package aksnodeconfig.v1

Get desktop application:
View/edit binary Protocol Buffers messages

Used in: Configuration

• string api_server_public_key = 1

  The certificate public key of the API server.

• string api_server_name = 2

  The name or endpoint URI of the API server.

Auth Config fields stored in azure.json used by cloud-provider-azure

Used in: Configuration

• string tenant_id = 1

  Tenant ID

• string subscription_id = 2

  Subscription ID

• string service_principal_id = 3

  Service Principal ID. set to aadClientId

• string service_principal_secret = 4

  Service Principal Secret. set to aadClientSecret

• string assigned_identity_id = 5

  Assigned identity id, could be user or system assigned, depending on the type.

• bool use_managed_identity_extension = 6

  Specify if use managed identity extension, default to false

Used in: BootstrappingConfig

• BOOTSTRAPPING_AUTH_METHOD_UNSPECIFIED = 0

• BOOTSTRAPPING_AUTH_METHOD_BOOTSTRAP_TOKEN = 1

  This is the default K8s bootstrap authentication method - a time limited bootstrap token. It's stored as a secret with a particular type in the API server. nolint:gosec // this is a const string to use in switch statements, not hardcoded credentials

• BOOTSTRAPPING_AUTH_METHOD_SECURE_TLS_BOOTSTRAPPING = 2

  Secure TLS bootstrapping is a process where the node can use signed metadata from the Azure IMDS service to authenticate against the api server

• BOOTSTRAPPING_AUTH_METHOD_ARC_MSI = 3

  Nodes running outside Azure can use the Azure Arc MSI to authenticate to an API server. This only works when the cluster is using AAD authentication.

• BOOTSTRAPPING_AUTH_METHOD_AZURE_MSI = 4

  Nodes running inside Azure can use the Azure Arc MSI to authenticate to an API server. This only works when the cluster is using AAD authentication.

Used in: Configuration

• BootstrappingAuthMethod bootstrapping_auth_method = 1

  Method to authenticate the node to the API server

• ClusterJoinMethod cluster_join_method = 2

  how the node should join and communicate with the API server after authentication

• optional string tls_bootstrapping_token = 3

  Only required until Secure TLS bootstrapping in place. Would use kubelet identity after that.

• optional string custom_aad_resource = 4

  Only used when secure TLS bootstrapping is enabled or one of the Azure/Arc methods. This is the appserver appid that the node will use to bootstrap.

• optional string custom_aad_client_id = 5

  Only used when one of the Azure/Arc methods is enabled. This is the client ID of the MSI that the node will use to bootstrap.

Cluster Config fields stored in azure.json used by cloud-provider-azure

Used in: Configuration

• optional ClusterNetworkConfig cluster_network_config = 1

  Cluster network config. We assumed network mode is always "transparent" now so it's removed from the contract.

• optional LoadBalancerConfig load_balancer_config = 2

  Load balancer config

• string resource_group = 3

  Rescource group name

• string location = 4

  Location

• VmType vm_type = 5

  VM type

  default to standard for v1.27 and below versions and vmss for v1.28+ versions

• string primary_availability_set = 6

  Primary availability set name

• string primary_scale_set = 7

  Primary scale set name

• bool use_instance_metadata = 8

  Specifiy if it uses instance metadata

  default to false

Used in: BootstrappingConfig

• CLUSTER_JOIN_METHOD_UNSPECIFIED = 0

• CLUSTER_JOIN_METHOD_GENERATE_CSR = 1

  The default behaviour is for the node to make a certificate signing request (CSR) and then use that CSR for ongoing communication.

• CLUSTER_JOIN_METHOD_USE_BOOTSTRAPPING_AUTH = 2

  In some cases, the node will use the bootstrapping auth to register itself as a node and for ongoing communications.

Used in: ClusterConfig

• string vnet_name = 1

  Virtual network name

• string vnet_resource_group = 2

  Virtual network resource group

• string subnet = 3

  Subnet name

• string security_group_name = 4

  Network security group name

• string route_table = 5

  Route table name

• string version = 1

  Version of configuration

• optional KubeBinaryConfig kube_binary_config = 2

  Kube binary URL config

• optional CustomCloudConfig custom_cloud_config = 3

  Custom cloud config

• optional ApiServerConfig api_server_config = 4

  Kubernetes API server configuration

• optional ClusterConfig cluster_config = 5

  Various Kubernetes cluster level configuration

• optional BootstrappingConfig bootstrapping_config = 6

  TLS bootstrap config

• optional AuthConfig auth_config = 7

  Authentication configuration

• optional RuncConfig runc_config = 8

  The CLI tool runc configuration

• optional ContainerdConfig containerd_config = 9

  Containerd configuration

• optional TeleportConfig teleport_config = 10

  Teleport configuration

• optional KubeletConfig kubelet_config = 11

  Kubelet configuration

• optional CustomSearchDomainConfig custom_search_domain_config = 12

  Custom search domain configurations

• optional CustomLinuxOsConfig custom_linux_os_config = 13

  Custom Linux OS configurations including SwapFile, SysCtl configs, etc.

• optional HttpProxyConfig http_proxy_config = 14

  HTTP/HTTPS proxy configuration for the node

• optional GpuConfig gpu_config = 15

  GPU configuration for the node

• optional NetworkConfig network_config = 16

  Network configuration for the node

• string kubernetes_ca_cert = 17

  Kubernetes certificate authority (CA) certificate, required by the node to establish TLS with the API server

• string kubernetes_version = 18

  Kubernetes version

• string kube_proxy_url = 19

  Kube proxy URL

• string vm_size = 20

  The VM size of the node

• string linux_admin_username = 21

  Linux admin username. If not specified, the default value is "azureuser"

• optional bool is_vhd = 22

  Specifies whether the node is a VHD node. This is still needed for some customized scenarios. This is labeled as optional (explicit presence) so that we know whether it's set or not. If it's not set, the default value will be nil.

• optional bool enable_ssh = 23

  Specifies whether SSH is enabled or disabled on the VM node This is labeled as optional (explicit presence) so that we know whether it's set or not. If it's not set, the default value will be nil, but will be set to true on the VHD.

• bool enable_unattended_upgrade = 24

  Specifies whether unattended upgrade is enabled or disabled on the VM node

• string message_of_the_day = 25

  The message of the day that is displayed on the VM node when a user logs in

• bool enable_hosts_config_agent = 26

  Specifies whether the hosts config agent is enabled or disabled on the VM node

• repeated string custom_ca_certs = 27

  Custom CA certificates to be added to the system trust store

• string provision_output = 28

  A local file path where cluster provision cse output should be stored

• WorkloadRuntime workload_runtime = 29

  Workload runtime, e.g., either "OCIContainer" or "WasmWasi", currently.

• bool ipv6_dual_stack_enabled = 30

  Specifies whether IPv6 dual stack is enabled or disabled on the VM node

• string outbound_command = 31

  Command to use for outbound traffic

• string azure_private_registry_server = 32

  Azure private registry server URI

• string private_egress_proxy_address = 33

  Private egress proxy address

• bool enable_artifact_streaming = 34

  Specifies whether artifact streaming is enabled or disabled on the VM node

• bool is_kata = 35

  Specifies if it is a Kata node

• optional bool needs_cgroupv2 = 36

  Specifies whether the node needs cgroupv2. Labeled as optional (explicit presence) so that we know whether it's set or not. If it's not set, the default value will be nil and we will get the value on the VHD during bootstrapping.

• bool disable_custom_data = 37

  Specified whether the node wants to disable custom data scripts for bootstrapping

• string bootstrap_profile_container_registry_server = 38

  Bootstrap profile container registry server URI

• optional ImdsRestrictionConfig imds_restriction_config = 39

  IMDS restriction configuration

Used in: Configuration

• string containerd_download_url_base = 1

  The base URL for downloading containerd.

• string containerd_version = 2

  The version of containerd to download.

• string containerd_package_url = 3

  The URL for downloading the containerd package.

Used in: Configuration

• string custom_cloud_env_name = 1

  Name of custom cloud

• string repo_depot_endpoint = 2

  RepoDepotEndpoint is the endpoint of the repo depot

• string custom_env_json_content = 3

  Base64 encoded JSON string of custom cloud environment

• string container_registry_dns_suffix = 4

  AKSCustomCloudContainerRegistryDNSSuffix specifies a custom cloud container registry dns suffix for credential provider

Custom Linux Node OS Config

Used in: Configuration

• optional SysctlConfig sysctl_config = 1

  Sysctl settings for Linux agent nodes

• optional UlimitConfig ulimit_config = 2

  Ulimit settings for Linux agent nodes

• bool enable_swap_config = 3

  Enable or disable swap configuration

• int32 swap_file_size = 4

  The size in MB of a swap file that will be created on each node

• string transparent_hugepage_support = 5

  Valid values are "always", "defer", "defer+madvise", "madvise" and "never" If it's unset or set to empty string, it will use the default value in the VHD "always"

• string transparent_defrag = 6

  Valid values are "always", "madvise" and "never" If it's unset or set to empty string, it will use the default value in the VHD "madvise"

Used in: Configuration

• string domain_name = 1

  The name of the custom search domain.

• string realm_user = 2

  The user name for the custom search domain.

• string realm_password = 3

  The password for the custom search domain.

Used in: Configuration

• optional bool enable_nvidia = 1

  Specifies whether any nvidia configurations should be applied for GPU nodes. False when vm size is not a GPU node or driver install is skipped and no GPU configuration is needed. Making optional so that default will be set to IsNvidiaEnabledSku(vmSize) instead of false

• bool config_gpu_driver = 2

  Specifies whether bootstrap process should install and configure the GPU driver when necessary. Configuration includes appropriate set up of components like the fabric manager where applicable.

• bool gpu_device_plugin = 3

  Specifies whether special config is needed for MIG GPUs that use GPU dedicated VHDs and enable the device plugin (for all GPU dedicated VHDs)

• string gpu_instance_profile = 4

  Represents the GPU instance profile.

• optional bool enable_amd_gpu = 5

  Same as enable_nvidia, but for AMD GPUs.

Used in: Configuration

• string http_proxy = 1

  Proxy endpoint/URL using HTTP through which the traffic should be routed for making HTTP connections outside the cluster

• string https_proxy = 2

  Proxy endpoint/URL using HTTPS through which the traffic should be routed for making HTTPS connections outside the cluster

• repeated string no_proxy_entries = 3

  A list of entries including IPs, domains, or other network CIDRs that should not be accessed through the proxy

• string proxy_trusted_ca = 4

  Custom CA certificate that should be trusted by the proxy

Used in: Configuration

• bool enable_imds_restriction = 1

  Enable IMDS restriction for the node.

• bool insert_imds_restriction_rule_to_mangle_table = 2

  Insert IMDS restriction rule to mangle table.

Kube Binary Config

Used in: Configuration

• string kube_binary_url = 1

  default kube binary url

• string custom_kube_binary_url = 2

  user's custom kube binary url

• string private_kube_binary_url = 3

  privately cached kube binary url

• string pod_infra_container_image_url = 4

  full path to the "pause" image. Used for --pod-infra-container-image.

• string linux_credential_provider_url = 5

  Full path to the Linux credential provider (tar.gz) to use.

Used in: KubeletAuthentication

• bool enabled = 1

  enabled allows anonymous requests to the kubelet server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated. +optional.

Used in: KubeletConfigFileConfig

• optional KubeletX509Authentication x509 = 1

  x509 contains settings related to x509 client certificate authentication. +optional.

• optional KubeletWebhookAuthentication webhook = 2

  webhook contains settings related to webhook bearer token authentication. +optional.

• optional KubeletAnonymousAuthentication anonymous = 3

  anonymous contains settings related to anonymous authentication. +optional.

Used in: KubeletConfigFileConfig

• string mode = 1

  mode is the authorization mode to apply to requests to the kubelet server. Valid values are AlwaysAllow and Webhook. Webhook mode uses the SubjectAccessReview API to determine authorization. +optional.

• optional KubeletWebhookAuthorization webhook = 2

  webhook contains settings related to Webhook authorization. +optional.

Used in: Configuration

• map<string, string> kubelet_flags = 1

  A map of kubelet flags to their values. The map is sorted by key.

• map<string, string> kubelet_node_labels = 2

  A map of node labels to their values.

• KubeletDisk kubelet_disk_type = 3

  The type of disk to use for the kubelet.

• bool enable_kubelet_config_file = 4

  Whether kubelet config should be enabled.

• optional KubeletConfigFileConfig kubelet_config_file_config = 5

  content of the kubelet config file.

• string kubelet_client_key = 6

  Kubelet client private key

• string kubelet_client_cert_content = 7

  The content of the kubelet client certificate file.

• string container_data_dir = 8

  The path used to mount docker images, emptyDir volumes, and kubelet data.

Used in: KubeletConfig

• string kind = 1

  Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds. +optional.

• string api_version = 2

  APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

• string static_pod_path = 3

  staticPodPath is the path to the directory containing local (static) pods to run, or the path to a single static pod file. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that the set of static pods specified at the new path may be different than the ones the Kubelet initially started with, and this may disrupt your node. Default: "" +optional.

• string address = 4

  address is the IP address for the Kubelet to serve on (set to 0.0.0.0 for all interfaces). Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: "0.0.0.0" +optional.

• int32 read_only_port = 5

  readOnlyPort is the read-only port for the Kubelet to serve on with no authentication/authorization. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: 0 (disabled) +optional.

• string tls_cert_file = 6

  tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If tlsCertFile and tlsPrivateKeyFile are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to the Kubelet's --cert-dir flag. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: "" +optional.

• string tls_private_key_file = 7

  tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: "" +optional.

• repeated string tls_cipher_suites = 8

  TLSCipherSuites is the list of allowed cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: nil +optional.

• bool rotate_certificates = 9

  rotateCertificates enables client certificate rotation. The Kubelet will request a new certificate from the certificates.k8s.io API. This requires an approver to approve the certificate signing requests. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it may disrupt the Kubelet's ability to authenticate with the API server after the current certificate expires. Default: false +optional.

• bool server_tls_bootstrap = 10

  serverTLSBootstrap enables server certificate bootstrap. Instead of self signing a serving certificate, the Kubelet will request a certificate from the 'certificates.k8s.io' API. This requires an approver to approve the certificate signing requests (CSR). The RotateKubeletServerCertificate feature must be enabled when setting this field. Default: false +optional

• optional KubeletAuthentication authentication = 11

  authentication specifies how requests to the Kubelet's server are authenticated Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Defaults: anonymous: enabled: false webhook: enabled: true cacheTTL: "2m" +optional.

• optional KubeletAuthorization authorization = 12

  authorization specifies how requests to the Kubelet's server are authorized Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Defaults: mode: Webhook webhook: cacheAuthorizedTTL: "5m" cacheUnauthorizedTTL: "30s" +optional.

• optional int32 event_record_qps = 13

  eventRecordQPS is the maximum event creations per second. If 0, there is no limit enforced. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic produced by event creations. Default: 5 +optional.

• string cluster_domain = 14

  clusterDomain is the DNS domain for this cluster. If set, kubelet will configure all containers to search this domain in addition to the host's search domains. Dynamic Kubelet Config (beta): Dynamically updating this field is not recommended, as it should be kept in sync with the rest of the cluster. Default: "" +optional.

• repeated string cluster_dns = 15

  clusterDNS is a list of IP addresses for the cluster DNS server. If set, kubelet will configure all containers to use this for DNS resolution instead of the host's DNS servers. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes will only take effect on Pods created after the update. Draining the node is recommended before changing this field. Default: nil +optional.

• string streaming_connection_idle_timeout = 16

  streamingConnectionIdleTimeout is the maximum time a streaming connection can be idle before the connection is automatically closed. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact components that rely on infrequent updates over streaming connections to the Kubelet server. Default: "4h" +optional.

• string node_status_update_frequency = 17

  nodeStatusUpdateFrequency is the frequency that kubelet computes node status. If node lease feature is not enabled, it is also the frequency that kubelet posts node status to master. Note: When node lease feature is not enabled, be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact node scalability, and also that the node controller's nodeMonitorGracePeriod must be set to N*NodeStatusUpdateFrequency, where N is the number of retries before the node controller marks the node unhealthy. Default: "10s" +optional.

• string node_status_report_frequency = 18

  nodeStatusReportFrequency is the frequency that kubelet posts node status to master if node status does not change. Kubelet will ignore this frequency and post node status immediately if any change is detected. It is only used when node lease feature is enabled. nodeStatusReportFrequency's default value is 5m. But if nodeStatusUpdateFrequency is set explicitly, nodeStatusReportFrequency's default value will be set to nodeStatusUpdateFrequency for backward compatibility. Default: "5m" +optional.

• optional int32 image_gc_high_threshold_percent = 19

  imageGCHighThresholdPercent is the percent of disk usage after which image garbage collection is always run. The percent is calculated as this field value out of 100. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay garbage collection, and may change the image overhead on the node. Default: 85 +optional.

• optional int32 image_gc_low_threshold_percent = 20

  imageGCLowThresholdPercent is the percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. The percent is calculated as this field value out of 100. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay garbage collection, and may change the image overhead on the node. Default: 80 +optional.

• optional bool cgroups_per_qos = 21

  Enable QoS based Cgroup hierarchy: top level cgroups for QoS Classes And all Burstable and BestEffort pods are brought up under their specific top level QoS cgroup. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: true +optional.

• string cpu_manager_policy = 22

  CPUManagerPolicy is the name of the policy to use. Requires the CPUManager feature gate to be enabled. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "none" +optional.

• string topology_manager_policy = 23

  TopologyManagerPolicy is the name of the policy to use. Policies other than "none" require the TopologyManager feature gate to be enabled. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "none" +optional.

• optional int32 max_pods = 24

  maxPods is the number of pods that can run on this Kubelet. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes may cause Pods to fail admission on Kubelet restart, and may change the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting future scheduling decisions. Increasing this value may also decrease performance, as more Pods can be packed into a single node. Default: 110 +optional.

• optional int32 pod_pids_limit = 25

  PodPidsLimit is the maximum number of pids in any pod. Requires the SupportPodPidsLimit feature gate to be enabled. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that lowering it may prevent container processes from forking after the change. Default: -1 +optional.

• string resolv_conf = 26

  ResolvConf is the resolver configuration file used as the basis for the container DNS resolution configuration. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes will only take effect on Pods created after the update. Draining the node is recommended before changing this field. Default: "/etc/resolv.conf" +optional.

• optional bool cpu_cfs_quota = 27

  cpuCFSQuota enables CPU CFS quota enforcement for containers that specify CPU limits. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it may reduce node stability. Default: true +optional.

• string cpu_cfs_quota_period = 28

  CPUCFSQuotaPeriod is the CPU CFS quota period value, cpu.cfs_period_us. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that limits set for containers will result in different cpu.cfs_quota settings. This will trigger container restarts on the node being reconfigured. Default: "100ms" +optional.

• map<string, string> eviction_hard = 29

  Map of signal names to quantities that defines hard eviction thresholds. For example: {"memory.available": "300Mi"}. To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay Pod evictions. Default: memory.available: "100Mi" nodefs.available: "10%" nodefs.inodesFree: "5%" imagefs.available: "15%" +optional.

• bool protect_kernel_defaults = 30

  protectKernelDefaults, if true, causes the Kubelet to error if kernel flags are not as it expects. Otherwise the Kubelet will attempt to modify kernel flags to match its expectation. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that enabling it may cause the Kubelet to crash-loop if the Kernel is not configured as Kubelet expects. Default: false +optional.

• map<string, bool> feature_gates = 31

  featureGates is a map of feature names to bools that enable or disable alpha/experimental features. This field modifies piecemeal the built-in default values from "k8s.io/kubernetes/pkg/features/kube_features.go". Dynamic Kubelet Config (beta): If dynamically updating this field, consider the documentation for the features you are enabling or disabling. While we encourage feature developers to make it possible to dynamically enable and disable features, some changes may require node reboots, and some features may require careful coordination to retroactively disable. Default: nil +optional.

• optional bool fail_swap_on = 32

  failSwapOn tells the Kubelet to fail to start if swap is enabled on the node. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that setting it to true will cause the Kubelet to crash-loop if swap is enabled. Default: true +optional.

• string container_log_max_size = 33

  A quantity defines the maximum size of the container log file before it is rotated. For example: "5Mi" or "256Ki". Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger log rotation. Default: "10Mi" +optional.

• optional int32 container_log_max_files = 34

  Maximum number of container log files that can be present for a container. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that lowering it may cause log files to be deleted. Default: 5 +optional.

• map<string, string> system_reserved = 35

  systemReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for non-kubernetes components. Currently only cpu and memory are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may not be possible to increase the reserved resources, because this requires resizing cgroups. Always look for a NodeAllocatableEnforced event after updating this field to ensure that the update was successful. Default: nil +optional.

• map<string, string> kube_reserved = 36

  A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for kubernetes system components. Currently cpu, memory and local storage for root file system are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may not be possible to increase the reserved resources, because this requires resizing cgroups. Always look for a NodeAllocatableEnforced event after updating this field to ensure that the update was successful. Default: nil +optional.

• repeated string enforce_node_allocatable = 37

  This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform. This flag accepts a list of options. Acceptable options are `none`, `pods`, `system-reserved` & `kube-reserved`. If `none` is specified, no other options may be specified. Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that removing enforcements may reduce the stability of the node. Alternatively, adding enforcements may reduce the stability of components which were using more than the reserved amount of resources; for example, enforcing kube-reserved may cause Kubelets to OOM if it uses more than the reserved resources, and enforcing system-reserved may cause system daemons to OOM if they use more than the reserved resources. Default: ["pods"] +optional.

• repeated string allowed_unsafe_sysctls = 38

  A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in *). Unsafe sysctl groups are kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*, and net.*. These sysctls are namespaced but not allowed by default. For example: "kernel.msg*,net.ipv4.route.min_pmtu" Default: [] +optional.

• optional bool serialize_image_pulls = 39

  serializeImagePulls when enabled, tells the Kubelet to pull images one at a time. We recommend *not* changing the default value on nodes that run docker daemon with version < 1.9 or an Aufs storage backend. Issue #10959 has more details. Default: true +optional

• bool seccomp_default = 40

  SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. Default: false +optional

Used in: KubeletConfig

• KUBELET_DISK_UNSPECIFIED = 0

• KUBELET_DISK_OS_DISK = 1

• KUBELET_DISK_TEMP_DISK = 2

Used in: KubeletAuthentication

• bool enabled = 1

  enabled allows bearer token authentication backed by the tokenreviews.authentication.k8s.io API. +optional.

• string cache_ttl = 2

  cacheTTL enables caching of authentication results. +optional.

Used in: KubeletAuthorization

• string cache_authorized_ttl = 1

  cacheAuthorizedTTL is the duration to cache 'authorized' responses from the webhook authorizer. +optional.

• string cache_unauthorized_ttl = 2

  cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from the webhook authorizer. +optional.

Used in: KubeletAuthentication

• string client_ca_file = 1

  clientCAFile is the path to a PEM-encoded certificate bundle. If set, any request presenting a client certificate signed by one of the authorities in the bundle is authenticated with a username corresponding to the CommonName, and groups corresponding to the Organization in the client certificate. +optional.

Used in: ClusterConfig

• LoadBalancerSku load_balancer_sku = 1

  Load balancer sku, default to basic

• optional bool exclude_master_from_standard_load_balancer = 2

  Specify if master node should be excluded from standard load balancer, default to true

• optional int32 max_load_balancer_rule_count = 3

  Maximum number of load balancer rules, default to 148

• bool disable_outbound_snat = 4

  Disable outbound SNAT (Source Network Address Translation) for load balancer, default to false

Used in: LoadBalancerConfig

• LOAD_BALANCER_SKU_UNSPECIFIED = 0

• LOAD_BALANCER_SKU_BASIC = 1

• LOAD_BALANCER_SKU_STANDARD = 2

Used in: Configuration

• NetworkPlugin network_plugin = 1

  Network plugin to be used by the cluster. Options are NONE, AZURE, KUBENET.

• NetworkPolicy network_policy = 2

  Network policy to be used by the cluster. This is still needed to compute ENSURE_NO_DUPE_PROMISCUOUS_BRIDGE. Other than that, it is not used by others. See the discussions here https://github.com/Azure/AgentBaker/pull/4241#discussion_r1554283228

• string vnet_cni_plugins_url = 3

  URL to the vnet cni plugins tarball.

• string cni_plugins_url = 4

  URL to the cni plugins tarball.

Used in: NetworkConfig

• NETWORK_PLUGIN_UNSPECIFIED = 0

• NETWORK_PLUGIN_NONE = 1

• NETWORK_PLUGIN_AZURE = 2

• NETWORK_PLUGIN_KUBENET = 3

Used in: NetworkConfig

• NETWORK_POLICY_UNSPECIFIED = 0

• NETWORK_POLICY_NONE = 1

• NETWORK_POLICY_AZURE = 2

• NETWORK_POLICY_CALICO = 3

Used in: Configuration

• string runc_version = 1

  The version of runc to use.

• string runc_package_url = 2

  The URL to download the runc package from.

Used in: CustomLinuxOsConfig

• optional int32 net_core_somaxconn = 1

  using optional here to allow detecting if the field is set or not (explicit presence in proto3)

• optional int32 net_core_netdev_max_backlog = 2

• optional int32 net_core_rmem_default = 3

• optional int32 net_core_rmem_max = 4

• optional int32 net_core_wmem_default = 5

• optional int32 net_core_wmem_max = 6

• optional int32 net_core_optmem_max = 7

• optional int32 net_ipv4_tcp_max_syn_backlog = 8

• optional int32 net_ipv4_tcp_max_tw_buckets = 9

• optional int32 net_ipv4_tcp_fin_timeout = 10

• optional int32 net_ipv4_tcp_keepalive_time = 11

• optional int32 net_ipv4_tcp_keepalive_probes = 12

• optional int32 net_ipv4_tcpkeepalive_intvl = 13

• optional bool net_ipv4_tcp_tw_reuse = 14

• optional string net_ipv4_ip_local_port_range = 15

• optional int32 net_ipv4_neigh_default_gc_thresh1 = 16

• optional int32 net_ipv4_neigh_default_gc_thresh2 = 17

• optional int32 net_ipv4_neigh_default_gc_thresh3 = 18

• optional int32 net_netfilter_nf_conntrack_max = 19

• optional int32 net_netfilter_nf_conntrack_buckets = 20

• optional int32 fs_inotify_max_user_watches = 21

• optional int32 fs_file_max = 22

• optional int32 fs_aio_max_nr = 23

• optional int32 fs_nr_open = 24

• optional int32 kernel_threads_max = 25

• optional int32 vm_max_map_count = 26

• optional int32 vm_swappiness = 27

• optional int32 vm_vfs_cache_pressure = 28

Used in: Configuration

• bool status = 1

  The status of the teleportd plugin. If true, the plugin is enabled.

• string teleportd_plugin_download_url = 2

  The URL to download the teleportd plugin.

Used in: CustomLinuxOsConfig

• optional string no_file = 1

  using optional here to allow detecting if the field is set or not (explicit presence in proto3)

• optional string max_locked_memory = 2

Used in: ClusterConfig

• VM_TYPE_UNSPECIFIED = 0

• VM_TYPE_STANDARD = 1

• VM_TYPE_VMSS = 2

Used in: Configuration

• WORKLOAD_RUNTIME_UNSPECIFIED = 0

• WORKLOAD_RUNTIME_OCI_CONTAINER = 1

• WORKLOAD_RUNTIME_WASM_WASI = 2