# Configuration
This page explains how to think about Sandbox0Infra configuration and includes a generated field reference sourced from the operator CRD.
The goal is to keep the page readable for operators while still exposing the full supported config surface.
## How to Read Sandbox0Infra
A Sandbox0Infra spec is easier to reason about when you split it into five layers:
| Layer | Main fields | What it controls |
|---|---|---|
| Platform release | infra-operator chart / image version | Which sandbox0 component version to deploy |
| Core dependencies | spec.database, spec.juicefsDatabase, spec.storage, spec.registry | PostgreSQL, JuiceFS metadata, object storage, registry integration |
| Topology | spec.services.*, spec.controlPlane, spec.cluster, spec.region | Single-cluster vs multi-cluster shape and service placement |
| Public routing | spec.publicExposure, spec.internalAuth | Public sandbox URLs and inter-service trust |
| Runtime bootstrap | spec.builtinTemplates, spec.initUser | Default templates, warm pools, initial admin bootstrap |
### Recommended Reading Order
- Pick your topology with `spec.services.*`.
- Decide whether database/storage/registry stay `builtin` or move external.
- Configure public exposure and cluster identity.
- Seed templates and initial admin user.
- Only then tune per-service `config` blocks.
spec.initUser is consumed by the gateway runtime, not created by the operator itself.
In local-password mode it bootstraps the first admin credentials; in OIDC-only mode it pre-creates the admin user and initial team so the first OIDC login with the same email lands on the intended admin account.
## Deployment Profiles
| Profile | Typical fields | Use when |
|---|---|---|
| Minimal single-cluster | services.clusterGateway, services.manager | Local eval, API validation, fast first install |
| Full single-cluster | Add storage, registry, services.storageProxy, services.netd | You need persistent volumes, snapshots, or network controls |
| Multi-cluster control plane | services.regionalGateway, services.scheduler | You coordinate multiple data-plane clusters in one region |
| Multi-cluster data plane | controlPlane, cluster, services.clusterGateway, services.manager, optional storageProxy/netd | You attach a cluster to an external control plane |
Official sample manifests:
- single-cluster/minimal.yaml
- single-cluster/fullmode.yaml
- single-cluster/volumes.yaml
- single-cluster/network-policy.yaml
- multi-cluster/control-plane.yaml
- multi-cluster/data-plane.yaml
## What Usually Changes First
### External PostgreSQL
Move spec.database.type from builtin to external when you want managed PostgreSQL durability, backup policy, and operational separation.
```yaml
spec:
  database:
    type: external
    external:
      host: your-db.rds.amazonaws.com
      port: 5432
      database: sandbox0
      username: sandbox0
      passwordSecret:
        name: db-credentials
        key: password
```
### S3 or OSS Backing Storage
If you need persistent volume features in production, configure spec.storage and enable services.storageProxy.
```yaml
spec:
  storage:
    type: s3
    s3:
      bucket: sandbox0-prod
      region: us-east-1
      endpoint: https://s3.amazonaws.com
      credentialsSecret:
        name: aws-credentials
        accessKeyKey: accessKeyId
        secretKeyKey: secretAccessKey
  services:
    storageProxy:
      enabled: true
```
### Public Routing and Region Identity
spec.publicExposure decides the public host pattern used for sandbox URLs. Keep it consistent with your region and DNS plan.
```yaml
spec:
  publicExposure:
    enabled: true
    rootDomain: sandbox0.example.com
    regionId: aws-us-east-1
```
### SSH Gateway
Enable spec.services.sshGateway when you want a region-scoped SSH entrypoint that bridges standard ssh and scp clients into sandbox procd sessions.
The routing model is intentionally simple:
- One `ssh-gateway` per region
- One fixed DNS-only host or TCP proxy address per region, for example `aws-us-east-1.ssh.sandbox0.app`
- SSH username is the target sandbox ID
- User authentication uses SSH public keys uploaded to the gateway API
In Kubernetes terms, spec.services.sshGateway.service.port is the externally exposed Service port and spec.services.sshGateway.config.sshPort is the container listen port. You usually keep the internal port at 2222 and expose 22 or a NodePort externally.
The operator also manages a persistent Ed25519 host key Secret for the service. As long as that Secret is retained, clients continue to see the same SSH host identity across pod restarts.
```yaml
spec:
  services:
    sshGateway:
      enabled: true
      replicas: 1
      service:
        type: LoadBalancer
        port: 22
      config:
        sshPort: 2222
```
For local labs or kind-style environments, a NodePort is often simpler:
```yaml
spec:
  services:
    sshGateway:
      enabled: true
      replicas: 1
      service:
        type: NodePort
        port: 30222
```
After exposing the service through DNS or a load balancer, users can upload SSH public keys with POST /api/v1/users/me/ssh-keys and connect with standard clients. See SSH for the user-facing flow.
### AWS LoadBalancer TLS
When you expose regionalGateway or globalGateway through a cloud load balancer instead of Kubernetes Ingress, declare provider-specific Service annotations under spec.services.<service>.service.annotations. On AWS, this is the supported place to attach ACM certificates and choose the load balancer mode.
Also set spec.services.<service>.config.baseUrl to the final browser-facing URL. That keeps auth callbacks, generated links, and projected status endpoints aligned with the hostname you put behind Cloudflare.
```yaml
spec:
  services:
    regionalGateway:
      enabled: true
      service:
        type: LoadBalancer
        port: 443
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-type: nlb
          service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
          service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <acm-certificate-arn>
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
      config:
        baseUrl: https://your-gateway.example.com
```
### Multi-Cluster Data Plane Registration
Data-plane clusters need control-plane connection details and a stable cluster identity.
```yaml
spec:
  controlPlane:
    url: https://api.sandbox0.example.com
    internalAuthPublicKeySecret:
      name: control-plane-public-key
      key: public.key
  cluster:
    id: cluster-001
    name: production-use1-a
  services:
    clusterGateway:
      enabled: true
      config:
        authMode: internal
    manager:
      enabled: true
```
## Service-Level Config
spec.services.<service>.config is where you tune component-specific behavior after the topology is already correct.
Examples:
- `services.clusterGateway.config.authMode` switches between `public`, `internal`, and `both`
- `services.manager.config.autoscaler.*` tunes pool scale behavior
- `services.storageProxy.config.juicefs*` tunes JuiceFS behavior and cache sizing
- `services.netd.config.*` controls proxy ports, policy enforcement, and node-level networking behavior
Use spec.sandboxNodePlacement for the shared node placement consumed by sandbox template Pods, netd, and ctld. infra-operator owns sandbox0.ai/data-plane-ready and adds it to sandbox Pod placement after the required node-local components are Ready. The older services.netd.nodeSelector and services.netd.tolerations fields remain as compatibility aliases when the shared placement is unset.
Use the generated reference below for exact field names, defaults, enums, and required flags. Use the sample manifests for operator-friendly starting points.
Not every operational rule is expressible in CRD schema. Some defaults are applied at runtime inside services, and some validations are conditional. Examples include service runtime defaults in netd and conditional checks such as storage-proxy encryption requiring a key path.
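
Several cross-field rules stated on this page fall outside what the CRD schema can enforce, so a pre-apply lint can catch them; the following is an added example, not part of the operator or its documentation. It assumes the manifest's `spec` is already parsed into a dict; `lint_spec`, the rule IDs, and both sample specs are constructed for illustration, and the HTTPS requirement on `controlPlane.url` is this example's own policy.

```python
# Added example: pre-apply lint for a Sandbox0Infra `spec` parsed into a dict.
# Rule IDs and sample specs are constructed; field names and defaults come
# from the reference tables on this page.

# PostgreSQL sslmode values that do not guarantee an encrypted connection.
WEAK_SSL_MODES = {"disable", "allow", "prefer"}


def get(obj, path, default=None):
    """Walk a dotted path through nested dicts; return default on any miss."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return default
        obj = obj[part]
    return obj


def lint_spec(spec):
    """Return sorted (rule_id, message) findings for one spec dict."""
    findings = []

    # External database: `external` is optional in the schema, so its required
    # fields only become checkable once type is switched to external.
    if get(spec, "database.type", "builtin") == "external":
        for field in ("host", "database", "username", "passwordSecret.name"):
            if not get(spec, f"database.external.{field}"):
                findings.append(("DB-REQUIRED", f"database.external.{field} is not set"))
        mode = get(spec, "database.external.sslMode", "require")  # documented default
        if mode in WEAK_SSL_MODES:
            findings.append(("DB-TLS", f"database.external.sslMode={mode} does not enforce TLS"))

    # Persistent volume features need spec.storage AND services.storageProxy.
    if get(spec, "storage.type", "builtin") != "builtin":
        if get(spec, "services.storageProxy.enabled") is not True:
            findings.append(("STORAGE-PROXY",
                             "storage.type is not builtin but services.storageProxy is not enabled"))

    # Data-plane profile: control-plane connection plus a stable cluster identity.
    if spec.get("controlPlane") is not None:
        url = get(spec, "controlPlane.url") or ""
        if not url:
            findings.append(("CP-URL", "controlPlane.url is required"))
        elif not url.startswith("https://"):
            # Assumption: requiring HTTPS is this lint's policy, not a CRD rule.
            findings.append(("CP-URL", f"controlPlane.url is not HTTPS: {url}"))
        secret = "controlPlane.internalAuthPublicKeySecret"
        if not get(spec, f"{secret}.name"):
            findings.append(("CP-KEY", f"{secret}.name is not set"))
        elif get(spec, f"{secret}.key") is None:
            # The reference table lists `password` as the default key name.
            findings.append(("CP-KEY-DEFAULT", f"{secret}.key omitted; the default is "
                             "`password`, set it if the Secret uses e.g. public.key"))
        if not get(spec, "cluster.id"):
            findings.append(("CLUSTER-ID", "cluster.id is required for a data-plane cluster"))
        for svc in ("clusterGateway", "manager"):
            if get(spec, f"services.{svc}.enabled") is not True:
                findings.append(("DP-SERVICES", f"services.{svc} is not enabled in the spec"))

    # Gateways behind a cloud load balancer need the browser-facing baseUrl.
    for svc in ("regionalGateway", "globalGateway"):
        if get(spec, f"services.{svc}.service.type") == "LoadBalancer":
            if not get(spec, f"services.{svc}.config.baseUrl"):
                findings.append(("LB-BASEURL", f"services.{svc}.config.baseUrl is not set"))

    return sorted(findings)


# Constructed sample: a data-plane spec with several cross-field mistakes.
SAMPLE_BAD = {
    "database": {"type": "external",
                 "external": {"host": "db.internal.example", "database": "sandbox0",
                              "sslMode": "disable",
                              "passwordSecret": {"name": "db-credentials"}}},
    "storage": {"type": "s3"},
    "controlPlane": {"url": "https://api.sandbox0.example.com",
                     "internalAuthPublicKeySecret": {"name": "control-plane-public-key"}},
    "cluster": {"name": "production-use1-a"},
    "services": {"clusterGateway": {"enabled": True},
                 "regionalGateway": {"service": {"type": "LoadBalancer"}}},
}

# Constructed sample mirroring the data-plane registration manifest above.
SAMPLE_GOOD = {
    "controlPlane": {"url": "https://api.sandbox0.example.com",
                     "internalAuthPublicKeySecret": {"name": "control-plane-public-key",
                                                     "key": "public.key"}},
    "cluster": {"id": "cluster-001", "name": "production-use1-a"},
    "services": {"clusterGateway": {"enabled": True, "config": {"authMode": "internal"}},
                 "manager": {"enabled": True}},
}

if __name__ == "__main__":
    for rule, msg in lint_spec(SAMPLE_BAD):
        print(f"{rule}: {msg}")
```
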
## Full Reference
The reference below is generated from the Sandbox0Infra CRD schema produced by controller-gen, not manually maintained MDX.
This reference is generated from the `Sandbox0Infra` CRD schema. It stays aligned with defaults, enums, and required fields exposed by the operator, while deployment guidance on this page remains curated.
### Database
`spec.database` (21 fields): Database configures the main database for sandbox0
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.database | object | No | - | Database configures the main database for sandbox0 |
spec.database.builtin | object | No | - | Builtin configures the built-in single-node PostgreSQL |
spec.database.builtin.database | string | No | sandbox0 | Database specifies the database name |
spec.database.builtin.enabled | boolean | No | true | Enabled enables the built-in database |
spec.database.builtin.image | string | No | postgres:16-alpine | Image specifies the postgres image for the builtin database |
spec.database.builtin.persistence | object | No | - | Persistence configures database storage |
spec.database.builtin.persistence.size | integer|string | No | 20Gi | Size specifies the storage size |
spec.database.builtin.persistence.storageClass | string | No | - | StorageClass specifies the storage class (empty for default) |
spec.database.builtin.port | integer | No | 5432 | Port specifies the database port |
spec.database.builtin.sslMode | string | No | disable | SSLMode specifies the SSL mode for builtin DSN |
spec.database.builtin.statefulResourcePolicy | string | No | Retain | StatefulResourcePolicy controls what happens to the builtin PVC and generated credentials secret when the builtin database is disabled or replaced by an external database. Allowed values: Retain, Delete. |
spec.database.builtin.username | string | No | sandbox0 | Username specifies the database username |
spec.database.external | object | No | - | External configures connection to external database |
spec.database.external.database | string | Yes | - | Database specifies the database name |
spec.database.external.host | string | Yes | - | Host specifies the database host |
spec.database.external.passwordSecret | object | Yes | - | PasswordSecret references the secret containing the password |
spec.database.external.passwordSecret.key | string | No | password | Key is the key in the secret |
spec.database.external.passwordSecret.name | string | No | - | Name is the name of the secret |
spec.database.external.port | integer | No | 5432 | Port specifies the database port |
spec.database.external.sslMode | string | No | require | SSLMode specifies the SSL mode for connection |
spec.database.external.username | string | Yes | - | Username specifies the database username |
spec.database.type | string | No | builtin | Type specifies the postgres database type: builtin or external. Allowed values: builtin, external. |
### JuiceFS Metadata Database
`spec.juicefsDatabase` (10 fields): JuicefsDatabase configures the JuiceFS metadata database
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.juicefsDatabase | object | No | - | JuicefsDatabase configures the JuiceFS metadata database |
spec.juicefsDatabase.external | object | No | - | External configures an independent database for JuiceFS |
spec.juicefsDatabase.external.database | string | Yes | - | Database specifies the database name |
spec.juicefsDatabase.external.host | string | Yes | - | Host specifies the database host |
spec.juicefsDatabase.external.passwordSecret | object | Yes | - | PasswordSecret references the secret containing the password |
spec.juicefsDatabase.external.passwordSecret.key | string | No | password | Key is the key in the secret |
spec.juicefsDatabase.external.passwordSecret.name | string | No | - | Name is the name of the secret |
spec.juicefsDatabase.external.port | integer | No | 5432 | Port specifies the database port |
spec.juicefsDatabase.external.sslMode | string | No | require | SSLMode specifies the SSL mode for connection |
spec.juicefsDatabase.external.username | string | Yes | - | Username specifies the database username |
spec.juicefsDatabase.shareWithMain | boolean | No | true | ShareWithMain uses the main database for JuiceFS metadata |
### Storage
`spec.storage` (39 fields): Storage configures the storage backend (JuiceFS S3 backend)
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.storage | object | No | - | Storage configures the storage backend (JuiceFS S3 backend) |
spec.storage.builtin | object | No | - | Builtin configures the built-in RustFS storage |
spec.storage.builtin.bucket | string | No | sandbox0 | Bucket specifies the default bucket name for builtin storage |
spec.storage.builtin.consoleEnabled | boolean | No | true | ConsoleEnabled enables the RustFS console |
spec.storage.builtin.consolePort | integer | No | 9001 | ConsolePort specifies the RustFS console port |
spec.storage.builtin.credentials | object | No | - | Credentials configures access credentials (auto-generated if not specified) |
spec.storage.builtin.credentials.accessKey | string | No | - | AccessKey is the access key |
spec.storage.builtin.credentials.secretKey | string | No | - | SecretKey is the secret key |
spec.storage.builtin.enabled | boolean | No | true | Enabled enables the built-in storage |
spec.storage.builtin.image | string | No | rustfs/rustfs:1.0.0-alpha.79 | Image specifies the RustFS image for builtin storage |
spec.storage.builtin.obsEnvironment | string | No | develop | ObsEnvironment specifies the RustFS environment label |
spec.storage.builtin.obsLogDirectory | string | No | /data/logs | ObsLogDirectory specifies the RustFS log directory |
spec.storage.builtin.obsLoggerLevel | string | No | debug | ObsLoggerLevel specifies the RustFS log level |
spec.storage.builtin.persistence | object | No | - | Persistence configures storage persistence |
spec.storage.builtin.persistence.size | integer|string | No | 20Gi | Size specifies the storage size |
spec.storage.builtin.persistence.storageClass | string | No | - | StorageClass specifies the storage class (empty for default) |
spec.storage.builtin.port | integer | No | 9000 | Port specifies the RustFS API port |
spec.storage.builtin.region | string | No | us-east-1 | Region specifies the default region for builtin storage |
spec.storage.builtin.statefulResourcePolicy | string | No | Retain | StatefulResourcePolicy controls what happens to the builtin PVC and generated credentials secret when the builtin storage is disabled or replaced by an external storage backend. Allowed values: Retain, Delete. |
spec.storage.builtin.volumes | string | No | /data | Volumes specifies the RustFS data path |
spec.storage.gcs | object | No | - | GCS configures Google Cloud Storage using native GCS credentials. |
spec.storage.gcs.bucket | string | Yes | - | Bucket specifies the GCS bucket name. |
spec.storage.oss | object | No | - | OSS configures Aliyun OSS storage |
spec.storage.oss.bucket | string | Yes | - | Bucket specifies the OSS bucket name |
spec.storage.oss.credentialsSecret | object | Yes | - | CredentialsSecret references the secret containing Aliyun credentials |
spec.storage.oss.credentialsSecret.accessKeyKey | string | No | accessKeyId | AccessKeyKey is the key for access key ID |
spec.storage.oss.credentialsSecret.name | string | Yes | - | Name is the name of the secret |
spec.storage.oss.credentialsSecret.secretKeyKey | string | No | accessKeySecret | SecretKeyKey is the key for access key secret |
spec.storage.oss.endpoint | string | Yes | - | Endpoint specifies the OSS endpoint |
spec.storage.oss.region | string | Yes | - | Region specifies the Aliyun region |
spec.storage.s3 | object | No | - | S3 configures S3 or S3-compatible storage |
spec.storage.s3.bucket | string | Yes | - | Bucket specifies the S3 bucket name |
spec.storage.s3.credentialsSecret | object | Yes | - | CredentialsSecret references the secret containing AWS credentials |
spec.storage.s3.credentialsSecret.accessKeyKey | string | No | accessKeyId | AccessKeyKey is the key for access key ID |
spec.storage.s3.credentialsSecret.name | string | Yes | - | Name is the name of the secret |
spec.storage.s3.credentialsSecret.secretKeyKey | string | No | secretAccessKey | SecretKeyKey is the key for secret access key |
spec.storage.s3.endpoint | string | No | - | Endpoint specifies the S3 endpoint (optional for AWS) |
spec.storage.s3.region | string | Yes | - | Region specifies the AWS region |
spec.storage.s3.sessionTokenKey | string | No | - | SessionTokenKey is the key for session token in the secret (optional) |
spec.storage.type | string | No | builtin | Type specifies the storage type: builtin, s3, oss, or gcs. Allowed values: builtin, s3, oss, gcs. |
### Registry
`spec.registry` (84 fields): Registry configures the container registry
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.registry | object | No | - | Registry configures the container registry |
spec.registry.aliyun | object | No | - | Aliyun configures Aliyun registry integration. |
spec.registry.aliyun.credentialsSecret | object | Yes | - | CredentialsSecret references Aliyun credentials for short-lived tokens. |
spec.registry.aliyun.credentialsSecret.accessKeyKey | string | No | accessKeyId | AccessKeyKey is the key for access key ID. |
spec.registry.aliyun.credentialsSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.aliyun.credentialsSecret.secretKeyKey | string | No | accessKeySecret | SecretKeyKey is the key for secret access key. |
spec.registry.aliyun.instanceId | string | Yes | - | InstanceID specifies the ACR instance ID. |
spec.registry.aliyun.pullSecret | object | Yes | - | PullSecret references the dockerconfigjson secret to use for image pulls. |
spec.registry.aliyun.pullSecret.key | string | No | .dockerconfigjson | Key is the key in the secret. |
spec.registry.aliyun.pullSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.aliyun.region | string | Yes | - | Region specifies the Aliyun region. |
spec.registry.aliyun.registry | string | Yes | - | Registry specifies the registry hostname. |
spec.registry.aws | object | No | - | AWS configures AWS registry integration. |
spec.registry.aws.assumeRoleArn | string | No | - | AssumeRoleARN optionally scopes registry pushes through an assumed IAM role. |
spec.registry.aws.credentialsSecret | object | Yes | - | CredentialsSecret references AWS credentials for short-lived tokens. |
spec.registry.aws.credentialsSecret.accessKeyKey | string | No | accessKeyId | AccessKeyKey is the key for access key ID. |
spec.registry.aws.credentialsSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.aws.credentialsSecret.secretKeyKey | string | No | secretAccessKey | SecretKeyKey is the key for secret access key. |
spec.registry.aws.credentialsSecret.sessionTokenKey | string | No | - | SessionTokenKey is the key for session token (optional). |
spec.registry.aws.externalId | string | No | - | ExternalID is passed to STS AssumeRole when assumeRoleArn is configured. |
spec.registry.aws.pullSecret | object | Yes | - | PullSecret references the dockerconfigjson secret to use for image pulls. |
spec.registry.aws.pullSecret.key | string | No | .dockerconfigjson | Key is the key in the secret. |
spec.registry.aws.pullSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.aws.region | string | Yes | - | Region specifies the AWS region. |
spec.registry.aws.registry | string | No | - | Registry specifies the registry hostname. |
spec.registry.aws.registryId | string | No | - | RegistryID specifies the AWS account ID (optional). |
spec.registry.azure | object | No | - | Azure configures Azure registry integration. |
spec.registry.azure.credentialsSecret | object | Yes | - | CredentialsSecret references the client credentials for ACR. |
spec.registry.azure.credentialsSecret.clientIdKey | string | No | clientId | ClientIDKey is the key for client ID. |
spec.registry.azure.credentialsSecret.clientSecretKey | string | No | clientSecret | ClientSecretKey is the key for client secret. |
spec.registry.azure.credentialsSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.azure.credentialsSecret.tenantIdKey | string | No | tenantId | TenantIDKey is the key for tenant ID. |
spec.registry.azure.pullSecret | object | Yes | - | PullSecret references the dockerconfigjson secret to use for image pulls. |
spec.registry.azure.pullSecret.key | string | No | .dockerconfigjson | Key is the key in the secret. |
spec.registry.azure.pullSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.azure.registry | string | Yes | - | Registry specifies the registry hostname. |
spec.registry.builtin | object | No | - | Builtin configures the built-in registry. |
spec.registry.builtin.credentialsSecret | object | No | - | CredentialsSecret references the secret containing registry credentials. If omitted, the operator will generate a secret named "<infra-name>-registry-credentials". |
spec.registry.builtin.credentialsSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.builtin.credentialsSecret.passwordKey | string | No | password | PasswordKey is the key for password. |
spec.registry.builtin.credentialsSecret.usernameKey | string | No | username | UsernameKey is the key for username. |
spec.registry.builtin.enabled | boolean | No | true | Enabled enables the built-in registry. |
spec.registry.builtin.image | string | No | registry:2.8.3 | Image specifies the registry image. |
spec.registry.builtin.ingress | object | No | - | Ingress configures ingress settings for external registry access. |
spec.registry.builtin.ingress.annotations | object | No | - | Annotations specifies provider-specific ingress annotations. |
spec.registry.builtin.ingress.className | string | No | - | ClassName specifies the ingress class name |
spec.registry.builtin.ingress.enabled | boolean | No | false | Enabled enables ingress |
spec.registry.builtin.ingress.extraHosts | array<string> | No | - | ExtraHosts specifies additional ingress hosts routed to the same backend. |
spec.registry.builtin.ingress.extraHosts[] | string | No | - | - |
spec.registry.builtin.ingress.host | string | No | - | Host specifies the ingress host |
spec.registry.builtin.ingress.tls | array<object> | No | - | TLS specifies host groups and their backing TLS secrets. When set, TLS takes precedence over TLSSecret. |
spec.registry.builtin.ingress.tls[] | object | No | - | IngressTLSConfig defines one TLS certificate binding for ingress hosts. |
spec.registry.builtin.ingress.tls[].hosts | array<string> | No | - | Hosts specifies the hosts covered by this TLS secret. |
spec.registry.builtin.ingress.tls[].hosts[] | string | No | - | - |
spec.registry.builtin.ingress.tls[].secretName | string | No | - | SecretName specifies the Kubernetes TLS secret name. |
spec.registry.builtin.ingress.tlsSecret | string | No | - | TLSSecret specifies the TLS secret name |
spec.registry.builtin.persistence | object | No | - | Persistence configures registry persistence. |
spec.registry.builtin.persistence.size | integer|string | No | 20Gi | Size specifies the storage size |
spec.registry.builtin.persistence.storageClass | string | No | - | StorageClass specifies the storage class (empty for default) |
spec.registry.builtin.port | integer | No | 5000 | Port specifies the registry port. |
spec.registry.builtin.pushEndpoint | string | No | - | PushEndpoint overrides the external registry endpoint used for image push credentials. Use host[:port] format, without scheme. |
spec.registry.builtin.service | object | No | - | Service configures the registry service exposure. |
spec.registry.builtin.service.annotations | object | No | - | Annotations declares Service metadata annotations. Use this for cloud-provider specific load balancer configuration such as ACM certificate attachment on AWS. |
spec.registry.builtin.service.port | integer | No | 80 | Port specifies the service port |
spec.registry.builtin.service.type | string | No | ClusterIP | Type specifies the service type |
spec.registry.builtin.statefulResourcePolicy | string | No | Retain | StatefulResourcePolicy controls what happens to the builtin registry PVC when the builtin registry is disabled or replaced by an external registry provider. Allowed values: Retain, Delete. |
spec.registry.gcp | object | No | - | GCP configures GCP registry integration. |
spec.registry.gcp.pullSecret | object | No | - | PullSecret references the dockerconfigjson secret to use for image pulls. Omit this on GKE when nodes or workload identity can already pull from Artifact Registry without a namespace-local imagePullSecret. |
spec.registry.gcp.pullSecret.key | string | No | .dockerconfigjson | Key is the key in the secret. |
spec.registry.gcp.pullSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.gcp.registry | string | Yes | - | Registry specifies the registry hostname. |
spec.registry.gcp.serviceAccountSecret | object | No | - | ServiceAccountSecret references the service account JSON key. Omit this to use application default credentials inside manager. |
spec.registry.gcp.serviceAccountSecret.key | string | No | serviceAccount.json | Key is the key in the secret. |
spec.registry.gcp.serviceAccountSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.harbor | object | No | - | Harbor configures Harbor registry integration. |
spec.registry.harbor.credentialsSecret | object | Yes | - | CredentialsSecret references Harbor credentials for push authentication. |
spec.registry.harbor.credentialsSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.harbor.credentialsSecret.passwordKey | string | No | password | PasswordKey is the key for password. |
spec.registry.harbor.credentialsSecret.usernameKey | string | No | username | UsernameKey is the key for username. |
spec.registry.harbor.pullSecret | object | Yes | - | PullSecret references the dockerconfigjson secret to use for image pulls. |
spec.registry.harbor.pullSecret.key | string | No | .dockerconfigjson | Key is the key in the secret. |
spec.registry.harbor.pullSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.harbor.registry | string | Yes | - | Registry specifies the registry hostname. |
spec.registry.imagePullSecretName | string | No | sandbox0-registry-pull | ImagePullSecretName is the secret name to create in template namespaces. |
spec.registry.provider | string | No | builtin | Provider specifies the registry provider: builtin, aws, gcp, azure, aliyun, or harbor. |
### Control Plane
`spec.controlPlane` (4 fields): ControlPlane configures external control plane connection.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.controlPlane | object | No | - | ControlPlane configures external control plane connection. |
spec.controlPlane.internalAuthPublicKeySecret | object | Yes | - | InternalAuthPublicKeySecret references the secret containing control plane's public key |
spec.controlPlane.internalAuthPublicKeySecret.key | string | No | password | Key is the key in the secret |
spec.controlPlane.internalAuthPublicKeySecret.name | string | No | - | Name is the name of the secret |
spec.controlPlane.url | string | Yes | - | URL is the control plane regional-gateway URL |
### Internal Auth
`spec.internalAuth` (12 fields): InternalAuth configures internal authentication keys
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.internalAuth | object | No | - | InternalAuth configures internal authentication keys |
spec.internalAuth.controlPlane | object | No | - | ControlPlane configures control plane key pair |
spec.internalAuth.controlPlane.generate | boolean | No | true | Generate enables automatic key generation |
spec.internalAuth.controlPlane.secretRef | object | No | - | SecretRef references an existing secret containing the key pair |
spec.internalAuth.controlPlane.secretRef.name | string | Yes | - | Name is the name of the secret |
spec.internalAuth.controlPlane.secretRef.privateKeyKey | string | No | private.key | PrivateKeyKey is the key for private key |
spec.internalAuth.controlPlane.secretRef.publicKeyKey | string | No | public.key | PublicKeyKey is the key for public key |
spec.internalAuth.dataPlane | object | No | - | DataPlane configures data plane key pair |
spec.internalAuth.dataPlane.generate | boolean | No | true | Generate enables automatic key generation |
spec.internalAuth.dataPlane.secretRef | object | No | - | SecretRef references an existing secret containing the key pair |
spec.internalAuth.dataPlane.secretRef.name | string | Yes | - | Name is the name of the secret |
spec.internalAuth.dataPlane.secretRef.privateKeyKey | string | No | private.key | PrivateKeyKey is the key for private key |
spec.internalAuth.dataPlane.secretRef.publicKeyKey | string | No | public.key | PublicKeyKey is the key for public key |
### Public Exposure
`spec.publicExposure` (3 fields): PublicExposure configures public URL exposure for sandboxes
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.publicExposure | object | No | - | PublicExposure configures public URL exposure for sandboxes |
spec.publicExposure.enabled | boolean | No | true | Enabled enables public exposure routing |
spec.publicExposure.regionId | string | No | aws-us-east-1 | RegionID is the DNS-safe region label used in public URLs. It is not the canonical multi-region tenancy identifier. |
spec.publicExposure.rootDomain | string | No | sandbox0.app | RootDomain is the root domain for public exposure URLs |
### Cluster
`spec.cluster` (10 fields): Cluster configures cluster identification and capacity
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.cluster | object | No | - | Cluster configures cluster identification and capacity |
spec.cluster.capacity | object | No | - | Capacity specifies cluster resource capacity |
spec.cluster.capacity.cpu | object | No | - | CPU specifies CPU capacity |
spec.cluster.capacity.cpu.available | string | No | - | Available is the available capacity |
spec.cluster.capacity.cpu.total | string | No | - | Total is the total capacity |
spec.cluster.capacity.maxSandboxes | integer | No | - | MaxSandboxes is the maximum number of sandboxes |
spec.cluster.capacity.memory | object | No | - | Memory specifies memory capacity |
spec.cluster.capacity.memory.available | string | No | - | Available is the available capacity |
spec.cluster.capacity.memory.total | string | No | - | Total is the total capacity |
spec.cluster.id | string | Yes | - | ID is the unique Sandbox0 data-plane cluster identifier used in routing and sandbox names. It is separate from the provider cluster name and must stay short enough for sandbox name encoding. |
spec.cluster.name | string | No | - | Name is the human-readable cluster name |
### Initial Admin User
`spec.initUser` (6 fields): InitUser configures the initial admin user
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.initUser | object | No | - | InitUser configures the initial admin user |
spec.initUser.email | string | No | - | Email is the admin user's email |
spec.initUser.homeRegionId | string | No | - | HomeRegionID is required for global-gateway init users so the bootstrap team is routable. |
spec.initUser.name | string | No | - | Name is the admin user's display name |
spec.initUser.passwordSecret | object | No | - | PasswordSecret references the secret containing the password |
spec.initUser.passwordSecret.key | string | No | password | Key is the key in the secret |
spec.initUser.passwordSecret.name | string | No | - | Name is the name of the secret |
### Builtin Templates
`spec.builtinTemplates` (8 fields): BuiltinTemplates defines system builtin templates to seed the template store
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.builtinTemplates | array<object> | No | [] | BuiltinTemplates defines system builtin templates to seed the template store |
spec.builtinTemplates[] | object | No | - | BuiltinTemplateConfig defines a system builtin template. |
spec.builtinTemplates[].description | string | No | - | - |
spec.builtinTemplates[].displayName | string | No | - | - |
spec.builtinTemplates[].image | string | No | - | - |
spec.builtinTemplates[].pool | object | No | - | BuiltinTemplatePoolConfig holds pool defaults for builtin templates. |
spec.builtinTemplates[].pool.maxIdle | integer | No | 5 | - |
spec.builtinTemplates[].pool.minIdle | integer | No | 1 | - |
spec.builtinTemplates[].templateId | string | Yes | - | - |
Sandbox Node Placement
spec.sandboxNodePlacement (8 fields)
SandboxNodePlacement configures the shared node placement used by sandbox workloads and node-local sandbox services.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.sandboxNodePlacement | object | No | - | SandboxNodePlacement configures the shared node placement used by sandbox workloads and node-local sandbox services. |
spec.sandboxNodePlacement.nodeSelector | object | No | - | NodeSelector constrains sandbox workloads and node-local sandbox services onto a specific node set. |
spec.sandboxNodePlacement.tolerations | array<object> | No | - | Tolerations allow sandbox workloads and node-local sandbox services to run on tainted sandbox nodes. |
spec.sandboxNodePlacement.tolerations[] | object | No | - | The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. |
spec.sandboxNodePlacement.tolerations[].effect | string | No | - | Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. |
spec.sandboxNodePlacement.tolerations[].key | string | No | - | Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. |
spec.sandboxNodePlacement.tolerations[].operator | string | No | - | Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). |
spec.sandboxNodePlacement.tolerations[].tolerationSeconds | integer | No | - | TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. |
spec.sandboxNodePlacement.tolerations[].value | string | No | - | Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. |
Service: regionalGateway
spec.services.regionalGateway (79 fields)
RegionalGateway configures the regional-gateway service (control plane)
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.regionalGateway | object | No | - | RegionalGateway configures the regional-gateway service (control plane) |
spec.services.regionalGateway.config | object | No | - | Config contains regional-gateway specific configuration |
spec.services.regionalGateway.config.authMode | string | No | self_hosted | Allowed values: self_hosted, federated_global. |
spec.services.regionalGateway.config.baseUrl | string | No | http://localhost:8080 | BaseURL sets the external base URL used by browser-facing auth flows. |
spec.services.regionalGateway.config.builtInAuth | object | No | - | BuiltInAuth configures local email/password authentication. |
spec.services.regionalGateway.config.builtInAuth.adminOnly | boolean | No | - | AdminOnly restricts built-in auth to admin accounts only. |
spec.services.regionalGateway.config.builtInAuth.allowRegistration | boolean | No | - | AllowRegistration allows new users to register. |
spec.services.regionalGateway.config.builtInAuth.emailVerificationRequired | boolean | No | - | EmailVerificationRequired requires email verification. |
spec.services.regionalGateway.config.builtInAuth.enabled | boolean | No | true | Enabled enables built-in email/password authentication. |
spec.services.regionalGateway.config.clusterCacheTtl | string | No | 30s | - |
spec.services.regionalGateway.config.databaseMaxConns | integer | No | 30 | - |
spec.services.regionalGateway.config.databaseMinConns | integer | No | 8 | - |
spec.services.regionalGateway.config.defaultTeamName | string | No | Personal Team | Identity and Teams |
spec.services.regionalGateway.config.edition | string | No | self-hosted | - |
spec.services.regionalGateway.config.httpPort | integer | No | 8080 | - |
spec.services.regionalGateway.config.internalAuthCaller | string | No | regional-gateway | - |
spec.services.regionalGateway.config.internalAuthTtl | string | No | 30s | - |
spec.services.regionalGateway.config.jwtAccessTokenTTL | string | No | 15m | - |
spec.services.regionalGateway.config.jwtIssuer | string | No | - | JWTIssuer sets the JWT issuer for gateway-issued tokens. |
spec.services.regionalGateway.config.jwtPrivateKeyFile | string | No | - | JWTPrivateKeyFile points at a PEM-encoded Ed25519 private key file used to sign user-facing JWTs. |
spec.services.regionalGateway.config.jwtPrivateKeyPEM | string | No | - | JWTPrivateKeyPEM sets the PEM-encoded Ed25519 private key used to sign user-facing JWTs. |
spec.services.regionalGateway.config.jwtPublicKeyFile | string | No | - | JWTPublicKeyFile points at a PEM-encoded Ed25519 public key file used to verify user-facing JWTs. |
spec.services.regionalGateway.config.jwtPublicKeyPEM | string | No | - | JWTPublicKeyPEM sets the PEM-encoded Ed25519 public key used to verify user-facing JWTs. |
spec.services.regionalGateway.config.jwtRefreshTokenTTL | string | No | 168h | - |
spec.services.regionalGateway.config.logLevel | string | No | info | - |
spec.services.regionalGateway.config.oidcProviders | array<object> | No | - | OIDCProviders configures external identity providers. |
spec.services.regionalGateway.config.oidcProviders[] | object | No | - | OIDCProviderConfig configures an OIDC identity provider. |
spec.services.regionalGateway.config.oidcProviders[].autoProvision | boolean | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].clientId | string | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].clientSecret | string | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].discoveryUrl | string | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].enabled | boolean | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].externalAuthPortalUrl | string | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].id | string | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].name | string | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].scopes | array<string> | No | [openid, email, profile] | - |
spec.services.regionalGateway.config.oidcProviders[].scopes[] | string | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].teamMapping | object | No | - | TeamMappingConfig configures automatic team mapping for OIDC users. |
spec.services.regionalGateway.config.oidcProviders[].teamMapping.defaultRole | string | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].teamMapping.defaultTeamId | string | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].teamMapping.domain | string | No | - | - |
spec.services.regionalGateway.config.oidcProviders[].tokenEndpointAuthMethod | string | No | - | - |
spec.services.regionalGateway.config.oidcStateCleanupInterval | string | No | 5m | - |
spec.services.regionalGateway.config.oidcStateTtl | string | No | 10m | - |
spec.services.regionalGateway.config.proxyTimeout | string | No | 10s | - |
spec.services.regionalGateway.config.rateLimitBurst | integer | No | 200 | - |
spec.services.regionalGateway.config.rateLimitCleanupInterval | string | No | 10m | - |
spec.services.regionalGateway.config.rateLimitRps | integer | No | 100 | Rate limiting |
spec.services.regionalGateway.config.schedulerEnabled | boolean | No | - | - |
spec.services.regionalGateway.config.schedulerUrl | string | No | - | - |
spec.services.regionalGateway.config.serverIdleTimeout | string | No | 120s | - |
spec.services.regionalGateway.config.serverReadTimeout | string | No | 30s | - |
spec.services.regionalGateway.config.serverWriteTimeout | string | No | 60s | - |
spec.services.regionalGateway.config.shutdownTimeout | string | No | 30s | - |
spec.services.regionalGateway.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.regionalGateway.ingress | object | No | - | Ingress configures ingress settings |
spec.services.regionalGateway.ingress.annotations | object | No | - | Annotations specifies provider-specific ingress annotations. |
spec.services.regionalGateway.ingress.className | string | No | - | ClassName specifies the ingress class name |
spec.services.regionalGateway.ingress.enabled | boolean | No | false | Enabled enables ingress |
spec.services.regionalGateway.ingress.extraHosts | array<string> | No | - | ExtraHosts specifies additional ingress hosts routed to the same backend. |
spec.services.regionalGateway.ingress.extraHosts[] | string | No | - | - |
spec.services.regionalGateway.ingress.host | string | No | - | Host specifies the ingress host |
spec.services.regionalGateway.ingress.tls | array<object> | No | - | TLS specifies host groups and their backing TLS secrets. When set, TLS takes precedence over TLSSecret. |
spec.services.regionalGateway.ingress.tls[] | object | No | - | IngressTLSConfig defines one TLS certificate binding for ingress hosts. |
spec.services.regionalGateway.ingress.tls[].hosts | array<string> | No | - | Hosts specifies the hosts covered by this TLS secret. |
spec.services.regionalGateway.ingress.tls[].hosts[] | string | No | - | - |
spec.services.regionalGateway.ingress.tls[].secretName | string | No | - | SecretName specifies the Kubernetes TLS secret name. |
spec.services.regionalGateway.ingress.tlsSecret | string | No | - | TLSSecret specifies the TLS secret name |
spec.services.regionalGateway.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.regionalGateway.resources | object | No | - | Resources specifies resource requirements |
spec.services.regionalGateway.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.regionalGateway.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.regionalGateway.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.regionalGateway.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.regionalGateway.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.regionalGateway.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.regionalGateway.service | object | No | - | Service configures the Kubernetes service |
spec.services.regionalGateway.service.annotations | object | No | - | Annotations declares Service metadata annotations. Use this for cloud-provider specific load balancer configuration such as ACM certificate attachment on AWS. |
spec.services.regionalGateway.service.port | integer | No | 80 | Port specifies the service port |
spec.services.regionalGateway.service.type | string | No | ClusterIP | Type specifies the service type |
Service: scheduler
spec.services.scheduler (28 fields)
Scheduler configures the scheduler service (control plane)
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.scheduler | object | No | - | Scheduler configures the scheduler service (control plane) |
spec.services.scheduler.config | object | No | - | Config contains scheduler specific configuration |
spec.services.scheduler.config.databasePool | object | No | - | DatabasePoolConfig defines scheduler database pool settings. |
spec.services.scheduler.config.databasePool.maxConnIdleTime | string | No | 5m | - |
spec.services.scheduler.config.databasePool.maxConnLifetime | string | No | 30m | - |
spec.services.scheduler.config.databasePool.maxConns | integer | No | 10 | - |
spec.services.scheduler.config.databasePool.minConns | integer | No | 2 | - |
spec.services.scheduler.config.httpPort | integer | No | 8080 | - |
spec.services.scheduler.config.idleTimeout | string | No | 120s | - |
spec.services.scheduler.config.logLevel | string | No | info | - |
spec.services.scheduler.config.podsPerNode | integer | No | 50 | - |
spec.services.scheduler.config.proxyTimeout | string | No | 10s | - |
spec.services.scheduler.config.readTimeout | string | No | 30s | - |
spec.services.scheduler.config.reconcileInterval | string | No | 30s | - |
spec.services.scheduler.config.shutdownTimeout | string | No | 30s | - |
spec.services.scheduler.config.writeTimeout | string | No | 60s | - |
spec.services.scheduler.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.scheduler.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.scheduler.resources | object | No | - | Resources specifies resource requirements |
spec.services.scheduler.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.scheduler.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.scheduler.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.scheduler.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.scheduler.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.scheduler.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.scheduler.service | object | No | - | Service configures the Kubernetes service |
spec.services.scheduler.service.annotations | object | No | - | Annotations declares Service metadata annotations. Use this for cloud-provider specific load balancer configuration such as ACM certificate attachment on AWS. |
spec.services.scheduler.service.port | integer | No | 80 | Port specifies the service port |
spec.services.scheduler.service.type | string | No | ClusterIP | Type specifies the service type |
Service: clusterGateway
spec.services.clusterGateway (64 fields)
ClusterGateway configures the cluster-gateway service (data plane)
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.clusterGateway | object | No | - | ClusterGateway configures the cluster-gateway service (data plane) |
spec.services.clusterGateway.config | object | No | - | Config contains cluster-gateway specific configuration |
spec.services.clusterGateway.config.allowedCallers | array<string> | No | [regional-gateway, scheduler] | - |
spec.services.clusterGateway.config.allowedCallers[] | string | No | - | - |
spec.services.clusterGateway.config.authMode | string | No | internal | Allowed values: internal, public, both. |
spec.services.clusterGateway.config.baseUrl | string | No | http://localhost:8080 | BaseURL sets the external base URL used by browser-facing auth flows. |
spec.services.clusterGateway.config.builtInAuth | object | No | - | BuiltInAuth configures local email/password authentication. |
spec.services.clusterGateway.config.builtInAuth.adminOnly | boolean | No | - | AdminOnly restricts built-in auth to admin accounts only. |
spec.services.clusterGateway.config.builtInAuth.allowRegistration | boolean | No | - | AllowRegistration allows new users to register. |
spec.services.clusterGateway.config.builtInAuth.emailVerificationRequired | boolean | No | - | EmailVerificationRequired requires email verification. |
spec.services.clusterGateway.config.builtInAuth.enabled | boolean | No | true | Enabled enables built-in email/password authentication. |
spec.services.clusterGateway.config.databaseMaxConns | integer | No | 30 | - |
spec.services.clusterGateway.config.databaseMinConns | integer | No | 8 | - |
spec.services.clusterGateway.config.defaultTeamName | string | No | Personal Team | Identity and Teams |
spec.services.clusterGateway.config.healthCheckPeriod | string | No | 10s | - |
spec.services.clusterGateway.config.httpPort | integer | No | 8443 | - |
spec.services.clusterGateway.config.jwtAccessTokenTTL | string | No | 15m | - |
spec.services.clusterGateway.config.jwtIssuer | string | No | - | JWTIssuer sets the JWT issuer for gateway-issued tokens. |
spec.services.clusterGateway.config.jwtPrivateKeyFile | string | No | - | JWTPrivateKeyFile points at a PEM-encoded Ed25519 private key file used to sign user-facing JWTs. |
spec.services.clusterGateway.config.jwtPrivateKeyPEM | string | No | - | JWTPrivateKeyPEM sets the PEM-encoded Ed25519 private key used to sign user-facing JWTs. |
spec.services.clusterGateway.config.jwtPublicKeyFile | string | No | - | JWTPublicKeyFile points at a PEM-encoded Ed25519 public key file used to verify user-facing JWTs. |
spec.services.clusterGateway.config.jwtPublicKeyPEM | string | No | - | JWTPublicKeyPEM sets the PEM-encoded Ed25519 public key used to verify user-facing JWTs. |
spec.services.clusterGateway.config.jwtRefreshTokenTTL | string | No | 168h | - |
spec.services.clusterGateway.config.logLevel | string | No | info | - |
spec.services.clusterGateway.config.oidcProviders | array<object> | No | - | OIDCProviders configures external identity providers. |
spec.services.clusterGateway.config.oidcProviders[] | object | No | - | OIDCProviderConfig configures an OIDC identity provider. |
spec.services.clusterGateway.config.oidcProviders[].autoProvision | boolean | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].clientId | string | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].clientSecret | string | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].discoveryUrl | string | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].enabled | boolean | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].externalAuthPortalUrl | string | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].id | string | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].name | string | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].scopes | array<string> | No | [openid, email, profile] | - |
spec.services.clusterGateway.config.oidcProviders[].scopes[] | string | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].teamMapping | object | No | - | TeamMappingConfig configures automatic team mapping for OIDC users. |
spec.services.clusterGateway.config.oidcProviders[].teamMapping.defaultRole | string | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].teamMapping.defaultTeamId | string | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].teamMapping.domain | string | No | - | - |
spec.services.clusterGateway.config.oidcProviders[].tokenEndpointAuthMethod | string | No | - | - |
spec.services.clusterGateway.config.oidcStateCleanupInterval | string | No | 5m | - |
spec.services.clusterGateway.config.oidcStateTtl | string | No | 10m | - |
spec.services.clusterGateway.config.procdStoragePermissions | array<string> | No | [sandboxvolume:read, sandboxvolume:write] | - |
spec.services.clusterGateway.config.procdStoragePermissions[] | string | No | - | - |
spec.services.clusterGateway.config.proxyTimeout | string | No | 10s | - |
spec.services.clusterGateway.config.rateLimitBurst | integer | No | 200 | - |
spec.services.clusterGateway.config.rateLimitCleanupInterval | string | No | 10m | - |
spec.services.clusterGateway.config.rateLimitRps | integer | No | 100 | Rate limiting |
spec.services.clusterGateway.config.schedulerPermissions | array<string> | No | [*:*] | - |
spec.services.clusterGateway.config.schedulerPermissions[] | string | No | - | - |
spec.services.clusterGateway.config.shutdownTimeout | string | No | 30s | - |
spec.services.clusterGateway.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.clusterGateway.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.clusterGateway.resources | object | No | - | Resources specifies resource requirements |
spec.services.clusterGateway.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.clusterGateway.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.clusterGateway.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.clusterGateway.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.clusterGateway.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.clusterGateway.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.clusterGateway.service | object | No | - | Service configures the Kubernetes service |
spec.services.clusterGateway.service.annotations | object | No | - | Annotations declares Service metadata annotations. Use this for cloud-provider specific load balancer configuration such as ACM certificate attachment on AWS. |
spec.services.clusterGateway.service.port | integer | No | 80 | Port specifies the service port |
spec.services.clusterGateway.service.type | string | No | ClusterIP | Type specifies the service type |
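An added example, not part of the Sandbox0 documentation or operator code: a small reviewer that walks a parsed Sandbox0Infra `spec` and reports settings from the regionalGateway and clusterGateway tables above that deserve a look before the gateways are exposed. Field names and defaults are taken from the tables; the review rules, the sample specs, hostnames, file path and the stand-in permission string are assumptions made for illustration.

```python
"""Review gateway settings in a parsed Sandbox0Infra spec (added example)."""

GATEWAYS = ("regionalGateway", "clusterGateway")
DEFAULT_BASE_URL = "http://localhost:8080"   # documented default for config.baseUrl
DEFAULT_SCHEDULER_PERMISSIONS = ["*:*"]      # documented default (clusterGateway only)


def audit_gateway(name, svc):
    """Return (field_path, message) findings for one enabled gateway service."""
    cfg = svc.get("config") or {}
    prefix = f"spec.services.{name}.config"
    findings = []

    # baseUrl feeds browser-facing auth flows; the default is plain HTTP.
    if str(cfg.get("baseUrl", DEFAULT_BASE_URL)).lower().startswith("http://"):
        findings.append((f"{prefix}.baseUrl",
                         "browser-facing auth flows use a plain-HTTP base URL"))

    # An inline PEM lives in the custom resource; the *File variant does not.
    if cfg.get("jwtPrivateKeyPEM"):
        findings.append((f"{prefix}.jwtPrivateKeyPEM",
                         "signing key is inline in the spec; prefer jwtPrivateKeyFile"))

    # builtInAuth.enabled defaults to true; the other flags have no listed default.
    auth = cfg.get("builtInAuth") or {}
    if (auth.get("enabled", True) and auth.get("allowRegistration")
            and not auth.get("adminOnly")
            and not auth.get("emailVerificationRequired")):
        findings.append((f"{prefix}.builtInAuth.allowRegistration",
                         "open registration without email verification"))

    for i, idp in enumerate(cfg.get("oidcProviders") or []):
        if idp.get("enabled") and idp.get("clientSecret"):
            findings.append((f"{prefix}.oidcProviders[{i}].clientSecret",
                             "client secret is a plain string in the spec"))

    if name == "clusterGateway":
        perms = cfg.get("schedulerPermissions", DEFAULT_SCHEDULER_PERMISSIONS)
        if "*:*" in perms:
            findings.append((f"{prefix}.schedulerPermissions",
                             "scheduler caller holds the wildcard permission"))

    # Only regionalGateway documents an ingress block; absent blocks are skipped.
    ingress = svc.get("ingress") or {}
    if ingress.get("enabled") and not (ingress.get("tls") or ingress.get("tlsSecret")):
        findings.append((f"spec.services.{name}.ingress",
                         "ingress enabled with neither tls nor tlsSecret"))
    return findings


def audit_spec(spec):
    """Audit every gateway whose `enabled` flag is true (documented default: false)."""
    services = spec.get("services") or {}
    findings = []
    for name in GATEWAYS:
        svc = services.get(name) or {}
        if svc.get("enabled", False):
            findings.extend(audit_gateway(name, svc))
    return findings


# Constructed sample specs (not from the page). Values in <...> are placeholders.
WEAK_SPEC = {"services": {
    "regionalGateway": {
        "enabled": True,
        "config": {
            "jwtPrivateKeyPEM": "<constructed placeholder PEM>",
            "builtInAuth": {"allowRegistration": True},
            "oidcProviders": [{"id": "corp", "enabled": True,
                               "clientSecret": "<constructed placeholder>"}],
        },
        "ingress": {"enabled": True, "host": "gateway.example.test"},
    },
    "clusterGateway": {"enabled": True,
                       "config": {"baseUrl": "https://cluster.example.test"}},
}}

HARDENED_SPEC = {"services": {
    "regionalGateway": {
        "enabled": True,
        "config": {
            "baseUrl": "https://gateway.example.test",
            "jwtPrivateKeyFile": "/etc/sandbox0/jwt/private.pem",  # constructed path
            "builtInAuth": {"allowRegistration": True,
                            "emailVerificationRequired": True},
        },
        "ingress": {"enabled": True, "host": "gateway.example.test",
                    "tls": [{"hosts": ["gateway.example.test"],
                             "secretName": "gateway-tls"}]},
    },
    "clusterGateway": {"enabled": True, "config": {
        "baseUrl": "https://cluster.example.test",
        # Stand-in value: the page names no scheduler permission except "*:*".
        "schedulerPermissions": ["sandboxvolume:read"],
    }},
}}

if __name__ == "__main__":
    for path, message in audit_spec(WEAK_SPEC):
        print(f"{path}: {message}")
```

In practice the `spec` dict would come from the deployed custom resource, so the review reflects what the operator actually reconciles rather than a local draft.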
Service: manager
spec.services.manager (64 fields)
Manager configures the manager service (data plane)
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.manager | object | No | - | Manager configures the manager service (data plane) |
spec.services.manager.config | object | No | - | Config contains manager specific configuration |
spec.services.manager.config.autoscaler | object | No | - | AutoscalerConfig defines manager autoscaler settings. |
spec.services.manager.config.autoscaler.maxScaleStep | integer | No | 10 | - |
spec.services.manager.config.autoscaler.minIdleBuffer | integer | No | 2 | - |
spec.services.manager.config.autoscaler.minScaleInterval | string | No | 100ms | - |
spec.services.manager.config.autoscaler.noTrafficScaleDownAfter | string | No | 10m | - |
spec.services.manager.config.autoscaler.scaleDownPercent | string | No | 0.1 | - |
spec.services.manager.config.autoscaler.scaleUpFactor | string | No | 1.5 | - |
spec.services.manager.config.autoscaler.targetIdleRatio | string | No | 0.2 | - |
spec.services.manager.config.cleanupInterval | string | No | 60s | - |
spec.services.manager.config.databaseMaxConns | integer | No | 10 | - |
spec.services.manager.config.databaseMinConns | integer | No | 2 | - |
spec.services.manager.config.defaultSandboxTtl | string | No | 0s | - |
spec.services.manager.config.httpPort | integer | No | 8080 | - |
spec.services.manager.config.kubeConfig | string | No | - | - |
spec.services.manager.config.leaderElection | boolean | No | true | - |
spec.services.manager.config.logLevel | string | No | info | - |
spec.services.manager.config.metricsPort | integer | No | 9090 | - |
spec.services.manager.config.netdPolicyApplyPollInterval | string | No | 500ms | - |
spec.services.manager.config.netdPolicyApplyTimeout | string | No | 30s | - |
spec.services.manager.config.pauseMemoryBufferRatio | string | No | 1.1 | - |
spec.services.manager.config.pauseMinCpu | string | No | 10m | - |
spec.services.manager.config.pauseMinMemoryLimit | string | No | 32Mi | - |
spec.services.manager.config.pauseMinMemoryRequest | string | No | 10Mi | - |
spec.services.manager.config.procdClientTimeout | string | No | 30s | - |
spec.services.manager.config.procdConfig | object | No | - | ProcdConfig defines user-facing procd settings managed by manager. |
spec.services.manager.config.procdConfig.cacheMaxBytes | integer | No | 104857600 | - |
spec.services.manager.config.procdConfig.cacheTtl | string | No | 30s | - |
spec.services.manager.config.procdConfig.contextCleanupInterval | string | No | 30s | - |
spec.services.manager.config.procdConfig.contextFinishedTtl | string | No | 0s | - |
spec.services.manager.config.procdConfig.contextIdleTimeout | string | No | 0s | - |
spec.services.manager.config.procdConfig.contextMaxLifetime | string | No | 0s | - |
spec.services.manager.config.procdConfig.httpPort | integer | No | 49983 | - |
spec.services.manager.config.procdConfig.juicefsBufferSize | string | No | 300 | - |
spec.services.manager.config.procdConfig.juicefsCacheSize | string | No | 100 | - |
spec.services.manager.config.procdConfig.juicefsPrefetch | integer | No | 3 | - |
spec.services.manager.config.procdConfig.juicefsWriteback | boolean | No | true | - |
spec.services.manager.config.procdConfig.logLevel | string | No | info | - |
spec.services.manager.config.procdConfig.rootPath | string | No | /workspace | - |
spec.services.manager.config.procdConfig.webhookBaseBackoff | string | No | 500ms | - |
spec.services.manager.config.procdConfig.webhookMaxRetries | integer | No | 3 | - |
spec.services.manager.config.procdConfig.webhookQueueSize | integer | No | 256 | - |
spec.services.manager.config.procdConfig.webhookRequestTimeout | string | No | 5s | - |
spec.services.manager.config.procdInitTimeout | string | No | 6s | - |
spec.services.manager.config.resyncPeriod | string | No | 30s | - |
spec.services.manager.config.sandboxRuntimeClassName | string | No | - | - |
spec.services.manager.config.shutdownTimeout | string | No | 30s | - |
spec.services.manager.config.teamTemplateMemoryPerCpu | string | No | 4Gi | - |
spec.services.manager.config.webhookCertPath | string | No | /tmp/k8s-webhook-server/serving-certs/tls.crt | - |
spec.services.manager.config.webhookKeyPath | string | No | /tmp/k8s-webhook-server/serving-certs/tls.key | - |
spec.services.manager.config.webhookPort | integer | No | 9443 | - |
spec.services.manager.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.manager.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.manager.resources | object | No | - | Resources specifies resource requirements |
spec.services.manager.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.manager.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.manager.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.manager.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.manager.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.manager.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.manager.service | object | No | - | Service configures the Kubernetes service |
spec.services.manager.service.annotations | object | No | - | Annotations declares Service metadata annotations. Use this for cloud-provider specific load balancer configuration such as ACM certificate attachment on AWS. |
spec.services.manager.service.port | integer | No | 80 | Port specifies the service port |
spec.services.manager.service.type | string | No | ClusterIP | Type specifies the service type |
Service: storageProxy
spec.services.storageProxy (57 fields)
StorageProxy configures the storage-proxy service (data plane)
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.storageProxy | object | No | - | StorageProxy configures the storage-proxy service (data plane) |
spec.services.storageProxy.config | object | No | - | Config contains storage-proxy specific configuration |
spec.services.storageProxy.config.auditFile | string | No | /var/log/storage-proxy/audit.log | - |
spec.services.storageProxy.config.auditLog | boolean | No | true | - |
spec.services.storageProxy.config.cacheDir | string | No | /var/lib/storage-proxy/cache | - |
spec.services.storageProxy.config.cleanupInterval | string | No | 60s | - |
spec.services.storageProxy.config.databaseMaxConns | integer | No | 30 | - |
spec.services.storageProxy.config.databaseMinConns | integer | No | 5 | - |
spec.services.storageProxy.config.databaseSchema | string | No | storage_proxy | - |
spec.services.storageProxy.config.defaultCacheSize | string | No | 1G | - |
spec.services.storageProxy.config.directVolumeFileIdleTTL | string | No | 30s | - |
spec.services.storageProxy.config.flushTimeout | string | No | 30s | - |
spec.services.storageProxy.config.grpcAddr | string | No | 0.0.0.0 | - |
spec.services.storageProxy.config.grpcPort | integer | No | 8080 | - |
spec.services.storageProxy.config.heartbeatInterval | string | No | 5s | - |
spec.services.storageProxy.config.heartbeatTimeout | integer | No | 15 | - |
spec.services.storageProxy.config.httpAddr | string | No | 0.0.0.0 | - |
spec.services.storageProxy.config.httpIdleTimeout | string | No | 60s | - |
spec.services.storageProxy.config.httpPort | integer | No | 8081 | - |
spec.services.storageProxy.config.httpReadTimeout | string | No | 15s | - |
spec.services.storageProxy.config.httpWriteTimeout | string | No | 15s | - |
spec.services.storageProxy.config.juicefsAttrTimeout | string | No | 1s | - |
spec.services.storageProxy.config.juicefsBlockSize | integer | No | 4096 | - |
spec.services.storageProxy.config.juicefsCompression | string | No | lz4 | - |
spec.services.storageProxy.config.juicefsDirEntryTimeout | string | No | 1s | - |
spec.services.storageProxy.config.juicefsEncryptionAlgo | string | No | aes256gcm-rsa | - |
spec.services.storageProxy.config.juicefsEncryptionEnabled | boolean | No | false | - |
spec.services.storageProxy.config.juicefsEncryptionPassphrase | string | No | - | - |
spec.services.storageProxy.config.juicefsEntryTimeout | string | No | 1s | - |
spec.services.storageProxy.config.juicefsMaxUpload | integer | No | 20 | - |
spec.services.storageProxy.config.juicefsMetaRetries | integer | No | 10 | - |
spec.services.storageProxy.config.juicefsName | string | No | sandbox0 | - |
spec.services.storageProxy.config.juicefsTrashDays | integer | No | 1 | - |
spec.services.storageProxy.config.kubeconfigPath | string | No | - | - |
spec.services.storageProxy.config.logLevel | string | No | info | - |
spec.services.storageProxy.config.maxBytesPerSecond | integer | No | 1073741824 | - |
spec.services.storageProxy.config.maxOpsPerSecond | integer | No | 10000 | - |
spec.services.storageProxy.config.metricsEnabled | boolean | No | true | - |
spec.services.storageProxy.config.metricsPort | integer | No | 9090 | - |
spec.services.storageProxy.config.restoreRemountTimeout | string | No | 30s | - |
spec.services.storageProxy.config.syncCompactionInterval | string | No | 10m | - |
spec.services.storageProxy.config.syncJournalRetainEntries | integer | No | 10000 | - |
spec.services.storageProxy.config.syncRequestRetention | string | No | 24h | - |
spec.services.storageProxy.config.watchEventQueueSize | integer | No | 256 | - |
spec.services.storageProxy.config.watchEventsEnabled | boolean | No | true | - |
spec.services.storageProxy.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.storageProxy.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.storageProxy.resources | object | No | - | Resources specifies resource requirements |
spec.services.storageProxy.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.storageProxy.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.storageProxy.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.storageProxy.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.storageProxy.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.storageProxy.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.storageProxy.service | object | No | - | Service configures the Kubernetes service |
spec.services.storageProxy.service.annotations | object | No | - | Annotations declares Service metadata annotations. Use this for cloud-provider specific load balancer configuration such as ACM certificate attachment on AWS. |
spec.services.storageProxy.service.port | integer | No | 80 | Port specifies the service port |
spec.services.storageProxy.service.type | string | No | ClusterIP | Type specifies the service type |

Service: netd (spec.services.netd, 51 fields)

Netd configures the netd service (data plane)

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.netd | object | No | - | Netd configures the netd service (data plane) |
spec.services.netd.config | object | No | - | Config contains netd specific configuration |
spec.services.netd.config.auditLogMaxBackups | integer | No | 5 | - |
spec.services.netd.config.auditLogMaxBytes | integer | No | 104857600 | - |
spec.services.netd.config.auditLogPath | string | No | - | - |
spec.services.netd.config.bpfFsPath | string | No | - | - |
spec.services.netd.config.bpfPinPath | string | No | - | - |
spec.services.netd.config.burstRatio | string | No | 0.125 | - |
spec.services.netd.config.dnsPort | integer | No | 53 | - |
spec.services.netd.config.edtHorizon | string | No | 200ms | - |
spec.services.netd.config.egressAuthEnabled | boolean | No | false | - |
spec.services.netd.config.egressAuthFailurePolicy | string | No | fail-closed | - |
spec.services.netd.config.egressAuthResolverTimeout | string | No | 2s | - |
spec.services.netd.config.egressAuthResolverUrl | string | No | - | - |
spec.services.netd.config.failClosed | boolean | No | true | - |
spec.services.netd.config.healthPort | integer | No | 8081 | - |
spec.services.netd.config.logLevel | string | No | info | - |
spec.services.netd.config.meteringReportInterval | string | No | 10s | - |
spec.services.netd.config.metricsPort | integer | No | 9091 | - |
spec.services.netd.config.metricsReportInterval | string | No | 10s | - |
spec.services.netd.config.mitmLeafTtl | string | No | 1h | - |
spec.services.netd.config.nodeName | string | No | - | - |
spec.services.netd.config.platformAllowedCidrs | array<string> | No | - | - |
spec.services.netd.config.platformAllowedCidrs[] | string | No | - | - |
spec.services.netd.config.platformAllowedDomains | array<string> | No | - | - |
spec.services.netd.config.platformAllowedDomains[] | string | No | - | - |
spec.services.netd.config.platformDeniedCidrs | array<string> | No | - | - |
spec.services.netd.config.platformDeniedCidrs[] | string | No | - | - |
spec.services.netd.config.platformDeniedDomains | array<string> | No | - | - |
spec.services.netd.config.platformDeniedDomains[] | string | No | - | - |
spec.services.netd.config.preferNft | boolean | No | true | - |
spec.services.netd.config.proxyHeaderLimit | integer | No | - | - |
spec.services.netd.config.proxyHttpPort | integer | No | 18080 | - |
spec.services.netd.config.proxyHttpsPort | integer | No | 18443 | - |
spec.services.netd.config.proxyListenAddr | string | No | 0.0.0.0 | - |
spec.services.netd.config.proxyUpstreamTimeout | string | No | 30s | - |
spec.services.netd.config.resyncPeriod | string | No | 30s | - |
spec.services.netd.config.shutdownDelay | string | No | 2s | - |
spec.services.netd.config.useEbpf | boolean | No | - | - |
spec.services.netd.config.useEdt | boolean | No | - | - |
spec.services.netd.config.vethPrefix | string | No | - | - |
spec.services.netd.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.netd.mitmCaSecretName | string | No | - | MITMCASecretName overrides the operator-managed cluster-local MITM CA secret for HTTPS interception. Expected keys are ca.crt and ca.key. When unset, infra-operator generates and reuses a managed secret. |
spec.services.netd.nodeSelector | object | No | - | NodeSelector constrains netd onto a specific node set. Deprecated: use spec.sandboxNodePlacement.nodeSelector instead. This field remains as a backward-compatible alias when the shared placement is unset. |
spec.services.netd.runtimeClassName | string | No | - | RuntimeClassName specifies the Kubernetes runtime class for the netd daemonset. Use a host-compatible runtime such as runc. Do not run netd on gVisor or Kata. |
spec.services.netd.tolerations | array<object> | No | - | Tolerations allow netd to run on tainted sandbox nodes. Deprecated: use spec.sandboxNodePlacement.tolerations instead. This field remains as a backward-compatible alias when the shared placement is unset. |
spec.services.netd.tolerations[] | object | No | - | The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. |
spec.services.netd.tolerations[].effect | string | No | - | Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. |
spec.services.netd.tolerations[].key | string | No | - | Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. |
spec.services.netd.tolerations[].operator | string | No | - | Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). |
spec.services.netd.tolerations[].tolerationSeconds | integer | No | - | TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. |
spec.services.netd.tolerations[].value | string | No | - | Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. |
Practical Rules#
- Pin the `infra-operator` chart version in production instead of relying on floating tags.
- Prefer external PostgreSQL and external object storage for serious deployments.
- Enable `storageProxy` only when you need volume and snapshot features.
- Enable `netd` only on Linux nodes and only when you need network policy enforcement.
- Use `sandboxNodePlacement` to keep sandbox workloads and node-local sandbox services on the same node set.
- Treat `sandbox0.ai/data-plane-ready` as operator-owned; use your own labels under `sandboxNodePlacement` and let `infra-operator` manage readiness.
- If sandbox workloads use `gvisor` or `kata`, keep `services.netd.runtimeClassName` on a host-compatible runtime such as the cluster default runtime.
- Keep control-plane and data-plane components in the same storage and latency domain for a given region.
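
A pre-apply check for several of the rules and defaults above, as an added example (not infra-operator code): it lints a parsed Sandbox0Infra spec for a sandboxed netd runtime, the deprecated netd placement aliases, and overrides of the documented `failClosed`, `egressAuthFailurePolicy` and `auditLog` defaults. The function name, the sample specs and the decision to report those overrides as findings are assumptions of this example.

```python
# Added example: lint a parsed Sandbox0Infra `spec` dict against the Practical
# Rules and documented defaults on this page. Not infra-operator code.
SANDBOXED_RUNTIMES = {"gvisor", "kata"}  # runtime names as written on this page


def lint_spec(spec):
    """Return sorted (field_path, message) findings for one spec dict."""
    findings = []
    services = spec.get("services", {})
    netd = services.get("netd", {})
    proxy = services.get("storageProxy", {})
    if netd.get("enabled", False):
        cfg = netd.get("config", {})
        rc = netd.get("runtimeClassName") or ""
        if rc.lower() in SANDBOXED_RUNTIMES:
            findings.append(("spec.services.netd.runtimeClassName",
                             f"{rc!r} is not a host-compatible runtime"))
        for alias in ("nodeSelector", "tolerations"):
            if alias in netd:
                findings.append((f"spec.services.netd.{alias}",
                                 f"deprecated, use spec.sandboxNodePlacement.{alias}"))
        if cfg.get("failClosed", True) is not True:
            findings.append(("spec.services.netd.config.failClosed",
                             "overrides documented default true"))
        policy = cfg.get("egressAuthFailurePolicy", "fail-closed")
        if cfg.get("egressAuthEnabled", False) and policy != "fail-closed":
            findings.append(("spec.services.netd.config.egressAuthFailurePolicy",
                             "overrides documented default fail-closed"))
    if proxy.get("enabled", False):
        if proxy.get("config", {}).get("auditLog", True) is not True:
            findings.append(("spec.services.storageProxy.config.auditLog",
                             "overrides documented default true"))
    return sorted(findings)


# Constructed sample specs (not from a real cluster).
WEAK_SPEC = {"services": {
    "netd": {"enabled": True, "runtimeClassName": "gvisor",
             "nodeSelector": {"pool": "sandbox"},
             # Placeholder value: the page lists only the default for this field.
             "config": {"failClosed": False, "egressAuthEnabled": True,
                        "egressAuthFailurePolicy": "PLACEHOLDER-non-default"}},
    "storageProxy": {"enabled": True, "config": {"auditLog": False}}}}
FIXED_SPEC = {"sandboxNodePlacement": {"nodeSelector": {"pool": "sandbox"}},
              "services": {"netd": {"enabled": True},
                           "storageProxy": {"enabled": True}}}

if __name__ == "__main__":
    print(*(f"{p}: {m}" for p, m in lint_spec(WEAK_SPEC)), sep="\n")
```

Feed it the `spec` mapping loaded from your manifest; an empty result means none of these five checks fired, not that the spec is otherwise valid.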