Custom Resource Definition (CRD) Reference#

The NVIDIA Nsight Operator uses Custom Resource Definitions (CRDs) as its configuration API. When you install the operator using Helm, the Helm values are templated into CRD instances (Custom Resources). After installation, you can also create or modify CRs directly using kubectl.

Two ways to configure:

During installation: Set Helm values which get templated into CRs.
After installation: Create/modify CRs directly with kubectl apply.

The sections below document each CRD field along with its corresponding Helm value path (where applicable).

NsightCoordinator#

API Version: nvidia.com/v1alpha1 | Kind: NsightCoordinator

Manages the coordinator deployment for profiling session control. The operator controller reconciles this CR to deploy coordinator pods and services.

Field	Description	Default	Helm Value
`spec.resources`	Resource limits and requests for the coordinator container	`{}`	`nsight-coordinator.resources`
`spec.service.type`	Kubernetes service type (LoadBalancer, NodePort, ClusterIP)	`ClusterIP`	`nsight-coordinator.service.type`
`spec.service.annotations`	Annotations for the coordinator service	`{}`	`nsight-coordinator.service.annotations`
`spec.service.labels`	Labels for the coordinator service	`{}`	`nsight-coordinator.service.labels`
`spec.restAPI.enabled`	Enable REST API for the coordinator	`false`	`nsight-coordinator.restAPI.enabled`
`spec.restAPI.servicePort`	Port for the REST API service	`80`	`nsight-coordinator.restAPI.servicePort`
`spec.restAPI.numWorkers`	Number of REST API workers	`3`	`nsight-coordinator.restAPI.numWorkers`
`spec.restAPI.ingress.enabled`	Enable Ingress for the REST API	`false`	`nsight-coordinator.restAPI.ingress.enabled`
`spec.authentication.type`	Authentication type for the coordinator	`basic`	`nsight-coordinator.authentication.type`
`spec.curveEncryption.enabled`	Enable ZeroMQ CURVE encryption for secure communication	`true`	`nsight-coordinator.curveEncryption.enabled`
`spec.curveEncryption.useCustomKeys`	Use custom encryption keys instead of auto-generated	`false`	`nsight-coordinator.curveEncryption.useCustomKeys`
`spec.nodeSelector`	Node selector for pod assignment	`{}`	`nsight-coordinator.nodeSelector`
`spec.tolerations`	Tolerations for pod assignment	`[]`	`nsight-coordinator.tolerations`
`spec.affinity`	Affinity rules for pod assignment	`{}`	`nsight-coordinator.affinity`
`spec.topologySpreadConstraints`	Topology spread constraints for pods	`[]`	`nsight-coordinator.topologySpreadConstraints`
`spec.securityContext`	Pod-level security context (inherits from `global.nsightCloud.securityContext.pod` if unset)	(inherits global)	`nsight-coordinator.securityContext`
`spec.containerSecurityContext`	Container-level security context (inherits from `global.nsightCloud.securityContext.container` if unset)	(inherits global)	`nsight-coordinator.containerSecurityContext`

Example:

apiVersion: nvidia.com/v1alpha1
kind: NsightCoordinator
metadata:
  name: nsight-coordinator
  namespace: my-namespace
spec:
  service:
    type: LoadBalancer
  curveEncryption:
    enabled: true
  resources:
    requests:
      cpu: 100m
      memory: 128Mi

NsightCloudStorageConfig#

API Version: nvidia.com/v1alpha1 | Kind: NsightCloudStorageConfig

Configures cloud storage (S3/MinIO) for profiling results. When MinIO is enabled, the operator deploys and manages MinIO instances.

Field	Description	Default	Helm Value
`spec.enabled`	Enable this storage configuration	–	`cloudStorage.enabled`
`spec.storage_type`	Storage backend type: `s3` or `local`	`s3`	`cloudStorage.storage_type`
`spec.bucketName`	S3 bucket name for storing reports	`nsight-reports`	`cloudStorage.bucketName`
`spec.mountPath`	Path where storage config is mounted in pods	`/mnt/nv/secrets/nsight-cloud-storage`	`cloudStorage.mountPath`
`spec.secretRef.name`	Reference to external S3 credentials secret	(auto-generated)	`cloudStorage.secretRef.name`
`spec.minio.enabled`	Enable operator-managed MinIO deployment. The CRD default is `false`; the parent Helm chart sets this to `true`, so stock installs get an in-cluster MinIO out of the box.	`false`	`cloudStorage.minio.enabled`
`spec.minio.persistence.enabled`	Enable persistent storage for MinIO	`false`	`cloudStorage.minio.persistence.enabled`
`spec.minio.persistence.storageClassName`	Storage class for the PVC	`""`	`cloudStorage.minio.persistence.storageClassName`
`spec.minio.persistence.size`	Size of the persistent volume	`10Gi`	`cloudStorage.minio.persistence.size`
`spec.minio.resources`	Resource limits for MinIO container	`{}`	`cloudStorage.minio.resources`
`spec.minio.service.type`	MinIO service type	`ClusterIP`	`cloudStorage.minio.service.type`
`spec.minio.service.port`	MinIO API port	`9000`	`cloudStorage.minio.service.port`
`spec.minio.service.consolePort`	MinIO console port	`9001`	`cloudStorage.minio.service.consolePort`

Example:

apiVersion: nvidia.com/v1alpha1
kind: NsightCloudStorageConfig
metadata:
  name: nsight-cloud-storage
  namespace: my-namespace
spec:
  enabled: true
  storage_type: s3
  bucketName: my-profiling-results
  minio:
    enabled: true
    persistence:
      enabled: true
      storageClassName: gp2
      size: 20Gi

NsightOtelCollector#

API Version: nvidia.com/v1alpha1 | Kind: NsightOtelCollector | Short Name: noc

Configures OTLP collector infrastructure for trace mirroring. Creates a StatefulSet with the OpenTelemetry collector and optional converter sidecar.

Field	Description	Default	Helm Value
`spec.replicas`	Number of replicas for the collector StatefulSet	`1`	`nsight-otel-collector.replicas`
`spec.resources`	Resource limits for the collector container	`{}`	`nsight-otel-collector.resources`
`spec.service.type`	Kubernetes service type	`ClusterIP`	`nsight-otel-collector.service.type`
`spec.receivers.otlpGRPCPort`	OTLP gRPC receiver port	`4317`	`nsight-otel-collector.receivers.otlpGRPCPort`
`spec.receivers.otlpHTTPPort`	OTLP HTTP receiver port	`4318`	`nsight-otel-collector.receivers.otlpHTTPPort`
`spec.persistentStorage.enabled`	Enable persistent storage for OTLP data	`true`	`nsight-otel-collector.persistentStorage.enabled`
`spec.persistentStorage.size`	Size of the persistent volume	`10Gi`	`nsight-otel-collector.persistentStorage.size`
`spec.otlpConverter.enabled`	Enable OTLP-to-Nsight report converter sidecar	`false`	`nsight-otel-collector.otlpConverter.enabled`
`spec.otlpConverter.resources`	Resource limits for the converter container	`{}`	`nsight-otel-collector.otlpConverter.resources`
`spec.otlpConverter.pollIntervalSeconds`	How often to check for conversion requests	`5`	–
`spec.otlpConverter.conversionGracePeriodSeconds`	Grace period for conversion completion	`10`	`nsight-otel-collector.otlpConverter.conversionGracePeriodSeconds`

Example:

apiVersion: nvidia.com/v1alpha1
kind: NsightOtelCollector
metadata:
  name: nsight-otel-collector
  namespace: my-namespace
spec:
  replicas: 1
  receivers:
    otlpGRPCPort: 4317
    otlpHTTPPort: 4318
  persistentStorage:
    enabled: true
    size: 20Gi
  otlpConverter:
    enabled: true
    conversionGracePeriodSeconds: 10

OTLPProxyConfig#

API Version: nvidia.com/v1alpha1 | Kind: OTLPProxyConfig | Short Name: opc

Configures OTLP proxy injection for pods. The injector webhook uses this to inject Envoy sidecars for trace mirroring.

Field	Description	Default	Helm Value
`spec.enabled`	Enable OTLP proxy injection	`true`	`otlpProxyConfig.enabled`
`spec.proxyImage`	Container image for the OTLP proxy sidecar	`envoyproxy/envoy:v1.28-latest`	–
`spec.nsightCollectorEndpoint`	Endpoint of the Nsight OTel Collector (auto-discovered if empty)	(auto-discovered)	–
`spec.resources`	Resource requirements for the proxy sidecar	`{}`	–

Example:

apiVersion: nvidia.com/v1alpha1
kind: OTLPProxyConfig
metadata:
  name: nsight-otlp-proxy-config
  namespace: my-namespace
spec:
  enabled: true
  resources:
    requests:
      memory: 50Mi
      cpu: 100m
    limits:
      memory: 200Mi
      cpu: 500m

NsightAnalysis#

API Version: nvidia.com/v1alpha1 | Kind: NsightAnalysis

Configures Nsight Analysis service infrastructure for running recipes.

Field	Description	Default	Helm Value
`spec.resources`	Resource requirements for the analysis container	`{}`	`nsight-analysis.resources`
`spec.service.type`	Kubernetes service type	`ClusterIP`	`nsight-analysis.service.type`
`spec.service.port`	Port for the REST API service	`8000`	`nsight-analysis.service.port`
`spec.service.annotations`	Annotations for the analysis service	`{}`	`nsight-analysis.service.annotations`
`spec.nodeSelector`	Node selector for pod assignment	`{}`	`nsight-analysis.nodeSelector`
`spec.tolerations`	Tolerations for pod assignment	`[]`	`nsight-analysis.tolerations`
`spec.affinity`	Affinity rules	`{}`	`nsight-analysis.affinity`
`spec.topologySpreadConstraints`	Topology spread constraints for pods	`[]`	`nsight-analysis.topologySpreadConstraints`

Example:

apiVersion: nvidia.com/v1alpha1
kind: NsightAnalysis
metadata:
  name: nsight-analysis
  namespace: my-namespace
spec:
  resources:
    requests:
      cpu: 1000m
      memory: 1Gi

NsightStreamer#

API Version: nvidia.com/v1alpha1 | Kind: NsightStreamer | Short Name: ns

Deploys a browser-based Nsight Systems viewer for profiling reports stored in the cluster. Nsight Operator integrates with Nsight Systems only; the upstream streamer container can host other Nsight tools, but they are out of scope for the operator.

Field	Description	Default	Helm Value
`spec.tool`	Nsight tool to run. Only `nsys` is supported by the operator.	`nsys`	`nsight-streamer.tool`
`spec.service.type`	Kubernetes service type	`ClusterIP`	`nsight-streamer.service.type`
`spec.service.httpPort`	HTTP port for web interface	`30080`	`nsight-streamer.service.httpPort`
`spec.service.turnPort`	WebRTC TURN port	`30478`	`nsight-streamer.service.turnPort`
`spec.enableResize`	Enable resizing to fit remote resolution to client window	`true`	`nsight-streamer.enableResize`
`spec.maxResolution`	Maximum resolution for streaming	`1920x1080`	`nsight-streamer.maxResolution`
`spec.webUsername`	Username for browser authentication (string or secret ref)	`nvidia`	`nsight-streamer.webUsername`
`spec.webPassword`	Password for browser authentication (string or secret ref). Warning The `nvidia` / `nvidia` defaults shown for `spec.webUsername` and `spec.webPassword` are for demos only – replace them before any production use. See Authentication for the Secret-reference form.	`nvidia`	`nsight-streamer.webPassword`
`spec.preserveConfig`	Preserve Nsight Tool configuration between restarts	`true`	`nsight-streamer.preserveConfig`
`spec.cloudStorageConfigRef`	Reference to NsightCloudStorageConfig for report access	–	(auto-configured)
`spec.resources`	Resource limits (set `nvidia.com/gpu` for hardware acceleration)	`{}`	`nsight-streamer.resources`
`spec.runtimeClassName`	RuntimeClass for GPU acceleration (set to `nvidia`)	–	`nsight-streamer.runtimeClassName`
`spec.volumes`	Additional volumes for mounting report files	`[]`	`nsight-streamer.volumes`
`spec.volumeMounts`	Volume mounts for the streamer container	`[]`	`nsight-streamer.volumeMounts`

Note

SecurityContext is intentionally not configurable. Nsight Streamer runs as the nvidia user internally and requires write access to its home directory.

Example:

apiVersion: nvidia.com/v1alpha1
kind: NsightStreamer
metadata:
  name: nsight-viewer
  namespace: my-namespace
spec:
  service:
    type: ClusterIP
    httpPort: 30080
    turnPort: 30478
  enableResize: true
  maxResolution: "1920x1080"
  # Placeholders only -- for production, reference credentials from a
  # Kubernetes Secret (see the "Example with Kubernetes Secret" below).
  webUsername:
    value: "<USERNAME>"
  webPassword:
    value: "<PASSWORD>"
  cloudStorageConfigRef:
    name: nsight-cloud-storage

Example with GPU Hardware Acceleration:

See Hardware Acceleration Prerequisites for the GPU, driver, and runtime requirements.

apiVersion: nvidia.com/v1alpha1
kind: NsightStreamer
metadata:
  name: nsight-viewer-gpu
  namespace: my-namespace
spec:
  runtimeClassName: nvidia
  resources:
    limits:
      nvidia.com/gpu: 1
  cloudStorageConfigRef:
    name: nsight-cloud-storage

Example with Kubernetes Secret:

Store webUsername / webPassword in a Kubernetes Secret rather than inline plaintext:

apiVersion: nvidia.com/v1alpha1
kind: NsightStreamer
metadata:
  name: nsight-viewer
  namespace: my-namespace
spec:
  webUsername:
    secretName: nsight-streamer-auth
    secretKey: username
  webPassword:
    secretName: nsight-streamer-auth
    secretKey: password
  cloudStorageConfigRef:
    name: nsight-cloud-storage

NsightGateway#

API Version: nvidia.com/v1alpha1 | Kind: NsightGateway | Short Name: ngw

Deploys an Envoy-based gateway that provides a unified HTTP entry point for the Coordinator and Analysis REST APIs. The operator controller reconciles this CR to create a Deployment, Service, and Envoy configuration ConfigMap. The gateway automatically discovers NsightCoordinator and NsightAnalysis CRs in the same namespace and routes traffic to them.

Field	Description	Default	Helm Value
`spec.image`	Container image for the Envoy gateway	`nvcr.io/nvidia/devtools/envoy:v1.37.0`	`nsight-gateway.image`
`spec.port`	Gateway service port	`8888`	`nsight-gateway.port`
`spec.domains`	Virtual host domains for routing	`["*"]`	`nsight-gateway.domains`
`spec.tlsSecretRef.name`	Reference to a Kubernetes TLS secret to enable HTTPS. The secret must contain `tls.crt` and `tls.key`.	–	`nsight-gateway.tlsSecretRef.name`
`spec.service.type`	Kubernetes service type (ClusterIP, NodePort, LoadBalancer)	`ClusterIP`	`nsight-gateway.service.type`
`spec.service.annotations`	Annotations for the gateway service	`{}`	`nsight-gateway.service.annotations`
`spec.authentication.jwt.enabled`	Enable JWT authentication	`false`	`nsight-gateway.authentication.jwt.enabled`
`spec.authentication.jwt.issuer`	Expected JWT issuer (iss claim)	`""`	`nsight-gateway.authentication.jwt.issuer`
`spec.authentication.jwt.audiences`	Expected JWT audiences (aud claim)	`[]`	`nsight-gateway.authentication.jwt.audiences`
`spec.authentication.jwt.jwksSecretRef`	Reference to a Secret containing the JWKS (key: `jwks`)	–	`nsight-gateway.authentication.jwt.jwksSecretRef`
`spec.authentication.apikey.enabled`	Enable API key authentication	`false`	`nsight-gateway.authentication.apikey.enabled`
`spec.authentication.apikey.key`	API key value (prefer `keySecretRef` for production)	`""`	`nsight-gateway.authentication.apikey.key`
`spec.authentication.apikey.keySecretRef`	Reference to a Secret containing the API key	–	`nsight-gateway.authentication.apikey.keySecretRef`
`spec.authentication.oauth2.enabled`	Enable OAuth2 authentication	`false`	`nsight-gateway.authentication.oauth2.enabled`
`spec.authentication.oauth2.issuer`	OIDC issuer URL. Endpoints and JWKS are auto-discovered.	`""`	`nsight-gateway.authentication.oauth2.issuer`
`spec.authentication.oauth2.clientId`	OAuth2 client ID	`""`	`nsight-gateway.authentication.oauth2.clientId`
`spec.authentication.oauth2.clientSecretRef`	Reference to a Kubernetes Secret containing the OAuth2 client secret and HMAC secret. The secret must have keys named `client_secret.key` and `hmac.key`.	–	Chart-managed from `nsight-gateway.authentication.oauth2.clientSecret` and `nsight-gateway.authentication.oauth2.hmac`
`spec.authentication.oauth2.scopes`	OAuth2 scopes to request	`[openid, profile, email]`	`nsight-gateway.authentication.oauth2.scopes`
`spec.routing.coordinatorPrefix`	URL prefix for coordinator routes	`/coordinator/`	`nsight-gateway.routing.coordinatorPrefix`
`spec.routing.analysisPrefix`	URL prefix for analysis routes	`/analysis/`	`nsight-gateway.routing.analysisPrefix`
`spec.routing.tenantOperatorPrefix`	URL prefix for NsightTenantOperator routes (used by the NsightCloudUI)	`/tenant-operator/`	`nsight-gateway.routing.tenantOperatorPrefix`
`spec.routing.streamerPrefix`	URL prefix for NsightStreamer routes (used by the NsightCloudUI to reach launched streamers)	`/streamer/`	`nsight-gateway.routing.streamerPrefix`
`spec.coordinatorRef`	Reference to a NsightCoordinator CR (auto-discovered if not set)	(auto-discovered)	–
`spec.analysisRef`	Reference to a NsightAnalysis CR (auto-discovered if not set)	(auto-discovered)	–
`spec.resources`	Resource limits and requests for the gateway container	`{}`	`nsight-gateway.resources`

Example with JWT authentication:

apiVersion: nvidia.com/v1alpha1
kind: NsightGateway
metadata:
  name: nsight-operator-gateway
  namespace: my-namespace
spec:
  port: 8888
  service:
    type: LoadBalancer
  authentication:
    jwt:
      enabled: true
      issuer: https://example.com
      audiences:
      - nsight-cloud
      jwksSecretRef:
        name: my-jwks-secret

Example with API key authentication:

apiVersion: nvidia.com/v1alpha1
kind: NsightGateway
metadata:
  name: nsight-operator-gateway
  namespace: my-namespace
spec:
  service:
    type: ClusterIP
  authentication:
    apikey:
      enabled: true
      keySecretRef:
        name: my-apikey-secret
        key: api-key

Example with TLS and OAuth2 authentication:

apiVersion: nvidia.com/v1alpha1
kind: NsightGateway
metadata:
  name: nsight-operator-gateway
  namespace: my-namespace
spec:
  service:
    type: LoadBalancer
  tlsSecretRef:
    name: gateway-tls
  authentication:
    oauth2:
      enabled: true
      issuer: https://login.example.com
      clientId: "<client-id>"
      clientSecretRef:
        name: gateway-oauth2
      scopes:
      - openid
      - profile
      - email

NsightTenantOperator#

API Version: nvidia.com/v1alpha1 | Kind: NsightTenantOperator | Short Name: nto

Deploys the tenant-scoped FastAPI service that manages per-session Nsight Streamer launches for the Nsight Cloud UI. The operator controller reconciles this CR into a Deployment, Service, ServiceAccount, Role, and RoleBinding that allow the service to create and delete NsightStreamer resources in its namespace.

Field	Description	Default	Helm Value
`spec.image`	Container image for the tenant operator service	(operator default)	`nsight-tenant-operator.image`
`spec.imagePullPolicy`	Image pull policy	`IfNotPresent`	`nsight-tenant-operator.imagePullPolicy`
`spec.imagePullSecrets`	References to image pull secrets	`[]`	`nsight-tenant-operator.imagePullSecrets`
`spec.service.type`	Kubernetes service type	`ClusterIP`	`nsight-tenant-operator.service.type`
`spec.service.port`	Service port for the tenant operator API	`8001`	`nsight-tenant-operator.service.port`
`spec.service.annotations`	Annotations for the service	`{}`	`nsight-tenant-operator.service.annotations`
`spec.cloudStorageConfigRef.name`	Reference to a NsightCloudStorageConfig used for storage-backed session discovery	(auto-discovered)	–
`spec.streamerLaunch.maxActive`	Maximum number of concurrently active streamers launched by the API. The CRD default is `1`; when the resource is generated by the parent Helm chart, this is set to `10`.	`1`	`nsight-streamer.launchLimit.multiTenantMaxActivePerNamespace`
`spec.streamerLaunch.env`	Additional environment variables to inject into launched streamer containers	`[]`	–
`spec.resources`	Resource requirements for the tenant operator container	`{}`	`nsight-tenant-operator.resources`
`spec.nodeSelector`	Node selector for pod assignment	`{}`	`nsight-tenant-operator.nodeSelector`
`spec.tolerations`	Tolerations for pod assignment	`[]`	`nsight-tenant-operator.tolerations`
`spec.affinity`	Affinity rules for pod assignment	`{}`	`nsight-tenant-operator.affinity`
`spec.topologySpreadConstraints`	Topology spread constraints for pods	`[]`	`nsight-tenant-operator.topologySpreadConstraints`
`spec.securityContext`	Pod-level security context	(inherits global)	`nsight-tenant-operator.securityContext`
`spec.containerSecurityContext`	Container-level security context	(inherits global)	`nsight-tenant-operator.containerSecurityContext`

REST API#

When the service is reachable via the gateway (prefixed by spec.routing.tenantOperatorPrefix on NsightGateway, default /tenant-operator/) it exposes the following endpoints:

Method	Path	Description
`POST`	`/api/v1/streamers`	Launch a streamer for a session. The request body describes the tool, credentials, and session ID. The controller creates a corresponding NsightStreamer CR subject to the `streamerLaunch.maxActive` cap.
`GET`	`/api/v1/streamers/session/{session}`	Return the streamer associated with the given session ID, including its URL and status.
`DELETE`	`/api/v1/streamers/session/{session}`	Terminate and delete the streamer for the given session ID.
`GET`	`/healthz`	Liveness / readiness probe.

Example:

apiVersion: nvidia.com/v1alpha1
kind: NsightTenantOperator
metadata:
  name: nsight-tenant-operator
  namespace: my-team-ns
spec:
  service:
    type: ClusterIP
    port: 8001
  streamerLaunch:
    maxActive: 3
  cloudStorageConfigRef:
    name: nsight-cloud-storage
  resources:
    requests:
      cpu: 100m
      memory: 256Mi

NsightCloudUI#

API Version: nvidia.com/v1alpha1 | Kind: NsightCloudUI | Short Name: nui

Deploys the Nsight Cloud UI, a static single-page web application for browsing profiling sessions, collections, and analysis jobs. The UI is served behind the NsightGateway and talks to the NsightTenantOperator to launch per-session streamers.

Field	Description	Default	Helm Value
`spec.image`	Container image for the UI service	(operator default)	`nsight-cloud-ui.image`
`spec.imagePullPolicy`	Image pull policy	`IfNotPresent`	`nsight-cloud-ui.imagePullPolicy`
`spec.imagePullSecrets`	References to image pull secrets	`[]`	`nsight-cloud-ui.imagePullSecrets`
`spec.replicas`	Number of UI replicas	`1`	`nsight-cloud-ui.replicas`
`spec.service.type`	Kubernetes service type	`ClusterIP`	`nsight-cloud-ui.service.type`
`spec.service.port`	Service port	`80`	`nsight-cloud-ui.service.port`
`spec.service.targetPort`	Container target port	`8080`	`nsight-cloud-ui.service.targetPort`
`spec.service.annotations`	Annotations for the service	`{}`	`nsight-cloud-ui.service.annotations`
`spec.service.labels`	Labels for the service	`{}`	`nsight-cloud-ui.service.labels`
`spec.tenantOperatorUrl`	URL or gateway-relative path the UI uses to reach the tenant operator. Injected into the UI as `NSIGHT_TENANT_OPERATOR_URL`.	`/tenant-operator`	–
`spec.resources`	Resource requirements for the UI container	`{}`	`nsight-cloud-ui.resources`
`spec.nodeSelector`	Node selector for pod assignment	`{}`	`nsight-cloud-ui.nodeSelector`
`spec.tolerations`	Tolerations for pod assignment	`[]`	`nsight-cloud-ui.tolerations`
`spec.affinity`	Affinity rules for pod assignment	`{}`	`nsight-cloud-ui.affinity`
`spec.topologySpreadConstraints`	Topology spread constraints for pods	`[]`	`nsight-cloud-ui.topologySpreadConstraints`
`spec.securityContext`	Pod-level security context	(inherits global)	`nsight-cloud-ui.securityContext`
`spec.containerSecurityContext`	Container-level security context	(inherits global)	`nsight-cloud-ui.containerSecurityContext`

Accessing the UI#

When the gateway is enabled (default), the UI is served at the gateway root on the configured gateway port (8888 by default). The gateway’s tenantOperatorPrefix (default /tenant-operator/) and streamerPrefix (default /streamer/) allow the UI to reach the tenant operator and launch per-session streamers without additional configuration.

Example:

apiVersion: nvidia.com/v1alpha1
kind: NsightCloudUI
metadata:
  name: nsight-cloud-ui
  namespace: my-team-ns
spec:
  replicas: 1
  service:
    type: ClusterIP
    port: 80
    targetPort: 8080
  tenantOperatorUrl: "/tenant-operator"
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 512Mi

NsightOperatorProfileConfig#

API Version: nvidia.com/v1 | Kind: NsightOperatorProfileConfig | Short Name: nopc

Defines profiling configurations and injection rules. Namespace-scoped, allowing per-tenant customization. This CRD is managed by the Injector Webhook.

Field	Description	Default	Helm Value
`spec.defaultNsightToolConfigRef`	Default profile name from nsightToolConfigs	–	`nsight-injector.injectionConfig.defaultNsightToolConfigRef`
`spec.nsightToolConfigs`	List of reusable nsight tool configurations	`[]`	`nsight-injector.injectionConfig.nsightToolConfigs`
`spec.nsightToolConfigs[].name`	Unique name identifying the profile	–	–
`spec.nsightToolConfigs[].nsightToolArgs`	Arguments for Nsight Systems	–	`nsight-injector.nsightToolConfig.nsightToolArgs`
`spec.nsightToolConfigs[].injectionIncludePatterns`	Regex patterns for processes to profile	`[".*"]`	`nsight-injector.nsightToolConfig.injectionIncludePatterns`
`spec.nsightToolConfigs[].injectionExcludePatterns`	Regex patterns for processes to exclude	`[]`	`nsight-injector.nsightToolConfig.injectionExcludePatterns`
`spec.nsightToolConfigs[].coordinator`	Enable coordinator mode	`true`	`nsight-injector.nsightToolConfig.coordinator`
`spec.nsightToolConfigs[].coordinatorService.name`	Coordinator service name (format: `name.namespace` for cross-namespace)	(auto-discovered)	–
`spec.nsightToolConfigs[].volumes`	Volumes to inject into profiled containers	`[]`	`nsight-injector.nsightToolConfig.volumes`
`spec.nsightToolConfigs[].volumeMounts`	Volume mounts to inject	`[]`	`nsight-injector.nsightToolConfig.volumeMounts`
`spec.nsightToolConfigs[].env`	Environment variables for profiled process only	`[]`	`nsight-injector.nsightToolConfig.env`
`spec.nsightToolConfigs[].containerEnv`	Environment variables for container (visible to all processes)	`[]`	`nsight-injector.nsightToolConfig.containerEnv`
`spec.nsightToolConfigs[].logOutput`	Logging output: `stdout`, `stderr`, or file path	–	–
`spec.nsightToolConfigs[].otlpMirroringEnabled`	Enable OTLP mirroring (injects Envoy proxy). The CRD itself has no default; when the default profile is generated from the parent Helm chart, this is set to `true`.	–	`nsight-injector.nsightToolConfig.otlpMirroringEnabled`
`spec.injectionRules`	List of injection rules	`[]`	`nsight-injector.injectionConfig.injectionRules`
`spec.injectionRules[].name`	Unique name for this injection rule	–	–
`spec.injectionRules[].nsightToolConfigRef`	Profile to use for matched pods	–	–
`spec.injectionRules[].enabled`	Enable/disable this rule	`true`	–
`spec.injectionRules[].namespaceSelector.matchLabels`	Match namespaces by labels	–	–
`spec.injectionRules[].objectSelector.matchLabels`	Match pods by labels	–	–
`spec.injectionRules[].matchConditions`	CEL expressions for advanced matching	`[]`	–

Example:

apiVersion: nvidia.com/v1
kind: NsightOperatorProfileConfig
metadata:
  name: team-profile-config
  namespace: my-team-ns
spec:
  defaultNsightToolConfigRef: "default-profile"
  nsightToolConfigs:
    - name: "default-profile"
      coordinator: true
      nsightToolArgs: "--python-sampling=true --cuda-graph-trace=node"
      injectionIncludePatterns:
        - ".*python.*"
        - ".*myapp.*"
      otlpMirroringEnabled: true
  injectionRules:
    - name: "profile-labeled-pods"
      objectSelector:
        matchLabels:
          nvidia-nsight-profile: enabled