key and value
                          properties:
                            key:
                              description: key is the prism category key name
                              maxLength: 64
                              minLength: 1
                              type: string
                            value:
                              description: value is the prism category value associated
                                with the key
                              maxLength: 64
                              minLength: 1
                              type: string
                          required:
                          - key
                          - value
                          type: object
                        type: array
                        x-kubernetes-list-map-keys:
                        - key
                        x-kubernetes-list-type: map
                      coresPerSocket: