Configuring the Serving Operator Custom Resource

    Because the operator manages the Knative Serving installation, it will overwrite any updates to the which are used to configure Knative Serving. The KnativeServing custom resource allows you to set values for these ConfigMaps via the operator. Knative Serving has multiple ConfigMaps named with the prefix config-. The spec.config in KnativeServing has one entry <name> for each ConfigMap named config-<name>, with a value which will be used for the ConfigMap’s data.

    In the , you can see the content of the ConfigMap config-domain is:

    Using the operator, specify the ConfigMap config-domain using the operator CR:

    1. apiVersion: operator.knative.dev/v1alpha1
    2. kind: KnativeServing
    3. metadata:
    4.   name: knative-serving
    5.   namespace: knative-serving
    6. spec:
    7.   config:
    8.     domain:
    9.       example.org: |
    10.         selector:
    11.           app: prod
    12.       example.com: ""

    You can apply values to multiple ConfigMaps. This example sets stable-window to 60s in config-autoscaler as well as specifying config-domain:

    1. apiVersion: operator.knative.dev/v1alpha1
    2. kind: KnativeServing
    3. metadata:
    4.   name: knative-serving
    5.   namespace: knative-serving
    6. spec:
    7.   config:
    8.     domain:
    9.       example.org: |
    10.         selector:
    11.           app: prod
    12.       example.com: ""
    13.     autoscaler:
    14.       stable-window: "60s"

    All the ConfigMaps are created in the same namespace as the operator CR. You can use the operator CR as the unique entry point to edit all of them.

    Private repository and private secrets

    You can use the spec.registry section of the operator CR to change the image references to point to a private registry or :

    • default: this field defines a image reference template for all Knative images. The format is example-registry.io/custom/path/${NAME}:{CUSTOM-TAG}. If you use the same tag for all your images, the only difference is the image name. ${NAME} is a pre-defined variable in the operator corresponding to the container name. If you name the images in your private repo to align with the container names ( activator, autoscaler, controller, webhook, autoscaler-hpa, networking-istio, and queue-proxy), the default argument should be sufficient.

    • override: a map from container name to the full registry location. This section is only needed when the registry images do not match the common naming format. For containers whose name matches a key, the value is used in preference to the image name calculated by default. If a container’s name does not match a key in override, the template in default is used.

    • imagePullSecrets: a list of Secret names used when pulling Knative container images. The Secrets must be created in the same namespace as the Knative Serving Deployments. See deploying images from a private container registry for configuration details.

    This example shows how you can define custom image links that can be defined in the CR using the simplified format docker.io/knative-images/${NAME}:{CUSTOM-TAG}.

    In the example below:

    • all image links are accessible without using secrets
    • images are pushed as docker.io/knative-images/${NAME}:{CUSTOM-TAG}

    Then, you need to define your operator CR with following content:

    1. apiVersion: operator.knative.dev/v1alpha1
    2. kind: KnativeServing
    3. metadata:
    4.   name: knative-serving
    5.   namespace: knative-serving
    6. spec:
    7.   registry:
    8.     default: docker.io/knative-images/${NAME}:v0.13.0

    Download images individually without secrets:

    If your custom image links are not defined in a uniform format by default, you will need to individually include each link in the CR.

    For example, to given the following images:

    ContainerDocker Image
    activatordocker.io/knative-images-repo1/activator:v0.13.0
    autoscalerdocker.io/knative-images-repo2/autoscaler:v0.13.0
    controllerdocker.io/knative-images-repo3/controller:v0.13.0
    webhookdocker.io/knative-images-repo4/webhook:v0.13.0
    autoscaler-hpadocker.io/knative-images-repo5/autoscaler-hpa:v0.13.0
    networking-istiodocker.io/knative-images-repo6/prefix-networking-istio:v0.13.0
    queue-proxydocker.io/knative-images-repo7/queue-proxy-suffix:v0.13.0

    The operator CR should be modified to include the full list:

    If your image repository requires private secrets for access, include the imagePullSecrets attribute.

    This example uses a secret named regcred. You must create your own private secrets if these are required:

    After you create this secret, edit your operator CR by appending the content below:

    1. apiVersion: operator.knative.dev/v1alpha1
    2. kind: KnativeServing
    3. metadata:
    4.   name: knative-serving
    5.   namespace: knative-serving
    6. spec:
    7.   registry:
    8.     ...
    9.     imagePullSecrets:
    10.       - name: regcred

    The field imagePullSecrets expects a list of secrets. You can add multiple secrets to access the images as below:

    1. apiVersion: operator.knative.dev/v1alpha1
    2. kind: KnativeServing
    3. metadata:
    4.   name: knative-serving
    5.   namespace: knative-serving
    6. spec:
    7.   registry:
    8.     ...
    9.     imagePullSecrets:
    10.       - name: regcred
    11.       - name: regcred-2
    12.       ...

    To , the Knative Serving controller needs to access the container registry. To allow the controller to trust a self-signed registry cert, you can use the Operator to specify the certificate using a ConfigMap or Secret.

    Specify the following fields in spec.controller-custom-certs to select a custom registry certificate:

    • name: the name of the ConfigMap or Secret.
    • type: either the string “ConfigMap” or “Secret”.

    If you create a ConfigMap named testCert containing the certificate, change your CR:

    1. apiVersion: operator.knative.dev/v1alpha1
    2. kind: KnativeServing
    3. metadata:
    4.   name: knative-serving
    5.   namespace: knative-serving
    6. spec:
    7.   controller-custom-certs:
    8.     name: testCert
    9.     type: ConfigMap

    Configuration of Knative ingress gateway

    Step 2: Update the Knative gateway

    Update spec.knative-ingress-gateway to select the labels of the new ingress gateway:

    Additionally, you will need to update the Istio ConfigMap:

    1. apiVersion: operator.knative.dev/v1alpha1
    2. kind: KnativeServing
    3. metadata:
    4.   name: knative-serving
    5. spec:
    6.   knative-ingress-gateway:
    7.     selector:
    9.   config:
    10.     istio:
    11.       gateway.knative-serving.knative-ingress-gateway: "custom-ingressgateway.istio-system.svc.cluster.local"

    The key in spec.config.istio is in the format of gateway.{{gateway_namespace}}.{{gateway_name}}.

    Update spec.cluster-local-gateway to select the labels of the new cluster-local ingress gateway:

    Default local gateway name:

    Go through the guide to use local cluster gateway, if you use the default gateway called cluster-local-gateway.

    If you create custom local gateway with a name other than cluster-local-gateway, update config.istio and the cluster-local-gateway selector:

    This example shows a service and deployment custom-local-gateway in the namespace istio-system, with the label custom: custom-local-gw:

    1. apiVersion: operator.knative.dev/v1alpha1
    2. kind: KnativeServing
    3. metadata:
    4.   name: knative-serving
    5.   namespace: knative-serving
    6. spec:
    7.   cluster-local-gateway:
    8.     selector:
    9.       custom: custom-local-gateway
    10.   config:
    11.     istio:
    12.       local-gateway.knative-serving.cluster-local-gateway: "custom-local-gateway.istio-system.svc.cluster.local"

    High availability

    By default, Knative Serving runs a single instance of each controller. The spec.high-availability field allows you to configure the number of replicas for the following master-elected controllers: controller, autoscaler-hpa, networking-istio. This field also configures the HorizontalPodAutoscaler resources for the data plane (activator):

    The following configuration specifies a replica count of 3 for the controllers and a minimum of 3 activators (which may scale higher if needed):

    1. apiVersion: operator.knative.dev/v1alpha1
    2. kind: KnativeServing
    3. metadata:
    4.   name: knative-serving
    5.   namespace: knative-serving
    6. spec:
    7.   high-availability:
    8.     replicas: 3

    The operator custom resource allows you allows you to configure system resources for the Knative system containers. Requests and limits can be configured for the following containers: activator, autoscaler, controller, webhook, autoscaler-hpa, networking-istio and queue-proxy.

    To override resource settings for a specific container, create an entry in the spec.resources list with the container name and the .

    If you would like to add another container autoscaler with the same configuration, you need to change your CR as below:

    1. apiVersion: operator.knative.dev/v1alpha1
    2. kind: KnativeServing
    3. metadata:
    4.   name: knative-serving
    5.   namespace: knative-serving
    6. spec:
    7.   resources:
    8.   - container: activator
    9.     requests:
    10.       cpu: 300m
    11.       memory: 100Mi
    12.     limits:
    13.       cpu: 1000m
    14.       memory: 250Mi
    15.       ephemeral-storage: 4Gi
    16.   - container: autoscaler
    17.     requests:
    18.       cpu: 300m
    19.       memory: 100Mi
    20.     limits:
    21.       cpu: 1000m
    23.       ephemeral-storage: 4Gi