move access/auth content to reference folder, add TOC (#8624)
parent
f4158d642b
commit
1f557bde2c
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Accessing the API
|
||||||
|
weight: 20
|
||||||
|
toc-hide: true
|
||||||
|
---
|
|
@ -4,8 +4,9 @@ reviewers:
|
||||||
- lavalamp
|
- lavalamp
|
||||||
- deads2k
|
- deads2k
|
||||||
- liggitt
|
- liggitt
|
||||||
title: ABAC Mode
|
title: Using ABAC Authorization
|
||||||
content_template: templates/concept
|
content_template: templates/concept
|
||||||
|
weight: 80
|
||||||
---
|
---
|
||||||
|
|
||||||
{{% capture overview %}}
|
{{% capture overview %}}
|
|
@ -7,6 +7,7 @@ reviewers:
|
||||||
- janetkuo
|
- janetkuo
|
||||||
- thockin
|
- thockin
|
||||||
title: Using Admission Controllers
|
title: Using Admission Controllers
|
||||||
|
weight: 30
|
||||||
---
|
---
|
||||||
|
|
||||||
{{< toc >}}
|
{{< toc >}}
|
|
@ -6,6 +6,7 @@ reviewers:
|
||||||
- deads2k
|
- deads2k
|
||||||
- liggitt
|
- liggitt
|
||||||
title: Authenticating
|
title: Authenticating
|
||||||
|
weight: 10
|
||||||
---
|
---
|
||||||
|
|
||||||
{{< toc >}}
|
{{< toc >}}
|
|
@ -4,8 +4,9 @@ reviewers:
|
||||||
- lavalamp
|
- lavalamp
|
||||||
- deads2k
|
- deads2k
|
||||||
- liggitt
|
- liggitt
|
||||||
title: Overview
|
title: Authorization Overview
|
||||||
content_template: templates/concept
|
content_template: templates/concept
|
||||||
|
weight: 60
|
||||||
---
|
---
|
||||||
|
|
||||||
{{% capture overview %}}
|
{{% capture overview %}}
|
|
@ -2,6 +2,7 @@
|
||||||
reviewers:
|
reviewers:
|
||||||
- jbeda
|
- jbeda
|
||||||
title: Authenticating with Bootstrap Tokens
|
title: Authenticating with Bootstrap Tokens
|
||||||
|
weight: 20
|
||||||
---
|
---
|
||||||
|
|
||||||
{{< toc >}}
|
{{< toc >}}
|
|
@ -4,6 +4,7 @@ reviewers:
|
||||||
- erictune
|
- erictune
|
||||||
- lavalamp
|
- lavalamp
|
||||||
title: Controlling Access to the Kubernetes API
|
title: Controlling Access to the Kubernetes API
|
||||||
|
weight: 5
|
||||||
---
|
---
|
||||||
|
|
||||||
Users [access the API](docs/tasks/access-application-cluster/access-cluster/) using `kubectl`,
|
Users [access the API](docs/tasks/access-application-cluster/access-cluster/) using `kubectl`,
|
|
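Review bot: the context line `[access the API](docs/tasks/access-application-cluster/access-cluster/)` at the end of this hunk has no leading slash, so the link resolves relative to the page's own URL. The redirects added in this commit show the page moving from `/docs/admin/accessing-the-api/` to `/docs/reference/access-authn-authz/controlling-access/`, which changes where that link lands. Make it root-relative (`/docs/tasks/access-application-cluster/access-cluster/`) as part of this move.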
@ -6,6 +6,7 @@ reviewers:
|
||||||
- caesarxuchao
|
- caesarxuchao
|
||||||
- deads2k
|
- deads2k
|
||||||
title: Dynamic Admission Control
|
title: Dynamic Admission Control
|
||||||
|
weight: 40
|
||||||
---
|
---
|
||||||
|
|
||||||
{{< toc >}}
|
{{< toc >}}
|
|
@ -5,6 +5,7 @@ reviewers:
|
||||||
- liggitt
|
- liggitt
|
||||||
- ericchiang
|
- ericchiang
|
||||||
title: Using Node Authorization
|
title: Using Node Authorization
|
||||||
|
weight: 90
|
||||||
---
|
---
|
||||||
|
|
||||||
{{< toc >}}
|
{{< toc >}}
|
|
@ -4,6 +4,7 @@ reviewers:
|
||||||
- deads2k
|
- deads2k
|
||||||
- liggitt
|
- liggitt
|
||||||
title: Using RBAC Authorization
|
title: Using RBAC Authorization
|
||||||
|
weight: 70
|
||||||
---
|
---
|
||||||
|
|
||||||
{{< toc >}}
|
{{< toc >}}
|
|
@ -5,6 +5,7 @@ reviewers:
|
||||||
- lavalamp
|
- lavalamp
|
||||||
- liggitt
|
- liggitt
|
||||||
title: Managing Service Accounts
|
title: Managing Service Accounts
|
||||||
|
weight: 50
|
||||||
---
|
---
|
||||||
|
|
||||||
*This is a Cluster Administrator guide to service accounts. It assumes knowledge of
|
*This is a Cluster Administrator guide to service accounts. It assumes knowledge of
|
|
@ -6,6 +6,7 @@ reviewers:
|
||||||
- liggitt
|
- liggitt
|
||||||
title: Webhook Mode
|
title: Webhook Mode
|
||||||
content_template: templates/concept
|
content_template: templates/concept
|
||||||
|
weight: 95
|
||||||
---
|
---
|
||||||
|
|
||||||
{{% capture overview %}}
|
{{% capture overview %}}
|
|
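Review bot: `title: Webhook Mode` is left unchanged in this hunk, while the same commit renames `ABAC Mode` to `Using ABAC Authorization` and the other pages in the new folder are titled `Using RBAC Authorization` and `Using Node Authorization`. Rename this one to match (for example `Using Webhook Authorization`) so the authorization entries read consistently in the new TOC, or state in the commit message why it keeps the old form.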
@ -1,226 +0,0 @@
|
||||||
---
|
|
||||||
title: Feature Gates
|
|
||||||
content_template: templates/concept
|
|
||||||
---
|
|
||||||
|
|
||||||
{{% capture overview %}}
|
|
||||||
This page contains an overview of the various feature gates an administrator
|
|
||||||
can specify on different Kubernetes components.
|
|
||||||
{{% /capture %}}
|
|
||||||
|
|
||||||
{{% capture body %}}
|
|
||||||
|
|
||||||
## Overview
|
|
||||||
|
|
||||||
Feature gates are a set of key=value pairs that describe alpha or experimental
|
|
||||||
features.
|
|
||||||
An administrator can use the `--feature-gates` command line flag on each component
|
|
||||||
to turn a feature on or off.
|
|
||||||
The following table is a summary of the feature gates that you can set on
|
|
||||||
different Kubernetes components.
|
|
||||||
|
|
||||||
- The "Since" column contains the Kubernetes release when a feature is introduced
|
|
||||||
or its release stage is changed.
|
|
||||||
- The "Until" column, if not empty, contains the last Kubernetes release in which
|
|
||||||
you can still use a feature gate.
|
|
||||||
|
|
||||||
| Feature | Default | Stage | Since | Until |
|
|
||||||
|---------|---------|-------|-------|-------|
|
|
||||||
| `Accelerators` | `false` | Alpha | 1.6 | 1.10 |
|
|
||||||
| `AdvancedAuditing` | `false` | Alpha | 1.7 | 1.7 |
|
|
||||||
| `AdvancedAuditing` | `true` | Beta | 1.8 | |
|
|
||||||
| `AffinityInAnnotations` | `false` | Alpha | 1.6 | 1.7 |
|
|
||||||
| `AllowExtTrafficLocalEndpoints` | `false` | Beta | 1.4 | 1.6 |
|
|
||||||
| `AllowExtTrafficLocalEndpoints` | `true` | GA | 1.7 | |
|
|
||||||
| `APIListChunking` | `false` | Alpha | 1.8 | 1.8 |
|
|
||||||
| `APIListChunking` | `true` | Beta | 1.9 | |
|
|
||||||
| `APIResponseCompression` | `false` | Alpha | 1.7 | |
|
|
||||||
| `AppArmor` | `true` | Beta | 1.4 | |
|
|
||||||
| `BlockVolume` | `false` | Alpha | 1.9 | |
|
|
||||||
| `CPUManager` | `false` | Alpha | 1.8 | 1.9 |
|
|
||||||
| `CPUManager` | `true` | Beta | 1.10 | |
|
|
||||||
| `CRIContainerLogRotation` | `false` | Alpha | 1.10 | |
|
|
||||||
| `CSIPersistentVolume` | `false` | Alpha | 1.9 | 1.9 |
|
|
||||||
| `CSIPersistentVolume` | `true` | Beta | 1.10 | |
|
|
||||||
| `CustomPodDNS` | `false` | Alpha | 1.9 | 1.9 |
|
|
||||||
| `CustomPodDNS` | `true` | Beta| 1.10 | |
|
|
||||||
| `CustomResourceSubresources` | `false` | Alpha | 1.10 | |
|
|
||||||
| `CustomResourceValidation` | `false` | Alpha | 1.8 | 1.8 |
|
|
||||||
| `CustomResourceValidation` | `true` | Beta | 1.9 | |
|
|
||||||
| `DebugContainers` | `false` | Alpha | 1.10 | |
|
|
||||||
| `DevicePlugins` | `false` | Alpha | 1.8 | 1.9 |
|
|
||||||
| `DevicePlugins` | `true` | Beta | 1.10 | |
|
|
||||||
| `DynamicKubeletConfig` | `false` | Alpha | 1.4 | |
|
|
||||||
| `DynamicVolumeProvisioning` | `true` | Alpha | 1.3 | 1.7 |
|
|
||||||
| `DynamicVolumeProvisioning` | `true` | GA | 1.8 | |
|
|
||||||
| `EnableEquivalenceClassCache` | `false` | Alpha | 1.8 | |
|
|
||||||
| `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.8 |
|
|
||||||
| `ExperimentalCriticalPodAnnotation` | `false` | Alpha | 1.5 | |
|
|
||||||
| `ExperimentalHostUserNamespaceDefaulting` | `false` | Beta | 1.5 | |
|
|
||||||
| `GCERegionalPersistentDisk` | `true` | Beta | 1.10 | |
|
|
||||||
| `HugePages` | `false` | Alpha | 1.8 | 1.9 |
|
|
||||||
| `HugePages` | `true` | Beta| 1.10 | |
|
|
||||||
| `HyperVContainer` | `false` | Alpha | 1.10 | |
|
|
||||||
| `Initializers` | `false` | Alpha | 1.7 | |
|
|
||||||
| `KubeletConfigFile` | `false` | Alpha | 1.8 | 1.9 |
|
|
||||||
| `LocalStorageCapacityIsolation` | `false` | Alpha | 1.7 | 1.9 |
|
|
||||||
| `LocalStorageCapacityIsolation` | `true` | Beta| 1.10 | |
|
|
||||||
| `MountContainers` | `false` | Alpha | 1.9 | |
|
|
||||||
| `MountPropagation` | `false` | Alpha | 1.8 | 1.9 |
|
|
||||||
| `MountPropagation` | `true` | Beta | 1.10 | |
|
|
||||||
| `PersistentLocalVolumes` | `false` | Alpha | 1.7 | 1.9 |
|
|
||||||
| `PersistentLocalVolumes` | `true` | Beta | 1.10 | |
|
|
||||||
| `PodPriority` | `false` | Alpha | 1.8 | |
|
|
||||||
| `PodShareProcessNamespace` | `false` | Alpha | 1.10 | |
|
|
||||||
| `PVCProtection` | `false` | Alpha | 1.9 | 1.9 |
|
|
||||||
| `ReadOnlyAPIDataVolumes` | `true` | Deprecated | 1.10 | |
|
|
||||||
| `ResourceLimitsPriorityFunction` | `false` | Alpha | 1.9 | |
|
|
||||||
| `RotateKubeletClientCertificate` | `true` | Beta | 1.7 | |
|
|
||||||
| `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | |
|
|
||||||
| `RunAsGroup` | `false` | Alpha | 1.10 | |
|
|
||||||
| `ScheduleDaemonSetPods` | `false` | Alpha | 1.10 | |
|
|
||||||
| `ServiceNodeExclusion` | `false` | Alpha | 1.8 | |
|
|
||||||
| `StorageObjectInUseProtection` | `true` | Beta | 1.10 | |
|
|
||||||
| `StreamingProxyRedirects` | `true` | Beta | 1.5 | |
|
|
||||||
| `SupportIPVSProxyMode` | `false` | Alpha | 1.8 | 1.8 |
|
|
||||||
| `SupportIPVSProxyMode` | `false` | Beta | 1.9 | 1.9 |
|
|
||||||
| `SupportIPVSProxyMode` | `true` | Beta | 1.10 | |
|
|
||||||
| `SupportPodPidsLimit` | `false` | Alpha | 1.10 | |
|
|
||||||
| `TaintBasedEvictions` | `false` | Alpha | 1.6 | |
|
|
||||||
| `TaintNodesByCondition` | `false` | Alpha | 1.8 | |
|
|
||||||
| `TokenRequest` | `false` | Alpha | 1.10 | |
|
|
||||||
| `VolumeScheduling` | `false` | Alpha | 1.9 | 1.9 |
|
|
||||||
| `VolumeScheduling` | `true` | Beta | 1.10 | |
|
|
||||||
|
|
||||||
## Using a Feature
|
|
||||||
|
|
||||||
### Feature Stages
|
|
||||||
|
|
||||||
A feature can be in *Alpha*, *Beta* or *GA* stage.
|
|
||||||
An *Alpha* feature means:
|
|
||||||
|
|
||||||
* Disabled by default.
|
|
||||||
* Might be buggy. Enabling the feature may expose bugs.
|
|
||||||
* Support for feature may be dropped at any time without notice.
|
|
||||||
* The API may change in incompatible ways in a later software release without notice.
|
|
||||||
* Recommended for use only in short-lived testing clusters, due to increased
|
|
||||||
risk of bugs and lack of long-term support.
|
|
||||||
|
|
||||||
A *Beta* feature means:
|
|
||||||
|
|
||||||
* Enabled by default.
|
|
||||||
* The feature is well tested. Enabling the feature is considered safe.
|
|
||||||
* Support for the overall feature will not be dropped, though details may change.
|
|
||||||
* The schema and/or semantics of objects may change in incompatible ways in a
|
|
||||||
subsequent beta or stable release. When this happens, we will provide instructions
|
|
||||||
for migrating to the next version. This may require deleting, editing, and
|
|
||||||
re-creating API objects. The editing process may require some thought.
|
|
||||||
This may require downtime for applications that rely on the feature.
|
|
||||||
* Recommended for only non-business-critical uses because of potential for
|
|
||||||
incompatible changes in subsequent releases. If you have multiple clusters
|
|
||||||
that can be upgraded independently, you may be able to relax this restriction.
|
|
||||||
|
|
||||||
{{< note >}}
|
|
||||||
**Note:** Please do try *Beta* features and give feedback on them!
|
|
||||||
After they exit beta, it may not be practical for us to make more changes.
|
|
||||||
{{< /note >}}
|
|
||||||
|
|
||||||
A *GA* feature is also referred to as a *stable* feature. It means:
|
|
||||||
|
|
||||||
* The corresponding feature gate is no longer needed.
|
|
||||||
* Stable versions of features will appear in released software for many subsequent versions.
|
|
||||||
|
|
||||||
### Feature Gates
|
|
||||||
|
|
||||||
Each feature gate is designed for enabling/disabling a specific feature:
|
|
||||||
|
|
||||||
- `Accelerators`: Enable Nvidia GPU support when using Docker
|
|
||||||
- `AdvancedAuditing`: Enable [advanced auditing](/docs/tasks/debug-application-cluster/audit/#advanced-audit)
|
|
||||||
- `AffinityInAnnotations`(*deprecated*): Enable setting [Pod affinity or anti-affinitys](/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
|
|
||||||
- `AllowExtTrafficLocalEndpoints`: Enable a service to route external requests to node local endpoints.
|
|
||||||
- `APIListChunking`: Enable the API clients to retrieve (`LIST` or `GET`) resources from API server in chunks.
|
|
||||||
- `APIResponseCompression`: Compress the API responses for `LIST` or `GET` requests.
|
|
||||||
- `AppArmor`: Enable AppArmor based mandatory access control on Linux nodes when using Docker.
|
|
||||||
See [AppArmor Tutorial](/docs/tutorials/clusters/apparmor/) for more details.
|
|
||||||
- `BlockVolume`: Enable the definition and consumption of raw block devices in Pods.
|
|
||||||
See [Raw Block Volume Support](/docs/concepts/storage/persistent-volumes/#raw-block-volume-support)
|
|
||||||
for more details.
|
|
||||||
- `CPUManager`: Enable container level CPU affinity support, see [CPU Management Policies](/docs/tasks/administer-cluster/cpu-management-policies/).
|
|
||||||
- `CRIContainerLogRotation`: Enable container log rotation for cri container runtime.
|
|
||||||
- `CSIPersistentVolume`: Enable discovering and mounting volumes provisioned through a
|
|
||||||
[CSI (Container Storage Interface)](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/container-storage-interface.md)
|
|
||||||
compatible volume plugin.
|
|
||||||
Check the [`csi` volume type](/docs/concepts/storage/volumes/#csi) documentation for more details.
|
|
||||||
- `CustomPodDNS`: Enable customizing the DNS settings for a Pod using its `dnsConfig` property.
|
|
||||||
Check [Pod's DNS Config](/docs/concepts/services-networking/dns-pod-service/#pods-dns-config)
|
|
||||||
for more details.
|
|
||||||
- `CustomResourceSubresources`: Enable `/status` and `/scale` subresources
|
|
||||||
on resources created from [CustomResourceDefinition](/docs/concepts/api-extension/custom-resources/).
|
|
||||||
- `CustomResourceValidation`: Enable schema based validation on resources created from
|
|
||||||
[CustomResourceDefinition](/docs/concepts/api-extension/custom-resources/).
|
|
||||||
- `DebugContainers`: Enable running a "debugging" container in a Pod's namespace to
|
|
||||||
troubleshoot a running Pod.
|
|
||||||
- `DevicePlugins`: Enable the [device-plugins](/docs/concepts/cluster-administration/device-plugins/)
|
|
||||||
based resource provisioning on nodes.
|
|
||||||
- `DynamicKubeletConfig`: Enable the dynamic configuration of kubelet. See [Reconfigure kubelet](/docs/tasks/administer-cluster/reconfigure-kubelet/).
|
|
||||||
- `DynamicVolumeProvisioning`(*deprecated*): Enable the [dynamic provisioning](/docs/concepts/storage/dynamic-provisioning/) of persistent volumes to Pods.
|
|
||||||
- `EnableEquivalenceClassCache`: Enable the scheduler to cache equivalence of nodes when scheduling Pods.
|
|
||||||
- `ExpandPersistentVolumes`: Enable the expanding of persistent volumes. See [Expanding Persistent Volumes Claims](/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims).
|
|
||||||
- `ExperimentalCriticalPodAnnotation`: Enable annotating specific pods as *critical* so that their [scheduling is guaranteed](/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/).
|
|
||||||
- `ExperimentalHostUserNamespaceDefaultingGate`: Enabling the defaulting user
|
|
||||||
namespace to host. This is for containers that are using other host namespaces,
|
|
||||||
host mounts, or containers that are privileged or using specific non-namespaced
|
|
||||||
capabilities (e.g. `MKNODE`, `SYS_MODULE` etc.). This should only be enabled
|
|
||||||
if user namespace remapping is enabled in the Docker daemon.
|
|
||||||
- `GCERegionalPersistentDisk`: Enable the regional PD feature on GCE.
|
|
||||||
- `HugePages`: Enable the allocation and consumption of pre-allocated [huge pages](/docs/tasks/manage-hugepages/scheduling-hugepages/).
|
|
||||||
- `HyperVContainer`: Enable [Hyper-V isolation](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container) for Windows containers.
|
|
||||||
- `Intializers`: Enable the [dynamic admission control](/docs/admin/extensible-admission-controllers/)
|
|
||||||
as an extension to the built-in [admission controllers](/docs/admin/admission-controllers/).
|
|
||||||
When the `Initializers` admission controller is enabled, this feature is automatically enabled.
|
|
||||||
- `KubeletConfigFile`: Enable loading kubelet configuration from a file specified using a config file.
|
|
||||||
See [setting kubelet parameters via a config file](/docs/tasks/administer-cluster/kubelet-config-file/) for more details.
|
|
||||||
- `LocalStorageCapacityIsolation`: Enable the consumption of [local ephemeral storage](/docs/concepts/configuration/manage-compute-resources-container/) and also the `sizeLimit` property of an [emptyDir volume](/docs/concepts/storage/volumes/#emptydir).
|
|
||||||
- `MountContainers`: Enable using utility containers on host as the volume mounter.
|
|
||||||
- `MountPropagation`: Enable sharing volume mounted by one container to other containers or pods.
|
|
||||||
For more details, please see [mount propagation](/docs/concepts/storage/volumes/#mount-propagation).
|
|
||||||
- `PersistentLocalVolumes`: Enable the usage of `local` volume type in Pods.
|
|
||||||
Pod affinity has to be specified if requesting a `local` volume.
|
|
||||||
- `PodPriority`: Enable the descheduling and preemption of Pods based on their [priorities](/docs/concepts/configuration/pod-priority-preemption/).
|
|
||||||
- `PVCProtection`: Enable the prevention of a PersistentVolumeClaim (PVC) from
|
|
||||||
being deleted when it is still used by any Pod.
|
|
||||||
More details can be found [here](/docs/tasks/administer-cluster/pvc-protection/).
|
|
||||||
- `ReadOnlyAPIDataVolumes`: Set Secret, ConfigMap, DownwardAPI and projected volumes to be mounted in read-only mode.
|
|
||||||
This gate exists only for backward compatibility. It will be removed in 1.11 release.
|
|
||||||
- `ResourceLimitsPriorityFunction`: Enable a scheduler priority function that
|
|
||||||
assigns a lowest possible score of 1 to a node that satisfies at least one of
|
|
||||||
the input Pod's cpu and memory limits. The intent is to break ties between
|
|
||||||
nodes with same scores.
|
|
||||||
- `RotateKubeletClientCertificate`: Enable the rotation of the client TLS certificate on the kubelet.
|
|
||||||
See [kubelet configuration](/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration) for more details.
|
|
||||||
- `RotateKubeletServerCertificate`: Enable the rotation of the server TLS certificate on the kubelet.
|
|
||||||
See [kubelet configuration](/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration) for more details.
|
|
||||||
- `RunAsGroup`: Enable control over the primary group ID set on the init processes of containers.
|
|
||||||
- `ScheduleDaemonSetPods`: Enable DaemonSet Pods to be scheduled by the default scheduler instead of the DaemonSet controller.
|
|
||||||
- `ServiceNodeExclusion`: Enable the exclusion of nodes from load balancers created by a cloud provider.
|
|
||||||
A node is eligible for exclusion if annotated with "`alpha.service-controller.kubernetes.io/exclude-balancer`" key.
|
|
||||||
- `StorageObjectInUseProtection`: Postpone the deletion of PersistentVolume or
|
|
||||||
PersistentVolumeClaim objects if they are still being used.
|
|
||||||
- `StreamingProxyRedirects`: Instructs the API server to intercept (and follow)
|
|
||||||
redirects from the backend (kubelet) for streaming requests.
|
|
||||||
Examples of streaming requests include the `exec`, `attach` and `port-forward` requests.
|
|
||||||
- `SupportIPVSProxyMode`: Enable providing in-cluster service load balancing using IPVS.
|
|
||||||
See [service proxies](/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies) for more details.
|
|
||||||
- `SupportPodPidsLimit`: Enable the support to limiting PIDs in Pods.
|
|
||||||
- `TaintBasedEvictions`: Enable evicting pods from nodes based on taints on nodes and tolerations on Pods.
|
|
||||||
See [taints and tolerations](/docs/concepts/configuration/taint-and-toleration/) for more details.
|
|
||||||
- `TaintNodesByCondition`: Enable automatic tainting nodes based on [node conditions](/docs/concepts/architecture/nodes/#condition).
|
|
||||||
- `TokenRequest`: Enable the `TokenRequest` endpoint on service account resources.
|
|
||||||
- `VolumeScheduling`: Enable volume topology aware scheduling and make the
|
|
||||||
PersistentVolumeClaim (PVC) binding aware of scheduling decisions. It also
|
|
||||||
enables the usage of [`local`](/docs/concepts/storage/volumes/#local) volume
|
|
||||||
type when used together with the `PersistentLocalVolumes` feature gate.
|
|
||||||
|
|
||||||
{{% /capture %}}
|
|
||||||
|
|
||||||
|
|
|
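Review bot: this hunk deletes the entire Feature Gates page (`@ -1,226 +0,0`), which the commit message "move access/auth content to reference folder, add TOC" does not mention. Say in the message where this content now lives, or split the removal into its own commit so it can be reviewed and reverted separately. If a copy survives elsewhere, two list entries in the deleted text disagree with its own table and should be fixed there: `Intializers` against `Initializers`, and `ExperimentalHostUserNamespaceDefaultingGate` against `ExperimentalHostUserNamespaceDefaulting`.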
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Kubernetes Issues and Security
|
||||||
|
weight: 10
|
||||||
|
toc-hide: true
|
||||||
|
---
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
title: Kubernetes Issue Tracker
|
||||||
|
weight: 10
|
||||||
|
---
|
||||||
|
|
||||||
|
Work on Kubernetes code is tracked using [GitHub Issues](https://github.com/kubernetes/kubernetes/issues/).
|
|
@ -7,6 +7,7 @@ reviewers:
|
||||||
- erictune
|
- erictune
|
||||||
- philips
|
- philips
|
||||||
- jessfraz
|
- jessfraz
|
||||||
|
weight: 20
|
||||||
---
|
---
|
||||||
|
|
||||||
## Security Announcements
|
## Security Announcements
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Using the Kubernetes API
|
||||||
|
weight: 10
|
||||||
|
toc-hide: true
|
||||||
|
---
|
|
@ -6,6 +6,7 @@ reviewers:
|
||||||
- lavalamp
|
- lavalamp
|
||||||
- liggitt
|
- liggitt
|
||||||
content_template: templates/concept
|
content_template: templates/concept
|
||||||
|
weight: 20
|
||||||
---
|
---
|
||||||
|
|
||||||
{{% capture overview %}}
|
{{% capture overview %}}
|
|
@ -6,6 +6,7 @@ reviewers:
|
||||||
- lavalamp
|
- lavalamp
|
||||||
- jbeda
|
- jbeda
|
||||||
content_template: templates/concept
|
content_template: templates/concept
|
||||||
|
weight: 10
|
||||||
---
|
---
|
||||||
|
|
||||||
{{% capture overview %}}
|
{{% capture overview %}}
|
|
@ -3,6 +3,7 @@ title: Client Libraries
|
||||||
reviewers:
|
reviewers:
|
||||||
- ahmetb
|
- ahmetb
|
||||||
content_template: templates/concept
|
content_template: templates/concept
|
||||||
|
weight: 30
|
||||||
---
|
---
|
||||||
|
|
||||||
{{% capture overview %}}
|
{{% capture overview %}}
|
|
@ -4,6 +4,7 @@ reviewers:
|
||||||
- lavalamp
|
- lavalamp
|
||||||
- thockin
|
- thockin
|
||||||
title: Kubernetes Deprecation Policy
|
title: Kubernetes Deprecation Policy
|
||||||
|
weight: 40
|
||||||
---
|
---
|
||||||
|
|
||||||
Kubernetes is a large system with many components and many contributors. As
|
Kubernetes is a large system with many components and many contributors. As
|
|
@ -1,261 +0,0 @@
|
||||||
---
|
|
||||||
title: Workloads API changes in versions 1.8 and 1.9
|
|
||||||
approvers:
|
|
||||||
- steveperry-53
|
|
||||||
- kow3ns
|
|
||||||
---
|
|
||||||
|
|
||||||
## Overview
|
|
||||||
|
|
||||||
The Kubernetes core Workloads API includes the Deployment, DaemonSet, ReplicaSet, and StatefulSet kinds. To provide a stable API for users to orchestrate their workloads, we are prioritizing promoting these kinds to GA. The batch Workloads API (Job and CronJob), while also important, is not part of this effort, and it will have a separate path to GA stability.
|
|
||||||
|
|
||||||
- In the 1.8 release, we introduce the apps/v1beta2 API group and version. This beta version of the core Workloads API contains the Deployment, DaemonSet, ReplicaSet, and StatefulSet kinds, and it is the version we plan to promote to GA in the 1.9 release provided the feedback is positive.
|
|
||||||
|
|
||||||
- In the 1.9 release, we plan to introduce the apps/v1 group version. We intend to promote the apps/v1beta2 group version in its entirety to apps/v1 and to deprecate apps/v1beta2 at that time.
|
|
||||||
|
|
||||||
- We realize that even after the release of apps/v1, users will need time to migrate their code from extensions/v1beta1, apps/v1beta1, and apps/v1beta2. It is important to remember that the minimum support durations listed in the deprecations guidelines are minimums. We will continue to support conversion between groups and versions until users have had sufficient time to migrate.
|
|
||||||
|
|
||||||
## Migration
|
|
||||||
|
|
||||||
This section contains information to assist users in migrating core Workloads API kinds between group versions.
|
|
||||||
|
|
||||||
### General
|
|
||||||
|
|
||||||
- If you are using kinds from the extensions/v1beta1 or apps/v1beta1 group versions, you can wait to migrate existing code until after the release of the apps/v1 group version.
|
|
||||||
|
|
||||||
- If your deployment requires features that are available in the apps/v1beta2 group version, you can migrate to this group version before the apps/v1 release.
|
|
||||||
|
|
||||||
- You should develop all new code against the latest stable release.
|
|
||||||
|
|
||||||
- You can run `kubectl convert` to convert manifests between group versions.
|
|
||||||
|
|
||||||
### Migrating to apps/v1beta2
|
|
||||||
|
|
||||||
This section provides information on migrating to the apps/v1beta2 group version. It covers general changes to the core Workloads API kinds. For changes that affect a specific kind (for example, default values), consult the reference documentation for the kind.
|
|
||||||
|
|
||||||
#### Default selectors are deprecated
|
|
||||||
|
|
||||||
In earlier versions of the apps and extensions groups, the spec.selectors of the core Workloads API kinds were, when left unspecified, defaulted to a LabelSelector generated from the spec.template.metadata.labels.
|
|
||||||
|
|
||||||
User feedback led us to determine that, as it is incompatible with strategic merge patch and kubectl apply, defaulting the value of a field from the value of another field of the same object is an anti-pattern.
|
|
||||||
|
|
||||||
#### Immutable selectors
|
|
||||||
|
|
||||||
We have always cautioned users against selector mutation. The core Workloads API controller does not, in the general case, handle selector mutation gracefully.
|
|
||||||
|
|
||||||
To provide a consistent, usable, and stable API, selectors are immutable for all kinds in the apps/v1beta2 group and version.
|
|
||||||
|
|
||||||
We believe that there are better ways to support features like promotable canaries and orchestrated Pod relabeling, but if restricted selector mutation is a necessary feature for our users, we can relax immutability before GA without breaking backward compatibility.
|
|
||||||
|
|
||||||
The development of features like promotable canaries, orchestrated Pod relabeling, and restricted selector mutability is driven by demand signals from our users. If you are currently modifying the selectors of your core Workloads API objects, please tell us about your use case in a GitHub issue or by participating in SIG-apps.
|
|
||||||
|
|
||||||
#### Default rolling updates
|
|
||||||
|
|
||||||
Before apps/v1beta2, some kinds defaulted the spec.updateStrategy to a strategy other than RollingUpdate. For example, apps/v1beta1 StatefulSet specifies OnDelete by default. In apps/v1beta2 the spec.updateStrategy for all kinds defaults to RollingUpdate.
|
|
||||||
|
|
||||||
#### Created-by annotation is deprecated
|
|
||||||
|
|
||||||
"kubernetes.io/created-by" is deprecated in version 1.8. Instead, you should specify an object’s ControllerRef from its ownerReferences to determine object ownership.
|
|
||||||
|
|
||||||
## Timeline
|
|
||||||
|
|
||||||
This section details the timeline for promotion and deprecation of kinds in the core Workloads API.
|
|
||||||
|
|
||||||
### Release 1.8
|
|
||||||
|
|
||||||
In Kubernetes 1.8, we unify the core Workloads API kinds in a single group and version. We address consistency, usability, and stability issues across the API surface. We have deprecated portions of the apps/v1beta1 group version and the extension/v1beta1 group version and replaced them with the apps/v1beta2 group version. The table below shows the kinds that are deprecated and the kinds that replace them.
|
|
||||||
|
|
||||||
<table style="width:100%">
|
|
||||||
<tr>
|
|
||||||
<th colspan="3">Deprecated</th>
|
|
||||||
<th colspan="3">Replaced By</th>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Group</td>
|
|
||||||
<td>Version</td>
|
|
||||||
<td>Kind</td>
|
|
||||||
<td>Group</td>
|
|
||||||
<td>Version</td>
|
|
||||||
<td>Kind</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>Deployment</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>Deployment</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>ReplicaSet</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>ReplicaSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>StatefulSet</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>StatefulSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>extensions</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>Deployment</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>Deployment</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>extensions</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>DaemonSet</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>DaemonSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>extensions</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>StatefulSet</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>StatefulSet</td>
|
|
||||||
</tr>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
### Release 1.9
|
|
||||||
|
|
||||||
In Kubernetes 1.9, our goal is to address any feedback on the apps/v1beta2 group version and to promote the group version to GA. The table below shows the kinds that we plan to deprecate and the kinds that will replace them.
|
|
||||||
|
|
||||||
<table style="width:100%">
|
|
||||||
<tr>
|
|
||||||
<th colspan="3">Deprecated</th>
|
|
||||||
<th colspan="3">Replaced By</th>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Group</td>
|
|
||||||
<td>Version</td>
|
|
||||||
<td>Kind</td>
|
|
||||||
<td>Group</td>
|
|
||||||
<td>Version</td>
|
|
||||||
<td>Kind</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>Deployment</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1</td>
|
|
||||||
<td>Deployment</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>DaemonSet</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1</td>
|
|
||||||
<td>DaemonSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>ReplicaSet</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1</td>
|
|
||||||
<td>ReplicaSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>StatefulSet</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1</td>
|
|
||||||
<td>StatefulSet</td>
|
|
||||||
</tr>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
### Post 1.9
|
|
||||||
|
|
||||||
Because users will continue to depend on extensions/v1beta1, apps/v1beta1, and apps/v1beta2, we will not completely remove deprecated kinds in these group versions upon GA promotion. Instead, we will provide auto-conversion between the deprecated portions of the API surface and the GA version. The table below shows the bidirectional conversion that we will support.
|
|
||||||
|
|
||||||
<table style="width:100%">
|
|
||||||
<tr>
|
|
||||||
<th colspan="3">GA</th>
|
|
||||||
<th colspan="3">Previous</th>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Group</td>
|
|
||||||
<td>Version</td>
|
|
||||||
<td>Kind</td>
|
|
||||||
<td>Group</td>
|
|
||||||
<td>Version</td>
|
|
||||||
<td>Kind</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td rowspan="3">apps</td>
|
|
||||||
<td rowspan="3">v1</td>
|
|
||||||
<td rowspan="3">Deployment</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>Deployment</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>Deployment</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>extensions</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>Deployment</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td rowspan="2">apps</td>
|
|
||||||
<td rowspan="2">v1</td>
|
|
||||||
<td rowspan="2">Daemonset</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>DaemonSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>extensions</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>DaemonSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td rowspan="3">apps</td>
|
|
||||||
<td rowspan="3">v1</td>
|
|
||||||
<td rowspan="3">ReplicaSet</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>ReplicaSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>ReplicaSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>extensions</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>ReplicaSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td rowspan="2">apps</td>
|
|
||||||
<td rowspan="2">v1</td>
|
|
||||||
<td rowspan="2">StatefulSet</td>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta1</td>
|
|
||||||
<td>StatefulSet</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>apps</td>
|
|
||||||
<td>v1beta2</td>
|
|
||||||
<td>StatefulSet</td>
|
|
||||||
</tr>
|
|
||||||
</table>
|
|
|
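Review bot: the Workloads API 1.8/1.9 page is removed outright here, and the redirects hunk in this commit adds 301 rules only for the access/auth paths. Add a rule for this page's old URL, or confirm nothing links to it, so readers following the migration guidance are not sent to a 404. As with the Feature Gates removal, the deletion is outside what the commit message describes.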
@ -484,3 +484,15 @@ https://kubernetes-io-v1-7.netlify.com/* https://v1-7.docs.kubernetes.io/:spl
|
||||||
/docs/reference/generated/kubeadm/ /docs/reference/setup-tools/kubeadm/kubeadm/ 301
|
/docs/reference/generated/kubeadm/ /docs/reference/setup-tools/kubeadm/kubeadm/ 301
|
||||||
|
|
||||||
/editdocs/ /docs/home/contribute/ 301
|
/editdocs/ /docs/home/contribute/ 301
|
||||||
|
|
||||||
|
/docs/admin/accessing-the-api/ /docs/reference/access-authn-authz/controlling-access/ 301
|
||||||
|
/docs/admin/admission-controllers/ /docs/reference/access-authn-authz/admission-controllers/ 301
|
||||||
|
/docs/admin/authentication/ /docs/reference/access-authn-authz/authentication/ 301
|
||||||
|
/docs/admin/bootstrap-tokens/ /docs/reference/access-authn-authz/bootstrap-tokens/ 301
|
||||||
|
/docs/admin/extensible-admission-controllers/ /docs/reference/access-authn-authz/extensible-admission-controllers/ 301
|
||||||
|
/docs/admin/service-accounts-admin/ /docs/reference/access-authn-authz/service-accounts-admin/ 301
|
||||||
|
/docs/admin/authorization/abac/ /docs/reference/access-authn-authz/abac/ 301
|
||||||
|
/docs/admin/authorization/node/ /docs/reference/access-authn-authz/node/ 301
|
||||||
|
/docs/admin/authorization/rbac/ /docs/reference/access-authn-authz/rbac/ 301
|
||||||
|
/docs/admin/authorization/webhook/ /docs/reference/access-authn-authz/webhook/ 301
|
||||||
|
/docs/admin/authorization/ /docs/reference/access-authn-authz/authorization/ 301
|
||||||
|
|