diff --git a/content/en/docs/reference/access-authn-authz/_index.md b/content/en/docs/reference/access-authn-authz/_index.md
new file mode 100644
index 0000000000..d4966d99a5
--- /dev/null
+++ b/content/en/docs/reference/access-authn-authz/_index.md
@@ -0,0 +1,5 @@
+---
+title: Accessing the API
+weight: 20
+toc-hide: true
+---
\ No newline at end of file
diff --git a/content/en/docs/admin/authorization/abac.md b/content/en/docs/reference/access-authn-authz/abac.md
similarity index 99%
rename from content/en/docs/admin/authorization/abac.md
rename to content/en/docs/reference/access-authn-authz/abac.md
index bac6a27c12..0e3e6cf17f 100644
--- a/content/en/docs/admin/authorization/abac.md
+++ b/content/en/docs/reference/access-authn-authz/abac.md
@@ -4,8 +4,9 @@ reviewers: - lavalamp - deads2k - liggitt -title: ABAC Mode +title: Using ABAC Authorization content_template: templates/concept +weight: 80 --- {{% capture overview %}}
diff --git a/content/en/docs/admin/admission-controllers.md b/content/en/docs/reference/access-authn-authz/admission-controllers.md
similarity index 99%
rename from content/en/docs/admin/admission-controllers.md
rename to content/en/docs/reference/access-authn-authz/admission-controllers.md
index ece6d7b1d1..dcc5ce623e 100644
--- a/content/en/docs/admin/admission-controllers.md
+++ b/content/en/docs/reference/access-authn-authz/admission-controllers.md
@@ -7,6 +7,7 @@ reviewers: - janetkuo - thockin title: Using Admission Controllers +weight: 30 --- {{< toc >}}
diff --git a/content/en/docs/admin/authentication.md b/content/en/docs/reference/access-authn-authz/authentication.md
similarity index 99%
rename from content/en/docs/admin/authentication.md
rename to content/en/docs/reference/access-authn-authz/authentication.md
index 56a026baec..e477cf1a72 100644
--- a/content/en/docs/admin/authentication.md
+++ b/content/en/docs/reference/access-authn-authz/authentication.md
@@ -6,6 +6,7 @@ reviewers: - deads2k - liggitt title: Authenticating +weight: 10 --- {{< toc >}}
diff --git a/content/en/docs/admin/authorization/_index.md b/content/en/docs/reference/access-authn-authz/authorization.md
similarity index 99%
rename from content/en/docs/admin/authorization/_index.md
rename to content/en/docs/reference/access-authn-authz/authorization.md
index fecefa84fd..40dd7d47ab 100644
--- a/content/en/docs/admin/authorization/_index.md
+++ b/content/en/docs/reference/access-authn-authz/authorization.md
@@ -4,8 +4,9 @@ reviewers: - lavalamp - deads2k - liggitt -title: Overview +title: Authorization Overview content_template: templates/concept +weight: 60 --- {{% capture overview %}}
diff --git a/content/en/docs/admin/bootstrap-tokens.md b/content/en/docs/reference/access-authn-authz/bootstrap-tokens.md
similarity index 99%
rename from content/en/docs/admin/bootstrap-tokens.md
rename to content/en/docs/reference/access-authn-authz/bootstrap-tokens.md
index 99f28579ef..de9d77e81b 100644
--- a/content/en/docs/admin/bootstrap-tokens.md
+++ b/content/en/docs/reference/access-authn-authz/bootstrap-tokens.md
@@ -2,6 +2,7 @@ reviewers: - jbeda title: Authenticating with Bootstrap Tokens +weight: 20 --- {{< toc >}}
diff --git a/content/en/docs/admin/accessing-the-api.md b/content/en/docs/reference/access-authn-authz/controlling-access.md
similarity index 99%
rename from content/en/docs/admin/accessing-the-api.md
rename to content/en/docs/reference/access-authn-authz/controlling-access.md
index 4efe355fe4..6926cb6855 100644
--- a/content/en/docs/admin/accessing-the-api.md
+++ b/content/en/docs/reference/access-authn-authz/controlling-access.md
@@ -4,6 +4,7 @@ reviewers: - erictune - lavalamp title: Controlling Access to the Kubernetes API +weight: 5 --- Users [access the API](docs/tasks/access-application-cluster/access-cluster/) using `kubectl`,
diff --git a/content/en/docs/admin/extensible-admission-controllers.md b/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
similarity index 99%
rename from content/en/docs/admin/extensible-admission-controllers.md
rename to content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
index 70fa3e3665..669ec31a33 100644
--- a/content/en/docs/admin/extensible-admission-controllers.md
+++ b/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md
@@ -6,6 +6,7 @@ reviewers: - caesarxuchao - deads2k title: Dynamic Admission Control +weight: 40 --- {{< toc >}}
diff --git a/content/en/docs/admin/authorization/node.md b/content/en/docs/reference/access-authn-authz/node.md
similarity index 99%
rename from content/en/docs/admin/authorization/node.md
rename to content/en/docs/reference/access-authn-authz/node.md
index 32e768f097..d61b43ac74 100644
--- a/content/en/docs/admin/authorization/node.md
+++ b/content/en/docs/reference/access-authn-authz/node.md
@@ -5,6 +5,7 @@ reviewers: - liggitt - ericchiang title: Using Node Authorization +weight: 90 --- {{< toc >}}
diff --git a/content/en/docs/admin/authorization/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md
similarity index 99%
rename from content/en/docs/admin/authorization/rbac.md
rename to content/en/docs/reference/access-authn-authz/rbac.md
index 98be00d071..ea72df7e4a 100644
--- a/content/en/docs/admin/authorization/rbac.md
+++ b/content/en/docs/reference/access-authn-authz/rbac.md
@@ -4,6 +4,7 @@ reviewers: - deads2k - liggitt title: Using RBAC Authorization +weight: 70 --- {{< toc >}}
diff --git a/content/en/docs/admin/service-accounts-admin.md b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md
similarity index 99%
rename from content/en/docs/admin/service-accounts-admin.md
rename to content/en/docs/reference/access-authn-authz/service-accounts-admin.md
index a6a93e86b0..51387e0069 100644
--- a/content/en/docs/admin/service-accounts-admin.md
+++ b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md
@@ -5,6 +5,7 @@ reviewers: - lavalamp - liggitt title: Managing Service Accounts +weight: 50 --- *This is a Cluster Administrator guide to service accounts. It assumes knowledge of
diff --git a/content/en/docs/admin/authorization/webhook.md b/content/en/docs/reference/access-authn-authz/webhook.md
similarity index 99%
rename from content/en/docs/admin/authorization/webhook.md
rename to content/en/docs/reference/access-authn-authz/webhook.md
index 4ce650e090..3989baa724 100644
--- a/content/en/docs/admin/authorization/webhook.md
+++ b/content/en/docs/reference/access-authn-authz/webhook.md
@@ -6,6 +6,7 @@ reviewers: - liggitt title: Webhook Mode content_template: templates/concept +weight: 95 --- {{% capture overview %}}
diff --git a/content/en/docs/reference/feature-gates.md b/content/en/docs/reference/feature-gates.md
deleted file mode 100644
index 659f151e04..0000000000
--- a/content/en/docs/reference/feature-gates.md
+++ /dev/null
@@ -1,226 +0,0 @@ ---- -title: Feature Gates -content_template: templates/concept ---- - -{{% capture overview %}} -This page contains an overview of the various feature gates an administrator -can specify on different Kubernetes components. -{{% /capture %}} - -{{% capture body %}} - -## Overview - -Feature gates are a set of key=value pairs that describe alpha or experimental -features. -An administrator can use the `--feature-gates` command line flag on each component -to turn a feature on or off. -The following table is a summary of the feature gates that you can set on -different Kubernetes components. - -- The "Since" column contains the Kubernetes release when a feature is introduced - or its release stage is changed. -- The "Until" column, if not empty, contains the last Kubernetes release in which - you can still use a feature gate. - -| Feature | Default | Stage | Since | Until | -|---------|---------|-------|-------|-------| -| `Accelerators` | `false` | Alpha | 1.6 | 1.10 | -| `AdvancedAuditing` | `false` | Alpha | 1.7 | 1.7 | -| `AdvancedAuditing` | `true` | Beta | 1.8 | | -| `AffinityInAnnotations` | `false` | Alpha | 1.6 | 1.7 | -| `AllowExtTrafficLocalEndpoints` | `false` | Beta | 1.4 | 1.6 | -| `AllowExtTrafficLocalEndpoints` | `true` | GA | 1.7 | | -| `APIListChunking` | `false` | Alpha | 1.8 | 1.8 | -| `APIListChunking` | `true` | Beta | 1.9 | | -| `APIResponseCompression` | `false` | Alpha | 1.7 | | -| `AppArmor` | `true` | Beta | 1.4 | | -| `BlockVolume` | `false` | Alpha | 1.9 | | -| `CPUManager` | `false` | Alpha | 1.8 | 1.9 | -| `CPUManager` | `true` | Beta | 1.10 | | -| `CRIContainerLogRotation` | `false` | Alpha | 1.10 | | -| `CSIPersistentVolume` | `false` | Alpha | 1.9 | 1.9 | -| `CSIPersistentVolume` | `true` | Beta | 1.10 | | -| `CustomPodDNS` | `false` | Alpha | 1.9 | 1.9 | -| `CustomPodDNS` | `true` | Beta| 1.10 | | -| `CustomResourceSubresources` | `false` | Alpha | 1.10 | | -| `CustomResourceValidation` | `false` | Alpha | 1.8 | 
1.8 | -| `CustomResourceValidation` | `true` | Beta | 1.9 | | -| `DebugContainers` | `false` | Alpha | 1.10 | | -| `DevicePlugins` | `false` | Alpha | 1.8 | 1.9 | -| `DevicePlugins` | `true` | Beta | 1.10 | | -| `DynamicKubeletConfig` | `false` | Alpha | 1.4 | | -| `DynamicVolumeProvisioning` | `true` | Alpha | 1.3 | 1.7 | -| `DynamicVolumeProvisioning` | `true` | GA | 1.8 | | -| `EnableEquivalenceClassCache` | `false` | Alpha | 1.8 | | -| `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.8 | -| `ExperimentalCriticalPodAnnotation` | `false` | Alpha | 1.5 | | -| `ExperimentalHostUserNamespaceDefaulting` | `false` | Beta | 1.5 | | -| `GCERegionalPersistentDisk` | `true` | Beta | 1.10 | | -| `HugePages` | `false` | Alpha | 1.8 | 1.9 | -| `HugePages` | `true` | Beta| 1.10 | | -| `HyperVContainer` | `false` | Alpha | 1.10 | | -| `Initializers` | `false` | Alpha | 1.7 | | -| `KubeletConfigFile` | `false` | Alpha | 1.8 | 1.9 | -| `LocalStorageCapacityIsolation` | `false` | Alpha | 1.7 | 1.9 | -| `LocalStorageCapacityIsolation` | `true` | Beta| 1.10 | | -| `MountContainers` | `false` | Alpha | 1.9 | | -| `MountPropagation` | `false` | Alpha | 1.8 | 1.9 | -| `MountPropagation` | `true` | Beta | 1.10 | | -| `PersistentLocalVolumes` | `false` | Alpha | 1.7 | 1.9 | -| `PersistentLocalVolumes` | `true` | Beta | 1.10 | | -| `PodPriority` | `false` | Alpha | 1.8 | | -| `PodShareProcessNamespace` | `false` | Alpha | 1.10 | | -| `PVCProtection` | `false` | Alpha | 1.9 | 1.9 | -| `ReadOnlyAPIDataVolumes` | `true` | Deprecated | 1.10 | | -| `ResourceLimitsPriorityFunction` | `false` | Alpha | 1.9 | | -| `RotateKubeletClientCertificate` | `true` | Beta | 1.7 | | -| `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | | -| `RunAsGroup` | `false` | Alpha | 1.10 | | -| `ScheduleDaemonSetPods` | `false` | Alpha | 1.10 | | -| `ServiceNodeExclusion` | `false` | Alpha | 1.8 | | -| `StorageObjectInUseProtection` | `true` | Beta | 1.10 | | -| `StreamingProxyRedirects` | `true` | Beta 
| 1.5 | | -| `SupportIPVSProxyMode` | `false` | Alpha | 1.8 | 1.8 | -| `SupportIPVSProxyMode` | `false` | Beta | 1.9 | 1.9 | -| `SupportIPVSProxyMode` | `true` | Beta | 1.10 | | -| `SupportPodPidsLimit` | `false` | Alpha | 1.10 | | -| `TaintBasedEvictions` | `false` | Alpha | 1.6 | | -| `TaintNodesByCondition` | `false` | Alpha | 1.8 | | -| `TokenRequest` | `false` | Alpha | 1.10 | | -| `VolumeScheduling` | `false` | Alpha | 1.9 | 1.9 | -| `VolumeScheduling` | `true` | Beta | 1.10 | | - -## Using a Feature - -### Feature Stages - -A feature can be in *Alpha*, *Beta* or *GA* stage. -An *Alpha* feature means: - -* Disabled by default. -* Might be buggy. Enabling the feature may expose bugs. -* Support for feature may be dropped at any time without notice. -* The API may change in incompatible ways in a later software release without notice. -* Recommended for use only in short-lived testing clusters, due to increased - risk of bugs and lack of long-term support. - -A *Beta* feature means: - -* Enabled by default. -* The feature is well tested. Enabling the feature is considered safe. -* Support for the overall feature will not be dropped, though details may change. -* The schema and/or semantics of objects may change in incompatible ways in a - subsequent beta or stable release. When this happens, we will provide instructions - for migrating to the next version. This may require deleting, editing, and - re-creating API objects. The editing process may require some thought. - This may require downtime for applications that rely on the feature. -* Recommended for only non-business-critical uses because of potential for - incompatible changes in subsequent releases. If you have multiple clusters - that can be upgraded independently, you may be able to relax this restriction. - -{{< note >}} -**Note:** Please do try *Beta* features and give feedback on them! -After they exit beta, it may not be practical for us to make more changes. 
-{{< /note >}} - -A *GA* feature is also referred to as a *stable* feature. It means: - -* The corresponding feature gate is no longer needed. -* Stable versions of features will appear in released software for many subsequent versions. - -### Feature Gates - -Each feature gate is designed for enabling/disabling a specific feature: - -- `Accelerators`: Enable Nvidia GPU support when using Docker -- `AdvancedAuditing`: Enable [advanced auditing](/docs/tasks/debug-application-cluster/audit/#advanced-audit) -- `AffinityInAnnotations`(*deprecated*): Enable setting [Pod affinity or anti-affinitys](/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). -- `AllowExtTrafficLocalEndpoints`: Enable a service to route external requests to node local endpoints. -- `APIListChunking`: Enable the API clients to retrieve (`LIST` or `GET`) resources from API server in chunks. -- `APIResponseCompression`: Compress the API responses for `LIST` or `GET` requests. -- `AppArmor`: Enable AppArmor based mandatory access control on Linux nodes when using Docker. - See [AppArmor Tutorial](/docs/tutorials/clusters/apparmor/) for more details. -- `BlockVolume`: Enable the definition and consumption of raw block devices in Pods. - See [Raw Block Volume Support](/docs/concepts/storage/persistent-volumes/#raw-block-volume-support) - for more details. -- `CPUManager`: Enable container level CPU affinity support, see [CPU Management Policies](/docs/tasks/administer-cluster/cpu-management-policies/). -- `CRIContainerLogRotation`: Enable container log rotation for cri container runtime. -- `CSIPersistentVolume`: Enable discovering and mounting volumes provisioned through a - [CSI (Container Storage Interface)](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/container-storage-interface.md) - compatible volume plugin. - Check the [`csi` volume type](/docs/concepts/storage/volumes/#csi) documentation for more details. 
-- `CustomPodDNS`: Enable customizing the DNS settings for a Pod using its `dnsConfig` property. - Check [Pod's DNS Config](/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) - for more details. -- `CustomResourceSubresources`: Enable `/status` and `/scale` subresources - on resources created from [CustomResourceDefinition](/docs/concepts/api-extension/custom-resources/). -- `CustomResourceValidation`: Enable schema based validation on resources created from - [CustomResourceDefinition](/docs/concepts/api-extension/custom-resources/). -- `DebugContainers`: Enable running a "debugging" container in a Pod's namespace to - troubleshoot a running Pod. -- `DevicePlugins`: Enable the [device-plugins](/docs/concepts/cluster-administration/device-plugins/) - based resource provisioning on nodes. -- `DynamicKubeletConfig`: Enable the dynamic configuration of kubelet. See [Reconfigure kubelet](/docs/tasks/administer-cluster/reconfigure-kubelet/). -- `DynamicVolumeProvisioning`(*deprecated*): Enable the [dynamic provisioning](/docs/concepts/storage/dynamic-provisioning/) of persistent volumes to Pods. -- `EnableEquivalenceClassCache`: Enable the scheduler to cache equivalence of nodes when scheduling Pods. -- `ExpandPersistentVolumes`: Enable the expanding of persistent volumes. See [Expanding Persistent Volumes Claims](/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims). -- `ExperimentalCriticalPodAnnotation`: Enable annotating specific pods as *critical* so that their [scheduling is guaranteed](/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/). -- `ExperimentalHostUserNamespaceDefaultingGate`: Enabling the defaulting user - namespace to host. This is for containers that are using other host namespaces, - host mounts, or containers that are privileged or using specific non-namespaced - capabilities (e.g. `MKNODE`, `SYS_MODULE` etc.). 
This should only be enabled - if user namespace remapping is enabled in the Docker daemon. -- `GCERegionalPersistentDisk`: Enable the regional PD feature on GCE. -- `HugePages`: Enable the allocation and consumption of pre-allocated [huge pages](/docs/tasks/manage-hugepages/scheduling-hugepages/). -- `HyperVContainer`: Enable [Hyper-V isolation](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container) for Windows containers. -- `Intializers`: Enable the [dynamic admission control](/docs/admin/extensible-admission-controllers/) - as an extension to the built-in [admission controllers](/docs/admin/admission-controllers/). - When the `Initializers` admission controller is enabled, this feature is automatically enabled. -- `KubeletConfigFile`: Enable loading kubelet configuration from a file specified using a config file. - See [setting kubelet parameters via a config file](/docs/tasks/administer-cluster/kubelet-config-file/) for more details. -- `LocalStorageCapacityIsolation`: Enable the consumption of [local ephemeral storage](/docs/concepts/configuration/manage-compute-resources-container/) and also the `sizeLimit` property of an [emptyDir volume](/docs/concepts/storage/volumes/#emptydir). -- `MountContainers`: Enable using utility containers on host as the volume mounter. -- `MountPropagation`: Enable sharing volume mounted by one container to other containers or pods. - For more details, please see [mount propagation](/docs/concepts/storage/volumes/#mount-propagation). -- `PersistentLocalVolumes`: Enable the usage of `local` volume type in Pods. - Pod affinity has to be specified if requesting a `local` volume. -- `PodPriority`: Enable the descheduling and preemption of Pods based on their [priorities](/docs/concepts/configuration/pod-priority-preemption/). -- `PVCProtection`: Enable the prevention of a PersistentVolumeClaim (PVC) from - being deleted when it is still used by any Pod. 
- More details can be found [here](/docs/tasks/administer-cluster/pvc-protection/). -- `ReadOnlyAPIDataVolumes`: Set Secret, ConfigMap, DownwardAPI and projected volumes to be mounted in read-only mode. - This gate exists only for backward compatibility. It will be removed in 1.11 release. -- `ResourceLimitsPriorityFunction`: Enable a scheduler priority function that - assigns a lowest possible score of 1 to a node that satisfies at least one of - the input Pod's cpu and memory limits. The intent is to break ties between - nodes with same scores. -- `RotateKubeletClientCertificate`: Enable the rotation of the client TLS certificate on the kubelet. - See [kubelet configuration](/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration) for more details. -- `RotateKubeletServerCertificate`: Enable the rotation of the server TLS certificate on the kubelet. - See [kubelet configuration](/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration) for more details. -- `RunAsGroup`: Enable control over the primary group ID set on the init processes of containers. -- `ScheduleDaemonSetPods`: Enable DaemonSet Pods to be scheduled by the default scheduler instead of the DaemonSet controller. -- `ServiceNodeExclusion`: Enable the exclusion of nodes from load balancers created by a cloud provider. - A node is eligible for exclusion if annotated with "`alpha.service-controller.kubernetes.io/exclude-balancer`" key. -- `StorageObjectInUseProtection`: Postpone the deletion of PersistentVolume or - PersistentVolumeClaim objects if they are still being used. -- `StreamingProxyRedirects`: Instructs the API server to intercept (and follow) - redirects from the backend (kubelet) for streaming requests. - Examples of streaming requests include the `exec`, `attach` and `port-forward` requests. -- `SupportIPVSProxyMode`: Enable providing in-cluster service load balancing using IPVS. 
- See [service proxies](/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies) for more details. -- `SupportPodPidsLimit`: Enable the support to limiting PIDs in Pods. -- `TaintBasedEvictions`: Enable evicting pods from nodes based on taints on nodes and tolerations on Pods. - See [taints and tolerations](/docs/concepts/configuration/taint-and-toleration/) for more details. -- `TaintNodesByCondition`: Enable automatic tainting nodes based on [node conditions](/docs/concepts/architecture/nodes/#condition). -- `TokenRequest`: Enable the `TokenRequest` endpoint on service account resources. -- `VolumeScheduling`: Enable volume topology aware scheduling and make the - PersistentVolumeClaim (PVC) binding aware of scheduling decisions. It also - enables the usage of [`local`](/docs/concepts/storage/volumes/#local) volume - type when used together with the `PersistentLocalVolumes` feature gate. - -{{% /capture %}} - -
diff --git a/content/en/docs/reference/issues-security/_index.md b/content/en/docs/reference/issues-security/_index.md
new file mode 100644
index 0000000000..ec7a38abe1
--- /dev/null
+++ b/content/en/docs/reference/issues-security/_index.md
@@ -0,0 +1,5 @@
+---
+title: Kubernetes Issues and Security
+weight: 10
+toc-hide: true
+---
\ No newline at end of file
diff --git a/content/en/docs/reference/issues-security/issues.md b/content/en/docs/reference/issues-security/issues.md
new file mode 100644
index 0000000000..63fb0041e8
--- /dev/null
+++ b/content/en/docs/reference/issues-security/issues.md
@@ -0,0 +1,6 @@
+---
+title: Kubernetes Issue Tracker
+weight: 10
+---
+
+Work on Kubernetes code is tracked using [GitHub Issues](https://github.com/kubernetes/kubernetes/issues/).
diff --git a/content/en/docs/reference/security.md b/content/en/docs/reference/issues-security/security.md
similarity index 99%
rename from content/en/docs/reference/security.md
rename to content/en/docs/reference/issues-security/security.md
index d214cd573e..4c6c383f41 100644
--- a/content/en/docs/reference/security.md
+++ b/content/en/docs/reference/issues-security/security.md
@@ -7,6 +7,7 @@ reviewers: - erictune - philips - jessfraz +weight: 20 --- ## Security Announcements
diff --git a/content/en/docs/reference/labels-annotations-taints.md b/content/en/docs/reference/kubernetes-api/labels-annotations-taints.md
similarity index 100%
rename from content/en/docs/reference/labels-annotations-taints.md
rename to content/en/docs/reference/kubernetes-api/labels-annotations-taints.md
diff --git a/content/en/docs/reference/using-api/_index.md b/content/en/docs/reference/using-api/_index.md
new file mode 100644
index 0000000000..c6bbb2831b
--- /dev/null
+++ b/content/en/docs/reference/using-api/_index.md
@@ -0,0 +1,5 @@
+---
+title: Using the Kubernetes API
+weight: 10
+toc-hide: true
+---
\ No newline at end of file
diff --git a/content/en/docs/reference/api-concepts.md b/content/en/docs/reference/using-api/api-concepts.md
similarity index 99%
rename from content/en/docs/reference/api-concepts.md
rename to content/en/docs/reference/using-api/api-concepts.md
index 7b7cda12c8..fa86b6fd0c 100644
--- a/content/en/docs/reference/api-concepts.md
+++ b/content/en/docs/reference/using-api/api-concepts.md
@@ -6,6 +6,7 @@ reviewers: - lavalamp - liggitt content_template: templates/concept +weight: 20 --- {{% capture overview %}}
diff --git a/content/en/docs/reference/api-overview.md b/content/en/docs/reference/using-api/api-overview.md
similarity index 99%
rename from content/en/docs/reference/api-overview.md
rename to content/en/docs/reference/using-api/api-overview.md
index 9178031a06..27e0275c44 100644
--- a/content/en/docs/reference/api-overview.md
+++ b/content/en/docs/reference/using-api/api-overview.md
@@ -6,6 +6,7 @@ reviewers: - lavalamp - jbeda content_template: templates/concept +weight: 10 --- {{% capture overview %}}
diff --git a/content/en/docs/reference/client-libraries.md b/content/en/docs/reference/using-api/client-libraries.md
similarity index 99%
rename from content/en/docs/reference/client-libraries.md
rename to content/en/docs/reference/using-api/client-libraries.md
index 4a21b62a08..00902f55ad 100644
--- a/content/en/docs/reference/client-libraries.md
+++ b/content/en/docs/reference/using-api/client-libraries.md
@@ -3,6 +3,7 @@ title: Client Libraries reviewers: - ahmetb content_template: templates/concept +weight: 30 --- {{% capture overview %}}
diff --git a/content/en/docs/reference/deprecation-policy.md b/content/en/docs/reference/using-api/deprecation-policy.md
similarity index 99%
rename from content/en/docs/reference/deprecation-policy.md
rename to content/en/docs/reference/using-api/deprecation-policy.md
index 1fb99934f6..8e8e2e1052 100644
--- a/content/en/docs/reference/deprecation-policy.md
+++ b/content/en/docs/reference/using-api/deprecation-policy.md
@@ -4,6 +4,7 @@ reviewers: - lavalamp - thockin title: Kubernetes Deprecation Policy +weight: 40 --- Kubernetes is a large system with many components and many contributors. As
diff --git a/content/en/docs/reference/workloads-18-19.md b/content/en/docs/reference/workloads-18-19.md
deleted file mode 100644
index c1ed999881..0000000000
--- a/content/en/docs/reference/workloads-18-19.md
+++ /dev/null
@@ -1,261 +0,0 @@ ---- -title: Workloads API changes in versions 1.8 and 1.9 -approvers: -- steveperry-53 -- kow3ns ---- - -## Overview - -The Kubernetes core Workloads API includes the Deployment, DaemonSet, ReplicaSet, and StatefulSet kinds. To provide a stable API for users to orchestrate their workloads, we are prioritizing promoting these kinds to GA. The batch Workloads API (Job and CronJob), while also important, is not part of this effort, and it will have a separate path to GA stability. - -- In the 1.8 release, we introduce the apps/v1beta2 API group and version. This beta version of the core Workloads API contains the Deployment, DaemonSet, ReplicaSet, and StatefulSet kinds, and it is the version we plan to promote to GA in the 1.9 release provided the feedback is positive. - -- In the 1.9 release, we plan to introduce the apps/v1 group version. We intend to promote the apps/v1beta2 group version in its entirety to apps/v1 and to deprecate apps/v1beta2 at that time. - -- We realize that even after the release of apps/v1, users will need time to migrate their code from extensions/v1beta1, apps/v1beta1, and apps/v1beta2. It is important to remember that the minimum support durations listed in the deprecations guidelines are minimums. We will continue to support conversion between groups and versions until users have had sufficient time to migrate. - -## Migration - -This section contains information to assist users in migrating core Workloads API kinds between group versions. - -### General - -- If you are using kinds from the extensions/v1beta1 or apps/v1beta1 group versions, you can wait to migrate existing code until after the release of the apps/v1 group version. - -- If your deployment requires features that are available in the apps/v1beta2 group version, you can migrate to this group version before the apps/v1 release. - -- You should develop all new code against the latest stable release. 
- -- You can run `kubectl convert` to convert manifests between group versions. - -### Migrating to apps/v1beta2 - -This section provides information on migrating to the apps/v1beta2 group version. It covers general changes to the core Workloads API kinds. For changes that affect a specific kind (for example, default values), consult the reference documentation for the kind. - -#### Default selectors are deprecated - -In earlier versions of the apps and extensions groups, the spec.selectors of the core Workloads API kinds were, when left unspecified, defaulted to a LabelSelector generated from the spec.template.metadata.labels. - -User feedback led us to determine that, as it is incompatible with strategic merge patch and kubectl apply, defaulting the value of a field from the value of another field of the same object is an anti-pattern. - -#### Immutable selectors - -We have always cautioned users against selector mutation. The core Workloads API controller does not, in the general case, handle selector mutation gracefully. - -To provide a consistent, usable, and stable API, selectors are immutable for all kinds in the apps/v1beta2 group and version. - -We believe that there are better ways to support features like promotable canaries and orchestrated Pod relabeling, but if restricted selector mutation is a necessary feature for our users, we can relax immutability before GA without breaking backward compatibility. - -The development of features like promotable canaries, orchestrated Pod relabeling, and restricted selector mutability is driven by demand signals from our users. If you are currently modifying the selectors of your core Workloads API objects, please tell us about your use case in a GitHub issue or by participating in SIG-apps. - -#### Default rolling updates - -Before apps/v1beta2, some kinds defaulted the spec.updateStrategy to a strategy other than RollingUpdate. For example, apps/v1beta1 StatefulSet specifies OnDelete by default. 
In apps/v1beta2 the spec.updateStrategy for all kinds defaults to RollingUpdate. - -#### Created-by annotation is deprecated - -"kubernetes.io/created-by" is deprecated in version 1.8. Instead, you should specify an object’s ControllerRef from its ownerReferences to determine object ownership. - -## Timeline - -This section details the timeline for promotion and deprecation of kinds in the core Workloads API. - -### Release 1.8 - -In Kubernetes 1.8, we unify the core Workloads API kinds in a single group and version. We address consistency, usability, and stability issues across the API surface. We have deprecated portions of the apps/v1beta1 group version and the extension/v1beta1 group version and replaced them with the apps/v1beta2 group version. The table below shows the kinds that are deprecated and the kinds that replace them. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
DeprecatedReplaced By
GroupVersionKindGroupVersionKind
appsv1beta1Deploymentappsv1beta2Deployment
appsv1beta1ReplicaSetappsv1beta2ReplicaSet
appsv1beta1StatefulSetappsv1beta2StatefulSet
extensionsv1beta1Deploymentappsv1beta2Deployment
extensionsv1beta1DaemonSetappsv1beta2DaemonSet
extensionsv1beta1StatefulSetappsv1beta2StatefulSet
- -### Release 1.9 - -In Kubernetes 1.9, our goal is to address any feedback on the apps/v1beta2 group version and to promote the group version to GA. The table below shows the kinds that we plan to deprecate and the kinds that will replace them. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
DeprecatedReplaced By
GroupVersionKindGroupVersionKind
appsv1beta2Deploymentappsv1Deployment
appsv1beta2DaemonSetappsv1DaemonSet
appsv1beta2ReplicaSetappsv1ReplicaSet
appsv1beta2StatefulSetappsv1StatefulSet
- -### Post 1.9 - -Because users will continue to depend on extensions/v1beta1, apps/v1beta1, and apps/v1beta2, we will not completely remove deprecated kinds in these group versions upon GA promotion. Instead, we will provide auto-conversion between the deprecated portions of the API surface and the GA version. The table below shows the bidirectional conversion that we will support. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
GAPrevious
GroupVersionKindGroupVersionKind
appsv1Deploymentappsv1beta1Deployment
appsv1beta2Deployment
extensionsv1beta1Deployment
appsv1Daemonsetappsv1beta2DaemonSet
extensionsv1beta1DaemonSet
appsv1ReplicaSetappsv1beta1ReplicaSet
appsv1beta2ReplicaSet
extensionsv1beta1ReplicaSet
appsv1StatefulSetappsv1beta1StatefulSet
appsv1beta2StatefulSet
diff --git a/static/_redirects b/static/_redirects
index a6637f428a..841fb91380 100644
--- a/static/_redirects
+++ b/static/_redirects
@@ -484,3 +484,15 @@ https://kubernetes-io-v1-7.netlify.com/* https://v1-7.docs.kubernetes.io/:spl /docs/reference/generated/kubeadm/ /docs/reference/setup-tools/kubeadm/kubeadm/ 301 /editdocs/ /docs/home/contribute/ 301
+
+/docs/admin/accessing-the-api/ /docs/reference/access-authn-authz/controlling-access/ 301
+/docs/admin/admission-controllers/ /docs/reference/access-authn-authz/admission-controllers/ 301
+/docs/admin/authentication/ /docs/reference/access-authn-authz/authentication/ 301
+/docs/admin/bootstrap-tokens/ /docs/reference/access-authn-authz/bootstrap-tokens/ 301
+/docs/admin/extensible-admission-controllers/ /docs/reference/access-authn-authz/extensible-admission-controllers/ 301
+/docs/admin/service-accounts-admin/ /docs/reference/access-authn-authz/service-accounts-admin/ 301
+/docs/admin/authorization/abac/ /docs/reference/access-authn-authz/abac/ 301
+/docs/admin/authorization/node/ /docs/reference/access-authn-authz/node/ 301
+/docs/admin/authorization/rbac/ /docs/reference/access-authn-authz/rbac/ 301
+/docs/admin/authorization/webhook/ /docs/reference/access-authn-authz/webhook/ 301
+/docs/admin/authorization/ /docs/reference/access-authn-authz/authorization/ 301
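Review bot: The added rules cover only the pages moved out of `/docs/admin/`; the pages this commit moves inside `/docs/reference/` get no rule in this hunk, so old links to them would 404 unless they are redirected somewhere not visible here. The one that matters most is the security page, moved from `/docs/reference/security/` to `/docs/reference/issues-security/security/`: it carries the Security Announcements section and is the kind of URL that gets bookmarked and linked from outside, so I would add `/docs/reference/security/ /docs/reference/issues-security/security/ 301`. The same applies to `api-concepts`, `api-overview`, `client-libraries` and `deprecation-policy` (now under `/docs/reference/using-api/`) and to `labels-annotations-taints` (now under `/docs/reference/kubernetes-api/`). The two deleted pages, `/docs/reference/feature-gates/` and `/docs/reference/workloads-18-19/`, also have no target here; if the deletion is intended, a rule pointing each at whatever page replaces it would avoid dead links.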