API reference

metadata defines ObjectMeta as the metadata that all persisted resources.

spec defines the specification of the desired behavior of the Alertmanager cluster. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

status defines the most recent observed status of the Alertmanager cluster. Read-only. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

metadata defines ObjectMeta as the metadata that all persisted resources.

spec defines the specification of desired Pod selection for target discovery by Prometheus.

status defines the status subresource. It is under active development and is updated only when the “StatusForConfigurationResources” feature gate is enabled.

Most recent observed status of the PodMonitor. Read-only. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

metadata defines ObjectMeta as the metadata that all persisted resources.

spec defines the specification of desired Ingress selection for target discovery by Prometheus.

status defines the status subresource. It is under active development and is updated only when the “StatusForConfigurationResources” feature gate is enabled.

Most recent observed status of the Probe. Read-only. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

metadata defines ObjectMeta as the metadata that all persisted resources.

spec defines the specification of the desired behavior of the Prometheus cluster. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

status defines the most recent observed status of the Prometheus cluster. Read-only. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

metadata defines ObjectMeta as the metadata that all persisted resources.

spec defines the specification of desired alerting rule definitions for Prometheus.

metadata defines ObjectMeta as the metadata that all persisted resources.

spec defines the specification of desired Service selection for target discovery by Prometheus.

status defines the status subresource. It is under active development and is updated only when the “StatusForConfigurationResources” feature gate is enabled.

Most recent observed status of the ServiceMonitor. Read-only. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

metadata defines ObjectMeta as the metadata that all persisted resources.

spec defines the specification of the desired behavior of the ThanosRuler cluster. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

status defines the most recent observed status of the ThanosRuler cluster. Read-only. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

host defines the Kubernetes API address consisting of a hostname or IP address followed by an optional port number.

basicAuth configuration for the API server.

Cannot be set at the same time as authorization, bearerToken, or bearerTokenFile.

bearerTokenFile defines the file to read bearer token for accessing apiserver.

Cannot be set at the same time as basicAuth, authorization, or bearerToken.

Deprecated: this will be removed in a future release. Prefer using authorization.

tlsConfig to use for the API server.

authorization section for the API server.

Cannot be set at the same time as basicAuth, bearerToken, or bearerTokenFile.

bearerToken is deprecated: this will be removed in a future release. Warning: this field shouldn’t be used because the token value appears in clear-text. Prefer using authorization.

proxyUrl defines the HTTP proxy server to use.

noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names that should be excluded from proxying. IP and domain names can contain port numbers.

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

proxyConnectHeader optionally specifies headers to send to proxies during CONNECT requests.

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

"OnResource"

Automatically add a label selector that will select all pods matching the same Prometheus/PrometheusAgent resource (irrespective of their shards).

"OnShard"

Automatically add a label selector that will select all pods matching the same shard.

alertmanagers endpoints where Prometheus should send alerts to.

"V1"

"V2"

type defines the strategy used by AlertmanagerConfig objects to match alerts in the routes and inhibition rules.

The default value is OnNamespace.

"None"

With None, the route and inhibition rules of an AlertmanagerConfig object process all incoming alerts.

"OnNamespace"

With OnNamespace, the route and inhibition rules of an AlertmanagerConfig object only process alerts that have a namespace label equal to the namespace of the object.

"OnNamespaceExceptForAlertmanagerNamespace"

With OnNamespaceExceptForAlertmanagerNamespace, the route and inhibition rules of an AlertmanagerConfig object only process alerts that have a namespace label equal to the namespace of the object, unless the AlertmanagerConfig object is in the same namespace as the Alertmanager object, where it will process all alerts.

name defines the name of the AlertmanagerConfig custom resource which is used to generate the Alertmanager configuration. It must be defined in the same namespace as the Alertmanager object. The operator will not enforce a namespace label for routes and inhibition rules.

global defines the global parameters of the Alertmanager configuration.

templates defines the custom notification templates.

namespace of the Endpoints object.

If not set, the object will be discovered in the namespace of the Prometheus object.

name of the Endpoints object in the namespace.

port on which the Alertmanager API is exposed.

scheme to use when firing alerts.

pathPrefix defines the prefix for the HTTP path alerts are pushed to.

tlsConfig to use for Alertmanager.

basicAuth configuration for Alertmanager.

Cannot be set at the same time as bearerTokenFile, authorization or sigv4.

bearerTokenFile defines the file to read bearer token for Alertmanager.

Cannot be set at the same time as basicAuth, authorization, or sigv4.

Deprecated: this will be removed in a future release. Prefer using authorization.

authorization section for Alertmanager.

Cannot be set at the same time as basicAuth, bearerTokenFile or sigv4.

sigv4 defines AWS’s Signature Verification 4 for the URL.

It requires Prometheus >= v2.48.0.

Cannot be set at the same time as basicAuth, bearerTokenFile or authorization.

proxyUrl defines the HTTP proxy server to use.

noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names that should be excluded from proxying. IP and domain names can contain port numbers.

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

proxyConnectHeader optionally specifies headers to send to proxies during CONNECT requests.

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

apiVersion defines the version of the Alertmanager API that Prometheus uses to send alerts. It can be “V1” or “V2”. The field has no effect for Prometheus >= v3.0.0 because only the v2 API is supported.

timeout defines a per-target Alertmanager timeout when pushing alerts.

enableHttp2 defines whether to enable HTTP2.

relabelings defines the relabel configuration applied to the discovered Alertmanagers.

alertRelabelings defines the relabeling configs applied before sending alerts to a specific Alertmanager. It requires Prometheus >= v2.51.0.

smtp defines global SMTP parameters.

resolveTimeout defines the default value used by alertmanager if the alert does not include EndsAt, after this time passes it can declare the alert as resolved if it has not been updated. This has no impact on alerts from Prometheus, as they always include EndsAt.

httpConfig defines the default HTTP configuration.

slackApiUrl defines the default Slack API URL.

opsGenieApiUrl defines the default OpsGenie API URL.

opsGenieApiKey defines the default OpsGenie API Key.

pagerdutyUrl defines the default Pagerduty URL.

telegram defines the default Telegram config

jira defines the default configuration for Jira.

victorops defines the default configuration for VictorOps.

rocketChat defines the default configuration for Rocket Chat.

webex defines the default configuration for Jira.

wechat defines the default WeChat Config

maxSilences defines the maximum number active and pending silences. This corresponds to the Alertmanager’s --silences.max-silences flag. It requires Alertmanager >= v0.28.0.

maxPerSilenceBytes defines the maximum size of an individual silence as stored on disk. This corresponds to the Alertmanager’s --silences.max-per-silence-bytes flag. It requires Alertmanager >= v0.28.0.

podMetadata defines labels and annotations which are propagated to the Alertmanager pods.

The following items are reserved and cannot be overridden: * “alertmanager” label, set to the name of the Alertmanager instance. * “app.kubernetes.io/instance” label, set to the name of the Alertmanager instance. * “app.kubernetes.io/managed-by” label, set to “prometheus-operator”. * “app.kubernetes.io/name” label, set to “alertmanager”. * “app.kubernetes.io/version” label, set to the Alertmanager version. * “kubectl.kubernetes.io/default-container” annotation, set to “alertmanager”.

image if specified has precedence over baseImage, tag and sha combinations. Specifying the version is still necessary to ensure the Prometheus Operator knows what version of Alertmanager is being configured.

imagePullPolicy for the ‘alertmanager’, ‘init-config-reloader’ and ‘config-reloader’ containers. See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details.

version the cluster should be on.

tag of Alertmanager container image to be deployed. Defaults to the value of version. Version is ignored if Tag is set. Deprecated: use ‘image’ instead. The image tag can be specified as part of the image URL.

sha of Alertmanager container image to be deployed. Defaults to the value of version. Similar to a tag, but the SHA explicitly deploys an immutable container image. Version and Tag are ignored if SHA is set. Deprecated: use ‘image’ instead. The image digest can be specified as part of the image URL.

baseImage that is used to deploy pods, without tag. Deprecated: use ‘image’ instead.

imagePullSecrets An optional list of references to secrets in the same namespace to use for pulling prometheus and alertmanager images from registries see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

secrets is a list of Secrets in the same namespace as the Alertmanager object, which shall be mounted into the Alertmanager Pods. Each Secret is added to the StatefulSet definition as a volume named secret-<secret-name>. The Secrets are mounted into /etc/alertmanager/secrets/<secret-name> in the ‘alertmanager’ container.

configMaps defines a list of ConfigMaps in the same namespace as the Alertmanager object, which shall be mounted into the Alertmanager Pods. Each ConfigMap is added to the StatefulSet definition as a volume named configmap-<configmap-name>. The ConfigMaps are mounted into /etc/alertmanager/configmaps/<configmap-name> in the ‘alertmanager’ container.

configSecret defines the name of a Kubernetes Secret in the same namespace as the Alertmanager object, which contains the configuration for this Alertmanager instance. If empty, it defaults to alertmanager-<alertmanager-name>.

The Alertmanager configuration should be available under the alertmanager.yaml key. Additional keys from the original secret are copied to the generated secret and mounted into the /etc/alertmanager/config directory in the alertmanager container.

If either the secret or the alertmanager.yaml key is missing, the operator provisions a minimal Alertmanager configuration with one empty receiver (effectively dropping alert notifications).

logLevel for Alertmanager to be configured with.

logFormat for Alertmanager to be configured with.

replicas defines the expected size of the alertmanager cluster. The controller will eventually make the size of the running cluster equal to the expected size.

retention defines the time duration Alertmanager shall retain data for. Default is ‘120h’, and must match the regular expression [0-9]+(ms|s|m|h) (milliseconds seconds minutes hours).

storage defines the definition of how storage will be used by the Alertmanager instances.

volumes allows configuration of additional volumes on the output StatefulSet definition. Volumes specified will be appended to other volumes that are generated as a result of StorageSpec objects.

volumeMounts allows configuration of additional VolumeMounts on the output StatefulSet definition. VolumeMounts specified will be appended to other VolumeMounts in the alertmanager container, that are generated as a result of StorageSpec objects.

persistentVolumeClaimRetentionPolicy controls if and how PVCs are deleted during the lifecycle of a StatefulSet. The default behavior is all PVCs are retained. This is an alpha field from kubernetes 1.23 until 1.26 and a beta field from 1.26. It requires enabling the StatefulSetAutoDeletePVC feature gate.

externalUrl defines the URL used to access the Alertmanager web service. This is necessary to generate correct URLs. This is necessary if Alertmanager is not served from root of a DNS name.

routePrefix Alertmanager registers HTTP handlers for. This is useful, if using ExternalURL and a proxy is rewriting HTTP routes of a request, and the actual ExternalURL is still true, but the server serves requests under a different route prefix. For example for use with kubectl proxy.

paused if set to true all actions on the underlying managed objects are not going to be performed, except for delete actions.

nodeSelector defines which Nodes the Pods are scheduled on.

resources defines the resource requests and limits of the Pods.

affinity defines the pod’s scheduling constraints.

tolerations defines the pod’s tolerations.

topologySpreadConstraints defines the Pod’s topology spread constraints.

securityContext holds pod-level security attributes and common container settings. This defaults to the default PodSecurityContext.

dnsPolicy defines the DNS policy for the pods.

dnsConfig defines the DNS configuration for the pods.

enableServiceLinks defines whether information about services should be injected into pod’s environment variables

serviceName defines the service name used by the underlying StatefulSet(s) as the governing service. If defined, the Service must be created before the Alertmanager resource in the same namespace and it must define a selector that matches the pod labels. If empty, the operator will create and manage a headless service named alertmanager-operated for Alertmanager resources. When deploying multiple Alertmanager resources in the same namespace, it is recommended to specify a different value for each. See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details.

serviceAccountName is the name of the ServiceAccount to use to run the Prometheus Pods.

listenLocal defines the Alertmanager server listen on loopback, so that it does not bind against the Pod IP. Note this is only for the Alertmanager UI, not the gossip communication.

containers allows injecting additional containers. This is meant to allow adding an authentication proxy to an Alertmanager pod. Containers described here modify an operator generated container if they share the same name and modifications are done via a strategic merge patch. The current container names are: alertmanager and config-reloader. Overriding containers is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

initContainers allows adding initContainers to the pod definition. Those can be used to e.g. fetch secrets for injection into the Alertmanager configuration from external sources. Any errors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ InitContainers described here modify an operator generated init containers if they share the same name and modifications are done via a strategic merge patch. The current init container name is: init-config-reloader. Overriding init containers is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

priorityClassName assigned to the Pods

additionalPeers allows injecting a set of additional Alertmanagers to peer with to form a highly available cluster.

clusterAdvertiseAddress defines the explicit address to advertise in cluster. Needs to be provided for non RFC1918 1 addresses. [1] RFC1918: https://tools.ietf.org/html/rfc1918

clusterGossipInterval defines the interval between gossip attempts.

clusterLabel defines the identifier that uniquely identifies the Alertmanager cluster. You should only set it when the Alertmanager cluster includes Alertmanager instances which are external to this Alertmanager resource. In practice, the addresses of the external instances are provided via the .spec.additionalPeers field.

clusterPushpullInterval defines the interval between pushpull attempts.

clusterPeerTimeout defines the timeout for cluster peering.

portName defines the port’s name for the pods and governing service. Defaults to web.

forceEnableClusterMode ensures Alertmanager does not deactivate the cluster mode when running with a single replica. Use case is e.g. spanning an Alertmanager cluster across Kubernetes clusters with a single replica in each.

alertmanagerConfigSelector defines the selector to be used for to merge and configure Alertmanager with.

alertmanagerConfigNamespaceSelector defines the namespaces to be selected for AlertmanagerConfig discovery. If nil, only check own namespace.

alertmanagerConfigMatcherStrategy defines how AlertmanagerConfig objects process incoming alerts.

minReadySeconds defines the minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to be considered available.

If unset, pods will be considered available as soon as they are ready.

hostAliases Pods configuration

web defines the web command line flags when starting Alertmanager.

limits defines the limits command line flags when starting Alertmanager.

clusterTLS defines the mutual TLS configuration for the Alertmanager cluster’s gossip protocol.

It requires Alertmanager >= 0.24.0.

alertmanagerConfiguration defines the configuration of Alertmanager.

If defined, it takes precedence over the configSecret field.

This is an experimental feature, it may change in any upcoming release in a breaking way.

automountServiceAccountToken defines whether a service account token should be automatically mounted in the pod. If the service account has automountServiceAccountToken: true, set the field to false to opt out of automounting API credentials.

enableFeatures defines the Alertmanager’s feature flags. By default, no features are enabled. Enabling features which are disabled by default is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

It requires Alertmanager >= 0.27.0.

additionalArgs allows setting additional arguments for the ‘Alertmanager’ container. It is intended for e.g. activating hidden flags which are not supported by the dedicated configuration options yet. The arguments are passed as-is to the Alertmanager container which may cause issues if they are invalid or not supported by the given Alertmanager version.

terminationGracePeriodSeconds defines the Optional duration in seconds the pod needs to terminate gracefully. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down) which may lead to data corruption.

Defaults to 120 seconds.

hostUsers supports the user space in Kubernetes.

More info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/

The feature requires at least Kubernetes 1.28 with the UserNamespacesSupport feature gate enabled. Starting Kubernetes 1.33, the feature is enabled by default.

paused defines whether any actions on the underlying managed objects are being performed. Only delete actions will be performed.

replicas defines the total number of non-terminated pods targeted by this Alertmanager object (their labels match the selector).

updatedReplicas defines the total number of non-terminated pods targeted by this Alertmanager object that have the desired version spec.

availableReplicas defines the total number of available pods (ready for at least minReadySeconds) targeted by this Alertmanager cluster.

unavailableReplicas defines the total number of unavailable pods targeted by this Alertmanager object.

selector used to match the pods targeted by this Alertmanager object.

conditions defines the current state of the Alertmanager object.

tlsConfig defines the TLS parameters for HTTPS.

httpConfig defines HTTP parameters for web server.

getConcurrency defines the maximum number of GET requests processed concurrently. This corresponds to the Alertmanager’s --web.get-concurrency flag.

timeout for HTTP requests. This corresponds to the Alertmanager’s --web.timeout flag.

deny prevents service monitors from accessing arbitrary files on the file system. When true, service monitors cannot use file-based configurations like BearerTokenFile that could potentially access sensitive files. When false (default), such access is allowed. Setting this to true enhances security by preventing potential credential theft attacks.

name of the argument, e.g. “scrape.discovery-reload-interval”.

value defines the argument value, e.g. 30s. Can be empty for name-only arguments (e.g. –storage.tsdb.no-lockfile)

node when set to true, Prometheus attaches node metadata to the discovered targets.

The Prometheus service account must have the list and watch permissions on the Nodes objects.

type defines the authentication type. The value is case-insensitive.

“Basic” is not a supported value.

Default: “Bearer”

credentials defines a key of a Secret in the namespace that contains the credentials for authentication.

credentialsFile defines the file to read a secret from, mutually exclusive with credentials.

cloud defines the Azure Cloud. Options are ‘AzurePublic’, ‘AzureChina’, or ‘AzureGovernment’.

managedIdentity defines the Azure User-assigned Managed identity. Cannot be set at the same time as oauth or sdk.

oauth defines the oauth config that is being used to authenticate. Cannot be set at the same time as managedIdentity or sdk.

It requires Prometheus >= v2.48.0 or Thanos >= v0.31.0.

sdk defines the Azure SDK config that is being used to authenticate. See https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication Cannot be set at the same time as oauth or managedIdentity.

It requires Prometheus >= v2.52.0 or Thanos >= v0.36.0.

clientId defines the clientId of the Azure Active Directory application that is being used to authenticate.

clientSecret specifies a key of a Secret containing the client secret of the Azure Active Directory application that is being used to authenticate.

tenantId is the tenant ID of the Azure Active Directory application that is being used to authenticate.

tenantId defines the tenant ID of the azure active directory application that is being used to authenticate.

username defines a key of a Secret containing the username for authentication.

password defines a key of a Secret containing the password for authentication.

server defines the server-side configuration for mutual TLS.

client defines the client-side configuration for mutual TLS.

podMetadata defines labels and annotations which are propagated to the Prometheus pods.

The following items are reserved and cannot be overridden: * “prometheus” label, set to the name of the Prometheus object. * “app.kubernetes.io/instance” label, set to the name of the Prometheus object. * “app.kubernetes.io/managed-by” label, set to “prometheus-operator”. * “app.kubernetes.io/name” label, set to “prometheus”. * “app.kubernetes.io/version” label, set to the Prometheus version. * “operator.prometheus.io/name” label, set to the name of the Prometheus object. * “operator.prometheus.io/shard” label, set to the shard number of the Prometheus object. * “kubectl.kubernetes.io/default-container” annotation, set to “prometheus”.

serviceMonitorSelector defines the serviceMonitors to be selected for target discovery. An empty label selector matches all objects. A null label selector matches no objects.

If spec.serviceMonitorSelector, spec.podMonitorSelector, spec.probeSelector and spec.scrapeConfigSelector are null, the Prometheus configuration is unmanaged. The Prometheus operator will ensure that the Prometheus configuration’s Secret exists, but it is the responsibility of the user to provide the raw gzipped Prometheus configuration under the prometheus.yaml.gz key. This behavior is deprecated and will be removed in the next major version of the custom resource definition. It is recommended to use spec.additionalScrapeConfigs instead.

serviceMonitorNamespaceSelector defines the namespaces to match for ServicedMonitors discovery. An empty label selector matches all namespaces. A null label selector (default value) matches the current namespace only.

podMonitorSelector defines the podMonitors to be selected for target discovery. An empty label selector matches all objects. A null label selector matches no objects.

If spec.serviceMonitorSelector, spec.podMonitorSelector, spec.probeSelector and spec.scrapeConfigSelector are null, the Prometheus configuration is unmanaged. The Prometheus operator will ensure that the Prometheus configuration’s Secret exists, but it is the responsibility of the user to provide the raw gzipped Prometheus configuration under the prometheus.yaml.gz key. This behavior is deprecated and will be removed in the next major version of the custom resource definition. It is recommended to use spec.additionalScrapeConfigs instead.

podMonitorNamespaceSelector defines the namespaces to match for PodMonitors discovery. An empty label selector matches all namespaces. A null label selector (default value) matches the current namespace only.

probeSelector defines the probes to be selected for target discovery. An empty label selector matches all objects. A null label selector matches no objects.

If spec.serviceMonitorSelector, spec.podMonitorSelector, spec.probeSelector and spec.scrapeConfigSelector are null, the Prometheus configuration is unmanaged. The Prometheus operator will ensure that the Prometheus configuration’s Secret exists, but it is the responsibility of the user to provide the raw gzipped Prometheus configuration under the prometheus.yaml.gz key. This behavior is deprecated and will be removed in the next major version of the custom resource definition. It is recommended to use spec.additionalScrapeConfigs instead.

probeNamespaceSelector defines the namespaces to match for Probe discovery. An empty label selector matches all namespaces. A null label selector matches the current namespace only.

scrapeConfigSelector defines the scrapeConfigs to be selected for target discovery. An empty label selector matches all objects. A null label selector matches no objects.

If spec.serviceMonitorSelector, spec.podMonitorSelector, spec.probeSelector and spec.scrapeConfigSelector are null, the Prometheus configuration is unmanaged. The Prometheus operator will ensure that the Prometheus configuration’s Secret exists, but it is the responsibility of the user to provide the raw gzipped Prometheus configuration under the prometheus.yaml.gz key. This behavior is deprecated and will be removed in the next major version of the custom resource definition. It is recommended to use spec.additionalScrapeConfigs instead.

Note that the ScrapeConfig custom resource definition is currently at Alpha level.

scrapeConfigNamespaceSelector defines the namespaces to match for ScrapeConfig discovery. An empty label selector matches all namespaces. A null label selector matches the current namespace only.

Note that the ScrapeConfig custom resource definition is currently at Alpha level.

version of Prometheus being deployed. The operator uses this information to generate the Prometheus StatefulSet + configuration files.

If not specified, the operator assumes the latest upstream version of Prometheus available at the time when the version of the operator was released.

paused defines when a Prometheus deployment is paused, no actions except for deletion will be performed on the underlying objects.

image defines the container image name for Prometheus. If specified, it takes precedence over the spec.baseImage, spec.tag and spec.sha fields.

Specifying spec.version is still necessary to ensure the Prometheus Operator knows which version of Prometheus is being configured.

If neither spec.image nor spec.baseImage are defined, the operator will use the latest upstream version of Prometheus available at the time when the operator was released.

imagePullPolicy defines the image pull policy for the ‘prometheus’, ‘init-config-reloader’ and ‘config-reloader’ containers. See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details.

imagePullSecrets defines an optional list of references to Secrets in the same namespace to use for pulling images from registries. See http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod

replicas defines the number of replicas of each shard to deploy for a Prometheus deployment. spec.replicas multiplied by spec.shards is the total number of Pods created.

Default: 1

shards defines the number of shards to distribute the scraped targets onto.

spec.replicas multiplied by spec.shards is the total number of Pods being created.

When not defined, the operator assumes only one shard.

Note that scaling down shards will not reshard data onto the remaining instances, it must be manually moved. Increasing shards will not reshard data either but it will continue to be available from the same instances. To query globally, use either * Thanos sidecar + querier for query federation and Thanos Ruler for rules. * Remote-write to send metrics to a central location.

By default, the sharding of targets is performed on: * The __address__ target’s metadata label for PodMonitor, ServiceMonitor and ScrapeConfig resources. * The __param_target__ label for Probe resources.

Users can define their own sharding implementation by setting the __tmp_hash label during the target discovery with relabeling configuration (either in the monitoring resources or via scrape class).

You can also disable sharding on a specific target by setting the __tmp_disable_sharding label with relabeling configuration. When the label value isn’t empty, all Prometheus shards will scrape the target.

replicaExternalLabelName defines the name of Prometheus external label used to denote the replica name. The external label will not be added when the field is set to the empty string ("").

Default: “prometheus_replica”

prometheusExternalLabelName defines the name of Prometheus external label used to denote the Prometheus instance name. The external label will not be added when the field is set to the empty string ("").

Default: “prometheus”

logLevel for Prometheus and the config-reloader sidecar.

logFormat for Log level for Prometheus and the config-reloader sidecar.

scrapeInterval defines interval between consecutive scrapes.

Default: “30s”

scrapeTimeout defines the number of seconds to wait until a scrape request times out. The value cannot be greater than the scrape interval otherwise the operator will reject the resource.

scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the protocols supported by Prometheus in order of preference (from most to least preferred).

If unset, Prometheus uses its default value.

It requires Prometheus >= v2.49.0.

PrometheusText1.0.0 requires Prometheus >= v3.0.0.

externalLabels defines the labels to add to any time series or alerts when communicating with external systems (federation, remote storage, Alertmanager). Labels defined by spec.replicaExternalLabelName and spec.prometheusExternalLabelName take precedence over this list.

enableRemoteWriteReceiver defines the Prometheus to be used as a receiver for the Prometheus remote write protocol.

WARNING: This is not considered an efficient way of ingesting samples. Use it with caution for specific low-volume use cases. It is not suitable for replacing the ingestion via scraping and turning Prometheus into a push-based metrics collection system. For more information see https://prometheus.io/docs/prometheus/latest/querying/api/#remote-write-receiver

It requires Prometheus >= v2.33.0.

enableOTLPReceiver defines the Prometheus to be used as a receiver for the OTLP Metrics protocol.

Note that the OTLP receiver endpoint is automatically enabled if .spec.otlpConfig is defined.

It requires Prometheus >= v2.47.0.

remoteWriteReceiverMessageVersions list of the protobuf message versions to accept when receiving the remote writes.

It requires Prometheus >= v2.54.0.

enableFeatures enables access to Prometheus feature flags. By default, no features are enabled.

Enabling features which are disabled by default is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

For more information see https://prometheus.io/docs/prometheus/latest/feature_flags/

externalUrl defines the external URL under which the Prometheus service is externally available. This is necessary to generate correct URLs (for instance if Prometheus is accessible behind an Ingress resource).

routePrefix defines the route prefix Prometheus registers HTTP handlers for.

This is useful when using spec.externalURL, and a proxy is rewriting HTTP routes of a request, and the actual ExternalURL is still true, but the server serves requests under a different route prefix. For example for use with kubectl proxy.

storage defines the storage used by Prometheus.

volumes allows the configuration of additional volumes on the output StatefulSet definition. Volumes specified will be appended to other volumes that are generated as a result of StorageSpec objects.

volumeMounts allows the configuration of additional VolumeMounts.

VolumeMounts will be appended to other VolumeMounts in the ‘prometheus’ container, that are generated as a result of StorageSpec objects.

persistentVolumeClaimRetentionPolicy defines the field controls if and how PVCs are deleted during the lifecycle of a StatefulSet. The default behavior is all PVCs are retained. This is an alpha field from kubernetes 1.23 until 1.26 and a beta field from 1.26. It requires enabling the StatefulSetAutoDeletePVC feature gate.

web defines the configuration of the Prometheus web server.

resources defines the resources requests and limits of the ‘prometheus’ container.

nodeSelector defines on which Nodes the Pods are scheduled.

serviceAccountName is the name of the ServiceAccount to use to run the Prometheus Pods.

automountServiceAccountToken defines whether a service account token should be automatically mounted in the pod. If the field isn’t set, the operator mounts the service account token by default.

Warning: be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. It is possible to use strategic merge patch to project the service account token into the ‘prometheus’ container.

secrets defines a list of Secrets in the same namespace as the Prometheus object, which shall be mounted into the Prometheus Pods. Each Secret is added to the StatefulSet definition as a volume named secret-<secret-name>. The Secrets are mounted into /etc/prometheus/secrets/ in the ‘prometheus’ container.

configMaps defines a list of ConfigMaps in the same namespace as the Prometheus object, which shall be mounted into the Prometheus Pods. Each ConfigMap is added to the StatefulSet definition as a volume named configmap-<configmap-name>. The ConfigMaps are mounted into /etc/prometheus/configmaps/ in the ‘prometheus’ container.

affinity defines the Pods’ affinity scheduling rules if specified.

tolerations defines the Pods’ tolerations if specified.

topologySpreadConstraints defines the pod’s topology spread constraints if specified.

remoteWrite defines the list of remote write configurations.

otlp defines the settings related to the OTLP receiver feature. It requires Prometheus >= v2.55.0.

securityContext holds pod-level security attributes and common container settings. This defaults to the default PodSecurityContext.

dnsPolicy defines the DNS policy for the pods.

dnsConfig defines the DNS configuration for the pods.

listenLocal when true, the Prometheus server listens on the loopback address instead of the Pod IP’s address.

enableServiceLinks defines whether information about services should be injected into pod’s environment variables

containers allows injecting additional containers or modifying operator generated containers. This can be used to allow adding an authentication proxy to the Pods or to change the behavior of an operator generated container. Containers described here modify an operator generated container if they share the same name and modifications are done via a strategic merge patch.

The names of containers managed by the operator are: * prometheus * config-reloader * thanos-sidecar

Overriding containers is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

initContainers allows injecting initContainers to the Pod definition. Those can be used to e.g. fetch secrets for injection into the Prometheus configuration from external sources. Any errors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ InitContainers described here modify an operator generated init containers if they share the same name and modifications are done via a strategic merge patch.

The names of init container name managed by the operator are: * init-config-reloader.

Overriding init containers is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

additionalScrapeConfigs allows specifying a key of a Secret containing additional Prometheus scrape configurations. Scrape configurations specified are appended to the configurations generated by the Prometheus Operator. Job configurations specified must have the form as specified in the official Prometheus documentation: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config. As scrape configs are appended, the user is responsible to make sure it is valid. Note that using this feature may expose the possibility to break upgrades of Prometheus. It is advised to review Prometheus release notes to ensure that no incompatible scrape configs are going to break Prometheus after the upgrade.

apiserverConfig allows specifying a host and auth methods to access the Kuberntees API server. If null, Prometheus is assumed to run inside of the cluster: it will discover the API servers automatically and use the Pod’s CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.

priorityClassName assigned to the Pods.

portName used for the pods and governing service. Default: “web”

arbitraryFSAccessThroughSMs when true, ServiceMonitor, PodMonitor and Probe object are forbidden to reference arbitrary files on the file system of the ‘prometheus’ container. When a ServiceMonitor’s endpoint specifies a bearerTokenFile value (e.g. ‘/var/run/secrets/kubernetes.io/serviceaccount/token’), a malicious target can get access to the Prometheus service account’s token in the Prometheus’ scrape request. Setting spec.arbitraryFSAccessThroughSM to ‘true’ would prevent the attack. Users should instead provide the credentials using the spec.bearerTokenSecret field.

overrideHonorLabels when true, Prometheus resolves label conflicts by renaming the labels in the scraped data to “exported_” for all targets created from ServiceMonitor, PodMonitor and ScrapeConfig objects. Otherwise the HonorLabels field of the service or pod monitor applies. In practice,OverrideHonorLabels:true enforces honorLabels:false for all ServiceMonitor, PodMonitor and ScrapeConfig objects.

overrideHonorTimestamps when true, Prometheus ignores the timestamps for all the targets created from service and pod monitors. Otherwise the HonorTimestamps field of the service or pod monitor applies.

ignoreNamespaceSelectors when true, spec.namespaceSelector from all PodMonitor, ServiceMonitor and Probe objects will be ignored. They will only discover targets within the namespace of the PodMonitor, ServiceMonitor and Probe object.

enforcedNamespaceLabel when not empty, a label will be added to:

1. All metrics scraped from ServiceMonitor, PodMonitor, Probe and ScrapeConfig objects.
2. All metrics generated from recording rules defined in PrometheusRule objects.
3. All alerts generated from alerting rules defined in PrometheusRule objects.
4. All vector selectors of PromQL expressions defined in PrometheusRule objects.

The label will not added for objects referenced in spec.excludedFromEnforcement.

The label’s name is this field’s value. The label’s value is the namespace of the ServiceMonitor, PodMonitor, Probe, PrometheusRule or ScrapeConfig object.

enforcedSampleLimit when defined specifies a global limit on the number of scraped samples that will be accepted. This overrides any spec.sampleLimit set by ServiceMonitor, PodMonitor, Probe objects unless spec.sampleLimit is greater than zero and less than spec.enforcedSampleLimit.

It is meant to be used by admins to keep the overall number of samples/series under a desired limit.

When both enforcedSampleLimit and sampleLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined sampleLimit value will inherit the global sampleLimit value (Prometheus >= 2.45.0) or the enforcedSampleLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedSampleLimit is greater than the sampleLimit, the sampleLimit will be set to enforcedSampleLimit. * Scrape objects with a sampleLimit value less than or equal to enforcedSampleLimit keep their specific value. * Scrape objects with a sampleLimit value greater than enforcedSampleLimit are set to enforcedSampleLimit.

enforcedTargetLimit when defined specifies a global limit on the number of scraped targets. The value overrides any spec.targetLimit set by ServiceMonitor, PodMonitor, Probe objects unless spec.targetLimit is greater than zero and less than spec.enforcedTargetLimit.

It is meant to be used by admins to to keep the overall number of targets under a desired limit.

When both enforcedTargetLimit and targetLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined targetLimit value will inherit the global targetLimit value (Prometheus >= 2.45.0) or the enforcedTargetLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedTargetLimit is greater than the targetLimit, the targetLimit will be set to enforcedTargetLimit. * Scrape objects with a targetLimit value less than or equal to enforcedTargetLimit keep their specific value. * Scrape objects with a targetLimit value greater than enforcedTargetLimit are set to enforcedTargetLimit.

enforcedLabelLimit when defined specifies a global limit on the number of labels per sample. The value overrides any spec.labelLimit set by ServiceMonitor, PodMonitor, Probe objects unless spec.labelLimit is greater than zero and less than spec.enforcedLabelLimit.

It requires Prometheus >= v2.27.0.

When both enforcedLabelLimit and labelLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined labelLimit value will inherit the global labelLimit value (Prometheus >= 2.45.0) or the enforcedLabelLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedLabelLimit is greater than the labelLimit, the labelLimit will be set to enforcedLabelLimit. * Scrape objects with a labelLimit value less than or equal to enforcedLabelLimit keep their specific value. * Scrape objects with a labelLimit value greater than enforcedLabelLimit are set to enforcedLabelLimit.

enforcedLabelNameLengthLimit when defined specifies a global limit on the length of labels name per sample. The value overrides any spec.labelNameLengthLimit set by ServiceMonitor, PodMonitor, Probe objects unless spec.labelNameLengthLimit is greater than zero and less than spec.enforcedLabelNameLengthLimit.

It requires Prometheus >= v2.27.0.

When both enforcedLabelNameLengthLimit and labelNameLengthLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined labelNameLengthLimit value will inherit the global labelNameLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelNameLengthLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedLabelNameLengthLimit is greater than the labelNameLengthLimit, the labelNameLengthLimit will be set to enforcedLabelNameLengthLimit. * Scrape objects with a labelNameLengthLimit value less than or equal to enforcedLabelNameLengthLimit keep their specific value. * Scrape objects with a labelNameLengthLimit value greater than enforcedLabelNameLengthLimit are set to enforcedLabelNameLengthLimit.

enforcedLabelValueLengthLimit when not null defines a global limit on the length of labels value per sample. The value overrides any spec.labelValueLengthLimit set by ServiceMonitor, PodMonitor, Probe objects unless spec.labelValueLengthLimit is greater than zero and less than spec.enforcedLabelValueLengthLimit.

It requires Prometheus >= v2.27.0.

When both enforcedLabelValueLengthLimit and labelValueLengthLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined labelValueLengthLimit value will inherit the global labelValueLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelValueLengthLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedLabelValueLengthLimit is greater than the labelValueLengthLimit, the labelValueLengthLimit will be set to enforcedLabelValueLengthLimit. * Scrape objects with a labelValueLengthLimit value less than or equal to enforcedLabelValueLengthLimit keep their specific value. * Scrape objects with a labelValueLengthLimit value greater than enforcedLabelValueLengthLimit are set to enforcedLabelValueLengthLimit.

enforcedKeepDroppedTargets when defined specifies a global limit on the number of targets dropped by relabeling that will be kept in memory. The value overrides any spec.keepDroppedTargets set by ServiceMonitor, PodMonitor, Probe objects unless spec.keepDroppedTargets is greater than zero and less than spec.enforcedKeepDroppedTargets.

It requires Prometheus >= v2.47.0.

When both enforcedKeepDroppedTargets and keepDroppedTargets are defined and greater than zero, the following rules apply: * Scrape objects without a defined keepDroppedTargets value will inherit the global keepDroppedTargets value (Prometheus >= 2.45.0) or the enforcedKeepDroppedTargets value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedKeepDroppedTargets is greater than the keepDroppedTargets, the keepDroppedTargets will be set to enforcedKeepDroppedTargets. * Scrape objects with a keepDroppedTargets value less than or equal to enforcedKeepDroppedTargets keep their specific value. * Scrape objects with a keepDroppedTargets value greater than enforcedKeepDroppedTargets are set to enforcedKeepDroppedTargets.

enforcedBodySizeLimit when defined specifies a global limit on the size of uncompressed response body that will be accepted by Prometheus. Targets responding with a body larger than this many bytes will cause the scrape to fail.

It requires Prometheus >= v2.28.0.

When both enforcedBodySizeLimit and bodySizeLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined bodySizeLimit value will inherit the global bodySizeLimit value (Prometheus >= 2.45.0) or the enforcedBodySizeLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedBodySizeLimit is greater than the bodySizeLimit, the bodySizeLimit will be set to enforcedBodySizeLimit. * Scrape objects with a bodySizeLimit value less than or equal to enforcedBodySizeLimit keep their specific value. * Scrape objects with a bodySizeLimit value greater than enforcedBodySizeLimit are set to enforcedBodySizeLimit.

nameValidationScheme defines the validation scheme for metric and label names.

It requires Prometheus >= v2.55.0.

nameEscapingScheme defines the character escaping scheme that will be requested when scraping for metric and label names that do not conform to the legacy Prometheus character set.

It requires Prometheus >= v3.4.0.

convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets.

It requires Prometheus >= v3.4.0.

scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram.

Notice: scrapeClassicHistograms corresponds to the always_scrape_classic_histograms field in the Prometheus configuration.

It requires Prometheus >= v3.5.0.

minReadySeconds defines the minimum number of seconds for which a newly created Pod should be ready without any of its container crashing for it to be considered available.

If unset, pods will be considered available as soon as they are ready.

hostAliases defines the optional list of hosts and IPs that will be injected into the Pod’s hosts file if specified.

additionalArgs allows setting additional arguments for the ‘prometheus’ container.

It is intended for e.g. activating hidden flags which are not supported by the dedicated configuration options yet. The arguments are passed as-is to the Prometheus container which may cause issues if they are invalid or not supported by the given Prometheus version.

In case of an argument conflict (e.g. an argument which is already set by the operator itself) or when providing an invalid argument, the reconciliation will fail and an error will be logged.

walCompression defines the compression of the write-ahead log (WAL) using Snappy.

WAL compression is enabled by default for Prometheus >= 2.20.0

Requires Prometheus v2.11.0 and above.

excludedFromEnforcement defines the list of references to PodMonitor, ServiceMonitor, Probe and PrometheusRule objects to be excluded from enforcing a namespace label of origin.

It is only applicable if spec.enforcedNamespaceLabel set to true.

hostNetwork defines the host’s network namespace if true.

Make sure to understand the security implications if you want to enable it (https://kubernetes.io/docs/concepts/configuration/overview/ ).

When hostNetwork is enabled, this will set the DNS policy to ClusterFirstWithHostNet automatically (unless .spec.DNSPolicy is set to a different value).

podTargetLabels are appended to the spec.podTargetLabels field of all PodMonitor and ServiceMonitor objects.

tracingConfig defines tracing in Prometheus.

This is an experimental feature, it may change in any upcoming release in a breaking way.

bodySizeLimit defines per-scrape on response body size. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedBodySizeLimit.

sampleLimit defines per-scrape limit on number of scraped samples that will be accepted. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedSampleLimit.

targetLimit defines a limit on the number of scraped targets that will be accepted. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedTargetLimit.

labelLimit defines per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelLimit.

labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelNameLengthLimit.

labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelValueLengthLimit.

keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling that will be kept in memory. 0 means no limit.

It requires Prometheus >= v2.47.0.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedKeepDroppedTargets.

reloadStrategy defines the strategy used to reload the Prometheus configuration. If not specified, the configuration is reloaded using the /-/reload HTTP endpoint.

maximumStartupDurationSeconds defines the maximum time that the prometheus container’s startup probe will wait before being considered failed. The startup probe will return success after the WAL replay is complete. If set, the value should be greater than 60 (seconds). Otherwise it will be equal to 600 seconds (15 minutes).

scrapeClasses defines the list of scrape classes to expose to scraping objects such as PodMonitors, ServiceMonitors, Probes and ScrapeConfigs.

This is an experimental feature, it may change in any upcoming release in a breaking way.

serviceDiscoveryRole defines the service discovery role used to discover targets from ServiceMonitor objects and Alertmanager endpoints.

If set, the value should be either “Endpoints” or “EndpointSlice”. If unset, the operator assumes the “Endpoints” role.

tsdb defines the runtime reloadable configuration of the timeseries database(TSDB). It requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0.

scrapeFailureLogFile defines the file to which scrape failures are logged. Reloading the configuration will reopen the file.

If the filename has an empty path, e.g. ‘file.log’, The Prometheus Pods will mount the file into an emptyDir volume at /var/log/prometheus. If a full path is provided, e.g. ‘/var/log/prometheus/file.log’, you must mount a volume in the specified directory and it must be writable. It requires Prometheus >= v2.55.0.

serviceName defines the name of the service name used by the underlying StatefulSet(s) as the governing service. If defined, the Service must be created before the Prometheus/PrometheusAgent resource in the same namespace and it must define a selector that matches the pod labels. If empty, the operator will create and manage a headless service named prometheus-operated for Prometheus resources, or prometheus-agent-operated for PrometheusAgent resources. When deploying multiple Prometheus/PrometheusAgent resources in the same namespace, it is recommended to specify a different value for each. See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details.

runtime defines the values for the Prometheus process behavior

terminationGracePeriodSeconds defines the optional duration in seconds the pod needs to terminate gracefully. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down) which may lead to data corruption.

Defaults to 600 seconds.

hostUsers supports the user space in Kubernetes.

More info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/

The feature requires at least Kubernetes 1.28 with the UserNamespacesSupport feature gate enabled. Starting Kubernetes 1.33, the feature is enabled by default.

type of the condition being reported.

status of the condition.

lastTransitionTime is the time of the last update to the current status property.

reason for the condition’s last transition.

message defines human-readable message indicating details for the condition’s last transition.

observedGeneration defines the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

"Degraded"

"False"

"True"

"Unknown"

"Accepted"

Accepted indicates whether the workload controller has successfully accepted the configuration resource and updated the configuration of the workload accordingly. The possible status values for this condition type are: - True: the configuration resource was successfully accepted by the controller and written to the configuration secret. - False: the controller rejected the configuration due to an error. - Unknown: the operator couldn’t determine the condition status.

"Available"

Available indicates whether enough pods are ready to provide the service. The possible status values for this condition type are: - True: all pods are running and ready, the service is fully available. - Degraded: some pods aren’t ready, the service is partially available. - False: no pods are running, the service is totally unavailable. - Unknown: the operator couldn’t determine the condition status.

"Reconciled"

Reconciled indicates whether the operator has reconciled the state of the underlying resources with the object’s spec. The possible status values for this condition type are: - True: the reconciliation was successful. - False: the reconciliation failed. - Unknown: the operator couldn’t determine the condition status.

type of the condition being reported. Currently, only “Accepted” is supported.

status of the condition.

lastTransitionTime defines the time of the last update to the current status property.

reason for the condition’s last transition.

message defines the human-readable message indicating details for the condition’s last transition.

observedGeneration defines the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[].observedGeneration is 9, the condition is out of date with respect to the current state of the object.

bindings defines the list of workload resources (Prometheus or PrometheusAgent) which select the configuration resource.

MaxSkew describes the degree to which pods may be unevenly distributed. When whenUnsatisfiable=DoNotSchedule, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1. | zone1 | zone2 | zone3 | | P P | P P | P | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When whenUnsatisfiable=ScheduleAnyway, it is used to give higher precedence to topologies that satisfy it. It’s a required field. Default value is 1 and 0 is not allowed.

TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a “bucket”, and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is “kubernetes.io/hostname”, each Node is a domain of that topology. And, if TopologyKey is “topology.kubernetes.io/zone”, each zone is a domain of that topology. It’s a required field.

WhenUnsatisfiable indicates how to deal with a pod if it doesn’t satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered “Unsatisfiable” for an incoming pod if and only if every possible node assignment for that pod would violate “MaxSkew” on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won’t make it more imbalanced. It’s a required field.

LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.

MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats “global minimum” as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won’t schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule.

For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so “global minimum” is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew.

NodeAffinityPolicy indicates how we will treat Pod’s nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.

If this value is nil, the behavior is equivalent to the Honor policy.

NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.

If this value is nil, the behavior is equivalent to the Ignore policy.

MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot be set when LabelSelector isn’t set. Keys that don’t exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.

This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).

"ClusterFirst"

DNSClusterFirst defines that the pod should use cluster DNS first unless hostNetwork is true, if it is available, then fall back on the default (as determined by kubelet) DNS settings.

"ClusterFirstWithHostNet"

DNSClusterFirstWithHostNet defines that the pod should use cluster DNS first, if it is available, then fall back on the default (as determined by kubelet) DNS settings.

"Default"

DNSDefault defines that the pod should use the default (as determined by kubelet) DNS settings.

"None"

DNSNone defines that the pod should use empty DNS settings. DNS parameters such as nameservers and search paths should be defined via DNSConfig.

name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/

labels define the map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

annotations defines an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

metadata defines EmbeddedMetadata contains metadata relevant to an EmbeddedResource.

spec defines the specification of the characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims

status is deprecated: this field is never set.

port defines the name of the Service port which this endpoint refers to.

It takes precedence over targetPort.

targetPort defines the name or number of the target port of the Pod object behind the Service. The port must be specified with the container’s port property.

path defines the HTTP path from which to scrape for metrics.

If empty, Prometheus uses the default value (e.g. /metrics).

scheme defines the HTTP scheme to use for scraping.

http and https are the expected values unless you rewrite the __scheme__ label via relabeling.

If empty, Prometheus uses the default value http.

params define optional HTTP URL parameters.

interval at which Prometheus scrapes the metrics from the target.

If empty, Prometheus uses the global scrape interval.

scrapeTimeout defines the timeout after which Prometheus considers the scrape to be failed.

If empty, Prometheus uses the global scrape timeout unless it is less than the target’s scrape interval value in which the latter is used. The value cannot be greater than the scrape interval otherwise the operator will reject the resource.

tlsConfig defines the TLS configuration to use when scraping the target.

bearerTokenFile defines the file to read bearer token for scraping the target.

Deprecated: use authorization instead.

bearerTokenSecret defines a key of a Secret containing the bearer token for scraping targets. The secret needs to be in the same namespace as the ServiceMonitor object and readable by the Prometheus Operator.

Deprecated: use authorization instead.

authorization configures the Authorization header credentials to use when scraping the target.

Cannot be set at the same time as basicAuth, or oauth2.

honorLabels defines when true the metric’s labels when they collide with the target’s labels.

honorTimestamps defines whether Prometheus preserves the timestamps when exposed by the target.

trackTimestampsStaleness defines whether Prometheus tracks staleness of the metrics that have an explicit timestamp present in scraped data. Has no effect if honorTimestamps is false.

It requires Prometheus >= v2.48.0.

basicAuth defines the Basic Authentication credentials to use when scraping the target.

Cannot be set at the same time as authorization, or oauth2.

oauth2 defines the OAuth2 settings to use when scraping the target.

It requires Prometheus >= 2.27.0.

Cannot be set at the same time as authorization, or basicAuth.

metricRelabelings defines the relabeling rules to apply to the samples before ingestion.

relabelings defines the relabeling rules to apply the target’s metadata labels.

The Operator automatically adds relabelings for a few standard Kubernetes fields.

The original scrape job’s name is available via the __tmp_prometheus_job_name label.

More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config

proxyUrl defines the HTTP proxy server to use.

noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names that should be excluded from proxying. IP and domain names can contain port numbers.

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

proxyConnectHeader optionally specifies headers to send to proxies during CONNECT requests.

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

followRedirects defines whether the scrape requests should follow HTTP 3xx redirects.

enableHttp2 can be used to disable HTTP2 when scraping the target.

filterRunning when true, the pods which are not running (e.g. either in Failed or Succeeded state) are dropped during the target discovery.

If unset, the filtering is enabled.

More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase

maxSize defines the maximum number of exemplars stored in memory for all series.

exemplar-storage itself must be enabled using the spec.enableFeature option for exemplars to be scraped in the first place.

If not set, Prometheus uses its default value. A value of zero or less than zero disables the storage.

apiURL defines the default Jira API URL.

It requires Alertmanager >= v0.28.0.

apiURL defines the default Rocket Chat API URL.

It requires Alertmanager >= v0.28.0.

token defines the default Rocket Chat token.

It requires Alertmanager >= v0.28.0.

tokenID defines the default Rocket Chat Token ID.

It requires Alertmanager >= v0.28.0.

from defines the default SMTP From header field.

smartHost defines the default SMTP smarthost used for sending emails.

hello defines the default hostname to identify to the SMTP server.

authUsername represents SMTP Auth using CRAM-MD5, LOGIN and PLAIN. If empty, Alertmanager doesn’t authenticate to the SMTP server.

authPassword represents SMTP Auth using LOGIN and PLAIN.

authIdentity represents SMTP Auth using PLAIN

authSecret represents SMTP Auth using CRAM-MD5.

requireTLS defines the default SMTP TLS requirement. Note that Go does not support unencrypted connections to remote SMTP endpoints.

tlsConfig defines the default TLS configuration for SMTP receivers

apiURL defines he default Telegram API URL.

It requires Alertmanager >= v0.24.0.

apiURL defines the default VictorOps API URL.

apiKey defines the default VictorOps API Key.

apiURL defines he default WeChat API URL. The default value is “https://qyapi.weixin.qq.com/cgi-bin/”

apiSecret defines the default WeChat API Secret.

apiCorpID defines the default WeChat API Corporate ID.

apiURL defines the is the default Webex API URL.

It requires Alertmanager >= v0.25.0.

authorization defines the header configuration for the client. This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+.

basicAuth defines basicAuth for the client. This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence.

oauth2 defines the client credentials used to fetch a token for the targets.

bearerTokenSecret defines the secret’s key that contains the bearer token to be used by the client for authentication. The secret needs to be in the same namespace as the Alertmanager object and accessible by the Prometheus Operator.

tlsConfig defines the TLSConfig for the client.

proxyUrl defines the HTTP proxy server to use.

noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names that should be excluded from proxying. IP and domain names can contain port numbers.

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

proxyConnectHeader optionally specifies headers to send to proxies during CONNECT requests.

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

followRedirects defines whether the client should follow HTTP 3xx redirects.

ip defines the IP address of the host file entry.

hostnames defines hostnames for the above IP address.

host defines the host’s address, it can be a DNS name or a literal IP address.

port defines the host’s port, it can be a literal port number or a port name.

clientId defines defines the Azure User-assigned Managed identity.

send defines whether metric metadata is sent to the remote storage or not.

sendInterval defines how frequently metric metadata is sent to the remote storage.

maxSamplesPerSend defines the maximum number of metadata samples per send.

It requires Prometheus >= v2.29.0.

"AllowUTF8"

"Dots"

"Underscores"

"Values"

"Legacy"

"UTF8"

any defines the boolean describing whether all namespaces are selected in contrast to a list restricting them.

matchNames defines the list of namespace names to select from.

scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram. It requires Prometheus >= v2.45.0.

Notice: scrapeClassicHistograms corresponds to the always_scrape_classic_histograms field in the Prometheus configuration.

nativeHistogramBucketLimit defines ff there are more than this many buckets in a native histogram, buckets will be merged to stay within the limit. It requires Prometheus >= v2.45.0.

nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this, buckets will be merged to increase the factor sufficiently. It requires Prometheus >= v2.50.0.

convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets. It requires Prometheus >= v3.0.0.

clientId defines a key of a Secret or ConfigMap containing the OAuth2 client’s ID.

clientSecret defines a key of a Secret containing the OAuth2 client’s secret.

tokenUrl defines the URL to fetch the token from.

scopes defines the OAuth2 scopes used for the token request.

endpointParams configures the HTTP parameters to append to the token URL.

tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. It requires Prometheus >= v2.43.0.

proxyUrl defines the HTTP proxy server to use.

noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names that should be excluded from proxying. IP and domain names can contain port numbers.

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

proxyConnectHeader optionally specifies headers to send to proxies during CONNECT requests.

It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0.

promoteAllResourceAttributes promotes all resource attributes to metric labels except the ones defined in ignoreResourceAttributes.

Cannot be true when promoteResourceAttributes is defined. It requires Prometheus >= v3.5.0.

ignoreResourceAttributes defines the list of OpenTelemetry resource attributes to ignore when promoteAllResourceAttributes is true.

It requires promoteAllResourceAttributes to be true. It requires Prometheus >= v3.5.0.

promoteResourceAttributes defines the list of OpenTelemetry Attributes that should be promoted to metric labels, defaults to none. Cannot be defined when promoteAllResourceAttributes is true.

translationStrategy defines how the OTLP receiver endpoint translates the incoming metrics.

It requires Prometheus >= v3.0.0.

keepIdentifyingResourceAttributes enables adding service.name, service.namespace and service.instance.id resource attributes to the target_info metric, on top of converting them into the instance and job labels.

It requires Prometheus >= v3.1.0.

convertHistogramsToNHCB defines optional translation of OTLP explicit bucket histograms into native histograms with custom buckets. It requires Prometheus >= v3.4.0.