[View a larger version of this image](/images/embedded-cluster-v3-install-wizard-login.png)
### `icon`
A file with the icon to use in the customer-facing UI. Typically, this is the application's logo.
The icon can be a remote URL or a Base64 encoded image. Air gap installations require Base64 encoded images.
#### Limitation
The `icon` property doesn't support Go templating.
#### Examples
##### Remote URL
```yaml
apiVersion: kots.io/v1beta1
kind: Application
metadata:
name: your-application
spec:
icon: https://support.io/img/logo.png
```
##### Base64-encoded image
```yaml
apiVersion: kots.io/v1beta1
kind: Application
metadata:
name: your-application
spec:
icon: data:image/svg+xml;base64,PHNy4xMDwM...# based64-encoded image
```
### `releaseNotes`
The release notes for this application version. You can also set the release notes from the Vendor Portal or Replicated CLI when you promote a release.
#### Limitation
The `releaseNotes` property doesn't support Go templating.
#### Example
```yaml
apiVersion: kots.io/v1beta1
kind: Application
metadata:
name: your-application
spec:
releaseNotes: Fixes a bug and adds a new feature.
```
### `allowRollback`
Enable this flag to create a **Rollback** button on the Admin Console **Version History** page. By default, `allowRollback` is false.
If your application does not introduce backwards-incompatible versions, such as through database migrations, you can use `allowRollback`. This flag lets end users roll back to previous versions from the Admin Console.
Rollback does not revert any state. Rather, it recovers the YAML manifests applied to the cluster.
#### Limitations
* The `allowRollback` property doesn't support Go templating.
* Embedded Cluster v3 doesn't support the `allowRollback` property.
* Embedded Cluster v2 supports rolling back the application version only. It doesn't support rolling back the Embedded Cluster version. Users can roll back to an earlier application version only when the Embedded Cluster version stays the same. For example, after upgrading to 1.1.0, users can roll back to version 1.0.0 only if both 1.0.0 and 1.1.0 use the same Embedded Cluster version.
#### Example
```yaml
apiVersion: kots.io/v1beta1
kind: Application
metadata:
name: your-application
spec:
allowRollback: true
```
### `additionalNamespaces`
An array of additional namespaces as strings for KOTS to create in the cluster. For more information, see [Defining Additional Namespaces](/vendor/operator-defining-additional-namespaces).
In each additional namespace, KOTS creates the application secret.
KOTS ensures that the application secret can pull all application images. This includes images in use and any images that you add in the [`additionalImages`](#additionalimages) property.
This pull secret is automatically added to all manifest files that use private images.
For dynamically created namespaces, specify `"*"`.
#### Limitations
* The `additionalNamespaces` property doesn't support Go templating.
* Embedded Cluster v3 doesn't support the `additionalNamespaces` property.
#### Example
```yaml
apiVersion: kots.io/v1beta1
kind: Application
metadata:
name: your-application
spec:
additionalNamespaces:
- "*"
```
### `additionalImages`
An array of strings that reference images to include in air gap bundles and push to the local registry during installation.
KOTS detects images from the PodSpecs in the application. Some applications, such as Operators, might need to include additional images that are not referenced until runtime. For more information, see [Defining Additional Images](/vendor/operator-defining-additional-images).
#### Limitations
* The `additionalImages` property doesn't support Go templating.
* Embedded Cluster v3 doesn't support the `additionalImages` property.
#### Example
```yaml
apiVersion: kots.io/v1beta1
kind: Application
metadata:
name: your-application
spec:
additionalImages:
- jenkins/jenkins:lts
```
### `excludedImages`
An array of strings that reference images to exclude from air gap bundles.
#### Limitations
* The `excludedImages` property doesn't support Go templating.
* Embedded Cluster v3 doesn't support the `excludedImages` property.
#### Example
```yaml
apiVersion: kots.io/v1beta1
kind: Application
metadata:
name: your-application
spec:
excludedImages:
- auto # This image does not exist but is imported by the Istio Gateway chart
```
### `requireMinimalRBACPrivileges`
When true, `requireMinimalRBACPrivileges` requires minimal role-based access control (RBAC) for KOTS. When set to `true`, KOTS creates a namespace-scoped Role and RoleBinding instead of the default cluster-scoped ClusterRole and ClusterRoleBinding. By default, `requireMinimalRBACPrivileges` is false.
For additional requirements and limitations related to using namespace-scoped RBAC, see [About Namespace-scoped RBAC](/vendor/packaging-rbac#min-rbac) in _Configuring KOTS RBAC_.
#### Limitations
* The `requireMinimalRBACPrivileges` property doesn't support Go templating.
* Supported for KOTS existing cluster installations only. Embedded Cluster doesn't support the `requireMinimalRBACPrivileges` property.
#### Example
```yaml
apiVersion: kots.io/v1beta1
kind: Application
metadata:
name: your-application
spec:
requireMinimalRBACPrivileges: true
```
### `supportMinimalRBACPrivileges`
Allows minimal role-based access control (RBAC) for all customer installations. When set to `true`, KOTS supports creating a namespace-scoped Role and RoleBinding instead of the default cluster-scoped ClusterRole and ClusterRoleBinding. By default, `supportMinimalRBACPrivileges` is false.
Minimal RBAC is not used by default. KOTS uses minimal RBAC only when you pass the `--use-minimal-rbac` flag to the `kots install` command.
For additional requirements and limitations related to using namespace-scoped RBAC, see [About Namespace-scoped RBAC](/vendor/packaging-rbac#min-rbac) in _Configuring KOTS RBAC_.
#### Limitations
* The `supportMinimalRBACPrivileges` property doesn't support Go templating.
* Supported for KOTS existing cluster installations only. Embedded Cluster doesn't support the `supportMinimalRBACPrivileges` property.
#### Example
```yaml
apiVersion: kots.io/v1beta1
kind: Application
metadata:
name: your-application
spec:
supportMinimalRBACPrivileges: true
```
### `ports`
Extra ports, in addition to the `8800` Admin Console port, that are port-forwarded when running the `kubectl kots admin-console` command. With ports specified, KOTS can establish port forwarding to simplify connections to the deployed application. When the application starts and the service is ready, the KOTS CLI prints the URL to access the port-forwarded service. For more information, see [Port Forwarding Services with KOTS](/vendor/admin-console-port-forward).
:::note
KOTS does not automatically create port forwards for installations on VMs or bare metal servers with Replicated Embedded Cluster or Replicated kURL. This is because it cannot be verified that the ports are secure and authenticated. Instead, Embedded Cluster or kURL creates a NodePort service to make the Admin Console accessible on a port on the node (port `8800` for kURL or port `30000` for Embedded Cluster).
You can expose additional ports on the node for Embedded Cluster or kURL installations by creating NodePort services. For more information, see [Exposing Services Using NodePorts](/vendor/kurl-nodeport-services).
:::
The `ports` key has the following fields:
ports.serviceName: The name of the service that receives the traffic.ports.servicePort: The containerPort of the Pod where the service is running.
ports.localPort: The port to map on the local workstation.(Optional) ports.applicationUrl: When set to the same URL that is specified in the `descriptor.links.url` field of the Kubernetes SIG Application custom resource, KOTS adds a link on the Admin Console dashboard where the given service can be accessed. This process automatically links to the hostname in the browser (where the Admin Console is being accessed) and appends the specified `localPort`.
If not set, then the URL defined in the `descriptor.links.url` field of the Kubernetes SIG Application is linked on the Admin Console dashboard.