Kustomization.yaml Reference
Terms:
- Generators: Provide Resource Config to Kustomize - e.g. resources, bases, secretGenerator.
- Transformers: Modify Resource Config by adding, updating or deleting fields - e.g. namespace, commonLabels, images.
- Meta: Configure behavior of Generators and Transformers - e.g. generatorOptions, crds, configurations.
Table of Contents
| Name | Type | Descriptions | Guides |
|---|---|---|---|
| bases | Generator | Add Resource Configs from another kustomization.yaml | Bases and Variants |
| commonAnnotations | Transformer | Set annotations on all Resources and Selectors. | Labels and Annotations |
| commonLabels | Transformer | Set labels on all Resources and Selectors. | Labels and Annotations |
| configMapGenerator | Generator | Generate ConfigMap Resources. | Secrets and ConfigMaps |
| configurations | Meta | Extend functionality of builtin Transformers to work with additional types (e.g. CRDs). | |
| generatorOptions | Meta | Configure how ConfigMaps and Secrets are generated. | |
| images | Transformer | Override image names and tags. | Container Images |
| namespace | Transformer | Override namespaces on all Resources. | Namespaces and Names |
| namePrefix | Transformer | Add a prefix to the names of all Resources and References. | Namespaces and Names |
| nameSuffix | Transformer | Add a suffix to the name of all Resources and References. | Namespaces and Names |
| patchesJson6902 | Transformer | Patch Resource Config using json patch. | Customizing Resource Fields |
| patchesStrategicMerge | Transformer | Patch Resource Config using an overlay. | Customizing Resource Fields |
| resources | Generator | Add Raw Resource Configs. | Apply |
| secretGenerator | Generator | Generate Secret Resources. | Secrets and ConfigMaps |
| vars | Transformer | Substitute Resource Config field values into Pod Arguments. | Config Reflection |
See this example kustomization.yaml
Resource Generators
Resource Generators provide Resource Configs to Kustomize from sources such as files, urls, or
kustomization.yaml fields.
bases
bases contains a list of paths to directories or git repositories containing kustomization.yamls.
bases produce Resource Config by running Kustomize against the target. The provided Resource Config
will then have Transformers from the current kustomization.yaml applied.
bases are conceptually similar to a base image referenced by FROM in a Dockerfile.
| Name | Type | Desc |
|---|---|---|
| bases | []string | List of paths to directories or git repositories containing kustomization.yamls. |

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
bases:
- path/to/dir/with/kust/
- https://github.com/org/repo/dir/
```
configMapGenerator
configMapGenerator contains a list of ConfigMaps to generate.
By default, generated ConfigMaps will have a hash appended to the name. The ConfigMap hash is
appended after a nameSuffix, if one is specified. Changes to ConfigMap data will cause a ConfigMap
with a new name to be generated, triggering a rolling update to Workloads referencing the ConfigMap.
Resources such as PodTemplates should reference ConfigMaps by the name field of the configMapGenerator entry,
and Kustomize will update the reference to match the generated name,
including any namePrefix and nameSuffix.
Note: Hash suffix generation can be disabled for a subset of ConfigMaps by creating a separate
kustomization.yaml and generating these ConfigMaps there. This kustomization.yaml must set
generatorOptions.disableNameSuffixHash=true, and be used as a base. See
generatorOptions for more details.
| Name | Type | Desc |
|---|---|---|
| configMapGenerator | []ConfigMapGeneratorArgs | List of ConfigMaps to generate. |
ConfigMapGeneratorArgs
| Name | Type | Desc |
|---|---|---|
| behavior | string | Merge behavior when the ConfigMap generator is defined in a base. May be one of create, replace, merge. |
| env | string | Single file to generate ConfigMap data entries from. Should be a path to a local env file, e.g. path/to/file.env, where each line of the file is a key=value pair. Each line will appear as an entry in the ConfigMap data field. |
| files | []string | List of files to generate ConfigMap data entries from. Each item should be a path to a local file, e.g. path/to/file.config, and the filename will appear as an entry in the ConfigMap data field with its contents as a value. |
| literals | []string | List of literal ConfigMap data entries. Each item should be a key and literal value, e.g. somekey=somevalue, and the key/value will appear as an entry in the ConfigMap data field. |
| name | string | Name for the ConfigMap. Modified by the namePrefix and nameSuffix fields. |
| namespace | string | Namespace for the ConfigMap. Overridden by kustomize-wide namespace field. |
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
configMapGenerator:
# generate a ConfigMap named my-java-server-props-<some-hash> where each file
# in the list appears as a data entry (keyed by base filename).
- name: my-java-server-props
  files:
  - application.properties
  - more.properties
# generate a ConfigMap named my-java-server-env-vars-<some-hash> where each literal
# in the list appears as a data entry (keyed by literal key).
- name: my-java-server-env-vars
  literals:
  - JAVA_HOME=/opt/java/jdk
  - JAVA_TOOL_OPTIONS=-agentlib:hprof
# generate a ConfigMap named my-system-env-<some-hash> where each key/value pair in the
# env.txt appears as a data entry (separated by \n).
- name: my-system-env
  env: env.txt
```
resources
resources contains a list of Resource Config file paths to be customized. Each file may contain multiple
Resource Config definitions separated by \n---\n.
| Name | Type | Desc |
|---|---|---|
| resources | []string | Paths to Resource Config files. |
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# list of files containing Resource Config to add
resources:
- path/to/resource.yaml
- another/path/to/resource.yaml
```
secretGenerator
secretGenerator contains a list of Secrets to generate.
By default, generated Secrets will have a hash appended to the name. The Secret hash is
appended after a nameSuffix, if one is specified. Changes to Secret data will cause a Secret
with a new name to be generated, triggering a rolling update to Workloads referencing the Secret.
Resources such as PodTemplates should reference Secrets by the name field of the secretGenerator entry,
and Kustomize will update the reference to match the generated name,
including any namePrefix and nameSuffix.
Note: Hash suffix generation can be disabled for a subset of Secrets by creating a separate
kustomization.yaml and generating these Secrets there. This kustomization.yaml must set
generatorOptions.disableNameSuffixHash=true, and be used as a base. See
generatorOptions for more details.
| Name | Type | Desc |
|---|---|---|
| secretGenerator | []SecretGeneratorArgs | List of Secrets to generate. |
SecretGeneratorArgs
| Name | Type | Desc |
|---|---|---|
| behavior | string | Merge behavior when the Secret generator is defined in a base. May be one of create, replace, merge. |
| env | string | Single file to generate Secret data entries from. Should be a path to a local env file, e.g. path/to/file.env, where each line of the file is a key=value pair. Each line will appear as an entry in the Secret data field. |
| files | []string | List of files to generate Secret data entries from. Each item should be a path to a local file, e.g. path/to/file.config, and the filename will appear as an entry in the Secret data field with its contents as a value. |
| literals | []string | List of literal Secret data entries. Each item should be a key and literal value, e.g. somekey=somevalue, and the key/value will appear as an entry in the Secret data field. |
| name | string | Name for the Secret. Modified by the namePrefix and nameSuffix fields. |
| namespace | string | Namespace for the Secret. Overridden by kustomize-wide namespace field. |
| type | string | Type of Secret. If type is "kubernetes.io/tls", then "literals" or "files" must have exactly two keys: "tls.key" and "tls.crt". |
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
secretGenerator:
# generate a tls Secret; the file names become the keys tls.crt and tls.key
- name: app-tls
  files:
  - secret/tls.crt
  - secret/tls.key
  type: "kubernetes.io/tls"
- name: env-file-secret
  # env is a path to a file to read lines of key=val
  # you can only specify one env file per secret.
  env: env.txt
  type: Opaque
```
Transformers
Transformers modify Resources by adding, updating or deleting fields. Transformers work against Generated Resource Config - e.g.
resources, bases, configMapGenerator, secretGenerator.
commonAnnotations
commonAnnotations sets annotations on all Resources. commonAnnotations from bases will stack - e.g.
if a commonAnnotations was set in a base, the new commonAnnotations will be added
to or override the base commonAnnotations.
| Name | Type | Desc |
|---|---|---|
| commonAnnotations | map[string]string | Keys/Values for annotations. |
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonAnnotations:
  annotationKey1: "annotationValue2"
  annotationKey2: "annotationValue2"
```
commonLabels
This field sets labels on all Resources. commonLabels from bases will stack - e.g.
if a commonLabels was set in a base, the new commonLabels will be added
to or override the base commonLabels.
commonLabels will also be applied both to Label Selector fields and Label fields in PodTemplates.
Note: Because commonLabels are applied to Selectors, they cannot be changed for some objects.
| Name | Type | Desc |
|---|---|---|
| commonLabels | map[string]string | Keys/Values for labels. |
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
  labelKey1: "labelValue1"
  labelKey2: "labelValue2"
```
images
images overrides image names and tags in all [spec.template.]spec.containers.image fields matching the
name. This is an alternative to creating patches to change images.
| Name | Type | Desc |
|---|---|---|
| images | []Image | Images to override. |
Image
Definitions:
- name: portion of the image field value before the `:` - e.g. for `foo:v1` the name would be `foo`.
- tag: portion of the image field value after the `:` - e.g. for `foo:v1` the tag would be `v1`.
- digest: alternative to tag for referencing an image.
| Name | Type | Desc |
|---|---|---|
| name | string | Match all image fields with this value for the name. |
| newName | string | Replace the image field name with this value. |
| newTag | string | Replace the image field tag with this tag value. |
| digest | string | Replace the image field tag with this digest value. Includes the sha256: portion of the digest. |
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: postgres
  newName: my-registry/my-postgres
  newTag: v1
- name: nginx
  newTag: 1.8.0
- name: my-demo-app
  newName: my-app
- name: alpine
  digest: sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3
```
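The following added example (not part of the original reference and not kustomize's own code) models the name/tag/digest split and the override rules described in this section, then lists which resulting images are still referenced by a mutable tag rather than a digest. The container image fields are constructed, and the precedence between digest and newTag is an assumption of the model.

```python
def split_image(image):
    """Split an image reference into (name, tag, digest).

    Only a ':' after the last '/' starts a tag, so the port in
    registry.local:5000/nginx stays part of the name.
    """
    name, _, digest = image.partition("@")
    tag = ""
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    return name, tag, digest


def apply_overrides(image, overrides):
    """Rewrite one image field using the first entry whose name matches."""
    name, tag, digest = split_image(image)
    for entry in overrides:
        if entry["name"] != name:
            continue
        name = entry.get("newName", name)
        if "digest" in entry:
            # Assumption: a digest override replaces the tag entirely.
            tag, digest = "", entry["digest"]
        elif "newTag" in entry:
            # Assumption: a new tag drops any digest on the original field.
            tag, digest = entry["newTag"], ""
        break
    ref = name + (":" + tag if tag else "")
    return ref + ("@" + digest if digest else "")


def unpinned(images):
    """Return the image references that are not pinned by digest."""
    return [i for i in images if not split_image(i)[2]]


# The images entries from the kustomization.yaml in this section.
OVERRIDES = [
    {"name": "postgres", "newName": "my-registry/my-postgres", "newTag": "v1"},
    {"name": "nginx", "newTag": "1.8.0"},
    {"name": "my-demo-app", "newName": "my-app"},
    {"name": "alpine",
     "digest": "sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3"},
]

# Constructed container image fields, as they might appear in Resource Config.
FIELDS = ["postgres:8", "nginx:1.7.9", "my-demo-app:latest", "alpine:3.7",
          "registry.local:5000/nginx:1.7.9"]

RESULT = [apply_overrides(f, OVERRIDES) for f in FIELDS]

if __name__ == "__main__":
    for before, after in zip(FIELDS, RESULT):
        print(f"{before:35} -> {after}")
    print("not pinned by digest:", unpinned(RESULT))
```

The last field is left unchanged because its name is `registry.local:5000/nginx`, not `nginx`; an override list reviewed only by short name can miss images pulled from another registry.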
patchesJson6902
Each entry in this list should resolve to a kubernetes object and a JSON patch that will be applied to the object. The JSON patch schema is documented at https://tools.ietf.org/html/rfc6902
| Name | Type | Desc |
|---|---|---|
| patchesJson6902 | []Json6902 | List of patch definitions. |
Json6902
Target field points to a kubernetes object by the object's group, version, kind, name and namespace. Path field is a relative file path of a JSON patch file. File contents can be either json or yaml.
| Name | Type | Desc |
|---|---|---|
| target | Target | Target Resource for the patch. |
| path | string | Path to json patch file. May be json or yaml. |
Example patch file:

```yaml
- op: add
  path: /some/new/path
  value: value
- op: replace
  path: /some/existing/path
  value: new value
```
Target
| Name | Type | Desc |
|---|---|---|
| group | string | Group of the Resource to patch. |
| kind | string | Kind of the Resource to patch. |
| name | string | Name of the Resource to patch. |
| namespace | string | Namespace of the Resource to patch. |
| version | string | Version of the Resource to patch. |
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
patchesJson6902:
- target:
    version: v1
    kind: Deployment
    name: my-deployment
  path: add_init_container.yaml
- target:
    version: v1
    kind: Service
    name: my-service
  path: add_service_annotation.yaml
```
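To make the effect of such patch files reviewable, the added example below (not from the original reference and not kustomize's implementation) applies the RFC 6902 add, replace and remove operations to a parsed Resource Config. The Deployment, the Service and the contents of the two patch files are constructed, since the page does not show them.

```python
import copy


def pointer_tokens(pointer):
    """Decode an RFC 6901 JSON Pointer into its reference tokens."""
    if not pointer.startswith("/"):
        raise ValueError(f"unsupported pointer: {pointer!r}")
    # Decode ~1 before ~0 so that "~01" becomes "~1" rather than "/".
    return [t.replace("~1", "/").replace("~0", "~")
            for t in pointer[1:].split("/")]


def list_index(seq, token, allow_end=False):
    """Resolve a list index; '-' and len(seq) are valid only for add."""
    i = len(seq) if (token == "-" and allow_end) else int(token)
    if not 0 <= i < len(seq) + (1 if allow_end else 0):
        raise IndexError(f"index {token!r} out of range")
    return i


def apply_json_patch(doc, ops):
    """Apply add/replace/remove operations to a deep copy of doc."""
    doc = copy.deepcopy(doc)
    for op in ops:
        kind = op["op"]
        if kind not in ("add", "replace", "remove"):
            raise ValueError(f"operation not modelled: {kind}")
        *parents, last = pointer_tokens(op["path"])
        node = doc
        for t in parents:  # every parent must already exist
            node = node[list_index(node, t)] if isinstance(node, list) else node[t]
        if isinstance(node, list):
            i = list_index(node, last, allow_end=(kind == "add"))
            if kind == "add":
                node.insert(i, op["value"])
            elif kind == "replace":
                node[i] = op["value"]
            else:
                del node[i]
        elif kind == "add":
            node[last] = op["value"]
        elif last not in node:
            raise KeyError(f"{kind} target does not exist: {op['path']}")
        elif kind == "replace":
            node[last] = op["value"]
        else:
            del node[last]
    return doc


# Constructed Resource Config and patch contents (assumptions, see lead-in).
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "my-deployment"},
              "spec": {"template": {"spec": {
                  "containers": [{"name": "app", "image": "myimage"}]}}}}
ADD_INIT_CONTAINER = [
    {"op": "add", "path": "/spec/template/spec/initContainers",
     "value": [{"name": "init", "image": "busybox"}]},
    {"op": "add", "path": "/spec/template/spec/containers/-",
     "value": {"name": "sidecar", "image": "myimage"}},
]
SERVICE = {"kind": "Service",
           "metadata": {"name": "my-service", "annotations": {}}}
ADD_SERVICE_ANNOTATION = [
    # The '/' inside the annotation key must be escaped as ~1.
    {"op": "add", "path": "/metadata/annotations/example.com~1owner",
     "value": "team-a"},
]
```

Note that `replace` and `remove` fail when the target path is missing, while `add` on a map key creates it; a patch that silently relied on `replace` creating a field would be rejected.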
patchesStrategicMerge
patchesStrategicMerge applies patches to the matching Resource Config (by Group/Version/Kind + Name/Namespace). Patch
files contain sparse Resource Config definitions - i.e. containing only the Resource Config fields to
add or override. Strategic merge patches are also called overlays.
Small patches that do one thing are best, e.g. modify a memory request/limit. Small patches are easy to review and easy to compose together.
| Name | Type | Desc |
|---|---|---|
| patchesStrategicMerge | []string | Paths to files containing sparse Resource Config. |
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
patchesStrategicMerge:
- service_port_8888.yaml
- deployment_increase_replicas.yaml
- deployment_increase_memory.yaml
```
namespace
This field sets the namespace of all namespaced Resources. If the namespace has already been set in the
Resource Config, this will override the namespace.
| Name | Type | Desc |
|---|---|---|
| namespace | string | Namespace |

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: "my-app-namespace"
```
namePrefix
namePrefix sets a name prefix on all Resources. namePrefix values from bases will stack -
e.g. if a namePrefix was set in a base, the new namePrefix will be prepended to the namePrefix in the
base.
Fields that reference another Resource will also have the namePrefix applied so that the reference is
updated.
| Name | Type | Desc |
|---|---|---|
| namePrefix | string | Value to prepend to all Resource names and references. |

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: "my-app-name-prefix-"
```
nameSuffix
nameSuffix sets a name suffix on all Resources. nameSuffix values from bases will stack -
e.g. if a nameSuffix was set in a base, the new nameSuffix will be appended to the nameSuffix in the
base.
Fields that reference another Resource will also have the nameSuffix applied so that the reference is
updated.
| Name | Type | Desc |
|---|---|---|
| nameSuffix | string | Value to append to all Resource names and references. |

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
nameSuffix: "-my-app-name-suffix"
```
vars
vars defines values that can be substituted into Pod container arguments and environment variables.
This is necessary for wiring post-transformed fields into container arguments and environment variables.
For example, Service names may be transformed by namePrefix, and containers may need to refer to Service names
at runtime.
Vars are similar to the Kubernetes Downward API in that they allow Pods to reference information about the environment in which they are run.
Variables are referenced from container arguments using $(MY_VAR_NAME).
Example:
```yaml
containers:
- image: myimage
  command: ["start", "--host", "$(MY_SERVICE_NAME)"]
  env:
  - name: SECRET_TOKEN
    value: $(SOME_SECRET_NAME)
```
| Name | Type | Desc |
|---|---|---|
| vars | []Var | List of variable declarations that may be referenced in container arguments. |
Var
| Name | Type | Desc |
|---|---|---|
| name | string | Name of the variable. Referenced by $(NAME). |
| objref | string | Reference to the object containing the field to be referenced. ObjRef should use the untransformed object name. |
| fieldref | string | Reference to the field in the object. Defaults to metadata.name if unspecified. |
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
vars:
- name: SOME_SECRET_NAME
  objref:
    kind: Secret
    name: my-secret
    apiVersion: v1
- name: MY_SERVICE_NAME
  objref:
    kind: Service
    name: my-service
    apiVersion: v1
  fieldref:
    fieldpath: metadata.name
- name: ANOTHER_DEPLOYMENTS_POD_RESTART_POLICY
  objref:
    kind: Deployment
    name: my-deployment
    apiVersion: apps/v1
  fieldref:
    fieldpath: spec.template.spec.restartPolicy
```
Meta Options
Meta Options control how Kustomize generates and transforms Resource Config.
configurations
configurations is used to configure the built-in Kustomize Transformers to work with CRDs. The built-in
Kustomize configurations can be found here
Examples:
- images that should be updated by the images Transformer
- object references that should be updated by namePrefix, nameSuffix
- secret and configmap references that should be updated by secretGenerator and configMapGenerator
| Name | Type | Desc |
|---|---|---|
| configurations | []string | List of paths to yaml files containing Kustomize meta configuration. |
kustomization.yaml
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
configurations:
- mykind_configuration.yaml
```
commonAnnotations
Specify commonAnnotations in the configuration file to configure the Kustomize commonAnnotations field
to find additional annotation fields on CRDs.
| Name | Type | Desc |
|---|---|---|
| commonAnnotations | []Annotation | List of paths to annotations fields. |
| Name | Type | Desc |
|---|---|---|
| create | bool | If true, create the annotation field if it is not present on the Resource Config. |
| group | string | API Group of the object to add the annotation to. If unset, applies to all API Groups. |
| kind | string | Kind of the object to add the annotation to. If unset, applies to all Kinds. |
| path | string | Path to annotation field. |
| version | string | API Version of the object to add the annotation to. If unset, applies to all Versions. |
mykind_configuration.yaml file referenced by the configurations field
```yaml
commonAnnotations:
# set annotations at metadata.annotations for all types
- path: metadata/annotations
  # create metadata.annotations if it doesn't exist
  create: true
```
commonLabels
Specify commonLabels in the configuration file to configure the Kustomize commonLabels field to find
additional labels and selector fields on CRDs.
| Name | Type | Desc |
|---|---|---|
| commonLabels | []Label | List of paths to label fields. |
| Name | Type | Desc |
|---|---|---|
| create | bool | If true, create the label field if it is not present on the Resource Config. |
| group | string | API Group of the object to add the label to. If unset, applies to all API Groups. |
| kind | string | Kind of the object to add the label to. If unset, applies to all Kinds. |
| path | string | Path to label field. |
| version | string | API Version of the object to add the label to. If unset, applies to all Versions. |
mykind_configuration.yaml file referenced by the configurations field
```yaml
commonLabels:
# set labels at metadata.labels for all types
- path: metadata/labels
  # create metadata.labels if it doesn't exist
  create: true
# set labels at spec.selector for v1.Service types
- path: spec/selector
  create: true
  version: v1
  kind: Service
# set labels at spec.selector.matchLabels for Deployment types
- path: spec/selector/matchLabels
  create: true
  kind: Deployment
# set labels at spec...podAffinity...matchLabels for apps.Deployment types
- path: spec/template/spec/affinity/podAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels
  # do NOT create spec...podAffinity...matchLabels if it doesn't exist on the Deployment Resource Config
  create: false
  group: apps
  kind: Deployment
```
images
Specify images in the configuration file to configure the Kustomize images field to find additional
image fields on CRDs.
| Name | Type | Desc |
|---|---|---|
| images | []Image | List of paths to image fields. |
| Name | Type | Desc |
|---|---|---|
| group | string | API Group of the object containing the image field. If unset, applies to all API Groups. |
| kind | string | Kind of the object containing the image field. If unset, applies to all Kinds. |
| path | string | Path to image field. |
| version | string | API Version of the object containing the image field. If unset, applies to all Versions. |
mykind_configuration.yaml file referenced by the configurations field
```yaml
images:
# set images at spec.runLatest.container.image for MyKind types
- path: spec/runLatest/container/image
  kind: MyKind
```
Name References
Specify nameReference in the configuration file for CRDs that reference other objects by name - e.g.
Secrets, ConfigMaps, Services, etc.
nameReference registers, for a given type, that it is referenced by name from another type - e.g.
Secrets are referenced by Pods.
Doing so will configure Generators and Transformers to update the field value with a new name when
names are modified - e.g. namePrefix, secretGenerator.
| Name | Type | Desc |
|---|---|---|
| nameReference | []Reference | List of types of objects that are referenced by other objects. |
| Name | Type | Desc |
|---|---|---|
| group | string | API Group of the object that is being referenced. If unset, applies to all API Groups. |
| kind | string | Kind of the object that is being referenced - e.g. Secret, ConfigMap. |
| fieldSpecs | []FieldSpec | Object types that reference this object type. |
| version | string | API Version of the object that is being referenced. If unset, applies to all Versions. |
| Name | Type | Desc |
|---|---|---|
| group | string | API Group of the object that contains a reference. If unset, applies to all API Groups. |
| kind | string | Kind of the object that contains a reference - e.g. Pod, Deployment. If unset, applies to all Kinds. |
| path | string | Path to the name field that is a reference. |
| version | string | API Version of the object that contains a reference. If unset, applies to all Versions. |
mykind_configuration.yaml file referenced by the configurations field
```yaml
nameReference:
# Configure named references to Secret objects to be updated by Transformers and Generators - e.g. namePrefix, secretGenerator, etc
- kind: Secret
  version: v1
  fieldSpecs:
  # v1.Pods that reference a Secret in spec.volumes.secret.secretName will have it updated
  - path: spec/volumes/secret/secretName
    version: v1
    kind: Pod
  # v1.Pods that reference a Secret in spec.containers.env.valueFrom.secretKeyRef.name will have it updated
  - path: spec/containers/env/valueFrom/secretKeyRef/name
    version: v1
    kind: Pod
```
generatorOptions
generatorOptions modifies behavior of all ConfigMap and Secret generators in the current kustomization.yaml.
generatorOptions from bases apply only to the Secrets and ConfigMaps generated within the same
kustomization.yaml.
Note: It is possible to define generatorOptions for a subset of generated Resources by defining a base to generate
the Resources and setting the options there. This supports generating some ConfigMaps with hash-suffixes, and some
without.
| Name | Type | Desc |
|---|---|---|
| generatorOptions | GeneratorOptions | Options to define how Secrets and ConfigMaps are generated. |
GeneratorOptions
| Name | Type | Desc |
|---|---|---|
| labels | map[string]string | Labels to add to all Resources generated from this kustomization.yaml. |
| annotations | map[string]string | Annotations to add to all Resources generated from this kustomization.yaml. |
| disableNameSuffixHash | bool | If set to true, don't add a hash suffix to any Resources generated from this kustomization.yaml. |
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generatorOptions:
  # labels to add to all generated resources
  labels:
    kustomize.generated.resources: somevalue
  # annotations to add to all generated resources
  annotations:
    kustomize.generated.resource: somevalue
  # setting disableNameSuffixHash to true disables the default behavior of
  # adding a suffix to the names of generated resources that is a hash of
  # the resource contents.
  disableNameSuffixHash: true
```