global: # Gardener API server configuration values apiserver: enabled: true service: enabled: true topologyAwareRouting: enabled: false replicaCount: 1 securePort: 8443 serviceAccountName: gardener-apiserver logLevel: info logFormat: json logVerbosity: "2" image: repository: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver tag: latest pullPolicy: IfNotPresent livenessProbe: # health probes should be disabled for debugging purposes only enable: true initialDelaySeconds: 15 periodSeconds: 10 successThreshold: 1 failureThreshold: 3 timeoutSeconds: 15 readinessProbe: # health probes should be disabled for debugging purposes only enable: true initialDelaySeconds: 15 periodSeconds: 10 successThreshold: 1 failureThreshold: 3 timeoutSeconds: 15 resources: requests: cpu: 100m memory: 100Mi # podAnnotations: # YAML formated annotations used for pod template # podLabels: # YAML formated labels used for pod template minReadySeconds: 30 rollingUpdate: maxSurge: 1 maxUnavailable: 0 encryption: config: | apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - resources: - controllerdeployments.core.gardener.cloud - controllerregistrations.core.gardener.cloud - internalsecrets.core.gardener.cloud - shootstates.core.gardener.cloud providers: - identity: {} etcd: useSidecar: false # only meant for development purposes. if this is set to true, other etcd config values are ignored servers: https://etcd:2379 # BEGIN etcd TLS configuration (CA and client certificate) # - either specify 'tlsSecretName' or ('caBundleSecretName' and 'clientCertSecretName') or ('caBundle' and 'tls') # tlsSecretName: etcd-tls-secrets # must contain 'ca.crt', 'tls.crt', 'tls.key' keys # caBundleSecretName: etcd-ca-bundle # must contain 'bundle.crt' key # clientCertSecretName: etcd-client-cert # must contain 'tls.crt', 'tls.key' keys # caBundle: | # -----BEGIN CERTIFICATE----- # ... # -----END CERTIFICATE----- # tls: # crt: | # -----BEGIN CERTIFICATE----- # ... # -----END CERTIFICATE----- # key: | # -----BEGIN RSA PRIVATE KEY----- # ... # -----END RSA PRIVATE KEY----- # END etcd TLS configuration (CA and client certificate) insecureSkipTLSVerify: false groupPriorityMinimum: 10000 versionPriority: 20 # BEGIN gardener-apiserver TLS configuration (CA and server certificate) # - specify 'caBundle' and ('tlsSecretName' or 'tls') caBundle: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- # tlsSecretName: gardener-apiserver-tls-secrets # must contain 'tls.crt', 'tls.key' keys tls: crt: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- key: | -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- # END gardener-apiserver TLS configuration (CA and server certificate) featureGates: {} # enableAdmissionPlugins: [] # List of admission plugins to be enabled in addition to default enabled ones. # disableAdmissionPlugins: [] # List of admission plugins that should be disabled although they are in the default enabled plugins list. admission: plugins: [] # plugins: # list of admission plugins. Mutation and Validation admission plugins must not be added. # - name: ShootTolerationRestriction # configuration: # apiVersion: shoottolerationrestriction.admission.gardener.cloud/v1alpha1 # kind: Configuration # defaults: # - key: foo # whitelist: # - key: foo # - key: bar # value: baz validatingWebhook: # validation webhook plugin configuration # see https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers # The path where the service account token is mounted via service account token projection is # /var/run/secrets/admission-tokens/validating-webhook-token # kubeconfig: | # apiVersion: v1 # kind: Config # users: # - name: '*' # user: # tokenFile: /var/run/secrets/admission-tokens/validating-webhook-token token: # if enabled, Service Account Token Projection is used to generate the token. # if disabled, a static configuration should be provided in the kubeconfig configuration from above. enabled: false audience: validating-webhook expirationSeconds: 3600 mutatingWebhook: # mutating webhook plugin configuration # see https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers # The path where the service account token is mounted via service account token projection is # /var/run/secrets/admission-tokens/mutating-webhook-token # kubeconfig: | # apiVersion: v1 # kind: Config # users: # - name: '*' # user: # tokenFile: /var/run/secrets/admission-tokens/mutating-webhook-token token: # if enabled, Service Account Token Projection is used to generate the token. # if disabled, a static configuration should be provided in the kubeconfig configuration from above. enabled: false audience: mutating-webhook expirationSeconds: 3600 serviceAccountTokenVolumeProjection: enabled: false expirationSeconds: 43200 audience: "" # shootAdminKubeconfigMaxExpiration: 24h # shootViewerKubeconfigMaxExpiration: 24h # shootCredentialsRotationInterval: 2160h vpa: false hvpa: enabled: false maxReplicas: 4 minReplicas: 1 targetAverageUtilizationCpu: 80 targetAverageUtilizationMemory: 80 vpaScaleUpMode: "Auto" vpaScaleDownMode: "Auto" vpaScaleUpStabilization: stabilizationDuration: "3m" minChange: cpu: value: 300m percentage: 80 memory: value: 200M percentage: 80 vpaScaleDownStabilization: stabilizationDuration: "15m" minChange: cpu: value: 600m percentage: 80 memory: value: 600M percentage: 80 limitsRequestsGapScaleParams: cpu: value: "1" percentage: 70 memory: value: "1G" percentage: 70 shutdownDelayDuration: 15s # goAwayChance: 0.1 # http2MaxStreamsPerConnection: 1000 # requests: # maxNonMutatingInflight: 400 # maxMutatingInflight: 200 # minTimeout: 1m0s # timeout: 1m0s # watchCacheSizes: # default: 100 # resources: # - apiGroup: core.gardener.cloud # resource: shoots # size: 500 audit: # dynamicConfiguration: false Enables dynamic audit configuration. This feature also requires the DynamicAuditing feature flag log: # batchBufferSize: 10000 # batchMaxSize: 1 # batchMaxWait: 5m # batchThrottleBurst: 20 # batchThrottleEnable: false # batchThrottleQPS: 10.0 # format: json # maxAge: 7 maxBackup: 5 maxSize: 100 # mode: blocking path: /tmp/audit/audit.log # truncateEnabled: true # truncateMaxBatchSize: 10485760 # truncateMaxEventSize: 102400 # version: audit.k8s.io/v1 policy: | apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: None userGroups: - system:nodes - level: None users: - gardener - kubelet - system:kube-controller-manager - system:kube-scheduler - system:gardener-resource-manager - system:kube-aggregator - system:kube-proxy - system:apiserver - system:serviceaccount:garden:gardener-controller-manager - system:serviceaccount:garden:gardener-metrics-exporter - system:serviceaccount:kube-system:generic-garbage-collector - system:serviceaccount:kube-system:namespace-controller - garden.sapcloud.io:monitoring - garden.sapcloud.io:monitoring:prometheus - garden.sapcloud.io:monitoring:kube-state-metrics - gardener.cloud:monitoring - gardener.cloud:monitoring:prometheus - gardener.cloud:monitoring:kube-state-metrics - level: None nonResourceURLs: - /healthz* - /version - /openapi/* - /swagger* # Swagger endpoint is deprecated with https://github.com/kubernetes/kubernetes/pull/73148 - level: None resources: - group: "" resources: ["events"] - level: None verbs: ["get", "list", "watch"] - level: Metadata webhook: {} # batchBufferSize: 10000 # batchMaxSize: 400 # batchMaxWait: 30s # batchThrottleBurst: 15 # batchThrottleEnable: true # batchThrottleQPS: 10 # config: | # kubeconfig-formatted file that defines the audit webhook configuration. # initialBackoff: 10s # mode: batch # truncateEnabled: true # truncateMaxBatchSize: 10485760 # truncateMaxEventSize: 102400 # version: audit.k8s.io/v1 # Gardener admission controller configuration values admission: enabled: true replicaCount: 3 serviceAccountName: gardener-admission-controller image: repository: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller tag: latest pullPolicy: IfNotPresent resources: requests: cpu: 100m memory: 200Mi service: # clusterIP: 1.2.3.4 topologyAwareRouting: enabled: false # podAnnotations: # YAML formated annotations used for pod template # podLabels: # YAML formated labels used for pod template vpa: false config: gardenClientConnection: # acceptContentTypes: application/json # contentType: application/json qps: 100 burst: 130 logLevel: info logFormat: json server: webhooks: port: 2719 tlsSecretName: tls: caBundle: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- crt: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- key: | -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- healthProbes: # health probes should be disabled for debugging purposes only enable: true port: 2722 metrics: port: 2723 # resourceAdmissionConfiguration: # limits: # - apiGroups: ["core.gardener.cloud"] # apiVersions: ["*"] # resources: ["shoots"] # size: 100Ki # unrestrictedSubjects: # - kind: Group # name: gardener.cloud:system:seeds # apiGroup: rbac.authorization.k8s.io # operationMode: log enableDebugHandlers: false debugging: enableProfiling: false enableContentionProfiling: false seedRestriction: enabled: false serviceAccountTokenVolumeProjection: enabled: false expirationSeconds: 43200 audience: "" # Gardener controller manager configuration values controller: enabled: true replicaCount: 1 serviceAccountName: gardener-controller-manager image: repository: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager tag: latest pullPolicy: IfNotPresent resources: requests: cpu: 100m memory: 100Mi # podAnnotations: # YAML formated annotations used for pod template # podLabels: # YAML formated labels used for pod template additionalVolumes: [] additionalVolumeMounts: [] env: [] vpa: false serviceAccountTokenVolumeProjection: enabled: false expirationSeconds: 43200 audience: "" config: gardenClientConnection: # acceptContentTypes: application/json # contentType: application/json qps: 100 burst: 130 controllers: # event: # concurrentSyncs: 5 # ttlNonShootEvents: 1h # project: # concurrentSyncs: 5 # minimumLifetimeDays: 30 # staleGracePeriodDays: 14 # staleExpirationTimeDays: 90 # staleSyncPeriod: 12h # quotas: # Please make sure ResourceQuota controller (https://github.com/kubernetes/kubernetes/blob/release-1.2/docs/design/admission_control_resource_quota.md#resource-quota-controller) is enabled for Kube-Controller-Manager when using `ResourceQuotas`. # - config: # apiVersion: v1 # kind: ResourceQuota # spec: # hard: # count/shoots.core.gardener.cloud: "100" # count/secretbindings.core.gardener.cloud: "10" # count/secrets: "400" # projectSelector: {} seed: concurrentSyncs: 5 syncPeriod: 10s monitorPeriod: 40s shootMonitorPeriod: 300s seedExtensionsCheck: concurrentSyncs: 5 syncPeriod: 30s conditionThresholds: - type: ExtensionsReady duration: 1m seedBackupBucketsCheck: concurrentSyncs: 5 syncPeriod: 30s conditionThresholds: - type: BackupBucketsReady duration: 1m shootMaintenance: concurrentSyncs: 5 enableShootControlPlaneRestarter: true enableShootCoreAddonRestarter: false shootQuota: concurrentSyncs: 5 syncPeriod: 60m shootHibernation: concurrentSyncs: 5 triggerDeadlineDuration: 2h shootReference: concurrentSyncs: 5 shootRetry: concurrentSyncs: 5 retryPeriod: 10m retryJitterPeriod: 5m managedSeedSet: concurrentSyncs: 5 syncPeriod: 30m exposureClass: concurrentSyncs: 5 certificateSigningRequest: concurrentSyncs: 5 leaderElection: leaderElect: true leaseDuration: 15s renewDeadline: 10s retryPeriod: 2s resourceLock: leases # resourceName: gardener-controller-manager-leader-election # resourceNamespace: garden logLevel: info server: healthProbes: # health probes should be disabled for debugging purposes only enable: true port: 2718 metrics: port: 2719 debugging: enableProfiling: false enableContentionProfiling: false featureGates: {} # Gardener scheduler configuration values scheduler: enabled: true replicaCount: 1 serviceAccountName: gardener-scheduler image: repository: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler tag: latest pullPolicy: IfNotPresent resources: requests: cpu: 50m memory: 50Mi # podAnnotations: # YAML formatted annotations used for pod template # podLabels: # YAML formatted labels used for pod template vpa: false serviceAccountTokenVolumeProjection: enabled: false expirationSeconds: 43200 audience: "" config: clientConnection: # acceptContentTypes: application/json # contentType: application/json qps: 100 burst: 130 leaderElection: leaderElect: true leaseDuration: 15s renewDeadline: 10s retryPeriod: 2s resourceLock: leases # resourceNamespace: garden # resourceName: gardener-scheduler-leader-election logLevel: info server: healthProbes: # health probes should be disabled for debugging purposes only enable: true port: 10251 metrics: port: 19251 debugging: enableProfiling: false enableContentionProfiling: false # schedulers: # backupBucket: # concurrentSyncs: 5 # shoot: # concurrentSyncs: 5 # candidateDeterminationStrategy: SameRegion # either {SameRegion,MinimalDistance} featureGates: {} # Deployment related configuration deployment: virtualGarden: enabled: false clusterIP: 1.2.3.4 createNamespace: true apiserver: user: name: "" admission: user: name: "" controller: user: name: "" scheduler: user: name: "" # RBAC related configuration rbac: seedAuthorizer: enabled: false