Minimal manifest
Example manifest
Field reference
Resource kind. The value is case-sensitive.
Value Job
Top-level workload metadata.
Optional namespace scope embedded in the manifest. CLI flags override these values.
Resolved from CLI context or flags can provide scope
Account that owns the namespace. The CLI can resolve this from context or --account-id.
Format 12-digit account ID
Namespace name. The CLI can resolve this from context or --namespace.
Subnet name or slug where the workload should run.
Resolved from --subnet or context can provide it
Stable workload name within the namespace.
User-defined labels for grouping, filtering, and ownership metadata.
User-defined annotations for descriptive metadata that is not used for identity.
Desired Job configuration.
Number of successful pod completions required before the Job is complete.
Maximum number of pods the Job may run at the same time.
Number of failed pod attempts allowed before the Job is considered failed.
Pod template used by the Job.
Metadata copied to pods created from this template.
Labels copied to pods created from this template.
Annotations copied to pods created from this template.
Pod spec used by this template.
Container restart behavior.
Possible enum values:
always, on_failure, never
Platform identifies the workload OS and architecture. If omitted, IDYL resolves platform from policy and available capacity.
Possible enum values:
linux/amd64, linux/arm64
Isolation identifies the requested execution boundary. If omitted, IDYL resolves isolation from subnet policy.
Possible enum values:
container, microvm
Class is the requested execution isolation boundary.
Possible enum values:
container, microvm
Network identifies workload network intent. If omitted, the workload has no explicit network posture unless policy requires network intent.
Possible enum values:
none, restricted-egress, unrestricted
Class is the requested workload network policy.
Possible enum values:
none, restricted-egress, unrestricted
Egress defines allowed outbound destinations for restricted-egress workloads.
Format Restricted egress allow rules
Allow contains structured allow rules such as “dns” or “tcp:443:api.example.com”. TCP targets must be DNS hostnames, not IP literals.
Possible enum values:
dns, tcp:<port>:<dns-hostname>
DenyLocalNetworks must be true when network.egress.allow is set. Local networks remain denied while the listed destinations are allowed.
Value true
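The egress rules above can be checked before a manifest is submitted. The following Python is an added example, not IDYL's own validator; the function names, the 1-65535 port range and the RFC 1123 hostname syntax are assumptions, and the sample rules are constructed.

```python
from __future__ import annotations
import ipaddress
import re

# Assumed hostname syntax: RFC 1123 labels (letters, digits, inner hyphens).
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_PORT = re.compile(r"[0-9]{1,5}")


def _is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, including bracketed IPv6 such as [::1]."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_allow_rule(rule: str) -> str | None:
    """Return None if the rule is well-formed, otherwise the reason it is rejected."""
    if rule == "dns":
        return None
    parts = rule.split(":", 2)  # later colons (IPv6) stay inside the host part
    if len(parts) != 3 or parts[0] != "tcp":
        return "expected 'dns' or 'tcp:<port>:<dns-hostname>'"
    _, port, host = parts
    if not _PORT.fullmatch(port) or not 1 <= int(port) <= 65535:  # assumed range
        return "port must be an integer in 1-65535"
    if _is_ip_literal(host):
        return "target must be a DNS hostname, not an IP literal"
    labels = host.split(".")
    # An all-numeric last label (e.g. 10.0.0) is treated as a malformed address.
    if len(host) > 253 or labels[-1].isdigit() or not all(_LABEL.fullmatch(l) for l in labels):
        return "target is not a valid DNS hostname"
    return None


def check_egress(allow: list[str], deny_local_networks: bool) -> list[str]:
    """Collect every violation of the egress rules stated in the field reference."""
    errors = [f"{r!r}: {why}" for r in allow if (why := check_allow_rule(r))]
    if allow and deny_local_networks is not True:
        errors.append("DenyLocalNetworks must be true when allow rules are set")
    return errors


# Constructed sample rules, not taken from a real manifest.
SAMPLE = ["dns", "tcp:443:api.example.com", "tcp:443:10.0.0.5",
          "tcp:443:[fd00::1]", "udp:53:resolver.example.com", "tcp:0:api.example.com"]
```

Calling `check_egress(SAMPLE, True)` reports the two IP-literal targets, the non-TCP rule and the out-of-range port, and accepts the first two rules.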
Pod-level GPU requirement. GPU is a physical host device requirement, not a per-container resource. All containers in the pod share GPU access.
Examples h100, 2:h100, nvidia:24Gi
Require specifies host-level capability requirements (e.g., cuda: ">=13.0"). Pods will only be scheduled on nodes that satisfy all requirements.
Format Exact version or >= minimum version
Containers that run in the pod.
Requirement At least one container
Container name, unique within the pod.
Container image reference, such as nginx:latest, ubuntu:22.04, or a private registry image.
ImageDigest is the optional digest for image verification (e.g., “sha256:abc123…”). When provided, it is appended to registry images as “image@sha256:abc123”.
Example sha256:…
When the runtime should pull the image.
Possible enum values:
always, never, if_not_present
ImagePullCredentials specifies credentials for pulling from private registries. If nil, no authentication is used (public registry or pre-configured daemon auth).
Username for registry authentication (e.g., “AWS” for ECR, “_json_key” for GCR)
Password or token for registry authentication
Command overrides the container image’s ENTRYPOINT. If empty, the image’s default ENTRYPOINT is used. If set without Args, the image’s default CMD is still used with the new entrypoint.
Args overrides the container image’s CMD. If empty, the image’s default CMD is used.
Env is a list of environment variables to set in the container.
Environment variable name.
Pattern [a-zA-Z_][a-zA-Z0-9_]*
Environment variable value.
Container resource requests and limits.
Requirement CPU or memory must be set on at least one container
Resources used for scheduling. If a request is omitted but a limit is set for that resource, the limit is used as the effective request.
CPU quantity for this resource entry.
Examples 500m, 0.5, 1
Memory quantity for this resource entry.
Examples 256Mi, 1Gi
Disk quantity for this resource entry.
Examples 1Gi, 10G
Maximum resources allowed for the container.
CPU quantity for this resource entry.
Examples 500m, 0.5, 1
Memory quantity for this resource entry.
Examples 256Mi, 1Gi
Disk quantity for this resource entry.
Examples 1Gi, 10G
Size of the shared volume mounted for the pod.
Format Memory/disk units
Read-only fields
IDYL can return these fields when you inspect a workload. Do not include them in authored manifests.

| Field | Description |
|---|---|
| metadata.id | IDYL-assigned resource ID. |
| metadata.namespace.id | IDYL-assigned namespace ID. |
| metadata.subnetSlug | Resolved subnet slug returned by IDYL. |
| metadata.ownerReferences | Parent workload relationship, such as a ReplicaSet owned by a Deployment. |
| metadata.createdAt | Creation timestamp. |
| metadata.updatedAt | Last update timestamp. |
| metadata.deletedAt | Deletion timestamp, when present. |
| metadata.revision | Revision information returned by IDYL. |
| status | Current observed state returned by IDYL. |
Validation notes
- kind values are case-sensitive.
- At least one container is required in every pod spec.
- At least one container must specify CPU or memory in resources.requests or resources.limits, unless the CLI fills those values from configured defaults before sending the workload.
- GPU requirements belong at the pod spec gpu path, not under per-container resources.
- Environment variable names must be unique within a container and must match [a-zA-Z_][a-zA-Z0-9_]*.

