CRD Reference
All resources are namespaced and live in
thurkube.thurbeen.eu/v1alpha1
. Print the canonical YAML at any time with:
$ cargo run -- --crd
# or, from the published image:
$ docker run --rm ghcr.io/thurbeen/thurkube:latest --crdAgentJob #
Short name:
aj
. The orchestration unit. References every other resource and defines the prompt and
schedule.
Spec
| Field | Type | Default | Description |
|---|---|---|---|
schedule |
string | — | Cron expression. Omit for a one-shot Job. |
timezone |
string | Etc/UTC |
IANA timezone for the schedule. |
suspend |
bool | false |
Suspend future executions without deleting the resource. |
runtimeRef |
string | required | Name of an AgentRuntime in the same namespace. |
authRef |
string | required | Name of an AgentAuth in the same namespace. |
roleRef |
string | required | Name of an AgentRole in the same namespace. |
skillRef |
string | — | Optional AgentSkill name. |
clusterAccessRef |
string | — | Optional ClusterAccess name. |
mcpServerRefs |
[]string | [] |
List of McpServer names. |
repositoryRefs |
[]string | [] |
List of Repository names. |
prompt |
string | required | The prompt text sent to the agent. |
instructions |
string | — | Project-context file contents (e.g. CLAUDE.md). Mounted alongside the rendered config. |
model |
string | — |
Model override (e.g.
sonnet
,
opus
).
|
resources |
k8s
ResourceRequirements
|
— | Container requests/limits. |
timeoutSeconds |
uint32 | 3600 |
Job timeout in seconds. |
env |
[]
EnvVar
|
[] |
Native Kubernetes env vars. |
envFrom |
[]
EnvFromSource
|
[] |
Bulk env injection from Secrets/ConfigMaps. |
persist |
bool | false |
Provision a PVC mounted at the runtime's persistPath. |
Status
| Field | Type | Description |
|---|---|---|
phase |
string | One of Pending, Running, Succeeded, Failed, Suspended. |
lastRunTime |
RFC3339 string | Last time the controller scheduled a run. |
lastCompletionTime |
RFC3339 string | Last time the controller observed a completion. |
message |
string | Human-readable status message. |
observedGeneration |
int64 | Generation last reconciled. |
configHash |
string | Hash of the rendered ConfigMap, used for drift detection. |
ownedResources |
[]
{kind, name}
|
Children the controller manages. |
conditions |
[]Condition | Standard Kubernetes-style conditions. |
AgentRuntime #
Short name:
ar
. Defines the container image and the path conventions for mounted config and
persistence.
| Field | Type | Description |
|---|---|---|
image |
string | Container image (e.g. ghcr.io/thurbeen/claude-code-job:latest). |
command |
[]string | Optional entrypoint override. |
authEnvVar |
string | Name of the env var that receives the auth token. |
configPath |
string | Read-only mount path for the rendered ConfigMap. |
persistPath |
string | Mount path for the PVC when persistence is enabled. |
AgentAuth #
Short name:
aa
. References a Kubernetes
Secret
key holding the agent's auth token. The controller wires the value into the env var
named by the runtime's
authEnvVar
.
| Field | Type | Description |
|---|---|---|
secretRef.name |
string | Secret name in the same namespace. |
secretRef.key |
string | Key within that Secret. |
AgentRole #
Short name:
arl
. Defines which tools the agent is allowed to use.
| Field | Type | Description |
|---|---|---|
allowedTools |
[]string |
Tool names. Supports glob wildcards (e.g.
mcp__gmail__*
).
|
AgentSkill #
Short name:
ask
. Reusable skill from a GitHub repository.
| Field | Type | Default | Description |
|---|---|---|---|
repo |
string | required |
GitHub repository in
owner/repo
format.
|
name |
string | required | Skill directory name within the repository. |
ref |
string | main |
Git ref (branch, tag, SHA) to check out. |
McpServer #
Short name:
mcp
. An MCP server: either a local command or a remote URL. The two are mutually exclusive.
| Field | Type | Description |
|---|---|---|
command |
string |
Command to start a local MCP server (e.g.
npx
).
|
args |
[]string | Arguments for the command. |
url |
string | URL of a remote MCP server. |
Repository #
Short name:
repo
. A GitHub repository the agent should clone, optionally with a token.
| Field | Type | Description |
|---|---|---|
owner |
string | GitHub organization or user. |
name |
string | Repository name. |
tokenSecretRef |
{name, key}
|
Optional Secret-key reference for the GitHub token. |
ClusterAccess #
Short name:
ca
. Kubernetes RBAC rules to grant the agent. When referenced by an
AgentJob
, the controller materializes a per-job ServiceAccount, ClusterRole, and
ClusterRoleBinding.
| Field | Type | Description |
|---|---|---|
rules |
[]
PolicyRule
|
Same syntax as a ClusterRole's
rules
field.
|
ClusterRoles are cluster-scoped. Treat
ClusterAccess
specs as security-sensitive and review them before applying.