2017-06-28 23:38:44 +00:00
---
2018-02-22 22:07:43 +00:00
reviewers:
2017-06-28 23:38:44 +00:00
- smarterclayton
- lavalamp
- whitlockjc
2017-08-01 06:15:39 +00:00
- caesarxuchao
2018-03-15 01:40:25 +00:00
- deads2k
2017-06-28 23:38:44 +00:00
title: Dynamic Admission Control
2018-06-22 18:26:06 +00:00
content_template: templates/concept
2018-05-23 17:58:32 +00:00
weight: 40
2017-06-28 23:38:44 +00:00
---
2018-06-22 18:26:06 +00:00
{{% capture overview %}}
The [admission controllers documentation ](/docs/reference/access-authn-authz/admission-controllers/ )
2017-06-28 23:38:44 +00:00
introduces how to use standard, plugin-style admission controllers. However,
plugin admission controllers are not flexible enough for all use cases, due to
the following:
* They need to be compiled into kube-apiserver.
* They are only configurable when the apiserver starts up.
2018-03-15 01:40:25 +00:00
Two features, *Admission Webhooks* (beta in 1.9) and *Initializers* (alpha),
address these limitations. They allow admission controllers to be developed
out-of-tree and configured at runtime.
2017-06-28 23:38:44 +00:00
2018-03-15 01:40:25 +00:00
This page describes how to use Admission Webhooks and Initializers.
2018-06-22 18:26:06 +00:00
{{% /capture %}}
2018-03-15 01:40:25 +00:00
2018-06-22 18:26:06 +00:00
{{% capture body %}}
2018-03-15 01:40:25 +00:00
## Admission Webhooks
### What are admission webhooks?
Admission webhooks are HTTP callbacks that receive admission requests and do
something with them. You can define two types of admission webhooks,
2018-10-23 15:41:30 +00:00
[validating admission Webhook ](/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook )
2018-03-15 01:40:25 +00:00
and
2018-10-23 15:41:30 +00:00
[mutating admission webhook ](/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook ).
2018-04-30 11:39:16 +00:00
With validating admission Webhooks, you may reject requests to enforce custom
admission policies. With mutating admission Webhooks, you may change requests to
2018-03-15 01:40:25 +00:00
enforce custom defaults.
### Experimenting with admission webhooks
Admission webhooks are essentially part of the cluster control-plane. You should
write and deploy them with great caution. Please read the [user
2018-06-22 18:26:06 +00:00
guides](/docs/reference/access-authn-authz/extensible-admission-controllers/#write-an-admission-webhook-server) for
2018-03-15 01:40:25 +00:00
instructions if you intend to write/deploy production-grade admission webhooks.
In the following, we describe how to quickly experiment with admission webhooks.
### Prerequisites
* Ensure that the Kubernetes cluster is at least as new as v1.9.
* Ensure that MutatingAdmissionWebhook and ValidatingAdmissionWebhook
admission controllers are enabled.
2018-06-22 18:26:06 +00:00
[Here ](/docs/reference/access-authn-authz/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use )
2018-03-15 01:40:25 +00:00
is a recommended set of admission controllers to enable in general.
* Ensure that the admissionregistration.k8s.io/v1beta1 API is enabled.
### Write an admission webhook server
Please refer to the implementation of the [admission webhook
server](https://github.com/kubernetes/kubernetes/blob/v1.10.0-beta.1/test/images/webhook/main.go)
that is validated in a Kubernetes e2e test. The webhook handles the
`admissionReview` requests sent by the apiservers, and sends back its decision
wrapped in `admissionResponse` .
The example admission webhook server leaves the `ClientAuth` field
[empty ](https://github.com/kubernetes/kubernetes/blob/v1.10.0-beta.1/test/images/webhook/config.go#L48-L49 ),
which defaults to `NoClientCert` . This means that the webhook server does not
authenticate the identity of the clients, supposedly apiservers. If you need
mutual TLS or other ways to authenticate the clients, see
how to [authenticate apiservers ](#authenticate-apiservers ).
### Deploy the admission webhook service
The webhook server in the e2e test is deployed in the Kubernetes cluster, via
2018-05-05 16:00:51 +00:00
the [deployment API ](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#deployment-v1beta1-apps ).
The test also creates a [service ](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#service-v1-core )
2018-03-15 01:40:25 +00:00
as the front-end of the webhook server. See
[code ](https://github.com/kubernetes/kubernetes/blob/v1.10.0-beta.1/test/e2e/apimachinery/webhook.go#L196 ).
You may also deploy your webhooks outside of the cluster. You will need to update
your [webhook client configurations ](https://github.com/kubernetes/kubernetes/blob/v1.10.0-beta.1/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go#L218 ) accordingly.
### Configure admission webhooks on the fly
You can dynamically configure what resources are subject to what admission
webhooks via
[ValidatingWebhookConfiguration ](https://github.com/kubernetes/kubernetes/blob/v1.10.0-beta.1/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go#L68 )
or
2018-07-18 21:39:25 +00:00
[MutatingWebhookConfiguration ](https://github.com/kubernetes/kubernetes/blob/v1.10.0-beta.1/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go#L98 ).
2018-03-15 01:40:25 +00:00
The following is an example `validatingWebhookConfiguration` , a mutating webhook
configuration is similar.
```yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: < name of this configuration object >
webhooks:
- name: < webhook name , e . g ., pod-policy . example . io >
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
clientConfig:
service:
namespace: < namespace of the front-end service >
name: < name of the front-end service >
caBundle: < pem encoded ca cert that signs the server cert used by the webhook >
```
2018-06-22 18:26:06 +00:00
{{< note > }}
**Note:** When using `clientConfig.service` , the server cert must be valid for
2018-04-13 09:23:59 +00:00
`<svc_name>.<svc_namespace>.svc` .
2018-06-22 18:26:06 +00:00
{{< / note > }}
2018-04-13 09:23:59 +00:00
2018-03-15 01:40:25 +00:00
When an apiserver receives a request that matches one of the `rules` , the
apiserver sends an `admissionReview` request to webhook as specified in the
`clientConfig` .
After you create the webhook configuration, the system will take a few seconds
to honor the new configuration.
2018-05-05 16:00:51 +00:00
{{< note > }}
2018-06-22 18:26:06 +00:00
**Note:** When the webhook plugin is deployed into the Kubernetes cluster as a
2018-04-30 01:39:16 +00:00
service, it has to expose its service on the 443 port. The communication
between the API server and the webhook service may fail if a different port
is used.
2018-05-05 16:00:51 +00:00
{{< / note > }}
2018-04-30 01:39:16 +00:00
2018-03-15 01:40:25 +00:00
### Authenticate apiservers
If your admission webhooks require authentication, you can configure the
apiservers to use basic auth, bearer token, or a cert to authenticate itself to
the webhooks. There are three steps to complete the configuration.
* When starting the apiserver, specify the location of the admission control
configuration file via the `--admission-control-config-file` flag.
* In the admission control configuration file, specify where the
MutatingAdmissionWebhook controller and ValidatingAdmissionWebhook controller
should read the credentials. The credentials are stored in kubeConfig files
(yes, the same schema that's used by kubectl), so the field name is
`kubeConfigFile` . Here is an example admission control configuration file:
```yaml
apiVersion: apiserver.k8s.io/v1alpha1
kind: AdmissionConfiguration
plugins:
- name: ValidatingAdmissionWebhook
configuration:
apiVersion: apiserver.config.k8s.io/v1alpha1
kind: WebhookAdmission
kubeConfigFile: < path-to-kubeconfig-file >
- name: MutatingAdmissionWebhook
configuration:
apiVersion: apiserver.config.k8s.io/v1alpha1
kind: WebhookAdmission
kubeConfigFile: < path-to-kubeconfig-file >
```
The schema of `admissionConfiguration` is defined
[here ](https://github.com/kubernetes/kubernetes/blob/v1.10.0-beta.0/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go#L27 ).
* In the kubeConfig file, provide the credentials:
```yaml
apiVersion: v1
kind: Config
users:
# DNS name of webhook service, i.e., <service name>.<namespace>.svc, or the URL
# of the webhook server.
- name: 'webhook1.ns1.svc'
user:
client-certificate-data: < pem encoded certificate >
client-key-data: < pem encoded key >
# The `name` supports using * to wildmatch prefixing segments.
- name: '*.webhook-company.org'
user:
password: < password >
username: < name >
# '*' is the default match.
- name: '*'
user:
token: < token >
```
Of course you need to set up the webhook server to handle these authentications.
2017-06-28 23:38:44 +00:00
## Initializers
### What are initializers?
2017-06-29 05:03:44 +00:00
*Initializer* has two meanings:
2017-06-28 23:38:44 +00:00
* A list of pending pre-initialization tasks, stored in every object's metadata
(e.g., "AddMyCorporatePolicySidecar").
2017-08-15 05:58:11 +00:00
* A user customized controller, which actually performs those tasks. The name of the task
2017-06-28 23:38:44 +00:00
corresponds to the controller which performs the task. For clarity, we call
2017-06-29 05:03:44 +00:00
them *initializer controllers* in this page.
2017-06-28 23:38:44 +00:00
Once the controller has performed its assigned task, it removes its name from
the list. For example, it may send a PATCH that inserts a container in a pod and
2017-08-01 06:15:39 +00:00
also removes its name from `metadata.initializers.pending` . Initializers may make
2017-06-28 23:38:44 +00:00
mutations to objects.
Objects which have a non-empty initializer list are considered uninitialized,
2017-06-29 05:03:44 +00:00
and are not visible in the API unless specifically requested by using the query parameter,
`?includeUninitialized=true` .
2017-06-28 23:38:44 +00:00
### When to use initializers?
Initializers are useful for admins to force policies (e.g., the
2018-06-22 18:26:06 +00:00
[AlwaysPullImages ](/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages )
2017-06-28 23:38:44 +00:00
admission controller), or to inject defaults (e.g., the
2018-06-22 18:26:06 +00:00
[DefaultStorageClass ](/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass )
2017-06-28 23:38:44 +00:00
admission controller), etc.
2018-06-22 18:26:06 +00:00
{{< note > }}
2017-06-29 05:03:44 +00:00
**Note:** If your use case does not involve mutating objects, consider using
external admission webhooks, as they have better performance.
2018-06-22 18:26:06 +00:00
{{< / note > }}
2017-06-28 23:38:44 +00:00
### How are initializers triggered?
When an object is POSTed, it is checked against all existing
`initializerConfiguration` objects (explained below). For all that it matches,
all `spec.initializers[].name` s are appended to the new object's
2017-08-01 06:15:39 +00:00
`metadata.initializers.pending` field.
2017-06-28 23:38:44 +00:00
An initializer controller should list and watch for uninitialized objects, by
using the query parameter `?includeUninitialized=true` . If using client-go, just
2018-04-04 00:13:08 +00:00
set
2017-06-28 23:38:44 +00:00
[listOptions.includeUninitialized ](https://github.com/kubernetes/kubernetes/blob/v1.7.0-rc.1/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go#L315 )
to true.
For the observed uninitialized objects, an initializer controller should first
2017-08-01 06:15:39 +00:00
check if its name matches `metadata.initializers.pending[0]` . If so, it should then
2017-06-28 23:38:44 +00:00
perform its assigned task and remove its name from the list.
### Enable initializers alpha feature
2017-06-29 05:03:44 +00:00
*Initializers* is an alpha feature, so it is disabled by default. To turn it on,
2017-06-28 23:38:44 +00:00
you need to:
Merge 1.10 to master for release (#7861)
* 1.10 update (#7151)
* Fix partition value expected behaviour explanation (#7123)
Fixes issue #7057
* Correct "On-Premise" to "On-Premises"
* Updates the Calico installation page (#7094)
* All files for Haufe Groups case study (#7051)
* Fix typo (#7127)
* fix typo of device-plugins.md (#7106)
* fix broken links (#7136)
* Updated configure-service-account (#7147)
Error from server resolved by escaping kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}' JSON string by '\'
* Remove docs related to 'require-kubeconfig' (#7138)
With kubernetes/kubernetes#58367 merged, v1.10 will not use the
"require-kubeconfig" flag. The flag has become a no-op solely to ensure
existing deployments won't break.
* Added Verification Scenario for a Pod that Uses a PVC in Terminating State (#7164)
The below PR:
https://github.com/kubernetes/kubernetes/pull/55873
modified scheduler in such a way that scheduling of a pod that uses a PVC in Terminating state fails.
That's why verification of such scenario was added to documentation.
* fix LimitPodHardAntiAffinityTopology name (#7221)
* Document the removal of the KubeletConfigFile feature gate (#7140)
With kubernetes/kubernetes#58978 merged, the said feature gate is
removed. This PR removes texts related to the gate and revises the
Feature Gates reference to reflect this change.
* deprecate three admission controller (#7363)
* Document the removal of Accelerators feature gate (#7389)
The `Accelerators` feature gate will be removed in 1.11. 1.10 will be
its last mile.
References: kubernetes/kubernetes#57384
* Update local storage docs for beta (#7473)
* Document that HugePages feature gate is Beta (#7387)
The `HugePages` feature gate has graduated to Beta in v1.10. This PR
documents this fact.
* Add HyperVContainer feature gates (#7502)
* Remove the beta reference from Taints and Tolerations doc (#7493)
* Kms provider doc (#7479)
* Kms provider doc
* issue# 7399, Create KMS-provider.md and update encrypt-data.md
* address review comments
* Document that Device Plugin feature is Beta (1.10) (#7512)
* Add docs for CRD features for 1.10 (#7439)
* Add docs for CRD features for 1.10
* Add CustomResourcesSubresources to list of feature gates
* Add latest changes to custom resources doc
* Add crds as abbreviated alias (#7437)
* Bring PVC Protection Feature to Beta (#7165)
* Bring PVC Protection Feature to Beta
The PR: https://github.com/kubernetes/kubernetes/pull/59052
brought PVC Protection feature to beta.
That's why the documentation is updated accordingly.
* The PVC Protection feature was renamed to Storage Protection. That's why the documentation is updated.
* promote PodNodeSelector to stable; document detailed behavior (#7134)
* promote PodNodeSelector to stable; document detailed behavior
* respond to feedback
* Update CPU manager feature enabling (#7390)
With `CPUManager` feature graduating to beta. No explicit enabling is
required starting v1.10.
References: kubernetes/kubernetes#55977
* Adding block volumeMode documentation for local volumes. (#7531)
Code review comments.
Changed property to field.
Address tech review comment.
* remove description kubectl --show-all (#7574)
--show-all has been deprecated and set to true by default.
https://github.com/kubernetes/kubernetes/pull/60210
* fix description about contribute style guide (#7592)
* fix description about KUBECONFIG (#7589)
s/envrionment/environment
* fix description about cni (#7588)
s/simultanously/simultaneously/
* fix description about MutatingAdmissionWebhook and ValidatingAdmissionWebhook (#7587)
* fix description about persistent volume binding (#7590)
s/slighty/slightly/
* Doc change for configurable pod resolv.conf Beta (#7611)
* fix description about out of resource handling (#7597)
s/threshhold/threshold
* fix description about zookeeper (#7598)
s/achive/achieve
* fix description about kubeadm (#7594)
s/compatability/compatibility/
* fix description about kubeadm (#7593)
* fix description about kubeadm implementation details (#7595)
* fix description about api concepts (#7596)
* Storage Protection was renamed to Storage Object in Use Protection (#7576)
* Storage Protection was renamed to Storage Object in Use Protection
The K8s PR: https://github.com/kubernetes/kubernetes/pull/59901
renamed Storage Protection to Storage Object in Use Protection.
That's why the same is also renamed in the documentation.
* Moved Storage Object in Use Protection admission plugin description down according to alphabetic order.
* Use PSP from policy API group. (#7562)
* update kubeletconfig docs for v1.10, beta (#7561)
* Update port-forwarding docs (#7575)
* add pv protection description (#7620)
* fix description about client library (#7634)
* Add docs on configuring NodePort IP (#7631)
* Document that LocalStorageCapacityIsolation is beta (#7635)
A follow-up to the kubernetes/kubernetes#60159 change which has promoted
the `LocalStorageCapacityIsolation` feature gate to Beta.
* Update CoreDNS docs for beta (#7638)
* Update CoreDNS docs for beta
* Review comments
* Fix typo (#7640)
* Update feature gates move to beta (#7662)
* Added the inability to use colon ':' character as environment variable names and described workaround (#7657)
* merge master to 1.10, with fixes (#7682)
* Flag names changed (s/admission-control/enable-admission-plugins); disable-admissions-plugin entry added; removed reference to admission controller/plugins requiring set order (for v1.10), redundant example enabling specific plugin, and redundant version-specific info (#7449)
* Documentation for MountPropagation beta (#7655)
* Remove job's scale-related operations (#7684)
* authentication: document client-go exec plugins (#7648)
* authentication: document client-go exec plugins
* Update authentication.md
* Update local ephemeral storage feature to beta (#7685)
Update local ephemeral storage feature to beta
* Update docs for windows container resources (#7653)
* add server-side print docs (#7671)
* Create a task describing Pod process namespace sharing (#7489)
* Add external metrics to HPA docs (#7664)
* Add external metrics to HPA docs
* Update horizontal-pod-autoscale-walkthrough.md
* Apply review comments to HPA walkthrough
* remove description about "scale jobs" (#7712)
* CSI Docs for K8s v1.10 (#7698)
* Add a warning about increased memory consumption for audit logging feature. (#7725)
Signed-off-by: Mik Vyatskov <vmik@google.com>
* Update Audit Logging documentation for 1.10 (#7679)
Signed-off-by: Mik Vyatskov <vmik@google.com>
* Fix stage names in audit logging documentation (#7746)
Signed-off-by: Mik Vyatskov <vmik@google.com>
* Feature gate update for release 1.10 (#7742)
* State in the docs that the value of default Node labels are not reliable. (#7794)
* Kill the reference to --admission-control option (#7755)
The `--admission-control` option has been replaced by two new options in
v1.10. This PR kills the last appearance of the old option in the doc.
* Pvcprotection toc (#7807)
* Refreshing installation instructions (#7495)
* Refreshing installation instructions
Added conjure-up. Updated displays and juju versions to current versions.
* Updated anchors
* Fixed image value version typo (#7768)
Was inconsistent with other values
* Update flocker reference to the github repo (#7784)
* Fix typo in federation document (#7779)
* an user -> a user (#7778)
* Events are namespaced (#7767)
* fix 'monitoring' link lose efficacy problem' (#7764)
* docs/concepts/policy/pod-security-policy.md: minor fix. (#7659)
* Update downward-api-volume-expose-pod-information.md (#7771)
* Update downward-api-volume-expose-pod-information.md
The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact.
* Update downward-api-volume-expose-pod-information.md
One more spot needed fixing.
* Update downward-api-volume-expose-pod-information.md
Yet another fix, in the container example.
* Add Amadeus Case Study (#7783)
* Add Amadeus Case Study
* add Amadeus logo
* Fixed Cyrillic с in 'kube-proxy-cm' (#7787)
There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c.
* install-kubectl: choose one installation method (#7705)
The previous text layout suggested that all installations had to be done, one after another.
* Update install-kubeadm.md (#7781)
Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc.
* repair failure link (#7788)
* repair failure link
* repair failure link
* do change as required
* Update k8s201.md (#7777)
* Update k8s201.md
Change instructions to download yams files directly from the website (as used in other pages.)
Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step.
* Update k8s201.md
Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...)
* Gramatical fix to kompose introduction (#7792)
The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link.
* update amadeus.html (#7800)
* Fix a missing word in endpoint reconciler section (#7804)
* add toc entry for pvcprotection downgrade issue doc
* Pvcprotection toc (#7809)
* Refreshing installation instructions (#7495)
* Refreshing installation instructions
Added conjure-up. Updated displays and juju versions to current versions.
* Updated anchors
* Fixed image value version typo (#7768)
Was inconsistent with other values
* Update flocker reference to the github repo (#7784)
* Fix typo in federation document (#7779)
* an user -> a user (#7778)
* Events are namespaced (#7767)
* fix 'monitoring' link lose efficacy problem' (#7764)
* docs/concepts/policy/pod-security-policy.md: minor fix. (#7659)
* Update downward-api-volume-expose-pod-information.md (#7771)
* Update downward-api-volume-expose-pod-information.md
The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact.
* Update downward-api-volume-expose-pod-information.md
One more spot needed fixing.
* Update downward-api-volume-expose-pod-information.md
Yet another fix, in the container example.
* Add Amadeus Case Study (#7783)
* Add Amadeus Case Study
* add Amadeus logo
* Fixed Cyrillic с in 'kube-proxy-cm' (#7787)
There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c.
* install-kubectl: choose one installation method (#7705)
The previous text layout suggested that all installations had to be done, one after another.
* Update install-kubeadm.md (#7781)
Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc.
* repair failure link (#7788)
* repair failure link
* repair failure link
* do change as required
* Update k8s201.md (#7777)
* Update k8s201.md
Change instructions to download yams files directly from the website (as used in other pages.)
Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step.
* Update k8s201.md
Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...)
* Gramatical fix to kompose introduction (#7792)
The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link.
* update amadeus.html (#7800)
* Fix a missing word in endpoint reconciler section (#7804)
* add toc entry for pvcprotection downgrade issue doc
* revert TOC change
* Release 1.10 (#7818)
* Refreshing installation instructions (#7495)
* Refreshing installation instructions
Added conjure-up. Updated displays and juju versions to current versions.
* Updated anchors
* Fixed image value version typo (#7768)
Was inconsistent with other values
* Update flocker reference to the github repo (#7784)
* Fix typo in federation document (#7779)
* an user -> a user (#7778)
* Events are namespaced (#7767)
* fix 'monitoring' link lose efficacy problem' (#7764)
* docs/concepts/policy/pod-security-policy.md: minor fix. (#7659)
* Update downward-api-volume-expose-pod-information.md (#7771)
* Update downward-api-volume-expose-pod-information.md
The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact.
* Update downward-api-volume-expose-pod-information.md
One more spot needed fixing.
* Update downward-api-volume-expose-pod-information.md
Yet another fix, in the container example.
* Add Amadeus Case Study (#7783)
* Add Amadeus Case Study
* add Amadeus logo
* Fixed Cyrillic с in 'kube-proxy-cm' (#7787)
There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c.
* install-kubectl: choose one installation method (#7705)
The previous text layout suggested that all installations had to be done, one after another.
* Update install-kubeadm.md (#7781)
Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc.
* repair failure link (#7788)
* repair failure link
* repair failure link
* do change as required
* Update k8s201.md (#7777)
* Update k8s201.md
Change instructions to download yams files directly from the website (as used in other pages.)
Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step.
* Update k8s201.md
Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...)
* Gramatical fix to kompose introduction (#7792)
The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link.
* update amadeus.html (#7800)
* Fix a missing word in endpoint reconciler section (#7804)
* Partners page updates (#7802)
* Partners page updates
* Update to ZTE link
* Make using sysctls a task instead of a concept (#6808)
Closes: #4505
* add a note when mount a configmap to pod (#7745)
* adjust a note format (#7812)
* Update docker-cli-to-kubectl.md (#7748)
* Update docker-cli-to-kubectl.md
Edited the document for adherence to the style guide and word usage.
* Update docker-cli-to-kubectl.md
* Incorporated the changes suggested.
* Mount propagation update to include docker config (#7854)
* update overridden config for 1.10 (#7847)
* update overridden config for 1.10
* fix config file per comments
* Update Extended Resource doc wrt cluster-level resources (#7759)
2018-03-27 01:33:11 +00:00
* Include "Initializers" in the `--enable-admission-plugins` flag when starting
2017-06-28 23:38:44 +00:00
`kube-apiserver` . If you have multiple `kube-apiserver` replicas, all should
have the same flag setting.
* Enable the dynamic admission controller registration API by adding
`admissionregistration.k8s.io/v1alpha1` to the `--runtime-config` flag passed
to `kube-apiserver` , e.g.
`--runtime-config=admissionregistration.k8s.io/v1alpha1` . Again, all replicas
should have the same flag setting.
### Deploy an initializer controller
2017-06-29 05:03:44 +00:00
You should deploy an initializer controller via the [deployment
2018-05-05 16:00:51 +00:00
API](/docs/reference/generated/kubernetes-api/{{< param " version " > }}/#deployment-v1beta1-apps).
2017-06-28 23:38:44 +00:00
### Configure initializers on the fly
You can configure what initializers are enabled and what resources are subject
2017-08-01 06:15:39 +00:00
to the initializers by creating `initializerConfiguration` resources.
2017-06-28 23:38:44 +00:00
2017-06-29 05:03:44 +00:00
You should first deploy the initializer controller and make sure that it is
2017-08-01 06:15:39 +00:00
working properly before creating the `initializerConfiguration` . Otherwise, any
2017-06-28 23:38:44 +00:00
newly created resources will be stuck in an uninitialized state.
2017-08-01 06:15:39 +00:00
The following is an example `initializerConfiguration` :
2017-06-28 23:38:44 +00:00
```yaml
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: InitializerConfiguration
metadata:
name: example-config
2017-07-05 21:52:37 +00:00
initializers:
# the name needs to be fully qualified, i.e., containing at least two "."
- name: podimage.example.com
rules:
# apiGroups, apiVersion, resources all support wildcard "*".
# "*" cannot be mixed with non-wildcard.
- apiGroups:
- ""
apiVersions:
- v1
resources:
- pods
2017-06-28 23:38:44 +00:00
```
2017-08-01 06:15:39 +00:00
After you create the `initializerConfiguration` , the system will take a few
seconds to honor the new configuration. Then, `"podimage.example.com"` will be
appended to the `metadata.initializers.pending` field of newly created pods. You
should already have a ready "podimage" initializer controller that handles pods
whose `metadata.initializers.pending[0].name="podimage.example.com"` . Otherwise
2017-12-06 22:25:17 +00:00
the pods will be stuck in an uninitialized state.
2017-08-01 06:15:39 +00:00
2017-06-28 23:38:44 +00:00
Make sure that all expansions of the `<apiGroup, apiVersions, resources>` tuple
2017-06-29 05:03:44 +00:00
in a `rule` are valid. If they are not, separate them in different `rules` .
2018-06-22 18:26:06 +00:00
{{% /capture %}}
