API Reference
Packages:
pkg.internal/v1beta1
Resource Types:
Datalab
A Datalab is a tenant-facing, namespaced composite resource. It defines ownership, membership, and optional file bundles to materialize in the environment.
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | pkg.internal/v1beta1 | true |
| kind | string | Datalab | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
| spec | object |
Desired configuration of the datalab. |
true |
| status | object |
Current observed state of the datalab. |
false |
Datalab.spec
Desired configuration of the datalab.
| Name | Type | Description | Required |
|---|---|---|---|
| users | []string |
Users associated with this datalab. Default: [] |
true |
| data | object |
Optional settings for the Data component. When enabled, the composition provisions the data service UI and mounts workspace storage into it at /data. Default: map[] |
false |
| databases | map[string]object |
Optional PostgreSQL hosts (PostgresCluster instances) to provision for this datalab. Each host defines a data volume size and a pgBackRest repository size, plus a list of logical PostgreSQL databases to create inside that cluster. Ownership and privileges are derived from spec.users by the Composition. Default: map[] |
false |
| files | []object |
File bundles to fetch from remote sources and copy into the environment. Supports image, git, and http sources, path filtering, and optional credentials. Default: [] |
false |
| quota | object |
Optional per-datalab session quota overrides. If a field is not specified here, the composition falls back to EnvironmentConfig at `spec.defaults.quota`, and then to hard defaults. Effective defaults (when neither XR nor EnvironmentConfig provides a value): memory=2Gi, storage=1Gi, budget=medium. |
false |
| secretName | string |
Name of the Secret containing the credentials to access the storage associated with this Datalab. The Secret must exist in the same namespace as the Datalab. |
false |
| security | object |
Optional per-datalab session security settings. If a field is not specified here, the composition falls back to EnvironmentConfig at `spec.defaults.security`, and then to hard defaults. Effective defaults (when neither XR nor EnvironmentConfig provides a value): policy=baseline, kubernetesAccess=true, kubernetesRole=edit. When policy is "privileged", Docker is automatically enabled with 20Gi storage. |
false |
| sessions | []string |
Sessions to be started for this datalab. Default: [] |
false |
| userOverrides | map[string]object |
Optional per-user override configuration.
Default: map[] |
false |
| vcluster | boolean |
Whether to provision an isolated vcluster for each datalab session. Default: false |
false |
Datalab.spec.data
Optional settings for the Data component. When enabled, the composition provisions the data service UI and mounts workspace storage into it at /data.
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean |
Whether to provision the Data component for this Datalab session. Effective default: true. Default: true |
false |
| readOnlyMount | boolean |
Whether the workspace storage should be mounted read-only in the Data component. Effective default: false. Default: false |
false |
Datalab.spec.databases[key]
| Name | Type | Description | Required |
|---|---|---|---|
| backupStorage | string |
Storage size for the pgBackRest repository PVC (backup volume, including WAL archive) as a Kubernetes quantity (e.g., "10Gi", "100Gi"). |
true |
| names | []string |
Logical PostgreSQL database names to create within this host (e.g., "prod", "dev"). |
true |
| storage | string |
Storage size for the PostgreSQL data PVC of this PostgresCluster as a Kubernetes quantity (e.g., "1Gi", "10Gi"). |
true |
Datalab.spec.files[index]
| Name | Type | Description | Required |
|---|---|---|---|
| excludePaths | []string |
Glob patterns to exclude from the source. |
false |
| git | object |
Git repository source configuration. |
false |
| http | object |
HTTP source configuration for downloading an asset or archive. |
false |
| image | object |
Container image source configuration. |
false |
| includePaths | []string |
Glob patterns to include from the source. |
false |
| newRootPath | string |
Subdirectory within the source to treat as the root. |
false |
| path | string |
Destination directory for extracted files. Default: . |
false |
Datalab.spec.files[index].git
Git repository source configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| lfsSkipSmudge | boolean |
If true, do not fetch Git LFS objects. |
false |
| ref | string |
Branch, tag, or commit to fetch. |
false |
| refSelection | object |
Resolve an explicit ref by semver selection. |
false |
| secretRef | object |
Optional credentials for the Git server. |
false |
| url | string |
Git repository URL (HTTPS or SSH). |
false |
| verification | object |
GPG signature verification options. |
false |
Datalab.spec.files[index].git.refSelection
Resolve an explicit ref by semver selection.
| Name | Type | Description | Required |
|---|---|---|---|
| semver | object |
|
false |
Datalab.spec.files[index].git.refSelection.semver
| Name | Type | Description | Required |
|---|---|---|---|
| constraints | string |
|
false |
| prereleases | object |
|
false |
Datalab.spec.files[index].git.refSelection.semver.prereleases
| Name | Type | Description | Required |
|---|---|---|---|
| identifiers | []string |
|
false |
Datalab.spec.files[index].git.secretRef
Optional credentials for the Git server.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Name of a Secret with auth (ssh-privatekey/knownhosts or username/password). |
false |
| namespace | string |
Namespace of the Secret. |
false |
Datalab.spec.files[index].git.verification
GPG signature verification options.
| Name | Type | Description | Required |
|---|---|---|---|
| publicKeysSecretRef | object |
|
false |
Datalab.spec.files[index].git.verification.publicKeysSecretRef
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Secret containing GPG public keys. |
false |
| namespace | string |
Namespace of the Secret. |
false |
Datalab.spec.files[index].http
HTTP source configuration for downloading an asset or archive.
| Name | Type | Description | Required |
|---|---|---|---|
| secretRef | object |
Optional basic-auth credentials for the HTTP server. |
false |
| sha256 | string |
Optional checksum for verification of the downloaded asset. |
false |
| url | string |
HTTP(S) URL to file or archive; archives are unpacked automatically. |
false |
Datalab.spec.files[index].http.secretRef
Optional basic-auth credentials for the HTTP server.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Secret containing username/password. |
false |
| namespace | string |
Namespace of the Secret. |
false |
Datalab.spec.files[index].image
Container image source configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| dangerousSkipTLSVerify | boolean |
Skip TLS verification when pulling from the registry. |
false |
| secretRef | object |
Optional credentials for the image registry. |
false |
| tagSelection | object |
Optional semantic-version tag selection policy. |
false |
| url | string |
OCI image reference (e.g., ghcr.io/org/repo:tag or @sha256:...). |
false |
Datalab.spec.files[index].image.secretRef
Optional credentials for the image registry.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Name of a Secret containing registry credentials. |
false |
| namespace | string |
Namespace of the Secret. |
false |
Datalab.spec.files[index].image.tagSelection
Optional semantic-version tag selection policy.
| Name | Type | Description | Required |
|---|---|---|---|
| semver | object |
|
false |
Datalab.spec.files[index].image.tagSelection.semver
| Name | Type | Description | Required |
|---|---|---|---|
| constraints | string |
Semver constraint string. |
false |
| prereleases | object |
|
false |
Datalab.spec.files[index].image.tagSelection.semver.prereleases
| Name | Type | Description | Required |
|---|---|---|---|
| identifiers | []string |
|
false |
Datalab.spec.quota
Optional per-datalab session quota overrides. If a field is not specified here, the composition falls back to EnvironmentConfig at spec.defaults.quota, and then to hard defaults. Effective defaults (when neither XR nor EnvironmentConfig provides a value): memory=2Gi, storage=1Gi, budget=medium.
| Name | Type | Description | Required |
|---|---|---|---|
| budget | enum |
Namespace budget class determining available compute resources. Accepted values correspond to standard Educates resource budgets. Effective default (if not set here or in EnvironmentConfig): "medium". Enum: small, medium, large, x-large, xx-large, xxx-large |
false |
| memory | string |
Memory request for the session environment as a Kubernetes quantity (e.g., "2Gi", "512Mi"). Effective default (if not set here or in EnvironmentConfig): "2Gi". |
false |
| storage | string |
Storage size for the session as a Kubernetes quantity (e.g., "1Gi"). Effective default (if not set here or in EnvironmentConfig): "1Gi". |
false |
Datalab.spec.security
Optional per-datalab session security settings. If a field is not specified here, the composition falls back to EnvironmentConfig at spec.defaults.security, and then to hard defaults. Effective defaults (when neither XR nor EnvironmentConfig provides a value): policy=baseline, kubernetesAccess=true, kubernetesRole=edit. When policy is "privileged", Docker is automatically enabled with 20Gi storage.
| Name | Type | Description | Required |
|---|---|---|---|
| kubernetesAccess | boolean |
Whether a Kubernetes service account token should be made available within the session. Effective default (if not set here or in EnvironmentConfig): true. |
false |
| kubernetesRole | enum |
Session namespace RBAC role. Accepted values: "admin", "edit", "view". Effective default (if not set here or in EnvironmentConfig): "edit". Enum: admin, edit, view |
false |
| policy | enum |
Pod Security Standard policy level. Accepted values: "restricted", "baseline", "privileged". Effective default (if not set here or in EnvironmentConfig): "baseline". Enum: restricted, baseline, privileged |
false |
Datalab.spec.userOverrides[key]
| Name | Type | Description | Required |
|---|---|---|---|
| grantedAt | string |
RFC3339 timestamp indicating when the role became active.
Format: date-time |
false |
| role | enum |
Assigned role for the user. Enum: admin, user |
false |
Datalab.status
Current observed state of the datalab.
| Name | Type | Description | Required |
|---|---|---|---|
| sessions | map[string]object |
Map of session IDs and their current state. |
false |
Datalab.status.sessions[key]
Observed state of a single datalab session.
| Name | Type | Description | Required |
|---|---|---|---|
| url | string |
Public URL of the active session. |
false |