-
Notifications
You must be signed in to change notification settings - Fork 1.2k
/
Copy pathfeatures.yaml
244 lines (212 loc) · 10.8 KB
/
features.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-features
namespace: knative-serving
labels:
app.kubernetes.io/name: knative-serving
app.kubernetes.io/component: controller
app.kubernetes.io/version: devel
annotations:
knative.dev/example-checksum: "63a13754"
data:
_example: |-
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# Default SecurityContext settings to secure-by-default values
# if unset.
#
# This value will default to "enabled" in a future release,
# probably Knative 1.10
secure-pod-defaults: "disabled"
# Indicates whether multi container support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/configuration/feature-flags/#multiple-containers
multi-container: "enabled"
# Indicates whether multi container probing is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/configuration/feature-flags/#multiple-container-probing
multi-container-probing: "disabled"
# Indicates whether Kubernetes affinity support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-node-affinity
kubernetes.podspec-affinity: "disabled"
# Indicates whether Kubernetes topologySpreadConstraints support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-topology-spread-constraints
kubernetes.podspec-topologyspreadconstraints: "disabled"
# Indicates whether Kubernetes hostAliases support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-host-aliases
kubernetes.podspec-hostaliases: "disabled"
# Indicates whether Kubernetes nodeSelector support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-node-selector
kubernetes.podspec-nodeselector: "disabled"
# Indicates whether Kubernetes tolerations support is enabled
#
# WARNING: Cannot safely be disabled once enabled
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-toleration
kubernetes.podspec-tolerations: "disabled"
# Indicates whether Kubernetes FieldRef support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-fieldref
kubernetes.podspec-fieldref: "disabled"
# Indicates whether Kubernetes RuntimeClassName support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-runtime-class
kubernetes.podspec-runtimeclassname: "disabled"
# Indicates whether Kubernetes DNSPolicy support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-dnspolicy
kubernetes.podspec-dnspolicy: "disabled"
# Indicates whether Kubernetes DNSConfig support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-dnsconfig
kubernetes.podspec-dnsconfig: "disabled"
# This feature allows end-users to set a subset of fields on the Pod's SecurityContext
#
# When set to "enabled" or "allowed" it allows the following
# PodSecurityContext properties:
# - FSGroup
# - RunAsGroup
# - RunAsNonRoot
# - SupplementalGroups
# - RunAsUser
# - SeccompProfile
#
# This feature flag should be used with caution as the PodSecurityContext
# properties may have a side-effect on non-user sidecar containers that come
# from Knative or your service mesh
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-security-context
kubernetes.podspec-securitycontext: "disabled"
# Indicated whether sharing the process namespace via ShareProcessNamespace pod spec is allowed.
# This can be especially useful for sharing data from images directly between sidecars
#
# See: https://knative.dev/docs/serving/configuration/feature-flags/#kubernetes-share-process-namespace
kubernetes.podspec-shareprocessnamespace: "disabled"
# Indicates whether hostIPC support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See https://knative.dev/docs/serving/configuration/feature-flags/#kubernetes-host-ipc
kubernetes.podspec-hostipc: "disabled"
# Indicates whether hostPID support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See https://knative.dev/docs/serving/configuration/feature-flags/#kubernetes-host-pid
kubernetes.podspec-hostpid: "disabled"
# Indicates whether hostNetwork support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See See https://knative.dev/docs/serving/configuration/feature-flags/#kubernetes-host-network
kubernetes.podspec-hostnetwork: "disabled"
# Indicates whether Kubernetes PriorityClassName support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-priority-class-name
kubernetes.podspec-priorityclassname: "disabled"
# Indicates whether Kubernetes SchedulerName support is enabled
#
# WARNING: Cannot safely be disabled once enabled.
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-scheduler-name
kubernetes.podspec-schedulername: "disabled"
# This feature flag allows end-users to add a subset of capabilities on the Pod's SecurityContext.
#
# When set to "enabled" or "allowed" it allows capabilities to be added to the container.
# For a list of possible capabilities, see https://man7.org/linux/man-pages/man7/capabilities.7.html
kubernetes.containerspec-addcapabilities: "disabled"
# This feature validates PodSpecs from the validating webhook
# against the K8s API Server.
#
# When "enabled", the server will always run the extra validation.
# When "allowed", the server will not run the dry-run validation by default.
# However, clients may enable the behavior on an individual Service by
# attaching the following metadata annotation: "features.knative.dev/podspec-dryrun":"enabled".
# See: https://knative.dev/docs/serving/feature-flags/#kubernetes-dry-run
kubernetes.podspec-dryrun: "allowed"
# Controls whether tag header based routing feature are enabled or not.
# 1. Enabled: enabling tag header based routing
# 2. Disabled: disabling tag header based routing
# See: https://knative.dev/docs/serving/feature-flags/#tag-header-based-routing
tag-header-based-routing: "disabled"
# Controls whether http2 auto-detection should be enabled or not.
# 1. Enabled: http2 connection will be attempted via upgrade.
# 2. Disabled: http2 connection will only be attempted when port name is set to "h2c".
autodetect-http2: "disabled"
# Controls whether volume support for EmptyDir is enabled or not.
# 1. Enabled: enabling EmptyDir volume support
# 2. Disabled: disabling EmptyDir volume support
kubernetes.podspec-volumes-emptydir: "enabled"
# Controls whether volume support for HostPath is enabled or not.
# WARNING: Cannot safely be disabled once enabled.
# WARNING: If you can avoid using a hostPath volume, you should.
# Please read https://kubernetes.io/docs/concepts/storage/volumes/#hostpath before enabling this feature.
# 1. Enabled: enabling HostPath volume support
# 2. Disabled: disabling HostPath volume support
kubernetes.podspec-volumes-hostpath: "disabled"
# Controls whether init containers support is enabled or not.
# 1. Enabled: enabling init containers support
# 2. Disabled: disabling init containers support
kubernetes.podspec-init-containers: "disabled"
# Controls whether persistent volume claim support is enabled or not.
# 1. Enabled: enabling persistent volume claim support
# 2. Disabled: disabling persistent volume claim support
kubernetes.podspec-persistent-volume-claim: "disabled"
# Controls whether write access for persistent volumes is enabled or not.
# 1. Enabled: enabling write access for persistent volumes
# 2. Disabled: disabling write access for persistent volumes
kubernetes.podspec-persistent-volume-write: "disabled"
# Controls if the queue proxy podInfo feature is enabled, allowed or disabled
#
# This feature should be enabled/allowed when using queue proxy Options (Extensions)
# Enabling will mount a podInfo volume to the queue proxy container.
# The volume will contains an 'annotations' file (from the pod's annotation field).
# The annotations in this file include the Service annotations set by the client creating the service.
# If mounted, the annotations can be accessed by queue proxy extensions at /etc/podinfo/annnotations
#
# 1. "enabled": always mount a podInfo volume
# 2. "disabled": never mount a podInfo volume
# 3. "allowed": by default, do not mount a podInfo volume
# However, a client may mount the podInfo volume on an individual Service by attaching
# the following metadata annotation to the Service: "features.knative.dev/queueproxy-podinfo":"enabled".
#
# NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE
queueproxy.mount-podinfo: "disabled"
# Default queue proxy resource requests and limits to good values for most cases if set.
queueproxy.resource-defaults: "disabled"