RunService

Property	Value
Google Cloud Service Name	Run
Google Cloud Service Documentation	/run/docs/
Google Cloud REST Resource Name	v2.projects.locations.services
Google Cloud REST Resource Documentation	/run/docs/reference/rest/v2/projects.locations.services
Config Connector Resource Short Names	gcprunservice gcprunservices runservice
Config Connector Service Name	run.googleapis.com
Config Connector Resource Fully Qualified Name	runservices.run.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember	Yes
Supports IAM Conditions	No
Supports IAM Audit Configs	No
IAM External Reference Format	projects/{{project}}/locations/{{location}}/services/{{name}}
Config Connector Default Average Reconcile Interval In Seconds	600

Custom Resource Definition Properties

Spec

Schema

annotations:  string: string binaryAuthorization:  breakglassJustification: string  useDefault: boolean client: string clientVersion: string customAudiences: - string description: string ingress: string launchStage: string location: string projectRef:  external: string  name: string  namespace: string resourceID: string template:  annotations:  string: string  containers:  - args:  - string  command:  - string  dependsOn:  - string  env:  - name: string  value: string  valueSource:  secretKeyRef:  secretRef:  external: string  name: string  namespace: string  versionRef:  external: string  name: string  namespace: string  image: string  livenessProbe:  failureThreshold: integer  grpc:  port: integer  service: string  httpGet:  httpHeaders:  - name: string  value: string  path: string  port: integer  initialDelaySeconds: integer  periodSeconds: integer  timeoutSeconds: integer  name: string  ports:  - containerPort: integer  name: string  resources:  cpuIdle: boolean  limits:  string: string  startupCpuBoost: boolean  startupProbe:  failureThreshold: integer  grpc:  port: integer  service: string  httpGet:  httpHeaders:  - name: string  value: string  path: string  port: integer  initialDelaySeconds: integer  periodSeconds: integer  tcpSocket:  port: integer  timeoutSeconds: integer  volumeMounts:  - mountPath: string  name: string  workingDir: string  encryptionKeyRef:  external: string  name: string  namespace: string  executionEnvironment: string  labels:  string: string  maxInstanceRequestConcurrency: integer  revision: string  scaling:  maxInstanceCount: integer  minInstanceCount: integer  serviceAccountRef:  external: string  name: string  namespace: string  sessionAffinity: boolean  timeout: string  volumes:  - cloudSqlInstance:  instances:  - external: string  name: string  namespace: string  emptyDir:  medium: string  sizeLimit: string  name: string  secret:  defaultMode: integer  items:  - mode: integer  path: string  versionRef:  external: string  name: string  namespace: string  secretRef:  external: string  name: string  namespace: string  vpcAccess:  connectorRef:  external: string  name: string  namespace: string  egress: string  networkInterfaces:  - networkRef:  external: string  name: string  namespace: string  subnetworkRef:  external: string  name: string  namespace: string  tags:  - string traffic: - percent: integer  revision: string  tag: string  type: string

Fields

Fields
`annotations` Optional	`map (key: string, value: string)` Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with 'run.googleapis.com', 'cloud.googleapis.com', 'serving.knative.dev', or 'autoscaling.knative.dev' namespaces, and they will be rejected in new resources. All system annotations in v1 now have a corresponding field in v2 Service. This field follows Kubernetes annotations' namespacing, limits, and rules.
`binaryAuthorization` Optional	`object` Settings for the Binary Authorization feature.
`binaryAuthorization.breakglassJustification` Optional	`string` If present, indicates to use Breakglass using this justification. If useDefault is False, then it must be empty. For more information on breakglass, see https://cloud.google.com/binary-authorization/docs/using-breakglass.
`binaryAuthorization.useDefault` Optional	`boolean` If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.
`client` Optional	`string` Arbitrary identifier for the API client.
`clientVersion` Optional	`string` Arbitrary version identifier for the API client.
`customAudiences` Optional	`list (string)` One or more custom audiences that you want this service to support. Specify each custom audience as the full URL in a string. The custom audiences are encoded in the token and used to authenticate requests. For more information, see https://cloud.google.com/run/docs/configuring/custom-audiences.
`customAudiences[]` Optional	`string`
`description` Optional	`string` User-provided description of the Service. This field currently has a 512-character limit.
`ingress` Optional	`string` Provides the ingress settings for this Service. On output, returns the currently observed ingress settings, or INGRESS_TRAFFIC_UNSPECIFIED if no revision is active. Possible values: ["INGRESS_TRAFFIC_ALL", "INGRESS_TRAFFIC_INTERNAL_ONLY", "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"].
`launchStage` Optional	`string` The launch stage as defined by [Google Cloud Platform Launch Stages](https://cloud.google.com/products#product-launch-stages). Cloud Run supports ALPHA, BETA, and GA. If no value is specified, GA is assumed. Set the launch stage to a preview stage on input to allow use of preview features in that stage. On read (or output), describes whether the resource uses preview features. For example, if ALPHA is provided as input, but only BETA and GA-level features are used, this field will be BETA on output. Possible values: ["UNIMPLEMENTED", "PRELAUNCH", "EARLY_ACCESS", "ALPHA", "BETA", "GA", "DEPRECATED"].
`location` Required	`string` Immutable. The location of the cloud run service.
`projectRef` Required	`object` The project that this resource belongs to.
`projectRef.external` Optional	`string` Allowed value: The `name` field of a `Project` resource.
`projectRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`projectRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`resourceID` Optional	`string` Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.
`template` Required	`object` The template used to create revisions for this Service.
`template.annotations` Optional	`map (key: string, value: string)` Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with 'run.googleapis.com', 'cloud.googleapis.com', 'serving.knative.dev', or 'autoscaling.knative.dev' namespaces, and they will be rejected. All system annotations in v1 now have a corresponding field in v2 RevisionTemplate. This field follows Kubernetes annotations' namespacing, limits, and rules.
`template.containers` Optional	`list (object)` Holds the containers that define the unit of execution for this Service.
`template.containers[]` Optional	`object`
`template.containers[].args` Optional	`list (string)` Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell.
`template.containers[].args[]` Optional	`string`
`template.containers[].command` Optional	`list (string)` Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell.
`template.containers[].command[]` Optional	`string`
`template.containers[].dependsOn` Optional	`list (string)` Containers which should be started before this container. If specified the container will wait to start until all containers with the listed names are healthy.
`template.containers[].dependsOn[]` Optional	`string`
`template.containers[].env` Optional	`list (object)` List of environment variables to set in the container.
`template.containers[].env[]` Optional	`object`
`template.containers[].env[].name` Required*	`string` Name of the environment variable. Must be a C_IDENTIFIER, and mnay not exceed 32768 characters.
`template.containers[].env[].value` Optional	`string` Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any route environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "", and the maximum length is 32768 bytes.
`template.containers[].env[].valueSource` Optional	`object` Source for the environment variable's value.
`template.containers[].env[].valueSource.secretKeyRef` Optional	`object` Selects a secret and a specific version from Cloud Secret Manager.
`template.containers[].env[].valueSource.secretKeyRef.secretRef` Required*	`object` The name of the secret in Cloud Secret Manager. Format: {secretName} if the secret is in the same project. projects/{project}/secrets/{secretName} if the secret is in a different project.
`template.containers[].env[].valueSource.secretKeyRef.secretRef.external` Optional	`string` Allowed value: The `name` field of a `SecretManagerSecret` resource.
`template.containers[].env[].valueSource.secretKeyRef.secretRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`template.containers[].env[].valueSource.secretKeyRef.secretRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`template.containers[].env[].valueSource.secretKeyRef.versionRef` Optional	`object` The Cloud Secret Manager secret version. Can be 'latest' for the latest value or an integer for a specific version.
`template.containers[].env[].valueSource.secretKeyRef.versionRef.external` Optional	`string` Allowed value: The `version` field of a `SecretManagerSecretVersion` resource.
`template.containers[].env[].valueSource.secretKeyRef.versionRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`template.containers[].env[].valueSource.secretKeyRef.versionRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`template.containers[].image` Required*	`string` URL of the Container image in Google Container Registry or Google Artifact Registry. More info: https://kubernetes.io/docs/concepts/containers/images.
`template.containers[].livenessProbe` Optional	`object` Periodic probe of container liveness. Container will be restarted if the probe fails. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes.
`template.containers[].livenessProbe.failureThreshold` Optional	`integer` Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
`template.containers[].livenessProbe.grpc` Optional	`object` GRPC specifies an action involving a GRPC port.
`template.containers[].livenessProbe.grpc.port` Optional	`integer` Port number to access on the container. Number must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.
`template.containers[].livenessProbe.grpc.service` Optional	`string` The name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
`template.containers[].livenessProbe.httpGet` Optional	`object` HTTPGet specifies the http request to perform.
`template.containers[].livenessProbe.httpGet.httpHeaders` Optional	`list (object)` Custom headers to set in the request. HTTP allows repeated headers.
`template.containers[].livenessProbe.httpGet.httpHeaders[]` Optional	`object`
`template.containers[].livenessProbe.httpGet.httpHeaders[].name` Required*	`string` The header field name.
`template.containers[].livenessProbe.httpGet.httpHeaders[].value` Optional	`string` The header field value.
`template.containers[].livenessProbe.httpGet.path` Optional	`string` Path to access on the HTTP server. Defaults to '/'.
`template.containers[].livenessProbe.httpGet.port` Optional	`integer` Port number to access on the container. Number must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.
`template.containers[].livenessProbe.initialDelaySeconds` Optional	`integer` Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes.
`template.containers[].livenessProbe.periodSeconds` Optional	`integer` How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater or equal than timeoutSeconds.
`template.containers[].livenessProbe.timeoutSeconds` Optional	`integer` Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. Must be smaller than periodSeconds. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes.
`template.containers[].name` Optional	`string` Name of the container specified as a DNS_LABEL.
`template.containers[].ports` Optional	`list (object)` List of ports to expose from the container. Only a single port can be specified. The specified ports must be listening on all interfaces (0.0.0.0) within the container to be accessible. If omitted, a port number will be chosen and passed to the container through the PORT environment variable for the container to listen on.
`template.containers[].ports[]` Optional	`object`
`template.containers[].ports[].containerPort` Optional	`integer` Port number the container listens on. This must be a valid TCP port number, 0 < containerPort < 65536.
`template.containers[].ports[].name` Optional	`string` If specified, used to specify which protocol to use. Allowed values are "http1" and "h2c".
`template.containers[].resources` Optional	`object` Compute Resource requirements by this container. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources.
`template.containers[].resources.cpuIdle` Optional	`boolean` Determines whether CPU should be throttled or not outside of requests.
`template.containers[].resources.limits` Optional	`map (key: string, value: string)` Only memory and CPU are supported. Note: The only supported values for CPU are '1', '2', '4', and '8'. Setting 4 CPU requires at least 2Gi of memory. The values of the map is string form of the 'quantity' k8s type: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity.go.
`template.containers[].resources.startupCpuBoost` Optional	`boolean` Determines whether CPU should be boosted on startup of a new container instance above the requested CPU threshold, this can help reduce cold-start latency.
`template.containers[].startupProbe` Optional	`object` Startup probe of application within the container. All other probes are disabled if a startup probe is provided, until it succeeds. Container will not be added to service endpoints if the probe fails. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes.
`template.containers[].startupProbe.failureThreshold` Optional	`integer` Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
`template.containers[].startupProbe.grpc` Optional	`object` GRPC specifies an action involving a GRPC port.
`template.containers[].startupProbe.grpc.port` Optional	`integer` Port number to access on the container. Number must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.
`template.containers[].startupProbe.grpc.service` Optional	`string` The name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.
`template.containers[].startupProbe.httpGet` Optional	`object` HTTPGet specifies the http request to perform. Exactly one of HTTPGet or TCPSocket must be specified.
`template.containers[].startupProbe.httpGet.httpHeaders` Optional	`list (object)` Custom headers to set in the request. HTTP allows repeated headers.
`template.containers[].startupProbe.httpGet.httpHeaders[]` Optional	`object`
`template.containers[].startupProbe.httpGet.httpHeaders[].name` Required*	`string` The header field name.
`template.containers[].startupProbe.httpGet.httpHeaders[].value` Optional	`string` The header field value.
`template.containers[].startupProbe.httpGet.path` Optional	`string` Path to access on the HTTP server. Defaults to '/'.
`template.containers[].startupProbe.httpGet.port` Optional	`integer` Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.
`template.containers[].startupProbe.initialDelaySeconds` Optional	`integer` Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes.
`template.containers[].startupProbe.periodSeconds` Optional	`integer` How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater or equal than timeoutSeconds.
`template.containers[].startupProbe.tcpSocket` Optional	`object` TCPSocket specifies an action involving a TCP port. Exactly one of HTTPGet or TCPSocket must be specified.
`template.containers[].startupProbe.tcpSocket.port` Optional	`integer` Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.
`template.containers[].startupProbe.timeoutSeconds` Optional	`integer` Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. Must be smaller than periodSeconds. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes.
`template.containers[].volumeMounts` Optional	`list (object)` Volume to mount into the container's filesystem.
`template.containers[].volumeMounts[]` Optional	`object`
`template.containers[].volumeMounts[].mountPath` Required*	`string` Path within the container at which the volume should be mounted. Must not contain ':'. For Cloud SQL volumes, it can be left empty, or must otherwise be /cloudsql. All instances defined in the Volume will be available as /cloudsql/[instance]. For more information on Cloud SQL volumes, visit https://cloud.google.com/sql/docs/mysql/connect-run.
`template.containers[].volumeMounts[].name` Required*	`string` This must match the Name of a Volume.
`template.containers[].workingDir` Optional	`string` Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image.
`template.encryptionKeyRef` Optional	`object` A reference to a customer managed encryption key (CMEK) to use to encrypt this container image. For more information, go to https://cloud.google.com/run/docs/securing/using-cmek
`template.encryptionKeyRef.external` Optional	`string` Allowed value: The `selfLink` field of a `KMSCryptoKey` resource.
`template.encryptionKeyRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`template.encryptionKeyRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`template.executionEnvironment` Optional	`string` The sandbox environment to host this Revision. Possible values: ["EXECUTION_ENVIRONMENT_GEN1", "EXECUTION_ENVIRONMENT_GEN2"].
`template.labels` Optional	`map (key: string, value: string)` Unstructured key value map that can be used to organize and categorize objects. User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with 'run.googleapis.com', 'cloud.googleapis.com', 'serving.knative.dev', or 'autoscaling.knative.dev' namespaces, and they will be rejected. All system labels in v1 now have a corresponding field in v2 RevisionTemplate.
`template.maxInstanceRequestConcurrency` Optional	`integer` Sets the maximum number of requests that each serving instance can receive.
`template.revision` Optional	`string` The unique name for the revision. If this field is omitted, it will be automatically generated based on the Service name.
`template.scaling` Optional	`object` Scaling settings for this Revision.
`template.scaling.maxInstanceCount` Optional	`integer` Maximum number of serving instances that this resource should have.
`template.scaling.minInstanceCount` Optional	`integer` Minimum number of serving instances that this resource should have.
`template.serviceAccountRef` Optional	`object` Email address of the IAM service account associated with the revision of the service. The service account represents the identity of the running revision, and determines what permissions the revision has. If not provided, the revision will use the project's default service account.
`template.serviceAccountRef.external` Optional	`string` Allowed value: The `email` field of an `IAMServiceAccount` resource.
`template.serviceAccountRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`template.serviceAccountRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`template.sessionAffinity` Optional	`boolean` Enables session affinity. For more information, go to https://cloud.google.com/run/docs/configuring/session-affinity.
`template.timeout` Optional	`string` Max allowed time for an instance to respond to a request. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
`template.volumes` Optional	`list (object)` A list of Volumes to make available to containers.
`template.volumes[]` Optional	`object`
`template.volumes[].cloudSqlInstance` Optional	`object` For Cloud SQL volumes, contains the specific instances that should be mounted. Visit https://cloud.google.com/sql/docs/mysql/connect-run for more information on how to connect Cloud SQL and Cloud Run.
`template.volumes[].cloudSqlInstance.instances` Optional	`list (object)`
`template.volumes[].cloudSqlInstance.instances[]` Optional	`object` The Cloud SQL instance connection names, as can be found in https://console.cloud.google.com/sql/instances. Visit https://cloud.google.com/sql/docs/mysql/connect-run for more information on how to connect Cloud SQL and Cloud Run. Format: {project}:{location}:{instance}
`template.volumes[].cloudSqlInstance.instances[].external` Optional	`string` Allowed value: The `connectionName` field of a `SQLInstance` resource.
`template.volumes[].cloudSqlInstance.instances[].name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`template.volumes[].cloudSqlInstance.instances[].namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`template.volumes[].emptyDir` Optional	`object` Ephemeral storage used as a shared volume.
`template.volumes[].emptyDir.medium` Optional	`string` The different types of medium supported for EmptyDir. Default value: "MEMORY" Possible values: ["MEMORY"].
`template.volumes[].emptyDir.sizeLimit` Optional	`string` Limit on the storage usable by this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. This field's values are of the 'Quantity' k8s type: https://kubernetes.io/docs/reference/kubernetes-api/common-definitions/quantity/. The default is nil which means that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir.
`template.volumes[].name` Required*	`string` Volume's name.
`template.volumes[].secret` Optional	`object` Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret.
`template.volumes[].secret.defaultMode` Optional	`integer` Integer representation of mode bits to use on created files by default. Must be a value between 0000 and 0777 (octal), defaulting to 0444. Directories within the path are not affected by this setting.
`template.volumes[].secret.items` Optional	`list (object)` If unspecified, the volume will expose a file whose name is the secret, relative to VolumeMount.mount_path. If specified, the key will be used as the version to fetch from Cloud Secret Manager and the path will be the name of the file exposed in the volume. When items are defined, they must specify a path and a version.
`template.volumes[].secret.items[]` Optional	`object`
`template.volumes[].secret.items[].mode` Optional	`integer` Integer octal mode bits to use on this file, must be a value between 01 and 0777 (octal). If 0 or not set, the Volume's default mode will be used.
`template.volumes[].secret.items[].path` Required*	`string` The relative path of the secret in the container.
`template.volumes[].secret.items[].versionRef` Optional	`object` The Cloud Secret Manager secret version. Can be 'latest' for the latest value or an integer for a specific version
`template.volumes[].secret.items[].versionRef.external` Optional	`string` Allowed value: The `version` field of a `SecretManagerSecretVersion` resource.
`template.volumes[].secret.items[].versionRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`template.volumes[].secret.items[].versionRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`template.volumes[].secret.secretRef` Required*	`object` The name of the secret in Cloud Secret Manager. Format: {secret} if the secret is in the same project. projects/{project}/secrets/{secret} if the secret is in a different project.
`template.volumes[].secret.secretRef.external` Optional	`string` Allowed value: The `name` field of a `SecretManagerSecret` resource.
`template.volumes[].secret.secretRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`template.volumes[].secret.secretRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`template.vpcAccess` Optional	`object` VPC Access configuration to use for this Task. For more information, visit https://cloud.google.com/run/docs/configuring/connecting-vpc.
`template.vpcAccess.connectorRef` Optional	`object` VPC Access connector name. Format: projects/{project}/locations/{location}/connectors/{connector}, where {project} can be project id or number.
`template.vpcAccess.connectorRef.external` Optional	`string` Allowed value: The `selfLink` field of a `VPCAccessConnector` resource.
`template.vpcAccess.connectorRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`template.vpcAccess.connectorRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`template.vpcAccess.egress` Optional	`string` Traffic VPC egress settings. Possible values: ["ALL_TRAFFIC", "PRIVATE_RANGES_ONLY"].
`template.vpcAccess.networkInterfaces` Optional	`list (object)` Direct VPC egress settings. Currently only single network interface is supported.
`template.vpcAccess.networkInterfaces[]` Optional	`object`
`template.vpcAccess.networkInterfaces[].networkRef` Optional	`object` The VPC network that the Cloud Run resource will be able to send traffic to. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If network is not specified, it will be looked up from the subnetwork.
`template.vpcAccess.networkInterfaces[].networkRef.external` Optional	`string` Allowed value: The `selfLink` field of a `ComputeNetwork` resource.
`template.vpcAccess.networkInterfaces[].networkRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`template.vpcAccess.networkInterfaces[].networkRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`template.vpcAccess.networkInterfaces[].subnetworkRef` Optional	`object` The VPC subnetwork that the Cloud Run resource will get IPs from. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If subnetwork is not specified, the subnetwork with the same name with the network will be used.
`template.vpcAccess.networkInterfaces[].subnetworkRef.external` Optional	`string` Allowed value: The `selfLink` field of a `ComputeSubnetwork` resource.
`template.vpcAccess.networkInterfaces[].subnetworkRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`template.vpcAccess.networkInterfaces[].subnetworkRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
`template.vpcAccess.networkInterfaces[].tags` Optional	`list (string)` Network tags applied to this Cloud Run service.
`template.vpcAccess.networkInterfaces[].tags[]` Optional	`string`
`traffic` Optional	`list (object)` Specifies how to distribute traffic over a collection of Revisions belonging to the Service. If traffic is empty or not provided, defaults to 100% traffic to the latest Ready Revision.
`traffic[]` Optional	`object`
`traffic[].percent` Optional	`integer` Specifies percent of the traffic to this Revision. This defaults to zero if unspecified.
`traffic[].revision` Optional	`string` Revision to which to send this portion of traffic, if traffic allocation is by revision.
`traffic[].tag` Optional	`string` Indicates a string to be part of the URI to exclusively reference this target.
`traffic[].type` Optional	`string` The allocation type for this traffic target. Possible values: ["TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST", "TRAFFIC_TARGET_ALLOCATION_TYPE_REVISION"].

annotations

Optional

map (key: string, value: string)

Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with 'run.googleapis.com', 'cloud.googleapis.com', 'serving.knative.dev', or 'autoscaling.knative.dev' namespaces, and they will be rejected in new resources. All system annotations in v1 now have a corresponding field in v2 Service. This field follows Kubernetes annotations' namespacing, limits, and rules.

binaryAuthorization

Optional

object

Settings for the Binary Authorization feature.

binaryAuthorization.breakglassJustification

Optional

string

If present, indicates to use Breakglass using this justification. If useDefault is False, then it must be empty. For more information on breakglass, see https://cloud.google.com/binary-authorization/docs/using-breakglass.

binaryAuthorization.useDefault

Optional

boolean

If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.

client

Optional

string

Arbitrary identifier for the API client.

clientVersion

Optional

string

Arbitrary version identifier for the API client.

customAudiences

Optional

list (string)

One or more custom audiences that you want this service to support. Specify each custom audience as the full URL in a string. The custom audiences are encoded in the token and used to authenticate requests. For more information, see https://cloud.google.com/run/docs/configuring/custom-audiences.

customAudiences[]

Optional

string

description

Optional

string

User-provided description of the Service. This field currently has a 512-character limit.

ingress

Optional

string

Provides the ingress settings for this Service. On output, returns the currently observed ingress settings, or INGRESS_TRAFFIC_UNSPECIFIED if no revision is active. Possible values: ["INGRESS_TRAFFIC_ALL", "INGRESS_TRAFFIC_INTERNAL_ONLY", "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"].

launchStage

Optional

string

The launch stage as defined by [Google Cloud Platform Launch Stages](https://cloud.google.com/products#product-launch-stages). Cloud Run supports ALPHA, BETA, and GA. If no value is specified, GA is assumed. Set the launch stage to a preview stage on input to allow use of preview features in that stage. On read (or output), describes whether the resource uses preview features. For example, if ALPHA is provided as input, but only BETA and GA-level features are used, this field will be BETA on output. Possible values: ["UNIMPLEMENTED", "PRELAUNCH", "EARLY_ACCESS", "ALPHA", "BETA", "GA", "DEPRECATED"].

location

Required

string

Immutable. The location of the cloud run service.

projectRef

Required

object

The project that this resource belongs to.

projectRef.external

Optional

string

Allowed value: The `name` field of a `Project` resource.

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

template

Required

object

The template used to create revisions for this Service.

template.annotations

Optional

map (key: string, value: string)

Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with 'run.googleapis.com', 'cloud.googleapis.com', 'serving.knative.dev', or 'autoscaling.knative.dev' namespaces, and they will be rejected. All system annotations in v1 now have a corresponding field in v2 RevisionTemplate. This field follows Kubernetes annotations' namespacing, limits, and rules.

template.containers

Optional

list (object)

Holds the containers that define the unit of execution for this Service.

template.containers[]

Optional

object

template.containers[].args

Optional

list (string)

Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell.

template.containers[].args[]

Optional

string

template.containers[].command

Optional

list (string)

Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell.

template.containers[].command[]

Optional

string

template.containers[].dependsOn

Optional

list (string)

Containers which should be started before this container. If specified the container will wait to start until all containers with the listed names are healthy.

template.containers[].dependsOn[]

Optional

string

template.containers[].env

Optional

list (object)

List of environment variables to set in the container.

template.containers[].env[]

Optional

object

template.containers[].env[].name

Required*

string

Name of the environment variable. Must be a C_IDENTIFIER, and mnay not exceed 32768 characters.

template.containers[].env[].value

Optional

string

Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any route environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "", and the maximum length is 32768 bytes.

template.containers[].env[].valueSource

Optional

object

Source for the environment variable's value.

template.containers[].env[].valueSource.secretKeyRef

Optional

object

Selects a secret and a specific version from Cloud Secret Manager.

template.containers[].env[].valueSource.secretKeyRef.secretRef

Required*

object

The name of the secret in Cloud Secret Manager. Format: {secretName} if the secret is in the same project. projects/{project}/secrets/{secretName} if the secret is in a different project.

template.containers[].env[].valueSource.secretKeyRef.secretRef.external

Optional

string

Allowed value: The `name` field of a `SecretManagerSecret` resource.

template.containers[].env[].valueSource.secretKeyRef.secretRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

template.containers[].env[].valueSource.secretKeyRef.secretRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

template.containers[].env[].valueSource.secretKeyRef.versionRef

Optional

object

The Cloud Secret Manager secret version. Can be 'latest' for the latest value or an integer for a specific version.

template.containers[].env[].valueSource.secretKeyRef.versionRef.external

Optional

string

Allowed value: The `version` field of a `SecretManagerSecretVersion` resource.

template.containers[].env[].valueSource.secretKeyRef.versionRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

template.containers[].env[].valueSource.secretKeyRef.versionRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

template.containers[].image

Required*

string

URL of the Container image in Google Container Registry or Google Artifact Registry. More info: https://kubernetes.io/docs/concepts/containers/images.

template.containers[].livenessProbe

Optional

object

Periodic probe of container liveness. Container will be restarted if the probe fails. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes.

template.containers[].livenessProbe.failureThreshold

Optional

integer

Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

template.containers[].livenessProbe.grpc

Optional

object

GRPC specifies an action involving a GRPC port.

template.containers[].livenessProbe.grpc.port

Optional

integer

Port number to access on the container. Number must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.

template.containers[].livenessProbe.grpc.service

Optional

string

The name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.

template.containers[].livenessProbe.httpGet

Optional

object

HTTPGet specifies the http request to perform.

template.containers[].livenessProbe.httpGet.httpHeaders

Optional

list (object)

Custom headers to set in the request. HTTP allows repeated headers.

template.containers[].livenessProbe.httpGet.httpHeaders[]

Optional

object

template.containers[].livenessProbe.httpGet.httpHeaders[].name

Required*

string

The header field name.

template.containers[].livenessProbe.httpGet.httpHeaders[].value

Optional

string

The header field value.

template.containers[].livenessProbe.httpGet.path

Optional

string

Path to access on the HTTP server. Defaults to '/'.

template.containers[].livenessProbe.httpGet.port

Optional

integer

Port number to access on the container. Number must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.

template.containers[].livenessProbe.initialDelaySeconds

Optional

integer

Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes.

template.containers[].livenessProbe.periodSeconds

Optional

integer

How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater or equal than timeoutSeconds.

template.containers[].livenessProbe.timeoutSeconds

Optional

integer

Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. Must be smaller than periodSeconds. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes.

template.containers[].name

Optional

string

Name of the container specified as a DNS_LABEL.

template.containers[].ports

Optional

list (object)

List of ports to expose from the container. Only a single port can be specified. The specified ports must be listening on all interfaces (0.0.0.0) within the container to be accessible. If omitted, a port number will be chosen and passed to the container through the PORT environment variable for the container to listen on.

template.containers[].ports[]

Optional

object

template.containers[].ports[].containerPort

Optional

integer

Port number the container listens on. This must be a valid TCP port number, 0 < containerPort < 65536.

template.containers[].ports[].name

Optional

string

If specified, used to specify which protocol to use. Allowed values are "http1" and "h2c".

template.containers[].resources

Optional

object

Compute Resource requirements by this container. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources.

template.containers[].resources.cpuIdle

Optional

boolean

Determines whether CPU should be throttled or not outside of requests.

template.containers[].resources.limits

Optional

map (key: string, value: string)

Only memory and CPU are supported. Note: The only supported values for CPU are '1', '2', '4', and '8'. Setting 4 CPU requires at least 2Gi of memory. The values of the map is string form of the 'quantity' k8s type: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity.go.

template.containers[].resources.startupCpuBoost

Optional

boolean

Determines whether CPU should be boosted on startup of a new container instance above the requested CPU threshold, this can help reduce cold-start latency.

template.containers[].startupProbe

Optional

object

Startup probe of application within the container. All other probes are disabled if a startup probe is provided, until it succeeds. Container will not be added to service endpoints if the probe fails. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes.

template.containers[].startupProbe.failureThreshold

Optional

integer

Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

template.containers[].startupProbe.grpc

Optional

object

GRPC specifies an action involving a GRPC port.

template.containers[].startupProbe.grpc.port

Optional

integer

Port number to access on the container. Number must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.

template.containers[].startupProbe.grpc.service

Optional

string

template.containers[].startupProbe.httpGet

Optional

object

HTTPGet specifies the http request to perform. Exactly one of HTTPGet or TCPSocket must be specified.

template.containers[].startupProbe.httpGet.httpHeaders

Optional

list (object)

Custom headers to set in the request. HTTP allows repeated headers.

template.containers[].startupProbe.httpGet.httpHeaders[]

Optional

object

template.containers[].startupProbe.httpGet.httpHeaders[].name

Required*

string

The header field name.

template.containers[].startupProbe.httpGet.httpHeaders[].value

Optional

string

The header field value.

template.containers[].startupProbe.httpGet.path

Optional

string

Path to access on the HTTP server. Defaults to '/'.

template.containers[].startupProbe.httpGet.port

Optional

integer

Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.

template.containers[].startupProbe.initialDelaySeconds

Optional

integer

template.containers[].startupProbe.periodSeconds

Optional

integer

template.containers[].startupProbe.tcpSocket

Optional

object

TCPSocket specifies an action involving a TCP port. Exactly one of HTTPGet or TCPSocket must be specified.

template.containers[].startupProbe.tcpSocket.port

Optional

integer

Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.

template.containers[].startupProbe.timeoutSeconds

Optional

integer

template.containers[].volumeMounts

Optional

list (object)

Volume to mount into the container's filesystem.

template.containers[].volumeMounts[]

Optional

object

template.containers[].volumeMounts[].mountPath

Required*

string

Path within the container at which the volume should be mounted. Must not contain ':'. For Cloud SQL volumes, it can be left empty, or must otherwise be /cloudsql. All instances defined in the Volume will be available as /cloudsql/[instance]. For more information on Cloud SQL volumes, visit https://cloud.google.com/sql/docs/mysql/connect-run.

template.containers[].volumeMounts[].name

Required*

string

This must match the Name of a Volume.

template.containers[].workingDir

Optional

string

Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image.

template.encryptionKeyRef

Optional

object

A reference to a customer managed encryption key (CMEK) to use to encrypt this container image. For more information, go to https://cloud.google.com/run/docs/securing/using-cmek

template.encryptionKeyRef.external

Optional

string

Allowed value: The `selfLink` field of a `KMSCryptoKey` resource.

template.encryptionKeyRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

template.encryptionKeyRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

template.executionEnvironment

Optional

string

The sandbox environment to host this Revision. Possible values: ["EXECUTION_ENVIRONMENT_GEN1", "EXECUTION_ENVIRONMENT_GEN2"].

template.labels

Optional

map (key: string, value: string)

Unstructured key value map that can be used to organize and categorize objects. User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with 'run.googleapis.com', 'cloud.googleapis.com', 'serving.knative.dev', or 'autoscaling.knative.dev' namespaces, and they will be rejected. All system labels in v1 now have a corresponding field in v2 RevisionTemplate.

template.maxInstanceRequestConcurrency

Optional

integer

Sets the maximum number of requests that each serving instance can receive.

template.revision

Optional

string

The unique name for the revision. If this field is omitted, it will be automatically generated based on the Service name.

template.scaling

Optional

object

Scaling settings for this Revision.

template.scaling.maxInstanceCount

Optional

integer

Maximum number of serving instances that this resource should have.

template.scaling.minInstanceCount

Optional

integer

Minimum number of serving instances that this resource should have.

template.serviceAccountRef

Optional

object

Email address of the IAM service account associated with the revision of the service. The service account represents the identity of the running revision, and determines what permissions the revision has. If not provided, the revision will use the project's default service account.

template.serviceAccountRef.external

Optional

string

Allowed value: The `email` field of an `IAMServiceAccount` resource.

template.serviceAccountRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

template.serviceAccountRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

template.sessionAffinity

Optional

boolean

Enables session affinity. For more information, go to https://cloud.google.com/run/docs/configuring/session-affinity.

template.timeout

Optional

string

Max allowed time for an instance to respond to a request. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

template.volumes

Optional

list (object)

A list of Volumes to make available to containers.

template.volumes[]

Optional

object

template.volumes[].cloudSqlInstance

Optional

object

For Cloud SQL volumes, contains the specific instances that should be mounted. Visit https://cloud.google.com/sql/docs/mysql/connect-run for more information on how to connect Cloud SQL and Cloud Run.

template.volumes[].cloudSqlInstance.instances

Optional

list (object)

template.volumes[].cloudSqlInstance.instances[]

Optional

object

The Cloud SQL instance connection names, as can be found in https://console.cloud.google.com/sql/instances. Visit https://cloud.google.com/sql/docs/mysql/connect-run for more information on how to connect Cloud SQL and Cloud Run. Format: {project}:{location}:{instance}

template.volumes[].cloudSqlInstance.instances[].external

Optional

string

Allowed value: The `connectionName` field of a `SQLInstance` resource.

template.volumes[].cloudSqlInstance.instances[].name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

template.volumes[].cloudSqlInstance.instances[].namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

template.volumes[].emptyDir

Optional

object

Ephemeral storage used as a shared volume.

template.volumes[].emptyDir.medium

Optional

string

The different types of medium supported for EmptyDir. Default value: "MEMORY" Possible values: ["MEMORY"].

template.volumes[].emptyDir.sizeLimit

Optional

string

Limit on the storage usable by this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. This field's values are of the 'Quantity' k8s type: https://kubernetes.io/docs/reference/kubernetes-api/common-definitions/quantity/. The default is nil which means that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir.

template.volumes[].name

Required*

string

Volume's name.

template.volumes[].secret

Optional

object

Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret.

template.volumes[].secret.defaultMode

Optional

integer

Integer representation of mode bits to use on created files by default. Must be a value between 0000 and 0777 (octal), defaulting to 0444. Directories within the path are not affected by this setting.

template.volumes[].secret.items

Optional

list (object)

If unspecified, the volume will expose a file whose name is the secret, relative to VolumeMount.mount_path. If specified, the key will be used as the version to fetch from Cloud Secret Manager and the path will be the name of the file exposed in the volume. When items are defined, they must specify a path and a version.

template.volumes[].secret.items[]

Optional

object

template.volumes[].secret.items[].mode

Optional

integer

Integer octal mode bits to use on this file, must be a value between 01 and 0777 (octal). If 0 or not set, the Volume's default mode will be used.

template.volumes[].secret.items[].path

Required*

string

The relative path of the secret in the container.

template.volumes[].secret.items[].versionRef

Optional

object

The Cloud Secret Manager secret version. Can be 'latest' for the latest value or an integer for a specific version

template.volumes[].secret.items[].versionRef.external

Optional

string

Allowed value: The `version` field of a `SecretManagerSecretVersion` resource.

template.volumes[].secret.items[].versionRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

template.volumes[].secret.items[].versionRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

template.volumes[].secret.secretRef

Required*

object

The name of the secret in Cloud Secret Manager. Format: {secret} if the secret is in the same project. projects/{project}/secrets/{secret} if the secret is in a different project.

template.volumes[].secret.secretRef.external

Optional

string

Allowed value: The `name` field of a `SecretManagerSecret` resource.

template.volumes[].secret.secretRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

template.volumes[].secret.secretRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

template.vpcAccess

Optional

object

VPC Access configuration to use for this Task. For more information, visit https://cloud.google.com/run/docs/configuring/connecting-vpc.

template.vpcAccess.connectorRef

Optional

object

VPC Access connector name. Format: projects/{project}/locations/{location}/connectors/{connector}, where {project} can be project id or number.

template.vpcAccess.connectorRef.external

Optional

string

Allowed value: The `selfLink` field of a `VPCAccessConnector` resource.

template.vpcAccess.connectorRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

template.vpcAccess.connectorRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

template.vpcAccess.egress

Optional

string

Traffic VPC egress settings. Possible values: ["ALL_TRAFFIC", "PRIVATE_RANGES_ONLY"].

template.vpcAccess.networkInterfaces

Optional

list (object)

Direct VPC egress settings. Currently only single network interface is supported.

template.vpcAccess.networkInterfaces[]

Optional

object

template.vpcAccess.networkInterfaces[].networkRef

Optional

object

The VPC network that the Cloud Run resource will be able to send traffic to. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If network is not specified, it will be looked up from the subnetwork.

template.vpcAccess.networkInterfaces[].networkRef.external

Optional

string

Allowed value: The `selfLink` field of a `ComputeNetwork` resource.

template.vpcAccess.networkInterfaces[].networkRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

template.vpcAccess.networkInterfaces[].networkRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

template.vpcAccess.networkInterfaces[].subnetworkRef

Optional

object

The VPC subnetwork that the Cloud Run resource will get IPs from. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If subnetwork is not specified, the subnetwork with the same name with the network will be used.

template.vpcAccess.networkInterfaces[].subnetworkRef.external

Optional

string

Allowed value: The `selfLink` field of a `ComputeSubnetwork` resource.

template.vpcAccess.networkInterfaces[].subnetworkRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

template.vpcAccess.networkInterfaces[].subnetworkRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

template.vpcAccess.networkInterfaces[].tags

Optional

list (string)

Network tags applied to this Cloud Run service.

template.vpcAccess.networkInterfaces[].tags[]

Optional

string

traffic

Optional

list (object)

Specifies how to distribute traffic over a collection of Revisions belonging to the Service. If traffic is empty or not provided, defaults to 100% traffic to the latest Ready Revision.

traffic[]

Optional

object

traffic[].percent

Optional

integer

Specifies percent of the traffic to this Revision. This defaults to zero if unspecified.

traffic[].revision

Optional

string

Revision to which to send this portion of traffic, if traffic allocation is by revision.

traffic[].tag

Optional

string

Indicates a string to be part of the URI to exclusively reference this target.

traffic[].type

Optional

string

The allocation type for this traffic target. Possible values: ["TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST", "TRAFFIC_TARGET_ALLOCATION_TYPE_REVISION"].

* Field is required when parent field is specified

Status

Schema

conditions: - lastTransitionTime: string  message: string  reason: string  status: string  type: string createTime: string creator: string deleteTime: string etag: string expireTime: string lastModifier: string latestCreatedRevision: string latestReadyRevision: string observedGeneration: integer reconciling: boolean terminalCondition:  lastTransitionTime: string  message: string  reason: string  revisionReason: string  severity: string  state: string  type: string trafficStatuses: - percent: integer  revision: string  tag: string  type: string  uri: string uid: string updateTime: string uri: string

Fields
`conditions`	`list (object)` Conditions represent the latest available observation of the resource's current state.
`conditions[]`	`object`
`conditions[].lastTransitionTime`	`string` Last time the condition transitioned from one status to another.
`conditions[].message`	`string` Human-readable message indicating details about last transition.
`conditions[].reason`	`string` Unique, one-word, CamelCase reason for the condition's last transition.
`conditions[].status`	`string` Status is the status of the condition. Can be True, False, Unknown.
`conditions[].type`	`string` Type is the type of the condition.
`createTime`	`string` The creation time.
`creator`	`string` Email address of the authenticated creator.
`deleteTime`	`string` The deletion time.
`etag`	`string` A system-generated fingerprint for this version of the resource. May be used to detect modification conflict during updates.
`expireTime`	`string` For a deleted resource, the time after which it will be permamently deleted.
`lastModifier`	`string` Email address of the last authenticated modifier.
`latestCreatedRevision`	`string` Name of the last created revision. See comments in reconciling for additional information on reconciliation process in Cloud Run.
`latestReadyRevision`	`string` Name of the latest revision that is serving traffic. See comments in reconciling for additional information on reconciliation process in Cloud Run.
`observedGeneration`	`integer` ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.
`reconciling`	`boolean` Returns true if the Service is currently being acted upon by the system to bring it into the desired state. When a new Service is created, or an existing one is updated, Cloud Run will asynchronously perform all necessary steps to bring the Service to the desired serving state. This process is called reconciliation. While reconciliation is in process, observedGeneration, latest_ready_revison, trafficStatuses, and uri will have transient values that might mismatch the intended state: Once reconciliation is over (and this field is false), there are two possible outcomes: reconciliation succeeded and the serving state matches the Service, or there was an error, and reconciliation failed. This state can be found in terminalCondition.state. If reconciliation succeeded, the following fields will match: traffic and trafficStatuses, observedGeneration and generation, latestReadyRevision and latestCreatedRevision. If reconciliation failed, trafficStatuses, observedGeneration, and latestReadyRevision will have the state of the last serving revision, or empty for newly created Services. Additional information on the failure can be found in terminalCondition and conditions.
`terminalCondition`	`object` The Condition of this Service, containing its readiness status, and detailed error information in case it did not reach a serving state. See comments in reconciling for additional information on reconciliation process in Cloud Run.
`terminalCondition.lastTransitionTime`	`string` Last time the condition transitioned from one status to another.
`terminalCondition.message`	`string` Human readable message indicating details about the current status.
`terminalCondition.reason`	`string` A common (service-level) reason for this condition.
`terminalCondition.revisionReason`	`string` A reason for the revision condition.
`terminalCondition.severity`	`string` How to interpret failures of this condition, one of Error, Warning, Info.
`terminalCondition.state`	`string` State of the condition.
`terminalCondition.type`	`string` type is used to communicate the status of the reconciliation process. See also: https://github.com/knative/serving/blob/main/docs/spec/errors.md#error-conditions-and-reporting Types common to all resources include: * "Ready": True when the Resource is ready.
`trafficStatuses`	`list (object)` Detailed status information for corresponding traffic targets. See comments in reconciling for additional information on reconciliation process in Cloud Run.
`trafficStatuses[]`	`object`
`trafficStatuses[].percent`	`integer` Specifies percent of the traffic to this Revision.
`trafficStatuses[].revision`	`string` Revision to which this traffic is sent.
`trafficStatuses[].tag`	`string` Indicates the string used in the URI to exclusively reference this target.
`trafficStatuses[].type`	`string` The allocation type for this traffic target.
`trafficStatuses[].uri`	`string` Displays the target URI.
`uid`	`string` Server assigned unique identifier for the trigger. The value is a UUID4 string and guaranteed to remain unchanged until the resource is deleted.
`updateTime`	`string` The last-modified time.
`uri`	`string` The main URI in which this Service is serving traffic.

Sample YAML(s)

Run Service Basic

# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: run.cnrm.cloud.google.com/v1beta1 kind: RunService metadata:  name: runservice-sample-basic spec:  ingress: "INGRESS_TRAFFIC_ALL"  launchStage: "GA"  location: "us-central1"  projectRef:  # Replace ${PROJECT_ID?} with your project ID.  external: projects/${PROJECT_ID?}  template:  containers:  - env:  - name: "FOO"  value: "bar]"  image: "gcr.io/cloudrun/hello"  scaling:  maxInstanceCount: 2  traffic:  - percent: 100  type: "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"

Run Service Encryptionkey

# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: run.cnrm.cloud.google.com/v1beta1 kind: RunService metadata:  name: runservice-sample-encryptionkey spec:  ingress: "INGRESS_TRAFFIC_ALL"  launchStage: "GA"  location: "us-central1"  projectRef:  # Replace ${PROJECT_ID?} with your project ID.  external: projects/${PROJECT_ID?}  template:  containers:  - image: "gcr.io/cloudrun/hello"  encryptionKeyRef:  name: runservice-dep-encryptionkey --- # Replace ${PROJECT_ID?} and ${PROJECT_NUMBER?} below with your desired project # ID and project number. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata:  name: runservice-dep-encryptionkey spec:  member: serviceAccount:service-${PROJECT_NUMBER?}@serverless-robot-prod.iam.gserviceaccount.com  role: roles/cloudkms.cryptoKeyEncrypterDecrypter # required by cloud run service agent to access KMS keys  resourceRef:  apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1  kind: Project  external: projects/${PROJECT_ID?} --- apiVersion: kms.cnrm.cloud.google.com/v1beta1 kind: KMSCryptoKey metadata:  name: runservice-dep-encryptionkey spec:  keyRingRef:  name: runservice-dep-encryptionkey  purpose: ENCRYPT_DECRYPT --- apiVersion: kms.cnrm.cloud.google.com/v1beta1 kind: KMSKeyRing metadata:  name: runservice-dep-encryptionkey spec:  location: us-central1

Run Service Multicontainer

# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: run.cnrm.cloud.google.com/v1beta1 kind: RunService metadata:  name: runservice-sample-multicontainer spec:  ingress: "INGRESS_TRAFFIC_ALL"  launchStage: "BETA"  location: "us-central1"  projectRef:  # Replace ${PROJECT_ID?} with your project ID.  external: projects/${PROJECT_ID?}  template:  containers:  - name: "hello-1"  image: "gcr.io/cloudrun/hello"  ports:  - containerPort: 8080  volumeMounts:  - name: "empty-dir-volume"  mountPath: "/mnt"  - name: "hello-2"  image: "gcr.io/cloudrun/hello"  volumes:  - name: "empty-dir-volume"  emptyDir:  medium: "MEMORY"  sizeLimit: "256Mi"

Run Service Probes

# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: run.cnrm.cloud.google.com/v1beta1 kind: RunService metadata:  name: runservice-sample-serviceprobes spec:  ingress: "INGRESS_TRAFFIC_ALL"  launchStage: "GA"  location: "us-central1"  projectRef:  # Replace ${PROJECT_ID?} with your project ID.  external: projects/${PROJECT_ID?}  template:  containers:  - image: "gcr.io/cloudrun/hello"  startupProbe:  initialDelaySeconds: 0  timeoutSeconds: 1  periodSeconds: 3  failureThreshold: 1  tcpSocket:  port: 8080  livenessProbe:  httpGet:  path: "/"

Run Service SQL

# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: run.cnrm.cloud.google.com/v1beta1 kind: RunService metadata:  name: runservice-sample-sql spec:  ingress: "INGRESS_TRAFFIC_ALL"  launchStage: "GA"  location: "us-central1"  projectRef:  # Replace ${PROJECT_ID?} with your project ID.  external: projects/${PROJECT_ID?}  template:  volumes:  - name: "cloudsql"  cloudSqlInstance:  instances:  - name: runservice-dep-sql  containers:  - image: "gcr.io/cloudrun/hello"  volumeMounts:  - name: "cloudsql"  mountPath: "/cloudsql" --- apiVersion: sql.cnrm.cloud.google.com/v1beta1 kind: SQLInstance metadata:  name: runservice-dep-sql spec:  region: us-central1  databaseVersion: MYSQL_5_7  settings:  tier: db-n1-standard-1

Run Service Secret

# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: run.cnrm.cloud.google.com/v1beta1 kind: RunService metadata:  name: runservice-sample-secret spec:  ingress: "INGRESS_TRAFFIC_ALL"  launchStage: "GA"  location: "us-central1"  projectRef:  # Replace ${PROJECT_ID?} with your project ID.  external: projects/${PROJECT_ID?}  template:  containers:  - image: "gcr.io/cloudrun/hello"  volumeMounts:  - name: "a-volume"  mountPath: "/secrets"  volumes:  - name: "a-volume"  secret:  secretRef:  name: runservice-dep-secret  defaultMode: 292 # 0444  items:  - versionRef:  name: runservice-dep-secret  path: "my-secret"  mode: 256 # 0400 --- # Replace ${PROJECT_ID?} and ${PROJECT_NUMBER?} below with your desired project # ID and project number. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata:  name: runservice-dep-secret spec:  member: serviceAccount:${PROJECT_NUMBER?}-compute@developer.gserviceaccount.com  role: roles/secretmanager.secretAccessor # required by default service account to access secrets  resourceRef:  apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1  kind: Project  external: projects/${PROJECT_ID?} --- apiVersion: v1 kind: Secret metadata:  name: runservice-dep-secret data:  secretData: SSBhbHdheXMgbG92ZWQgc3BhcnJpbmcgd2l0aCBnaWFudCBjYW5keSBzd29yZHMsIGJ1dCBJIGhhZCBubyBpZGVhIHRoYXQgd2FzIG15IHN1cGVyIHNlY3JldCBpbmZvcm1hdGlvbiE= --- apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1 kind: SecretManagerSecret metadata:  name: runservice-dep-secret spec:  replication:  automatic: true --- apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1 kind: SecretManagerSecretVersion metadata:  name: runservice-dep-secret spec:  enabled: true  secretData:  valueFrom:  secretKeyRef:  key: secretData  name: runservice-dep-secret  secretRef:  name: runservice-dep-secret

Run Service Serviceaccount

apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata:  name: runservice-dep-serviceaccount --- apiVersion: run.cnrm.cloud.google.com/v1beta1 kind: RunService metadata:  name: runservice-sample-serviceaccount spec:  ingress: "INGRESS_TRAFFIC_ALL"  launchStage: "GA"  location: "us-central1"  projectRef:  # Replace ${PROJECT_ID?} with your project ID.  external: projects/${PROJECT_ID?}  template:  containers:  - image: "gcr.io/cloudrun/hello"  serviceAccountRef:  name: runservice-dep-serviceaccount

Run Service VPCAccess

# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: run.cnrm.cloud.google.com/v1beta1 kind: RunService metadata:  name: runservice-sample-vpcaccess spec:  ingress: "INGRESS_TRAFFIC_ALL"  launchStage: "GA"  location: "us-central1"  projectRef:  # Replace ${PROJECT_ID?} with your project ID.  external: projects/${PROJECT_ID?}  template:  containers:  - image: "gcr.io/cloudrun/hello"  vpcAccess:  connectorRef:  name: runservice-dep-vpcaccess  egress: "ALL_TRAFFIC" --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeNetwork metadata:  name: runservice-dep-vpcaccess spec:  autoCreateSubnetworks: false --- apiVersion: vpcaccess.cnrm.cloud.google.com/v1beta1 kind: VPCAccessConnector metadata:  name: runservice-dep-vpcaccess spec:  location: "us-central1"  networkRef:  name: runservice-dep-vpcaccess  ipCidrRange: "10.132.0.0/28"  projectRef:  # Replace ${PROJECT_ID?} with your project ID  external: ${PROJECT_ID?}