Cluster Configuration Variables

Kubernetes Service Variables Documentation

This document contains the configuration variables for the Kubernetes service.

Understanding Variables in VKS

VKS uses Cluster API Cluster objects to expose the configuration of VKS workload clusters. In the Cluster API (CAPI) ecosystem, variables are the primary mechanism for customizing the configuration of a cluster. These variables are defined within a ClusterClass, which acts as a reusable blueprint or template for clusters.

The ClusterClass defines the schema, including variable names, types (e.g., string, integer, boolean), and default values. When you create a workload cluster, you provide values for these variables, and those values are used to actualize the workload cluster. Variables can be specified at the Cluster level and overridden at the control plane level or per node pool.

Variable Hierarchy and Overrides

CAPI employs a "most-specific-wins" inheritance model. This allows you to set broad defaults at the cluster level while fine-tuning the configuration for specific components like the control plane or individual node pools. When a variable is overridden at a particular level, this override takes precedence over the value at the Cluster level.

Global Cluster Level

Variables defined at the spec.topology.variables level of the Cluster object apply to the entire cluster.

Purpose: Establishes the baseline configuration.

Scope: These values are inherited by all nodes (both control plane and workers) unless a more specific override is provided.

Control Plane Level

The control plane can have its own specific overrides located under spec.topology.controlPlane.variables.

Purpose: Tailors the infrastructure specifically for the API server, etcd, and scheduler.

Override Logic: Values set here supersede the Global Cluster values but only apply to the control plane nodes.

Node Pool (MachineDeployment) Level

Node Pools represent your worker nodes. Since a cluster can have multiple pools for different workloads (e.g., GPU-optimized vs. general purpose), variables can be overridden at the individual pool level under spec.topology.workers.machineDeployments[].variables.

Purpose: Provides granular control over specific groups of worker nodes.

Override Logic: This is the highest level of specificity. A value set here overrides both the Global defaults and any Control Plane settings for that specific pool.
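
The inheritance rules above, worked through on a constructed Cluster object. This is an added example, not VKS or Cluster API code; it assumes overrides sit in an `overrides` list under each scope's `variables` and replace the whole variable of that name, as in upstream Cluster API. The sample values and function names are made up for illustration.

```python
from copy import deepcopy

# Constructed sample: only the fields this example reads. Values are made up.
CLUSTER = {"spec": {"topology": {
    "variables": [
        {"name": "vmClass", "value": "small-class"},
        {"name": "node", "value": {
            "labels": {"env": "prod"},
            "firewall": {"inboundRules": [
                {"protocol": "tcp", "fromPort": 443, "toPort": 443,
                 "source": "10.10.10.0/24"}]}}},
    ],
    "controlPlane": {"variables": {"overrides": [
        {"name": "vmClass", "value": "large-class"}]}},
    "workers": {"machineDeployments": [
        {"name": "general"},
        {"name": "gpu", "variables": {"overrides": [
            {"name": "node", "value": {
                "taints": [{"key": "gpu", "value": "true",
                            "effect": "NoSchedule"}]}}]}},
    ]},
}}}


def _by_name(variables):
    """Index a list of {name, value} entries by variable name."""
    return {v["name"]: deepcopy(v["value"]) for v in variables or []}


def _overrides(holder):
    # Assumption: overrides live at <scope>.variables.overrides (upstream CAPI).
    return _by_name((holder.get("variables") or {}).get("overrides"))


def effective_variables(cluster, scope, pool=None):
    """Variables as seen by 'cluster', 'controlPlane' or one worker pool."""
    topo = cluster["spec"]["topology"]
    merged = _by_name(topo.get("variables"))
    if scope == "controlPlane":
        merged.update(_overrides(topo.get("controlPlane") or {}))
    elif scope == "workers":
        pools = (topo.get("workers") or {}).get("machineDeployments") or []
        match = [p for p in pools if p["name"] == pool]
        if not match:
            raise KeyError(f"no node pool named {pool!r}")
        merged.update(_overrides(match[0]))
    elif scope != "cluster":
        raise ValueError(f"unknown scope {scope!r}")
    return merged


def dropped_settings(cluster):
    """List (scope, variable, keys) where an override omits cluster-level keys.

    Under the whole-variable replacement assumed here, a top-level key set at
    the cluster level and missing from the override no longer applies to
    that scope.
    """
    topo = cluster["spec"]["topology"]
    base = _by_name(topo.get("variables"))
    scopes = [("controlPlane", topo.get("controlPlane") or {})]
    for p in (topo.get("workers") or {}).get("machineDeployments") or []:
        scopes.append((f"workers/{p['name']}", p))
    report = []
    for label, holder in scopes:
        for name, value in _overrides(holder).items():
            old = base.get(name)
            if isinstance(old, dict) and isinstance(value, dict):
                missing = sorted(set(old) - set(value))
                if missing:
                    report.append((label, name, missing))
    return report


if __name__ == "__main__":
    print(effective_variables(CLUSTER, "workers", "gpu")["node"])
    print(dropped_settings(CLUSTER))
```

Under that assumption, the gpu pool's `node` override carries only taints, so the cluster-level labels and firewall rules no longer reach that pool unless the override restates them.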


Variable availability across VKS versions

The following table shows which variables and their nested properties are available in each VKS version.

Property Path 3.2.0 3.3.0 3.4.0 3.5.0 3.6.0
bootstrapAddons
    └─ cniRef
kubeAPIServerFQDNs
kubernetes
    └─ apiServerConfiguration
    └─ certificateRotation
    └─ endpointFQDNs
    └─ etcdConfiguration
    └─ kubeControllerManagerConfiguration
    └─ kubeProxyConfiguration
    └─ kubeletConfiguration
        └─ allowedUnsafeSysctls
        └─ containerLogMaxFiles
        └─ containerLogMaxSizeMiB
        └─ eventBurst
        └─ eventRecordQPS
        └─ healthzBindAddress
        └─ imageGCHighThresholdPercent
        └─ imageGCLowThresholdPercent
        └─ imageMaximumGCAge
        └─ imageMinimumGCAge
        └─ imagePullCredentialsVerificationPolicy
        └─ logging
        └─ maxParallelImagePulls
        └─ maxPods
        └─ podPidsLimit
        └─ preloadedImagesVerificationAllowlist
        └─ registryBurst
        └─ registryPullQPS
        └─ serializeImagePulls
        └─ streamingConnectionIdleTimeout
    └─ security
        └─ podSecurityStandard
        └─ resourceQuotaConfiguration
networks
    └─ interfaces
node
    └─ firewall
    └─ labels
    └─ taints
osConfiguration
    └─ directoryJoin
    └─ fips
    └─ grub
        └─ password
            └─ enabled
            └─ secretRef
            └─ user
    └─ ntp
    └─ securityContext
    └─ sshd
    └─ systemProxy
    └─ trust
    └─ tuned
    └─ ubuntuPro
    └─ user
        └─ password
        └─ passwordSecret
        └─ requirePasswordOnSudo
        └─ sshAuthorizedKey
        └─ user
resourceConfiguration
    └─ systemReserved
storageClass
vmClass
volumes
vsphereOptions
    └─ persistentVolumes
        └─ availableStorageClasses
        └─ availableVolumeSnapshotClasses
        └─ customizableStorageClassAnnotations
        └─ customizableStorageClassLabels
        └─ defaultStorageClass
        └─ defaultVolumeSnapshotClass
TKR_DATA

Variable definitions


bootstrapAddons

Description: BootstrapAddons defines Addons to be installed on Cluster during bootstrapping. Only supported with Kubernetes 1.35 and above.

Introduced in version: 3.6.0

Required: No

Example:

cniRef:
    name: cni-test
    namespace: cni-namespace-test

Properties

Property Type Required Description Present since version
cniRef cniRef Yes CNI Addon to instantiate for Cluster.
Used to select CNI rather than ClusterBootstrap spec.CNI field.
Compatible Addon/AddonRelease must exist.
3.6.0

cniRef

CNI Addon to instantiate for Cluster.
Used to select CNI rather than ClusterBootstrap spec.CNI field.
Compatible Addon/AddonRelease must exist. See cniRef properties below.

Properties

Property Type Required Description Present since version
name string Yes Name of the Addon being referenced. 3.6.0
namespace string No Namespace of the addon being referenced.
If not specified, will use the default public namespace defined by the addon manager.
3.6.0

kubeAPIServerFQDNs

Description: Deprecated: This variable is deprecated. Use kubernetes.endpointFQDNs instead. This variable will be removed in a future release.

Introduced in version: 3.2.0

Required: No

Type: array

Array of: string


kubernetes

Description: Kubernetes configures cluster-wide settings for the Kubernetes cluster, typically applied to the control plane. Supported scopes: cluster, controlPlane, workers

Introduced in version: 3.2.0

Required: No

Example:

apiServerConfiguration:
    logs:
        flushFrequency: 10s
        format: json
        verbosity: 5
    maxMutatingRequestsInFlight: 100
    maxRequestsInFlight: 200
    profiling: false
    requestTimeout: 30s
certificateRotation:
    enabled: true
    renewalDaysBeforeExpiry: 99
endpointFQDNs:
    - fqdn.test1
    - fqdn.test2
etcdConfiguration:
    maximumDBSizeGiB: 5
kubeControllerManagerConfiguration:
    terminatedPodGCThreshold: 6789
kubeletConfiguration:
    allowedUnsafeSysctls:
        - kernel.msg*
        - net.ipv4.route.min_pmtu
    containerLogMaxFiles: 20
    containerLogMaxSizeMiB: 10
    eventBurst: 20
    eventRecordQPS: 20
    healthzBindAddress: 0.0.0.0
    imageGCHighThresholdPercent: 20
    imageGCLowThresholdPercent: 10
    imageMaximumGCAge: 5s
    imageMinimumGCAge: 1s
    imagePullCredentialsVerificationPolicy: AlwaysVerify
    logging:
        flushFrequency: 10s
        format: json
        verbosity: 5
    maxParallelImagePulls: 20
    maxPods: 20
    podPidsLimit: 66
    preloadedImagesVerificationAllowlist:
        - registry.example.com/myimage
        - my.registry.io/*
    registryBurst: 12
    registryPullQPS: 6
    serializeImagePulls: true
    streamingConnectionIdleTimeout: 10s
security:
    podSecurityStandard:
        audit: privileged
        deactivated: false
        enforce: restricted
        warn: baseline
    resourceQuotaConfiguration:
        enabled: true

Properties

Property Type Required Description Present since version
apiServerConfiguration apiServerConfiguration No APIServerConfiguration contains configuration options for the Kubernetes API server.
These settings control API server behavior including request limits, audit logging,
admission control, authentication, and event retention.
3.5.0
certificateRotation certificateRotation No CertificateRotation configures options for the automatic rotation of control plane certificates
which have a default validity of 12 months. Note that certificates are always rotated during Kubernetes upgrades.
3.2.0
endpointFQDNs []string No EndpointFQDNs configures FQDN aliases for the control plane endpoint,
for example to allow users to connect to the cluster using https://k8s.prod.example.com/
3.2.0
etcdConfiguration etcdConfiguration No EtcdConfiguration contains configuration options for the etcd database used by Kubernetes.
These settings control etcd behavior including database size limits and performance tuning.
Supported scopes: cluster, controlPlane
3.5.0
kubeControllerManagerConfiguration kubeControllerManagerConfiguration No KubeControllerManagerConfiguration contains configuration options for the kube-controller-manager.
Supported scopes: cluster, controlPlane
3.6.0
kubeProxyConfiguration kubeProxyConfiguration No KubeProxyConfiguration contains configuration options for kube-proxy component.
KubeProxy subscribes to services and endpoints, and programs the network data
plane on all the linux nodes for load balancing service traffic. These settings
control the behaviour of kube-proxy.
3.6.0
kubeletConfiguration kubeletConfiguration No KubeletConfiguration contains configuration options for the kubelet running on worker nodes.
These settings control various aspects of kubelet behavior including resource limits,
image management, logging, and security policies.
Supported scopes: cluster, controlPlane, workers
3.5.0
security security No Security configures Kubernetes specific security settings. 3.2.0

apiServerConfiguration

APIServerConfiguration contains configuration options for the Kubernetes API server.
These settings control API server behavior including request limits, audit logging,
admission control, authentication, and event retention. See apiServerConfiguration properties below.

Properties

Property Type Required Description Present since version
logs logs No Logging configures the logging options for the API server, including
log levels, formats, and output destinations. Refer to the Kubernetes
component-base logs options for more information.
3.5.0
maxMutatingRequestsInFlight integer No MaxMutatingRequestsInFlight is the maximum number of parallel mutating requests.
Every further request has to wait. This field and MaxRequestsInFlight are summed
to determine the server's total concurrency limit (which must be positive).
Corresponds to the --max-mutating-requests-inflight flag.
Default: 200
3.5.0
maxRequestsInFlight integer No MaxRequestsInFlight is the maximum number of parallel non-long-running requests.
Every further request has to wait. This field and MaxMutatingRequestsInFlight are
summed to determine the server's total concurrency limit (which must be positive).
Corresponds to the --max-requests-inflight flag.
Default: 400
3.5.0
profiling boolean No Profiling enables profiling via web interface host:port/debug/pprof/
Default: false
3.5.0
requestTimeout string No RequestTimeout is the duration after which all non-long-running requests will be
timed out.
Corresponds to the --request-timeout flag.
Default: 1m0s
3.5.0

logs

Logging configures the logging options for the API server, including
log levels, formats, and output destinations. Refer to the Kubernetes
component-base logs options for more information. See logs properties below.

Properties

Property Type Required Description Present since version
flushFrequency string No FlushFrequency is the maximum time between log flushes.
If specified as a string, it's parsed as a duration (e.g., "1s").
If specified as an integer, it's the maximum number of nanoseconds.
Ignored if the selected logging backend writes log messages without buffering.
Corresponds to --log-flush-frequency flag.
Default: 5s
3.5.0
format string No Format specifies the structure of log messages.
Supported values are "text" (default) and "json".
Corresponds to --logging-format flag.
Default: "text" Possible values are: text, json.
3.5.0
verbosity integer No Verbosity is the threshold that determines which log messages are logged.
Default is zero which logs only the most important messages.
Higher values enable additional messages. Error messages are always logged.
Corresponds to -v or --v flag.
Default: 0
3.5.0

certificateRotation

CertificateRotation configures options for the automatic rotation of control plane certificates
which have a default validity of 12 months. Note that certificates are always rotated during Kubernetes upgrades. See certificateRotation properties below.

Properties

Property Type Required Description Present since version
enabled boolean No Enabled controls enablement of auto certificate rotation 3.2.0
renewalDaysBeforeExpiry integer No RenewalDaysBeforeExpiry states the number of days before certificate expiry to
initiate the renewal of certificates.
3.2.0

etcdConfiguration

EtcdConfiguration contains configuration options for the etcd database used by Kubernetes.
These settings control etcd behavior including database size limits and performance tuning.
Supported scopes: cluster, controlPlane
See etcdConfiguration properties below.

Properties

Property Type Required Description Present since version
maximumDBSizeGiB integer Yes MaximumDBSizeGiB specifies the maximum size of the etcd database in GiB.
This value is used to set --quota-backend-bytes for etcd. To account for
compaction, defragmentation, and temporary usage spikes, the volume is
provisioned with 25% additional capacity and mounted at /var/lib/etcd path.
3.5.0

kubeControllerManagerConfiguration

KubeControllerManagerConfiguration contains configuration options for the kube-controller-manager.
Supported scopes: cluster, controlPlane
See kubeControllerManagerConfiguration properties below.

Properties

Property Type Required Description Present since version
terminatedPodGCThreshold integer No TerminatedPodGCThreshold is the number of terminated pods that can exist
before the terminated pod garbage collector starts deleting terminated pods.
If <= 0, the terminated pod garbage collector is disabled.
Default: 6000
3.6.0

kubeProxyConfiguration

KubeProxyConfiguration contains configuration options for kube-proxy component.
KubeProxy subscribes to services and endpoints, and programs the network data
plane on all the linux nodes for load balancing service traffic. These settings
control the behaviour of kube-proxy. See kubeProxyConfiguration properties below.

Properties

Property Type Required Description Present since version
mode string No Mode represents the kube-proxy backend mode used for programming data-plane.
Default: iptables
Scope: Cluster Possible values are: iptables, nftables.
3.6.0

kubeletConfiguration

KubeletConfiguration contains configuration options for the kubelet running on worker nodes.
These settings control various aspects of kubelet behavior including resource limits,
image management, logging, and security policies.
Supported scopes: cluster, controlPlane, workers
See kubeletConfiguration properties below.

Properties

Property Type Required Description Present since version
allowedUnsafeSysctls []string No AllowedUnsafeSysctls is a comma separated allowlist of unsafe sysctls or sysctl patterns (ending in *).
All safe sysctls are enabled by default. A safe sysctl must be properly isolated between pods on the same node.
This means that setting a safe sysctl for one pod:
- must not have any influence on any other pod on the node
- must not allow to harm the node's health
- must not allow to gain CPU or memory resources outside of the resource limits of a pod.

Unsafe sysctls fail to meet one or more of these criteria; the use of unsafe sysctls is at-your-own-risk and can lead to severe problems like wrong behavior of
containers, resource shortage, or complete breakage of a node. Only modify sysctl parameters after you understand their effects, to avoid destabilizing your operating
system. With this in mind, you can allow certain unsafe sysctls for very special situations such as high-performance or real-time application tuning.

It is good practice to consider node pools with special sysctl settings as tainted within a cluster, and only schedule pods onto them which need those sysctl settings.

Unsafe sysctl groups are kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*, and net.*.
These sysctls are namespaced but not allowed by default.
For example: "kernel.msg*,net.ipv4.route.min_pmtu"
Default: []
3.5.0
containerLogMaxFiles integer No ContainerLogMaxFiles is the maximum number of container log files that can be present for a container.
Default: 5
3.5.0
containerLogMaxSizeMiB integer No ContainerLogMaxSizeMiB defines the maximum size, in MiB, of the container log file before it is rotated. The mutator converts this integer into a kubelet-compatible
string with the "Mi" unit when applying the configuration.
For example: "5 => 5Mi".
Default: 10
3.5.0
eventBurst integer No EventBurst is the maximum size of a burst of event creations, temporarily
allows event creations to burst to this number, while still not exceeding
eventRecordQPS. Only used if eventRecordQPS > 0.
Default: 100
3.5.0
eventRecordQPS integer No EventRecordQPS is the maximum event creations per second. If 0, there
is no limit enforced. Corresponds to --event-qps kubelet flag.
Default: 50
3.5.0
healthzBindAddress string No HealthzBindAddress is the IP address for the healthz server to serve on.
Default: "127.0.0.1"
3.5.0
imageGCHighThresholdPercent integer No ImageGCHighThresholdPercent is the percent of disk usage after which
image garbage collection is always run. The percent is calculated as
this field value out of 100.
Default: 85
3.5.0
imageGCLowThresholdPercent integer No ImageGCLowThresholdPercent is the percent of disk usage before which
image garbage collection is never run. Lowest disk usage to garbage
collect to. The percent is calculated as this field value out of 100.
Default: 80
3.5.0
imageMaximumGCAge string No ImageMaximumGCAge is the maximum age an image can be unused before it is garbage collected.
The default of this field is "0s", which disables this field--meaning images won't be garbage
collected based on being unused for too long.
Default: "0s" (disabled)
3.5.0
imageMinimumGCAge string No ImageMinimumGCAge is the minimum age for an unused image before it is
garbage collected.
Default: "2m"
3.5.0
imagePullCredentialsVerificationPolicy string No ImagePullCredentialsVerificationPolicy determines how credentials should be
verified when pod requests an image that is already present on the node.
Supported values:
- NeverVerify: anyone on a node can use any image present on the node
- NeverVerifyPreloadedImages: images that were pulled to the node by something
else than the kubelet can be used without reverifying pull credentials
- NeverVerifyAllowlistedImages: like "NeverVerifyPreloadedImages" but only node
images from preloadedImagesVerificationAllowlist don't require reverification
- AlwaysVerify: all images require credential reverification
Default: "NeverVerifyPreloadedImages" Possible values are: NeverVerify, NeverVerifyPreloadedImages, NeverVerifyAllowlistedImages, AlwaysVerify.
3.5.0
logging logging No Logging specifies the logging configuration options for the kubelet.
This controls log levels, formats, and output destinations for kubelet logs.
Refer to the Kubernetes component-base logs options for more information.
3.5.0
maxParallelImagePulls integer No MaxParallelImagePulls sets the maximum number of image pulls in parallel.
This field is only used when SerializeImagePulls is false.
Corresponds to --max-parallel-image-pulls kubelet flag.
Default: nil (no limit)
3.5.0
maxPods integer No MaxPods is the number of pods that can run on this Kubelet.
Default: 110
NOTE: By default, the maximum allowed value is 250.
3.5.0
podPidsLimit integer No PodPidsLimit is the maximum number of PIDs in any pod.
Use Kubelet default (-1) when omitted.
Default: nil
3.6.0
preloadedImagesVerificationAllowlist []string No PreloadedImagesVerificationAllowlist specifies a list of images that are
exempted from credential reverification for the "NeverVerifyAllowlistedImages"
imagePullCredentialsVerificationPolicy.
The list accepts a full path segment wildcard suffix "/*".
Only use image specs without an image tag or digest.
3.5.0
registryBurst integer No RegistryBurst is the maximum size of bursty pulls, temporarily allows
pulls to burst to this number, while still not exceeding registryPullQPS.
Only used if registryPullQPS > 0.
Default: 10
3.5.0
registryPullQPS integer No RegistryPullQPS is the limit of registry pulls per second.
Set to 0 for no limit.
Default: 5
3.5.0
serializeImagePulls boolean No SerializeImagePulls when enabled, tells the Kubelet to pull images one at a time.
Default: true
3.5.0
streamingConnectionIdleTimeout string No StreamingConnectionIdleTimeout is the maximum time a streaming connection
can be idle before the connection is automatically closed.
Default: "5m"
3.5.0
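
A check over the kubeletConfiguration settings described above, run against the values from this page's kubernetes example. It is an added example, not part of VKS; the function names and finding messages are made up here, and the defaults are the ones documented in the table above.

```python
import ipaddress

# kubeletConfiguration values copied from the "kubernetes" example on this
# page (only the properties this check reads).
PAGE_EXAMPLE = {"kubeletConfiguration": {
    "allowedUnsafeSysctls": ["kernel.msg*", "net.ipv4.route.min_pmtu"],
    "eventRecordQPS": 20,
    "healthzBindAddress": "0.0.0.0",
    "imagePullCredentialsVerificationPolicy": "AlwaysVerify",
    "preloadedImagesVerificationAllowlist": [
        "registry.example.com/myimage", "my.registry.io/*"],
    "registryPullQPS": 6,
}}

# Defaults as documented in the kubeletConfiguration table.
DEFAULT_HEALTHZ = "127.0.0.1"
DEFAULT_POLICY = "NeverVerifyPreloadedImages"


def allowlist_entry_problem(entry):
    """Return why an allowlist entry breaks the documented format, or None."""
    if "@" in entry:
        return "has a digest"
    wildcard = entry.endswith("/*")
    body = entry[:-2] if wildcard else entry
    if "*" in body:
        return "wildcard is only accepted as a trailing '/*' path segment"
    host_only = wildcard and "/" not in body  # e.g. "registry:5000/*"
    if ":" in body.rsplit("/", 1)[-1] and not host_only:
        return "has a tag"
    return None


def audit_kubelet(kubernetes_var, node_var=None):
    """Return (property, message) findings for one scope's effective values.

    kubernetes_var and node_var are the values of the "kubernetes" and "node"
    variables that apply to the scope being checked.
    """
    kc = (kubernetes_var or {}).get("kubeletConfiguration") or {}
    findings = []

    addr = kc.get("healthzBindAddress", DEFAULT_HEALTHZ)
    try:
        loopback = ipaddress.ip_address(addr).is_loopback
    except ValueError:
        loopback = False
    if not loopback:
        findings.append(("healthzBindAddress",
                         f"healthz server bound to {addr!r}; "
                         f"documented default is {DEFAULT_HEALTHZ}"))

    policy = kc.get("imagePullCredentialsVerificationPolicy", DEFAULT_POLICY)
    allowlist = kc.get("preloadedImagesVerificationAllowlist") or []
    if policy == "NeverVerify":
        findings.append(("imagePullCredentialsVerificationPolicy",
                         "anyone on a node can use any image present on it"))
    if allowlist and policy != "NeverVerifyAllowlistedImages":
        findings.append(("preloadedImagesVerificationAllowlist",
                         "allowlist applies to NeverVerifyAllowlistedImages, "
                         f"but the policy is {policy}"))
    for entry in allowlist:
        problem = allowlist_entry_problem(entry)
        if problem:
            findings.append(("preloadedImagesVerificationAllowlist",
                             f"{entry!r} {problem}"))

    # 0 means "no limit" for both rate limits.
    for prop in ("eventRecordQPS", "registryPullQPS"):
        if kc.get(prop) == 0:
            findings.append((prop, "0 removes the rate limit"))

    # The page recommends treating pools with special sysctls as tainted.
    if kc.get("allowedUnsafeSysctls") and not (node_var or {}).get("taints"):
        findings.append(("allowedUnsafeSysctls",
                         "unsafe sysctls allowed but node.taints is empty "
                         "for this scope"))
    return findings


if __name__ == "__main__":
    for prop, message in audit_kubelet(PAGE_EXAMPLE):
        print(f"{prop}: {message}")
```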

logging

Logging specifies the logging configuration options for the kubelet.
This controls log levels, formats, and output destinations for kubelet logs.
Refer to the Kubernetes component-base logs options for more information. See logging properties below.

Properties

Property Type Required Description Present since version
flushFrequency string No FlushFrequency is the maximum time between log flushes.
If specified as a string, it's parsed as a duration (e.g., "1s").
If specified as an integer, it's the maximum number of nanoseconds.
Ignored if the selected logging backend writes log messages without buffering.
Corresponds to --log-flush-frequency flag.
Default: 5s
3.5.0
format string No Format specifies the structure of log messages.
Supported values are "text" (default) and "json".
Corresponds to --logging-format flag.
Default: "text" Possible values are: text, json.
3.5.0
verbosity integer No Verbosity is the threshold that determines which log messages are logged.
Default is zero which logs only the most important messages.
Higher values enable additional messages. Error messages are always logged.
Corresponds to -v or --v flag.
Default: 0
3.5.0

security

Security configures Kubernetes specific security settings. See security properties below.

Properties

Property Type Required Description Present since version
podSecurityStandard podSecurityStandard No PodSecurityStandard configures the PodSecurityStandard settings for the cluster. 3.2.0
resourceQuotaConfiguration resourceQuotaConfiguration No ResourceQuotaConfiguration configures the ResourceQuota admission control settings for the cluster. 3.5.0

podSecurityStandard

PodSecurityStandard configures the PodSecurityStandard settings for the cluster. See podSecurityStandard properties below.

Properties

Property Type Required Description Present since version
auditVersion string No AuditVersion can be used to pin the policy to the version that shipped with a given
Kubernetes minor version (e.g. v1.31) when in audit mode.
3.2.0
audit string No Audit sets the level for the audit PodSecurityConfiguration mode.
Policy violations trigger an audit annotation, but are otherwise allowed.
One of "", privileged, baseline, restricted. Possible values are: "", privileged, baseline, restricted.
3.2.0
deactivated boolean No Deactivated disables the patches for Pod Security Standard via AdmissionConfiguration. 3.2.0
enforceVersion string No EnforceVersion can be used to pin the policy to the version that shipped with a given
Kubernetes minor version (e.g. v1.31) when in enforce mode.
3.2.0
enforce string No Enforce sets the level for the enforce PodSecurityConfiguration mode.
Policy violations cause the pod to be rejected.
One of "", privileged, baseline, restricted. Possible values are: "", privileged, baseline, restricted.
3.2.0
exemptions exemptions No Exemptions can be statically configured based on (requesting) user, RuntimeClass, or namespace.
A request meeting exemption criteria is ignored by the admission plugin.
Currently only namespace exemptions are supported.
3.2.0
warnVersion string No WarnVersion can be used to pin the policy to the version that shipped with a given
Kubernetes minor version (e.g. v1.31) when in warn mode.
3.2.0
warn string No Warn sets the level for the warn PodSecurityConfiguration mode.
Policy violations trigger a user-facing warning, but are otherwise allowed.
One of "", privileged, baseline, restricted. Possible values are: "", privileged, baseline, restricted.
3.2.0

exemptions

Exemptions can be statically configured based on (requesting) user, RuntimeClass, or namespace.
A request meeting exemption criteria is ignored by the admission plugin.
Currently only namespace exemptions are supported. See exemptions properties below.

Properties

Property Type Required Description Present since version
namespaces []string No Namespaces where PodSecurityStandards will be ignored. 3.2.0

resourceQuotaConfiguration

ResourceQuotaConfiguration configures the ResourceQuota admission control settings for the cluster. See resourceQuotaConfiguration properties below.

Properties

Property Type Required Description Present since version
enabled boolean No Enabled enables the patches for ResourceQuotaConfiguration via AdmissionConfiguration.
Once enabled, the ResourceQuota admission controller will be configured to limit pods with PriorityClass In [system-node-critical, system-cluster-critical].
3.5.0

networks

Description: Networks defines the network configuration for the cluster

Introduced in version: 3.6.0

Required: No

Example:

interfaces:
    primary:
        network:
            apiVersion: crd.nsx.vmware.com/v1alpha1
            kind: SubnetSet
            name: subnetset-1
    secondary:
        - name: eth1
          network:
            apiVersion: crd.nsx.vmware.com/v1alpha1
            kind: SubnetSet
            name: subnetset-2
        - name: eth2
          network:
            apiVersion: crd.nsx.vmware.com/v1alpha1
            kind: Subnet
            name: subnet-3

Properties

Property Type Required Description Present since version
interfaces interfaces No Interfaces describes one primary (eth0) and zero or more secondary interfaces attached to Node virtual machine. 3.6.0

interfaces

Interfaces describes one primary (eth0) and zero or more secondary interfaces attached to Node virtual machine. See interfaces properties below.

Properties

Property Type Required Description Present since version
primary primary No Primary is the primary network interface which is used to connect the Kubernetes primary network
for Load balancer, Service discovery, Pod traffic and management traffic etc.
Customization is only supported with network provider NSX-VPC.
3.6.0
secondary []secondary No Secondary network is supported with network provider NSX-VPC and vsphere-network. 3.6.0

primary

Primary is the primary network interface which is used to connect the Kubernetes primary network
for Load balancer, Service discovery, Pod traffic and management traffic etc.
Customization is only supported with network provider NSX-VPC. See primary properties below.

Properties

Property Type Required Description Present since version
network network Yes Network is the name of the network resource to which this interface is connected. 3.6.0
mtu integer No MTU is the Maximum Transmission Unit size in bytes. 3.6.0
routes []routes No Routes is a list of optional, static routes.

Please note this feature is available only with the following bootstrap
providers: CloudInit.
3.6.0

network

Network is the name of the network resource to which this interface is connected. See network properties below.

Properties

Property Type Required Description Present since version
apiVersion string Yes APIVersion of the remediation template.
APIVersion must be fully qualified domain name followed by / and a version.
NOTE: This field must be kept in sync with the APIVersion of the remediation template.
3.6.0
kind string Yes Kind of the remediation template.
Kind must consist of alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character.
3.6.0
name string Yes Name of the remediation template.
Name must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character.
3.6.0

routes

RouteSpec defines a static route for a guest. See routes properties below.

Properties

Property Type Required Description Present since version
to string Yes To is an IPv4 CIDR. IPv6 is not supported yet.
Examples: 192.168.1.0/24, 192.168.100.100/32, 0.0.0.0/0
3.6.0
via string Yes Via is an IPv4 address. IPv6 is not supported yet. 3.6.0

secondary

Properties

Property Type Required Description Present since version
name string Yes Name describes the unique name of this network interface, used to
distinguish it from other network interfaces attached to node Virtual Machine.
3.6.0
network network Yes Network is the name of the network resource to which this interface is connected. 3.6.0
driver string No driver is the kernel driver to bind to the interface.
Only "vfio-pci" is supported at the moment. Possible values are: vfio-pci.
3.6.0
mtu integer No MTU is the Maximum Transmission Unit size in bytes. 3.6.0
routes []routes No Routes is a list of optional, static routes.

Please note this feature is available only with the following bootstrap
providers: CloudInit.
3.6.0
sriovResourcePool sriovResourcePool No sriovResourcePool contains SRIOV device plugin resource pool configuration.
This field should be set when driver is specified.
3.6.0

network

Network is the name of the network resource to which this interface is connected. See network properties below.

Properties

Property Type Required Description Present since version
apiVersion string Yes APIVersion of the remediation template.
APIVersion must be fully qualified domain name followed by / and a version.
NOTE: This field must be kept in sync with the APIVersion of the remediation template.
3.6.0
kind string Yes Kind of the remediation template.
Kind must consist of alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character.
3.6.0
name string Yes Name of the remediation template.
Name must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character.
3.6.0

routes

RouteSpec defines a static route for a guest. See routes properties below.

Properties

Property Type Required Description Present since version
to string Yes To is an IPv4 CIDR. IPv6 is not supported yet.
Examples: 192.168.1.0/24, 192.168.100.100/32, 0.0.0.0/0
3.6.0
via string Yes Via is an IPv4 address. IPv6 is not supported yet. 3.6.0

sriovResourcePool

sriovResourcePool contains SRIOV device plugin resource pool configuration.
This field should be set when driver is specified. See sriovResourcePool properties below.

Properties

Property Type Required Description Present since version
name string Yes name is the resource name for the SRIOV device pool. 3.6.0
prefix string Yes prefix is the resource prefix for the SRIOV device pool. 3.6.0

node

Description: Node configures Kubernetes node specific settings. Supported scopes: cluster, controlPlane, workers

Introduced in version: 3.2.0

Required: No

Example:

firewall:
    inboundRules:
        - fromPort: 100
          protocol: 6
          source: 10.10.10.0/24
          toPort: 100
        - fromPort: 200
          protocol: 22
          source: ""
          toPort: 200
labels:
    label-test1: label-value-test1
    label-test2: label-value-test2
taints:
    - effect: NoExecute
      key: taint-test1
      value: taint-value-test1
    - effect: NoSchedule
      key: taint-test2
      value: taint-value-test2

Properties

Property Type Required Description Present since version
firewall firewall No Firewall specifies the firewall configuration that should be created on the node to allow specific kinds
of traffic. Any rules defined will be merged with the default set of rules required for the cluster to
function normally.
Supported scopes: cluster, controlPlane, workers
3.6.0
labels labels No Labels is a list of user defined name-value pairs 3.2.0
taints []taints No Taints specifies the taints the Node API object should be registered with. If this field is unset, i.e. nil,
it will be defaulted with a control-plane taint for control-plane nodes. If you don't want to taint your control-plane
node, set this field to an empty slice, i.e. taints: [] in the YAML file. This field is solely used for Node registration.
3.2.0

firewall

Firewall specifies the firewall configuration that should be created on the node to allow specific kinds
of traffic. Any rules defined will be merged with the default set of rules required for the cluster to
function normally.
Supported scopes: cluster, controlPlane, workers. See firewall properties below.

Properties

Property Type Required Description Present since version
inboundRules []inboundRules Yes InboundRules is a list of firewall rules that will be configured on each node to
allow or deny specific kinds of traffic.
3.6.0

inboundRules

Properties

Property Type Required Description Present since version
protocol Yes Protocol is the type of traffic that this rule applies to. Allowed protocols
include "tcp", "udp", "icmp", or any valid IANA protocol number.
3.6.0
fromPort integer No FromPort is the low end (inclusive) of the port range that this rule applies to. 3.6.0
source string No Source is the CIDR range of the originating traffic that this rule applies to. If unset, the rule will
apply to any source network.
IP addresses specified to this option can be provided using CIDR notation: an appended slash and number specifies the
number of "network bits" out of the address to use in the comparison. For example "192.168.0.0/16" would match all
addresses starting with "192.168".
3.6.0
toPort integer No ToPort is the high end (inclusive) of the port range that this rule applies to. 3.6.0
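
The checks a reviewer would run over node.firewall.inboundRules before applying a Cluster, as an added Python example (not VKS code). It treats an empty source string the same as an unset one, which is an assumption; the rule data is the node example from this page transcribed as Python dicts.

```python
import ipaddress

# Protocol names the page lists as allowed; anything else must be an IANA protocol number.
NAMED_PROTOCOLS = {"tcp", "udp", "icmp"}
# IANA numbers of those three protocols (ICMP=1, TCP=6, UDP=17).
COMMON_NUMBERS = {1, 6, 17}


def lint_inbound_rule(rule):
    """Return a list of findings for one inboundRules entry (a dict)."""
    findings = []

    proto = rule.get("protocol")
    if proto is None:
        findings.append("protocol is required")
    elif isinstance(proto, str) and proto.lower() in NAMED_PROTOCOLS:
        pass
    else:
        try:
            number = int(proto)
        except (TypeError, ValueError):
            findings.append(f"protocol {proto!r} is not tcp/udp/icmp or a number")
        else:
            if not 0 <= number <= 255:
                findings.append(f"protocol {number} is outside the IANA range 0-255")
            elif number not in COMMON_NUMBERS:
                findings.append(
                    f"protocol {number} is an IANA protocol number, not a port; "
                    "confirm it is not a port typed into the wrong field")

    lo, hi = rule.get("fromPort"), rule.get("toPort")
    for name, port in (("fromPort", lo), ("toPort", hi)):
        if port is not None and not 0 <= port <= 65535:
            findings.append(f"{name} {port} is outside 0-65535")
    if lo is not None and hi is not None and lo > hi:
        findings.append(f"fromPort {lo} is greater than toPort {hi}")

    source = rule.get("source")
    if not source:  # assumption: "" is handled like an unset source
        findings.append("source is unset: rule applies to any source network")
    else:
        try:
            net = ipaddress.ip_network(source, strict=False)
        except ValueError:
            findings.append(f"source {source!r} is not a valid CIDR")
        else:
            if net.prefixlen == 0:
                findings.append(f"source {source} matches every address")
    return findings


def lint_firewall(firewall):
    """Map rule index -> findings, only for rules that have findings."""
    report = {}
    for i, rule in enumerate(firewall.get("inboundRules", [])):
        findings = lint_inbound_rule(rule)
        if findings:
            report[i] = findings
    return report


# The node.firewall example from this page, transcribed as Python data.
PAGE_EXAMPLE = {
    "inboundRules": [
        {"fromPort": 100, "protocol": 6, "source": "10.10.10.0/24", "toPort": 100},
        {"fromPort": 200, "protocol": 22, "source": "", "toPort": 200},
    ]
}

if __name__ == "__main__":
    for index, findings in lint_firewall(PAGE_EXAMPLE).items():
        for finding in findings:
            print(f"inboundRules[{index}]: {finding}")
```

On the page's example the second rule is reported twice: 22 is the IANA number for XNS-IDP rather than a port, and under the stated assumption its empty source admits any network.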

labels

Labels is a list of user defined name-value pairs. See labels properties below.

taints

Taint configures taints that will be applied to node objects in the cluster or pool.
A Kubernetes taint is composed of three fields: key, value, and effect. See taints properties below.

Properties

Property Type Required Description Present since version
effect string Yes Effect of the taint on pods that do not tolerate the taint.
Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
3.2.0
key string Yes Key is the taint key to be applied to a node. 3.2.0
value string Yes Value is the taint value corresponding to the taint key. 3.2.0

osConfiguration

Description: OSConfiguration configures the system settings of nodes that are independent of Kubernetes. Supported scopes: cluster, controlPlane, workers

Introduced in version: 3.2.0

Required: No

Example:

directoryJoin:
    credentialSecretRef: credential-secret-name-test
    domain: contoso.test
    gmsaControlSecurityGroupDN: CN=VKSClusterMembers,OU=VKSGMSAAccounts,DC=contoso,DC=test
    organizationalUnitDN: OU=VKSComputers,DC=contoso,DC=test
fips:
    enabled: true
grub:
    password:
        enabled: true
        secretRef:
            key: some-grub-secret-key
            name: my-grub-secret
        user: my-grub-user
ntp:
    servers:
        - ntp.test.1
        - ntp.test.2
securityContext:
    appArmor:
        profiles:
            - name: apparmor-profile-1
sshd:
    banner: Test banner
systemProxy:
    http: http://1.2.3.4:2139
    https: http://4.3.2.1:2139
    noProxy:
        - no.proxy.test1
        - no.proxy.test2
trust:
    additionalTrustedCAs:
        - caCert:
            secretRef:
                key: trust-ca-test1
                name: ""
        - caCert:
            secretRef:
                key: trust-ca-test2
                name: ""
        - caCert:
            secretRef:
                key: trust-ca-test3
                name: custom-trust-secret-1
tuned:
    active:
        - builtin-3.6.0
    profiles:
        builtin-3.6.0:
            profileRef:
                name: builtin-vks-v3.6.0
user:
    password:
        renewalDaysBeforeExpiry: 25
    passwordSecret:
        key: user-secret-key-test
        name: user-secret-name-test
    sshAuthorizedKey: sshAuthorizedKeyTest...
    user: customuser

Properties

Property Type Required Description Present since version
directoryJoin directoryJoin No DirectoryJoin configures the node to join a Windows Active Directory.
Only supported on Windows at present.
3.3.0
fips fips No FIPS configures FIPS related settings for the Kubernetes cluster to run in FIPS mode.
Supported scopes: cluster
3.3.0
grub grub No GRUB configures GRUB Boot Loader. 3.5.0
ntp ntp No NTP sets the time servers that will be used by nodes in the cluster.
By default, NTP servers are inherited from vCenter.
3.2.0
securityContext securityContext No SecurityContext holds security configurations that will be applied to node. 3.6.0
sshd sshd No SSHD configures the sshd config of the node. 3.3.0
systemProxy systemProxy No SystemProxy configures parameters that reference a proxy server for outbound cluster connections. 3.2.0
trust trust No Trust configures system-wide certificate trust for nodes 3.2.0
tuned tuned No TuneD injects TuneD profiles and activates the specified profile on Linux nodes.
Only supported on Linux.
3.6.0
ubuntuPro ubuntuPro No UbuntuPro configures the Ubuntu Pro subscription of the node.
Only supported on Ubuntu.
3.3.0
user user No User is an administrative user that will be created on all nodes. If not set, this is defaulted to
"vmware-system-user". The administrative user will be added to the "wheel" group on Linux and the "Administrators"
group on Windows.
3.2.0

directoryJoin

DirectoryJoin configures the node to join a Windows Active Directory.
Only supported on Windows at present. See directoryJoin properties below.

Properties

Property Type Required Description Present since version
credentialSecretRef string Yes CredentialSecretRef is the name of the secret containing Active Directory join credentials.
These will be passed to all new Windows nodes to allow them to join the Active Directory domain.
The secret must have the following keys:
username - The username for the Active Directory account. This must be in one of the following formats:
-
- <username>
- @
password - The password for the account
3.3.0
domain string Yes Domain is the FQDN of the Active Directory Kerberos domain to join. 3.3.0
gmsaControlSecurityGroupDN string No GMSAControlSecurityGroupDN is an optional Windows Active Directory security group that has permissions to
access the password of the Group Managed Service Accounts.
The value will be validated according to https://tools.ietf.org/html/rfc4514
3.3.0
organizationalUnitDN string No OrganizationalUnitDN is an optional organizational unit where the node will be added to in Active Directory.
The value will be validated according to https://tools.ietf.org/html/rfc4514
3.3.0

fips

FIPS configures FIPS related settings for the Kubernetes cluster to run in FIPS mode.
Supported scopes: cluster. See fips properties below.

Properties

Property Type Required Description Present since version
enabled boolean No Enable specifies whether FIPS settings are enabled and enforced on the node 3.3.0

grub

GRUB configures GRUB Boot Loader. See grub properties below.

Properties

Property Type Required Description Present since version
password password No Password configures the password protection for GRUB Boot Loader (Only applicable on Linux). 3.5.0

password

Password configures the password protection for GRUB Boot Loader (Only applicable on Linux). See password properties below.

Properties

Property Type Required Description Present since version
enabled boolean No Enabled defines if the GRUB Boot Loader must be protected with a password 3.5.0
secretRef secretRef No SecretRef is the name of the secret containing the password to protect GRUB
Key is the data.key field within the secret containing the password value.
If not specified, the secret will be automatically generated as -grub-password when
Enabled is set to true.

The password value must be a PBKDF2 SHA-512 hashed password generated with grub2-mkpasswd-pbkdf2. The value will
be set as the GRUB superuser password. The user must type in the plain-text password to boot from non-default entries
or modify boot parameters for any boot entry.

See https://www.gnu.org/software/grub/manual/grub/html_node/Invoking-grub_002dmkpasswd_002dpbkdf2.html for more information.
3.5.0
user string No User specifies the username to use for GRUB password protection. 3.2.0

secretRef

SecretRef is the name of the secret containing the password to protect GRUB
Key is the data.key field within the secret containing the password value.
If not specified, the secret will be automatically generated as -grub-password when
Enabled is set to true.

The password value must be a PBKDF2 SHA-512 hashed password generated with grub2-mkpasswd-pbkdf2. The value will
be set as the GRUB superuser password. The user must type in the plain-text password to boot from non-default entries
or modify boot parameters for any boot entry.

See https://www.gnu.org/software/grub/manual/grub/html_node/Invoking-grub_002dmkpasswd_002dpbkdf2.html for more information. See secretRef properties below.

Properties

Property Type Required Description Present since version
key string Yes Key is the entry in the secret's data map that is to be used to retrieve secret data. 3.5.0
name string Yes Name is the name of the secret and must be in the same namespace as the cluster. 3.5.0

ntp

NTP sets the time servers that will be used by nodes in the cluster.
By default, NTP servers are inherited from vCenter. See ntp properties below.

Properties

Property Type Required Description Present since version
servers []string Yes NTP sets the time servers that will be used by nodes in this cluster.
By default, NTP servers are inherited from vCenter.
3.2.0

securityContext

SecurityContext holds security configurations that will be applied to node. See securityContext properties below.

Properties

Property Type Required Description Present since version
appArmor appArmor No AppArmor configures the appArmor profiles of the node.
Supported scopes: cluster, controlPlane, workers
Only supported on Ubuntu and Photon nodes.
3.6.0

appArmor

AppArmor configures the appArmor profiles of the node.
Supported scopes: cluster, controlPlane, workers
Only supported on Ubuntu and Photon nodes. See appArmor properties below.

Properties

Property Type Required Description Present since version
profiles []profiles Yes Profiles is a list of appArmor profiles to be added to the node. 3.6.0

profiles

Properties

Property Type Required Description Present since version
name string Yes Name is the AppArmorProfile object name, and the object should be in the same namespace as this cluster.
The .spec.content value would be automatically loaded from this object.
3.6.0

sshd

SSHD configures the sshd config of the node. See sshd properties below.

Properties

Property Type Required Description Present since version
banner string No Banner specifies the login message used for sending a legal warning message
before authentication
3.3.0

systemProxy

SystemProxy configures parameters that reference a proxy server for outbound cluster connections. See systemProxy properties below.

Properties

Property Type Required Description Present since version
http string Yes HTTP is the proxy server to be used for all http connections. This should be a hostname or dotted numerical
IP address. To specify port number in this string, append :[port] to the end of the host name.
The proxy string may be prefixed with [scheme]:// to specify which kind of proxy is used.
This configures the http_proxy environment variable for profile login and systemd on Linux, and is inherited
by kubelet and containerd. On Windows, the http_proxy environment variable is set for the kubelet and
containerd service. In addition, the WinHTTP proxy server is also set for the http protocol. Note that for WinHTTP,
an https scheme for proxy servers is not supported and will be ignored for WinHTTP configuration. WinHTTP is used by
services such as Windows Update Services.
3.2.0
https string Yes HTTPS configures the proxy server to be used for all https connections. This should be a hostname or dotted numerical
IP address. To specify port number in this string, append :[port] to the end of the host name.
The proxy string may be prefixed with [scheme]:// to specify which kind of proxy is used.
This configures the http_proxy environment variable for profile login and systemd on Linux, and is inherited
by kubelet and containerd. On Windows, the http_proxy environment variable is set for the kubelet and
containerd service. In addition, the WinHTTP proxy server is also set for the http protocol. Note that for WinHTTP,
an https scheme for proxy servers is not supported and will be ignored for WinHTTP configuration. WinHTTP is used by
services such as Windows Update Services. All proxy servers MUST support the CONNECT method to allow pass-through TLS.
Intercepting proxies will cause connectivity issues for websockets, HTTP/2 & HTTP/3.
3.2.0
noProxy []string Yes NoProxy configures the list of hostnames and CIDR ranges that should be reached without the configured proxy servers.
The only wildcard available is a single * character, which matches all hosts, and effectively disables the proxy.
Each name in this list is matched as either a domain which contains the hostname, or the hostname itself.
For example, "ample.com" would match ample.com, ample.com:80, and www.ample.com, but not www.example.com or
ample.com.org.
IP addresses specified to this option can be provided using CIDR notation: an appended slash and number specifies the
number of "network bits" out of the address to use in the comparison. For example "192.168.0.0/16" would match all
addresses starting with "192.168".
Enter IPv6 numerical addresses in the list of hostnames without enclosing brackets.
On Linux, this configures no_proxy environment variables for systemd and the login profile, and is inherited by
containerd and kubelet.
On Windows, this configures the no_proxy environment variable for the containerd and kubelet services. The NoProxy
list is also translated into a system winhttp bypass list. However, note that Windows does not support CIDR
notation for the bypass list, and instead, CIDR ranges are converted 'best-effort' to wildcards, e.g.
"192.168.0.0/16" becomes "192.168.*.*".
3.2.0
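
The matching rules described for noProxy, written out as an added Python example (not VKS code), together with a check for CIDR entries that have no exact WinHTTP wildcard form. The octet-aligned conversion generalizes the page's single "192.168.0.0/16" example and is an assumption; how VKS rounds other prefix lengths is not stated here, so those entries are only flagged for review.

```python
import ipaddress


def split_host(target):
    """Strip an optional :port (and IPv6 brackets) from a host[:port] string."""
    if target.startswith("["):                 # [2001:db8::1]:443
        return target[1:target.index("]")]
    if target.count(":") == 1:                 # host:port or 1.2.3.4:port
        return target.rsplit(":", 1)[0]
    return target                              # bare host or bare IPv6 address


def bypasses_proxy(target, no_proxy):
    """True if target is reached without the proxy under the noProxy rules."""
    host = split_host(target).lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for entry in no_proxy:
        entry = entry.strip().lower()
        if entry == "*":                       # single wildcard: proxy disabled
            return True
        if addr is not None:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass                           # hostname entry cannot match an IP literal
            continue
        name = entry.lstrip(".")
        # Match the hostname itself or any domain that contains it.
        if host == name or host.endswith("." + name):
            return True
    return False


def winhttp_wildcard(entry):
    """Return (pattern, exact) for one noProxy entry on Windows.

    Assumption: only octet-aligned IPv4 CIDRs have an exact wildcard form.
    Entries without a CIDR suffix need no conversion.
    """
    if "/" not in entry:
        return entry, True
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None, False
    if net.version != 4 or net.prefixlen % 8 != 0:
        return None, False                     # no exact wildcard equivalent
    keep = net.prefixlen // 8
    octets = str(net.network_address).split(".")
    return ".".join(octets[:keep] + ["*"] * (4 - keep)), True


def lossy_entries(no_proxy):
    """Entries whose Windows bypass behaviour may differ from the Linux one."""
    return [e for e in no_proxy if not winhttp_wildcard(e)[1]]


# Constructed sample list; the hostname comes from the page's osConfiguration example.
CONSTRUCTED_NO_PROXY = ["no.proxy.test1", "192.168.0.0/16", "10.96.0.0/12"]

if __name__ == "__main__":
    for target in ("www.ample.com", "ample.com.org", "192.168.44.7:6443"):
        print(target, bypasses_proxy(target, ["ample.com", "192.168.0.0/16"]))
    print("review on Windows:", lossy_entries(CONSTRUCTED_NO_PROXY))
```

Entries returned by lossy_entries are the ones to test on a Windows node pool, since a bypass list that is wider or narrower than intended changes which traffic skips the proxy.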

trust

Trust configures system-wide certificate trust for nodes. See trust properties below.

Properties

Property Type Required Description Present since version
additionalTrustedCAs []additionalTrustedCAs Yes AdditionalTrustedCAs is a list of additional CAs to be added to the system trust
store of nodes.
3.2.0

additionalTrustedCAs

CaOnlyConfiguration defines model for caOnlyConfiguration. See additionalTrustedCAs properties below.

Properties

Property Type Required Description Present since version
caCert caCert Yes SecretContent configures a reference to or content of secret data. 3.2.0

caCert

SecretContent configures a reference to or content of secret data. See caCert properties below.

Properties

Property Type Required Description Present since version
content string No Content should only be used where it is ok if the secret data is viewable on the Cluster CR, and allows
direct injection of a secret.
3.2.0
secretRef secretRef No SecretRef is the name of a secret within the namespace that contains secret data to be used. 3.2.0

secretRef

SecretRef is the name of a secret within the namespace that contains secret data to be used. See secretRef properties below.

Properties

Property Type Required Description Present since version
key string Yes Key is the entry in the secret's data map that is to be used to retrieve secret data. 3.2.0
name string Yes Name is the name of the secret and must be in the same namespace as the cluster. 3.2.0

tuned

TuneD injects TuneD profiles and activates the specified profile on Linux nodes.
Only supported on Linux. See tuned properties below.

Properties

Property Type Required Description Present since version
active []string Yes Active is a list of tuned profile names that will be activated on the node. 3.6.0
profiles profiles No Profiles is a map of tuned profiles that will be injected on the node.
Key is the desired tuned profile name; value is the TunedProfile CR reference which contains the profile content.
3.6.0

profiles

Profiles is a map of tuned profiles that will be injected on the node.
Key is the desired tuned profile name; value is the TunedProfile CR reference which contains the profile content. See profiles properties below.

ubuntuPro

UbuntuPro configures the Ubuntu Pro subscription of the node.
Only supported on Ubuntu. See ubuntuPro properties below.

Properties

Property Type Required Description Present since version
tokenSecretRef string Yes TokenSecretRef is the name of the secret containing a valid Ubuntu Pro Subscription token.
The secret must have a key token with the content of a valid token.
3.3.0
services []string No Services specifies the Ubuntu Pro services to be enabled. 3.3.0
settings []settings No Settings specifies the Ubuntu Pro client (ubuntu-advantage-tools) settings to be configured. 3.3.0

settings

UbuntuProSetting configures the setting for Ubuntu Pro client (ubuntu-advantage-tools). See settings properties below.

Properties

Property Type Required Description Present since version
key string Yes 3.3.0
value string Yes 3.3.0

user

User is an administrative user that will be created on all nodes. If not set, this is defaulted to
"vmware-system-user". The administrative user will be added to the "wheel" group on Linux and the "Administrators"
group on Windows. See user properties below.

Properties

Property Type Required Description Present since version
user string Yes Name is the name of the user to be created. By default, this is vmware-system-user. 3.2.0
passwordSecret passwordSecret No Key is the data.key field within the secret containing the password value.
If not specified, the secret will be automatically generated as -ssh-password.
3.2.0
password password No Password configures the password policy such as password max age and renewal settings. 3.4.0
requirePasswordOnSudo boolean No RequirePasswordOnSudo configures whether password re-authentication is required on sudo. 3.5.0
sshAuthorizedKey string No The string of the SSH public key that is to be used for the administrative account.
The public key must use a FIPS-140 approved algorithm.
If not specified, a key will be automatically generated and the private key stored in
the secret -ssh
3.2.0

password

Password configures the password policy such as password max age and renewal settings. See password properties below.

Properties

Property Type Required Description Present since version
renewalDaysBeforeExpiry integer No RenewalDaysBeforeExpiry configures the number of days before expiry at which the password is renewed.
The password will be renewed when its age reaches MaxAgeInDays - RenewalDaysBeforeExpiry.

On Linux, it also manages PASS_WARN_AGE in /etc/login.defs to give a warning
when the password reaches the validity.

Defaults to 7 days if omitted.

Only supported on Linux at present.
3.4.0

passwordSecret

Key is the data.key field within the secret containing the password value.
If not specified, the secret will be automatically generated as -ssh-password. See passwordSecret properties below.

Properties

Property Type Required Description Present since version
key string Yes Key is the data.key field within the secret containing the password value.
For Linux, this must be the hashed value that should be inserted into /etc/shadow.
For Windows, only plain text is supported, and is therefore not recommended and is not configured by default.
3.2.0
name string Yes Name is the name of the secret containing the password for the administrative account. 3.2.0
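
A pre-flight check for the values placed in the GRUB secretRef and in the Linux passwordSecret, as an added Python example (not VKS code), so that a plain-text password is caught before the Secret is created. The function names and the 'grub' / 'linux-user' labels are invented for the example; constructed_grub_hash only builds a sample in the grub2-mkpasswd-pbkdf2 output format with a fixed salt so the check runs offline.

```python
import hashlib
import hmac
import re

# Output format of grub2-mkpasswd-pbkdf2: grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
GRUB_RE = re.compile(r"^grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$")
# Modular crypt format used in /etc/shadow: $id$[params$]salt$hash
SHADOW_RE = re.compile(r"^\$[0-9a-z]{1,2}\$[./A-Za-z0-9=,]+(\$[./A-Za-z0-9]+)+$")


def parse_grub_pbkdf2(value):
    """Split a GRUB PBKDF2 string into (iterations, salt, digest) or raise ValueError."""
    m = GRUB_RE.match(value.strip())
    if not m:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iterations = int(m.group(1))
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    # bytes.fromhex raises ValueError on odd-length hex.
    return iterations, bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))


def verify_grub_password(value, candidate):
    """Confirm the stored hash matches the password recorded for break-glass use."""
    iterations, salt, digest = parse_grub_pbkdf2(value)
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode(), salt,
                                  iterations, dklen=len(digest))
    return hmac.compare_digest(derived, digest)


def preflight(kind, value):
    """Return 'ok: ...' or 'reject: ...' for a value destined for a Secret."""
    if kind == "grub":
        try:
            iterations, salt, _ = parse_grub_pbkdf2(value)
        except ValueError as exc:
            return f"reject: {exc}"
        return f"ok: PBKDF2-SHA512, {iterations} iterations, {len(salt)}-byte salt"
    if kind == "linux-user":
        if SHADOW_RE.match(value.strip()):
            return "ok: crypt-style hash"
        return "reject: value does not look like an /etc/shadow hash"
    raise ValueError(f"unknown kind {kind!r}")


def constructed_grub_hash(password, iterations=10000, salt=bytes(range(64))):
    """Demo only: build a sample value; real values come from grub2-mkpasswd-pbkdf2."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


if __name__ == "__main__":
    sample = constructed_grub_hash("constructed-demo-password")
    print(preflight("grub", sample))
    print(preflight("grub", "constructed-demo-password"))
    print(preflight("linux-user", "constructed-demo-password"))
    print(verify_grub_password(sample, "constructed-demo-password"))
```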

resourceConfiguration

Description: ResourceConfiguration configures kubelet resource options. Currently, only CPU and memory reservations are supported. Supported scopes: cluster, controlPlane, workers

Introduced in version: 3.2.0

Required: No

Example:

systemReserved:
    cpu: 500m
    memory: 100Mi

Properties

Property Type Required Description Present since version
systemReserved systemReserved No SystemReserved defines the system reserved CPU and memory reservations. 3.2.0

systemReserved

SystemReserved defines the system reserved CPU and memory reservations. See systemReserved properties below.

Properties

Property Type Required Description Present since version
automatic boolean No Automatic controls the automatic calculation of system reserved resources. 3.2.0
cpu No CPU describes the number of CPU cores reserved for system processes.

Inputs should be of type https://k8s.io/docs/reference/kubernetes-api/common-definitions/quantity/
For a detailed explanation of CPU resource units in Kubernetes, refer to
https://k8s.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu

Example: The input value of 1 describes 1 virtual CPU core.
3.2.0
memory No Memory describes the memory resources reserved for system processes.

Inputs should be of type https://k8s.io/docs/reference/kubernetes-api/common-definitions/quantity/
For a detailed explanation of memory resource units in Kubernetes, refer to
https://k8s.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory

Example: 4096Mi, 8G
3.2.0

storageClass

Description: StorageClass sets the StorageClass that will be used to create node root volumes.

Introduced in version: 3.2.0

Required: Yes

Example:

storage-class-test

Type: string


vmClass

Description: VMClass sets the VMClass that will be used to create nodes. Supported scopes: cluster, controlPlane, workers

Introduced in version: 3.2.0

Required: Yes

Example:

vm-class.test

Type: string


volumes

Description: Volumes configures additional disks to be attached to node virtual machines. Supported scopes: cluster, controlPlane, workers

Introduced in version: 3.2.0

Required: No

Example:

- capacity: 1T
  mountPath: volume/test1
  name: volume-test1
  storageClass: volume-class-test1

Type: array

Array Items:

Volume defines a model for volumes.

Property Type Required Description
capacity string Yes Capacity defines the storage capacity of the volume.
mountPath string Yes MountPath defines the mount path for the volume.
name string Yes Name defines the name of the volume.
storageClass string No StorageClass defines the Storage class to use for the volume.

vsphereOptions

Description: VSphereOptions configures vSphere specific options related to nodes. Supported scopes: cluster, controlPlane, workers

Introduced in version: 3.2.0

Required: No

Example:

persistentVolumes:
    customizableStorageClassAnnotations:
        - annotation-key-1
        - annotation-key-2
    customizableStorageClassLabels:
        - label-key-1
        - label-key-2

Properties

Property Type Required Description Present since version
persistentVolumes persistentVolumes No PersistentVolumes configures what is available for PVCs to be used in the cluster. 3.2.0

persistentVolumes

PersistentVolumes configures what is available for PVCs to be used in the cluster. See persistentVolumes properties below.

Properties

Property Type Required Description Present since version
availableStorageClasses []string No AvailableStorageClasses lists the storage classes that can be used in the cluster. 3.2.0
availableVolumeSnapshotClasses []string No AvailableVolumeSnapshotClasses lists the volume snapshot classes that can be used in the cluster. 3.2.0
customizableStorageClassAnnotations []string No CustomizableStorageClassAnnotations is a list of annotation keys set on the storage classes within the cluster
which can be customized by the user. Any edits made to the values of these annotations will not be overridden by VKS.
3.4.0
customizableStorageClassLabels []string No CustomizableStorageClassLabels is a list of label keys set on the storage classes within the cluster
which can be customized by the user. Any edits made to the values of these labels will not be overridden by VKS.
3.4.0
defaultStorageClass string No DefaultStorageClass sets the default storage class inside the cluster.
The StorageClass with this name gets a "storageclass.kubernetes.io/is-default-class: true"
label added during storage class sync into the guest cluster.
3.2.0
defaultVolumeSnapshotClass string No DefaultVolumeSnapshotClass sets the default volume snapshot class inside the cluster.
The VolumeSnapshotClass with this name gets a "snapshot.storage.kubernetes.io/is-default-class: true"
label added during volume snapshot class sync into the guest cluster.
3.2.0

TKR_DATA

Description: TKRData is an internal variable used to populate the Kubernetes configuration with the correct OCI images to bootstrap Kubernetes. Do not modify or set this manually without the assistance of VMware Support. Supported scopes: cluster, controlPlane, workers

Introduced in version: 3.2.0

Removed since: 3.5.0

Required: No