2017-06-22 01:12:44 +00:00
---
2018-02-18 19:29:37 +00:00
reviewers:
2017-06-22 01:12:44 +00:00
- erictune
- mikedanese
- thockin
title: Configure a Security Context for a Pod or Container
2018-05-05 16:00:51 +00:00
content_template: templates/task
2018-05-20 04:43:52 +00:00
weight: 80
2017-06-22 01:12:44 +00:00
---
2018-05-05 16:00:51 +00:00
{{% capture overview %}}
2017-06-22 01:12:44 +00:00
A security context defines privilege and access control settings for
a Pod or Container. Security context settings include:
* Discretionary Access Control: Permission to access an object, like a file, is based on
[user ID (UID) and group ID (GID) ](https://wiki.archlinux.org/index.php/users_and_groups ).
* [Security Enhanced Linux (SELinux) ](https://en.wikipedia.org/wiki/Security-Enhanced_Linux ): Objects are assigned security labels.
* Running as privileged or unprivileged.
* [Linux Capabilities ](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/ ): Give a process some privileges, but not all the privileges of the root user.
* [AppArmor ](/docs/tutorials/clusters/apparmor/ ): Use program profiles to restrict the capabilities of individual programs.
2018-04-12 21:38:59 +00:00
* [Seccomp ](https://en.wikipedia.org/wiki/Seccomp ): Filter a process's system calls.
2017-06-22 01:12:44 +00:00
Release 1.8 (#5659)
* GC now supports non-core resources
* Add two examples about how to analysis audits of kube-apiserver (#4264)
* Deprecate system:nodes binding
* [1.8] StatefulSet `initialized` annotation is now ignored.
* inits the kubeadm upgrade docs
addresses kubernetes/kubernetes.github.io/issues/4689
* adds kubeadm upgrade cmd to ToC
addresses kubernetes/kubernetes.github.io/issues/4689
* add workload placement docs
* ScaleIO - document udpate for 1.8
* Add documentation on storageClass.mountOptions and PV.mountOptions (#5254)
* Add documentation on storageClass.mountOptions and PV.mountOptions
* convert notes into callouts
* Add docs for CustomResource validation
add info about supported fields
* advanced audit beta features (#5300)
* Update job workload doc with backoff failure policy (#5319)
Add to the Jobs documentation how to use the new backoffLimit field that
limit the number of Pod failure before considering the Job as failed.
* Documented additional AWS Service annotations (#4864)
* Add device plugin doc under concepts/cluster-administration. (#5261)
* Add device plugin doc under concepts/cluster-administration.
* Update device-plugins.md
* Update device-plugins.md
Add meta description. Fix typo. Change bare metal deployment to manual deployment.
* Update device-plugins.md
Fix typo again.
* Update page.version. (#5341)
* Add documentation on storageClass.reclaimPolicy (#5171)
* [Advanced audit] use new herf for audit-api (#5349)
This tag contains all the changes in v1beta1 version. Update it now.
* Added documentation around creating the InitializerConfiguration for the persistent volume label controller in the cloud-controller-manager (#5255)
* Documentation for kubectl plugins (#5294)
* Documentation for kubectl plugins
* Update kubectl-plugins.md
* Update kubectl-plugins.md
* Updated CPU manager docs to match implementation. (#5332)
* Noted limitation of alpha static cpumanager.
* Updated CPU manager docs to match implementation.
- Removed references to CPU pressure node condition and evictions.
- Added note about new --cpu-manager-reconcile-period flag.
- Added note about node allocatable requirements for static policy.
- Noted limitation of alpha static cpumanager.
* Move cpu-manager task link to rsc mgmt section.
* init containers annotation removed in 1.8 (#5390)
* Add documentation for TaintNodesByCondition (#5352)
* Add documentation for TaintNodesByCondition
* Update nodes.md
* Update taint-and-toleration.md
* Update daemonset.md
* Update nodes.md
* Update taint-and-toleration.md
* Update daemonset.md
* Fix deployments (#5421)
* Document extended resources and OIR deprecation. (#5399)
* Document extended resources and OIR deprecation.
* Updated extended resources doc per reviews.
* reverts extra spacing in _data/tasks.yml
* addresses `kubeadm upgrade` review comments
Feedback from @chenopis, @luxas, and @steveperry-53 addressed with this commit
* HugePages documentation (#5419)
* Update cpu-management-policies.md (#5407)
Fixed the bad link.
Modified "cpu" to "CPU".
Added more 'yaml' as supplement.
* Update RBAC docs for v1 (#5445)
* Add user docs for pod priority and preemption (#5328)
* Add user docs for pod priority and preemption
* Update pod-priority-preemption.md
* More updates
* Update docs/admin/kubeadm.md for 1.8 (#5440)
- Made a couple of minor wording changes (not strictly 1.8 related).
- Did some reformatting (not strictly 1.8 related).
- Updated references to the default token TTL (was infinite, now 24 hours).
- Documented the new `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join`.
- Added references to the new `--discovery-token-ca-cert-hash` flag in all the default examples.
- Added a new _Security model_ section that describes the security tradeoffs of the various discovery modes.
- Documented the new `--groups` flag for `kubeadm token create`.
- Added a note of caution under _Automating kubeadm_ that references the _Security model_ section.
- Updated the component version table to drop 1.6 and add 1.8.
- Update `_data/reference.yml` to try to get the sidebar fixed up and more consistent with `kubefed`.
* Update StatefulSet Basics for 1.8 release (#5398)
* addresses `kubeadm upgrade` review comments
2nd iteration review comments by @luxas
* adds kubelet upgrade section to kubeadm upgrade
* Fix a bulleted list on docs/admin/kubeadm.md. (#5458)
I updated this doc yesterday and I was absolutely sure I fixed this, but I just saw that this commit got lost somehow.
This was introduced recently in https://github.com/kubernetes/kubernetes.github.io/pull/5440.
* Clarify the API to check for device plugins
* Moving Flexvolume to separate out-of-tree section
* addresses `kubeadm upgrade` review comments
CC: @luxas
* fixes kubeadm upgrade index
* Update Stackdriver Logging documentation (#5495)
* Re-update WordPress and MySQL PV doc to use apps/v1beta2 APIs (#5526)
* Update statefulset concepts doc to use apps/v1beta2 APIs (#5420)
* add document on kubectl's behavior regarding initializers (#5505)
* Update docs/admin/kubeadm.md to cover self-hosting in 1.8. (#5497)
This is a new beta feature in 1.8.
* Update kubectl patch doc to use apps/v1beta2 APIs (#5422)
* [1.8] Update "Run Applications" tasks to apps/v1beta2. (#5525)
* Update replicated stateful application task for 1.8.
* Update single instance stateful app task for 1.8.
* Update stateless app task for 1.8.
* Update kubectl patch task for 1.8.
* fix the link of persistent storage (#5515)
* update the admission-controllers.md index.md what-is-kubernetes.md link
* fix the link of persistent storage
* Add quota support for local ephemeral storage (#5493)
* Add quota support for local ephemeral storage
update the doc to this alpha feature
* Update resource-quotas.md
* Updated Deployments concepts doc (#5491)
* Updated Deployments concepts doc
* Addressed comments
* Addressed more comments
* Modify allocatable storage to ephemeral-storage (#5490)
Update the doc to use ephemeral-storage instead of storage
* Revamped concepts doc for ReplicaSet (#5463)
* Revamped concepts doc for ReplicaSet
* Minor changes to call out specific versions for selector defaulting and
immutability
* Addressed doc review comments
* Remove petset documentations (#5395)
* Update docs to use batch/v1beta1 cronjobs (#5475)
* add federation job doc (#5485)
* add federation job doc
* Update job.md
Edits for clarity and consistency
* Update job.md
Fixed a typo
* update DaemonSet concept for 1.8 release (#5397)
* update DaemonSet concept for 1.8 release
* Update daemonset.md
Fix typo. than -> then
* Update bootstrap tokens doc for 1.8. (#5479)
* Update bootstrap tokens doc for 1.8.
This has some changes I missed when I was updating the main kubeadm documention:
- Bootstrap tokens are now beta, not alpha (https://github.com/kubernetes/features/issues/130)
- The apiserver flag to enable the authenticator changedin 1.8 (https://github.com/kubernetes/kubernetes/pull/51198)
- Added `auth-extra-groups` documentaion (https://github.com/kubernetes/kubernetes/pull/50933)
- Updated the _Token Management with `kubeadm`_ section to link to the main kubeadm docs, since it was just duplicated information.
* Update bootstrap-tokens.md
* Updated the Cassandra tutorial to use apps/v1beta2 (#5548)
* add docs for AllowPrivilegeEscalation (#5448)
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
* Add local ephemeral storage alpha feature in managing compute resource (#5522)
* Add local ephemeral storage alpha feature in managing compute resource
Since 1.8, we add the local ephemeral storage alpha feature as one
resource type to manage. Add this feature into the doc.
* Update manage-compute-resources-container.md
* Update manage-compute-resources-container.md
* Update manage-compute-resources-container.md
* Update manage-compute-resources-container.md
* Update manage-compute-resources-container.md
* Update manage-compute-resources-container.md
* Added documentation for Metrics Server (#5560)
* authorization: improve authorization debugging docs (#5549)
* Document mount propagation (#5544)
* Update /docs/setup/independent/create-cluster-kubeadm.md for 1.8. (#5524)
This introduction needed a couple of small tweaks to cover the `--discovery-token-ca-cert-hash` flag added in https://github.com/kubernetes/kubernetes/pull/49520 and some version bumps.
* Add task doc for alpha dynamic kubelet configuration (#5523)
* Fix input/output of selfsubjectaccess review (#5593)
* Add docs for implementing resize (#5528)
* Add docs for implementing resize
* Update admission-controllers.md
* Added link to PVC section
* minor typo fixes
* Update NetworkPolicy concept guide with egress and CIDR changes (#5529)
* update zookeeper tutorial for 1.8 release
* add doc for hostpath type (#5503)
* Federated Hpa feature doc (#5487)
* Federated Hpa feature doc
* Federated Hpa feature doc review fixes
* Update hpa.md
* Update hpa.md
* update cloud controller manager docs for v1.8
* Update cronjob with defaults information (#5556)
* Kubernetes 1.8 reference docs (#5632)
* Kubernetes 1.8 reference docs
* Kubectl reference docs for 1.8
* Update side bar with 1.8 kubectl and api ref docs links
* remove petset.md
* update on state of HostAlias in 1.8 with hostNetwork Pod support (#5644)
* Fix cron job deletion section (#5655)
* update imported docs (#5656)
* Add documentation for certificate rotation. (#5639)
* Link to using kubeadm page
* fix the command output
fix the command output
* fix typo in api/resources reference: "Worloads"
* Add documentation for certificate rotation.
* Create TOC entry for cloud controller manager. (#5662)
* Updates for new versions of API types
* Followup 5655: fix link to garbage collection (#5666)
* Temporarily redirect resources-reference to api-reference. (#5668)
* Update config for 1.8 release. (#5661)
* Update config for 1.8 release.
* Address reviewer comments.
* Switch references in HPA docs from alpha to beta (#5671)
The HPA docs still referenced the alpha version. This switches them to
talk about v2beta1, which is the appropriate version for Kubernetes 1.8
* Deprecate openstack heat (#5670)
* Fix typo in pod preset conflict example
Move container port definition to the correct line.
* Highlight openstack-heat provider deprecation
The openstack-heat provider for kube-up is being deprecated and will be
removed in a future release.
* Temporarily fix broken links by redirecting. (#5672)
* Fix broken links. (#5675)
* Fix render of code block (#5674)
* Fix broken links. (#5677)
* Add a small note about auto-bootstrapped CSR ClusterRoles (#5660)
* Update kubeadm install doc for v1.8 (#5676)
* add draft workloads api content for 1.8 (#5650)
* add draft workloads api content for 1.8
* edits per review, add tables, for 1.8 workloads api doc
* fix typo
* Minor fixes to kubeadm 1.8 upgrade guide. (#5678)
- The kubelet upgrade instructions should be done on every host, not
just worker nodes.
- We should just upgrade all packages, instead of calling out kubelet
specifically. This will also upgrade kubectl, kubeadm, and
kubernetes-cni, if installed.
- Draining nodes should also ignore daemonsets, and master errors can be
ignored.
- Make sure that the new kubeadm download is chmoded correctly.
- Add a step to run `kubeadm version` to verify after downloading.
- Manually approve new kubelet CSRs if rotation is enabled (known issue).
* Release 1.8 (#5680)
* Fix versions for 1.8 API ref docs
* Updates for 1.8 kubectl reference docs
* Kubeadm /docs/admin/kubeadm.md cleanup, editing. (#5681)
* Update docs/admin/kubeadm.md (mostly 1.8 related).
This is Fabrizio's work, which I'm committing along with my edits (in a commit on top of this).
* A few of my own edits to clarify and clean up some Markdown.
2017-09-29 04:46:51 +00:00
* AllowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent process. This bool directly controls whether the [`no_new_privs` ](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt ) flag gets set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has `CAP_SYS_ADMIN` .
2017-06-22 01:12:44 +00:00
For more information about security mechanisms in Linux, see
[Overview of Linux Kernel Security Features ](https://www.linux.com/learn/overview-linux-kernel-security-features )
2018-05-05 16:00:51 +00:00
{{% /capture %}}
2017-06-22 01:12:44 +00:00
2018-05-05 16:00:51 +00:00
{{% capture prerequisites %}}
2017-06-22 01:12:44 +00:00
2018-05-05 16:00:51 +00:00
{{< include " task-tutorial-prereqs . md " > }} {{< version-check > }}
2017-06-22 01:12:44 +00:00
2018-05-05 16:00:51 +00:00
{{% /capture %}}
2017-06-22 01:12:44 +00:00
2018-05-05 16:00:51 +00:00
{{% capture steps %}}
2017-06-22 01:12:44 +00:00
## Set the security context for a Pod
To specify security settings for a Pod, include the `securityContext` field
in the Pod specification. The `securityContext` field is a
2018-05-05 16:00:51 +00:00
[PodSecurityContext ](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core ) object.
2017-06-22 01:12:44 +00:00
The security settings that you specify for a Pod apply to all Containers in the Pod.
Here is a configuration file for a Pod that has a `securityContext` and an `emptyDir` volume:
2018-05-05 16:00:51 +00:00
{{< code file = "security-context.yaml" > }}
2017-06-22 01:12:44 +00:00
In the configuration file, the `runAsUser` field specifies that for any Containers in
the Pod, the first process runs with user ID 1000. The `fsGroup` field specifies that
group ID 2000 is associated with all Containers in the Pod. Group ID 2000 is also
associated with the volume mounted at `/data/demo` and with any files created in that
volume.
Create the Pod:
```shell
kubectl create -f https://k8s.io/docs/tasks/configure-pod-container/security-context.yaml
```
Verify that the Pod's Container is running:
```shell
kubectl get pod security-context-demo
```
Get a shell to the running Container:
```shell
kubectl exec -it security-context-demo -- sh
```
In your shell, list the running processes:
```shell
ps aux
```
2017-08-01 09:05:09 +00:00
The output shows that the processes are running as user 1000, which is the value of `runAsUser` :
2017-06-22 01:12:44 +00:00
```shell
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1000 1 0.0 0.0 4336 724 ? Ss 18:16 0:00 /bin/sh -c node server.js
1000 5 0.2 0.6 772124 22768 ? Sl 18:16 0:00 node server.js
...
```
In your shell, navigate to `/data` , and list the one directory:
```shell
cd /data
ls -l
```
The output shows that the `/data/demo` directory has group ID 2000, which is
the value of `fsGroup` .
```shell
drwxrwsrwx 2 root 2000 4096 Jun 6 20:08 demo
```
In your shell, navigate to `/data/demo` , and create a file:
```shell
cd demo
echo hello > testfile
```
List the file in the `/data/demo` directory:
```shell
ls -l
```
The output shows that `testfile` has group ID 2000, which is the value of `fsGroup` .
```shell
-rw-r--r-- 1 1000 2000 6 Jun 6 20:08 testfile
```
Exit your shell:
```shell
exit
```
## Set the security context for a Container
To specify security settings for a Container, include the `securityContext` field
in the Container manifest. The `securityContext` field is a
2018-05-05 16:00:51 +00:00
[SecurityContext ](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core ) object.
2017-06-22 01:12:44 +00:00
Security settings that you specify for a Container apply only to
the individual Container, and they override settings made at the Pod level when
there is overlap. Container settings do not affect the Pod's Volumes.
Here is the configuration file for a Pod that has one Container. Both the Pod
and the Container have a `securityContext` field:
2018-05-05 16:00:51 +00:00
{{< code file = "security-context-2.yaml" > }}
2017-06-22 01:12:44 +00:00
Create the Pod:
```shell
kubectl create -f https://k8s.io/docs/tasks/configure-pod-container/security-context-2.yaml
```
Verify that the Pod's Container is running:
```shell
kubectl get pod security-context-demo-2
```
Get a shell into the running Container:
```shell
kubectl exec -it security-context-demo-2 -- sh
```
In your shell, list the running processes:
```
ps aux
```
The output shows that the processes are running as user 2000. This is the value
of `runAsUser` specified for the Container. It overrides the value 1000 that is
specified for the Pod.
```
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
2000 1 0.0 0.0 4336 764 ? Ss 20:36 0:00 /bin/sh -c node server.js
2000 8 0.1 0.5 772124 22604 ? Sl 20:36 0:00 node server.js
...
```
Exit your shell:
```shell
exit
```
## Set capabilities for a Container
With [Linux capabilities ](http://man7.org/linux/man-pages/man7/capabilities.7.html ),
you can grant certain privileges to a process without granting all the privileges
of the root user. To add or remove Linux capabilities for a Container, include the
`capabilities` field in the `securityContext` section of the Container manifest.
First, see what happens when you don't include a `capabilities` field.
Here is configuration file that does not add or remove any Container capabilities:
2018-05-05 16:00:51 +00:00
{{< code file = "security-context-3.yaml" > }}
2017-06-22 01:12:44 +00:00
Create the Pod:
```shell
kubectl create -f https://k8s.io/docs/tasks/configure-pod-container/security-context-3.yaml
```
Verify that the Pod's Container is running:
```shell
kubectl get pod security-context-demo-3
```
Get a shell into the running Container:
```shell
kubectl exec -it security-context-demo-3 -- sh
```
In your shell, list the running processes:
```shell
ps aux
```
The output shows the process IDs (PIDs) for the Container:
```shell
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4336 796 ? Ss 18:17 0:00 /bin/sh -c node server.js
root 5 0.1 0.5 772124 22700 ? Sl 18:17 0:00 node server.js
```
In your shell, view the status for process 1:
```shell
cd /proc/1
cat status
```
The output shows the capabilities bitmap for the process:
```
...
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
...
```
Make a note of the capabilities bitmap, and then exit your shell:
```shell
exit
```
Next, run a Container that is the same as the preceding container, except
that it has additional capabilities set.
Here is the configuration file for a Pod that runs one Container. The configuration
adds the `CAP_NET_ADMIN` and `CAP_SYS_TIME` capabilities:
2018-05-05 16:00:51 +00:00
{{< code file = "security-context-4.yaml" > }}
2017-06-22 01:12:44 +00:00
Create the Pod:
```shell
kubectl create -f https://k8s.io/docs/tasks/configure-pod-container/security-context-4.yaml
```
Get a shell into the running Container:
```shell
kubectl exec -it security-context-demo-4 -- sh
```
In your shell, view the capabilities for process 1:
```shell
cd /proc/1
cat status
```
The output shows capabilities bitmap for the process:
```shell
...
CapPrm: 00000000aa0435fb
CapEff: 00000000aa0435fb
...
```
Compare the capabilities of the two Containers:
```
00000000a80425fb
2017-07-25 16:37:19 +00:00
00000000aa0435fb
2017-06-22 01:12:44 +00:00
```
In the capability bitmap of the first container, bits 12 and 25 are clear. In the second container,
bits 12 and 25 are set. Bit 12 is `CAP_NET_ADMIN` , and bit 25 is `CAP_SYS_TIME` .
See [capability.h ](https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h )
for definitions of the capability constants.
2018-05-05 16:00:51 +00:00
{{< note > }}
2017-08-17 23:19:24 +00:00
**Note:** Linux capability constants have the form `CAP_XXX` . But when you list capabilities in your Container manifest, you must omit the `CAP_` portion of the constant. For example, to add `CAP_SYS_TIME` , include `SYS_TIME` in your list of capabilities.
2018-05-05 16:00:51 +00:00
{{< / note > }}
2017-06-22 01:12:44 +00:00
## Assign SELinux labels to a Container
To assign SELinux labels to a Container, include the `seLinuxOptions` field in
the `securityContext` section of your Pod or Container manifest. The
`seLinuxOptions` field is an
2018-05-05 16:00:51 +00:00
[SELinuxOptions ](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#selinuxoptions-v1-core )
2017-06-22 01:12:44 +00:00
object. Here's an example that applies an SELinux level:
```yaml
...
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
```
2018-05-05 16:00:51 +00:00
{{< note > }}
2017-08-17 23:19:24 +00:00
**Note:** To assign SELinux labels, the SELinux security module must be loaded on the host operating system.
2018-05-05 16:00:51 +00:00
{{< / note > }}
2017-06-22 01:12:44 +00:00
## Discussion
The security context for a Pod applies to the Pod's Containers and also to
the Pod's Volumes when applicable. Specifically `fsGroup` and `seLinuxOptions` are
applied to Volumes as follows:
* `fsGroup` : Volumes that support ownership management are modified to be owned
and writable by the GID specified in `fsGroup` . See the
2017-09-21 13:20:58 +00:00
[Ownership Management design document ](https://git.k8s.io/community/contributors/design-proposals/storage/volume-ownership-management.md )
2017-06-22 01:12:44 +00:00
for more details.
* `seLinuxOptions` : Volumes that support SELinux labeling are relabeled to be accessible
by the label specified under `seLinuxOptions` . Usually you only
need to set the `level` section. This sets the
[Multi-Category Security (MCS) ](https://selinuxproject.org/page/NB_MLS )
label given to all Containers in the Pod as well as the Volumes.
2018-05-05 16:00:51 +00:00
{{< warning > }}
2017-08-21 22:48:56 +00:00
**Warning:** After you specify an MCS label for a Pod, all Pods with the same label can access the Volume. If you need inter-Pod protection, you must assign a unique MCS label to each Pod.
2018-05-05 16:00:51 +00:00
{{< / warning > }}
2017-06-22 01:12:44 +00:00
2018-05-05 16:00:51 +00:00
{{% /capture %}}
2017-06-22 01:12:44 +00:00
2018-05-05 16:00:51 +00:00
{{% capture whatsnext %}}
2017-06-22 01:12:44 +00:00
2018-05-05 16:00:51 +00:00
* [PodSecurityContext ](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core )
* [SecurityContext ](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core )
2017-06-22 01:12:44 +00:00
* [Tuning Docker with the newest security enhancements ](https://opensource.com/business/15/3/docker-security-tuning )
2017-09-20 13:29:58 +00:00
* [Security Contexts design document ](https://git.k8s.io/community/contributors/design-proposals/auth/security_context.md )
2017-09-21 13:20:58 +00:00
* [Ownership Management design document ](https://git.k8s.io/community/contributors/design-proposals/storage/volume-ownership-management.md )
2017-07-10 22:13:19 +00:00
* [Pod Security Policies ](/docs/concepts/policy/pod-security-policy/ )
Release 1.8 (#5659)
* GC now supports non-core resources
* Add two examples about how to analysis audits of kube-apiserver (#4264)
* Deprecate system:nodes binding
* [1.8] StatefulSet `initialized` annotation is now ignored.
* inits the kubeadm upgrade docs
addresses kubernetes/kubernetes.github.io/issues/4689
* adds kubeadm upgrade cmd to ToC
addresses kubernetes/kubernetes.github.io/issues/4689
* add workload placement docs
* ScaleIO - document udpate for 1.8
* Add documentation on storageClass.mountOptions and PV.mountOptions (#5254)
* Add documentation on storageClass.mountOptions and PV.mountOptions
* convert notes into callouts
* Add docs for CustomResource validation
add info about supported fields
* advanced audit beta features (#5300)
* Update job workload doc with backoff failure policy (#5319)
Add to the Jobs documentation how to use the new backoffLimit field that
limit the number of Pod failure before considering the Job as failed.
* Documented additional AWS Service annotations (#4864)
* Add device plugin doc under concepts/cluster-administration. (#5261)
* Add device plugin doc under concepts/cluster-administration.
* Update device-plugins.md
* Update device-plugins.md
Add meta description. Fix typo. Change bare metal deployment to manual deployment.
* Update device-plugins.md
Fix typo again.
* Update page.version. (#5341)
* Add documentation on storageClass.reclaimPolicy (#5171)
* [Advanced audit] use new herf for audit-api (#5349)
This tag contains all the changes in v1beta1 version. Update it now.
* Added documentation around creating the InitializerConfiguration for the persistent volume label controller in the cloud-controller-manager (#5255)
* Documentation for kubectl plugins (#5294)
* Documentation for kubectl plugins
* Update kubectl-plugins.md
* Update kubectl-plugins.md
* Updated CPU manager docs to match implementation. (#5332)
* Noted limitation of alpha static cpumanager.
* Updated CPU manager docs to match implementation.
- Removed references to CPU pressure node condition and evictions.
- Added note about new --cpu-manager-reconcile-period flag.
- Added note about node allocatable requirements for static policy.
- Noted limitation of alpha static cpumanager.
* Move cpu-manager task link to rsc mgmt section.
* init containers annotation removed in 1.8 (#5390)
* Add documentation for TaintNodesByCondition (#5352)
* Add documentation for TaintNodesByCondition
* Update nodes.md
* Update taint-and-toleration.md
* Update daemonset.md
* Update nodes.md
* Update taint-and-toleration.md
* Update daemonset.md
* Fix deployments (#5421)
* Document extended resources and OIR deprecation. (#5399)
* Document extended resources and OIR deprecation.
* Updated extended resources doc per reviews.
* reverts extra spacing in _data/tasks.yml
* addresses `kubeadm upgrade` review comments
Feedback from @chenopis, @luxas, and @steveperry-53 addressed with this commit
* HugePages documentation (#5419)
* Update cpu-management-policies.md (#5407)
Fixed the bad link.
Modified "cpu" to "CPU".
Added more 'yaml' as supplement.
* Update RBAC docs for v1 (#5445)
* Add user docs for pod priority and preemption (#5328)
* Add user docs for pod priority and preemption
* Update pod-priority-preemption.md
* More updates
* Update docs/admin/kubeadm.md for 1.8 (#5440)
- Made a couple of minor wording changes (not strictly 1.8 related).
- Did some reformatting (not strictly 1.8 related).
- Updated references to the default token TTL (was infinite, now 24 hours).
- Documented the new `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join`.
- Added references to the new `--discovery-token-ca-cert-hash` flag in all the default examples.
- Added a new _Security model_ section that describes the security tradeoffs of the various discovery modes.
- Documented the new `--groups` flag for `kubeadm token create`.
- Added a note of caution under _Automating kubeadm_ that references the _Security model_ section.
- Updated the component version table to drop 1.6 and add 1.8.
- Update `_data/reference.yml` to try to get the sidebar fixed up and more consistent with `kubefed`.
* Update StatefulSet Basics for 1.8 release (#5398)
* addresses `kubeadm upgrade` review comments
2nd iteration review comments by @luxas
* adds kubelet upgrade section to kubeadm upgrade
* Fix a bulleted list on docs/admin/kubeadm.md. (#5458)
I updated this doc yesterday and I was absolutely sure I fixed this, but I just saw that this commit got lost somehow.
This was introduced recently in https://github.com/kubernetes/kubernetes.github.io/pull/5440.
* Clarify the API to check for device plugins
* Moving Flexvolume to separate out-of-tree section
* addresses `kubeadm upgrade` review comments
CC: @luxas
* fixes kubeadm upgrade index
* Update Stackdriver Logging documentation (#5495)
* Re-update WordPress and MySQL PV doc to use apps/v1beta2 APIs (#5526)
* Update statefulset concepts doc to use apps/v1beta2 APIs (#5420)
* add document on kubectl's behavior regarding initializers (#5505)
* Update docs/admin/kubeadm.md to cover self-hosting in 1.8. (#5497)
This is a new beta feature in 1.8.
* Update kubectl patch doc to use apps/v1beta2 APIs (#5422)
* [1.8] Update "Run Applications" tasks to apps/v1beta2. (#5525)
* Update replicated stateful application task for 1.8.
* Update single instance stateful app task for 1.8.
* Update stateless app task for 1.8.
* Update kubectl patch task for 1.8.
* fix the link of persistent storage (#5515)
* update the admission-controllers.md index.md what-is-kubernetes.md link
* fix the link of persistent storage
* Add quota support for local ephemeral storage (#5493)
* Add quota support for local ephemeral storage
update the doc to this alpha feature
* Update resource-quotas.md
* Updated Deployments concepts doc (#5491)
* Updated Deployments concepts doc
* Addressed comments
* Addressed more comments
* Modify allocatable storage to ephemeral-storage (#5490)
Update the doc to use ephemeral-storage instead of storage
* Revamped concepts doc for ReplicaSet (#5463)
* Revamped concepts doc for ReplicaSet
* Minor changes to call out specific versions for selector defaulting and
immutability
* Addressed doc review comments
* Remove petset documentations (#5395)
* Update docs to use batch/v1beta1 cronjobs (#5475)
* add federation job doc (#5485)
* add federation job doc
* Update job.md
Edits for clarity and consistency
* Update job.md
Fixed a typo
* update DaemonSet concept for 1.8 release (#5397)
* update DaemonSet concept for 1.8 release
* Update daemonset.md
Fix typo. than -> then
* Update bootstrap tokens doc for 1.8. (#5479)
* Update bootstrap tokens doc for 1.8.
This has some changes I missed when I was updating the main kubeadm documention:
- Bootstrap tokens are now beta, not alpha (https://github.com/kubernetes/features/issues/130)
- The apiserver flag to enable the authenticator changedin 1.8 (https://github.com/kubernetes/kubernetes/pull/51198)
- Added `auth-extra-groups` documentaion (https://github.com/kubernetes/kubernetes/pull/50933)
- Updated the _Token Management with `kubeadm`_ section to link to the main kubeadm docs, since it was just duplicated information.
* Update bootstrap-tokens.md
* Updated the Cassandra tutorial to use apps/v1beta2 (#5548)
* add docs for AllowPrivilegeEscalation (#5448)
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
* Add local ephemeral storage alpha feature in managing compute resource (#5522)
* Add local ephemeral storage alpha feature in managing compute resource
Since 1.8, we add the local ephemeral storage alpha feature as one
resource type to manage. Add this feature into the doc.
* Update manage-compute-resources-container.md
* Update manage-compute-resources-container.md
* Update manage-compute-resources-container.md
* Update manage-compute-resources-container.md
* Update manage-compute-resources-container.md
* Update manage-compute-resources-container.md
* Added documentation for Metrics Server (#5560)
* authorization: improve authorization debugging docs (#5549)
* Document mount propagation (#5544)
* Update /docs/setup/independent/create-cluster-kubeadm.md for 1.8. (#5524)
This introduction needed a couple of small tweaks to cover the `--discovery-token-ca-cert-hash` flag added in https://github.com/kubernetes/kubernetes/pull/49520 and some version bumps.
* Add task doc for alpha dynamic kubelet configuration (#5523)
* Fix input/output of selfsubjectaccess review (#5593)
* Add docs for implementing resize (#5528)
* Add docs for implementing resize
* Update admission-controllers.md
* Added link to PVC section
* minor typo fixes
* Update NetworkPolicy concept guide with egress and CIDR changes (#5529)
* update zookeeper tutorial for 1.8 release
* add doc for hostpath type (#5503)
* Federated Hpa feature doc (#5487)
* Federated Hpa feature doc
* Federated Hpa feature doc review fixes
* Update hpa.md
* Update hpa.md
* update cloud controller manager docs for v1.8
* Update cronjob with defaults information (#5556)
* Kubernetes 1.8 reference docs (#5632)
* Kubernetes 1.8 reference docs
* Kubectl reference docs for 1.8
* Update side bar with 1.8 kubectl and api ref docs links
* remove petset.md
* update on state of HostAlias in 1.8 with hostNetwork Pod support (#5644)
* Fix cron job deletion section (#5655)
* update imported docs (#5656)
* Add documentation for certificate rotation. (#5639)
* Link to using kubeadm page
* fix the command output
fix the command output
* fix typo in api/resources reference: "Worloads"
* Add documentation for certificate rotation.
* Create TOC entry for cloud controller manager. (#5662)
* Updates for new versions of API types
* Followup 5655: fix link to garbage collection (#5666)
* Temporarily redirect resources-reference to api-reference. (#5668)
* Update config for 1.8 release. (#5661)
* Update config for 1.8 release.
* Address reviewer comments.
* Switch references in HPA docs from alpha to beta (#5671)
The HPA docs still referenced the alpha version. This switches them to
talk about v2beta1, which is the appropriate version for Kubernetes 1.8
* Deprecate openstack heat (#5670)
* Fix typo in pod preset conflict example
Move container port definition to the correct line.
* Highlight openstack-heat provider deprecation
The openstack-heat provider for kube-up is being deprecated and will be
removed in a future release.
* Temporarily fix broken links by redirecting. (#5672)
* Fix broken links. (#5675)
* Fix render of code block (#5674)
* Fix broken links. (#5677)
* Add a small note about auto-bootstrapped CSR ClusterRoles (#5660)
* Update kubeadm install doc for v1.8 (#5676)
* add draft workloads api content for 1.8 (#5650)
* add draft workloads api content for 1.8
* edits per review, add tables, for 1.8 workloads api doc
* fix typo
* Minor fixes to kubeadm 1.8 upgrade guide. (#5678)
- The kubelet upgrade instructions should be done on every host, not
just worker nodes.
- We should just upgrade all packages, instead of calling out kubelet
specifically. This will also upgrade kubectl, kubeadm, and
kubernetes-cni, if installed.
- Draining nodes should also ignore daemonsets, and master errors can be
ignored.
- Make sure that the new kubeadm download is chmoded correctly.
- Add a step to run `kubeadm version` to verify after downloading.
- Manually approve new kubelet CSRs if rotation is enabled (known issue).
* Release 1.8 (#5680)
* Fix versions for 1.8 API ref docs
* Updates for 1.8 kubectl reference docs
* Kubeadm /docs/admin/kubeadm.md cleanup, editing. (#5681)
* Update docs/admin/kubeadm.md (mostly 1.8 related).
This is Fabrizio's work, which I'm committing along with my edits (in a commit on top of this).
* A few of my own edits to clarify and clean up some Markdown.
2017-09-29 04:46:51 +00:00
* [AllowPrivilegeEscalation design
document](https://git.k8s.io/community/contributors/design-proposals/auth/no-new-privs.md)
2017-06-22 01:12:44 +00:00
2018-05-05 16:00:51 +00:00
{{% /capture %}}
2017-06-22 01:12:44 +00:00
