Fix for non-building file; also exemplifies what needs to happen to get to a non-munged/pure-Jekyll page.

pull/43/head
John Mulhausen 2016-02-10 17:20:22 -08:00
parent 233c6de2b9
commit 21497a421d
412 changed files with 83390 additions and 775 deletions

File diff suppressed because one or more lines are too long

View File

@ -43,4 +43,4 @@ $(document).ready(function(){
var result = $('<ul style="list-style-type: none; padding-left:0px;">');
buildRec(headingNodes,result,1);
$("#pageTOC").append(result);
});
});
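Review bot: the changed lines of this hunk are hidden (the page reports the file diff as suppressed), so only the unchanged tail of the `$(document).ready` handler is visible: it builds a `<ul>` with an inline `style` attribute, fills it via `buildRec(headingNodes,result,1)` and appends it to `#pageTOC`. The actual 4-for-4 line replacement (`-43,4 +43,4`) has to be checked in the full file view before this is approved. While here, the inline `list-style-type: none; padding-left:0px;` would be better as a class in `/css/styles.css` so the generated TOC markup stays style-free.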

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,138 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes API Reference</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes API Reference</h1>
<h2 id="kubernetes-api-reference">Kubernetes API Reference</h2>
<p>Use these reference documents to learn how to interact with Kubernetes through the REST API.</p>
<p>You can also view details about the <em>Extensions API</em>. For more about extensions, see <a href="docs/api.html">API versioning</a>.</p>
<p>Table of Contents:</p>
<ul id="toclist">
</ul>
<script>
$(function() {
$('#toclist').load( location.pathname + " #gentocapiref li" );
});
</script>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
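Review bot: the inline script at the end of `#docsContent` calls `$('#toclist').load( location.pathname + " #gentocapiref li" )`, which re-fetches this same page and copies in the `li` children of an element with id `gentocapiref`; nothing in this file defines that id, so `#toclist` stays empty unless the Jekyll layout or an include supplies it. Either render the table of contents at build time or point the selector at an element that actually exists. Separately, `<a href="docs/api.html">` is a relative link and resolves against whatever directory this page is served from, unlike the root-relative `/v1.1/...` links in the vendor strip; make it root-relative too.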

View File

@ -0,0 +1,136 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Application Administration: Detailed Walkthrough</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Application Administration: Detailed Walkthrough</h1>
<h2 id="application-administration-detailed-walkthrough">Application Administration: Detailed Walkthrough</h2>
<p>The detailed walkthrough covers all the in-depth details and tasks for administering your applications in Kubernetes.</p>
<p>Table of Contents:</p>
<ul id="toclist">
</ul>
<script>
$(function() {
$('#toclist').load( location.pathname + " #gentocappadmin li" );
});
</script>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
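Review bot: the `<head>`, `<header>`, hero section and `<footer>` of this file are byte-for-byte identical to the API reference page added in the same commit; only the `<title>`, the two headings, the one-sentence intro and the `#gentocappadmin` selector differ. Since the commit message aims at a pure-Jekyll page, that chrome belongs in a `_layouts` template with `{{ content }}` and a `title` front-matter variable, so each page carries only its own body; otherwise every future nav or footer change has to be replicated across every generated page.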

View File

@ -0,0 +1,136 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Quick Walkthrough: Kubernetes Basics</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Quick Walkthrough: Kubernetes Basics</h1>
<h2 id="quick-walkthrough-kubernetes-basics">Quick Walkthrough: Kubernetes Basics</h2>
<p>Use this quick walkthrough of Kubernetes to learn about the basic application administration tasks.</p>
<p>Table of Contents:</p>
<ul id="toclist">
</ul>
<script>
$(function() {
$('#toclist').load( location.pathname + " #gentocbasictut li" );
});
</script>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
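Review bot: in the `<head>`, `/js/script.js` is loaded before `/js/jquery-2.2.0.min.js`. If `script.js` touches `$` or `jQuery` at load time (the `kub` object used by the `onclick="kub.toggleMenu()"` handlers presumably comes from it or from `non-mini.js`), it will throw before jQuery exists, and the menu toggles on `#cellophane` and `#hamburger` will be dead. Load `jquery-2.2.0.min.js` first, then `script.js` and `non-mini.js`, or give all three `defer` so they execute in document order after parsing.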

View File

@ -0,0 +1,136 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Examples: Deploying Clusters</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Examples: Deploying Clusters</h1>
<h2 id="examples-deploying-clusters">Examples: Deploying Clusters</h2>
<p>Use the following examples to learn how to deploy your application into a Kubernetes cluster.</p>
<p>Table of Contents:</p>
<ul id="toclist">
</ul>
<script>
$(function() {
$('#toclist').load( location.pathname + " #gentocdplyclst li" );
});
</script>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
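Review bot: the shared navigation still carries placeholder content that will be stamped into every page: the four `.nav-box` headings and the `View On Github` button link to `href=""` (which simply reloads the current page), three of the nav descriptions are lorem ipsum (`Pellentesque in ipsum...`, `Vestibulum ac diam...`, `Curabitur arcu erat...`), the hero `<h1></h1>` and `<h5></h5>` are empty, and the footer Community link points at `/foobang.html`. Fill these in or drop them before the template is finalized. This page also has no `#gentocdplyclst` element for the `.load()` call to pull from, so its table of contents will render empty.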

View File

@ -0,0 +1,174 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Documentation: releases.k8s.io/release-1.1</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Documentation: releases.k8s.io/release-1.1</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-documentation-releasesk8siorelease-11">Kubernetes Documentation: releases.k8s.io/release-1.1</h1>
<ul>
<li>
<p>The <a href="user-guide/README.html">Users guide</a> is for anyone who wants to run programs and
services on an existing Kubernetes cluster.</p>
</li>
<li>
<p>The <a href="admin/README.html">Cluster Admins guide</a> is for anyone setting up
a Kubernetes cluster or administering it.</p>
</li>
<li>
<p>The <a href="devel/README.html">Developer guide</a> is for anyone wanting to write
programs that access the Kubernetes API, write plugins or extensions, or
modify the core code of Kubernetes.</p>
</li>
<li>
<p>The <a href="user-guide/kubectl/kubectl.html">Kubectl Command Line Interface</a> is a detailed reference on
the <code>kubectl</code> CLI.</p>
</li>
<li>
<p>The <a href="http://kubernetes.io/third_party/swagger-ui/">API object documentation</a>
is a detailed description of all fields found in core API objects.</p>
</li>
<li>
<p>An overview of the <a href="design/">Design of Kubernetes</a></p>
</li>
<li>
<p>There are example files and walkthroughs in the <a href="../examples/">examples</a>
folder.</p>
</li>
<li>
<p>If something went wrong, see the <a href="troubleshooting.html">troubleshooting</a> document for how to debug.
You should also check the <a href="user-guide/known-issues.html">known issues</a> for the release youre using.</p>
</li>
<li>
<p>To report a security issue, see <a href="reporting-security-issues.html">Reporting a Security Issue</a>.</p>
</li>
</ul>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
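Review bot: the munger artefacts survived conversion: the `<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->`, `IS_VERSIONED` and `GENERATED_ANALYTICS` comment blocks, plus the analytics `<img>` wrapped in an empty `<a href="">` with the `<!-- END MUNGE: GENERATED_ANALYTICS -->` comment left inside the `<p>`. For a non-munged page these should be stripped from the source markdown or replaced by a Jekyll include. Two further nits: the page has two `<h1>` elements with the same text (one plain, one with `id="kubernetes-documentation-releasesk8siorelease-11"`), and the apostrophe is missing in `release youre using`, which looks like a smart quote dropped during conversion. The relative links `user-guide/README.html`, `design/` and `../examples/` also assume the old `docs/` directory layout and should be checked against the new site structure.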

View File

@ -0,0 +1,188 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Cluster Admin Guide</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Cluster Admin Guide</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-cluster-admin-guide">Kubernetes Cluster Admin Guide</h1>
<p>The cluster admin guide is for anyone creating or administering a Kubernetes cluster.
It assumes some familiarity with concepts in the <a href="../user-guide/README.html">User Guide</a>.</p>
<h2 id="admin-guide-table-of-contents">Admin Guide Table of Contents</h2>
<p><a href="introduction.html">Introduction</a></p>
<ol>
<li><a href="cluster-components.html">Components of a cluster</a></li>
<li><a href="cluster-management.html">Cluster Management</a></li>
<li>Administrating Master Components
1. <a href="kube-apiserver.html">The kube-apiserver binary</a>
<ol>
<li><a href="authorization.html">Authorization</a></li>
<li><a href="authentication.html">Authentication</a></li>
<li><a href="accessing-the-api.html">Accessing the api</a></li>
<li><a href="admission-controllers.html">Admission Controllers</a></li>
<li><a href="service-accounts-admin.html">Administrating Service Accounts</a></li>
<li><a href="resource-quota.html">Resource Quotas</a>
<ol>
<li><a href="kube-scheduler.html">The kube-scheduler binary</a></li>
<li><a href="kube-controller-manager.html">The kube-controller-manager binary</a></li>
</ol>
</li>
</ol>
</li>
<li><a href="node.html">Administrating Kubernetes Nodes</a>
1. <a href="kubelet.html">The kubelet binary</a>
<ol>
<li><a href="garbage-collection.html">Garbage Collection</a>
<ol>
<li><a href="kube-proxy.html">The kube-proxy binary</a></li>
</ol>
</li>
</ol>
</li>
<li>Administrating Addons
1. <a href="dns.html">DNS</a></li>
<li><a href="networking.html">Networking</a>
1. <a href="ovs-networking.html">OVS Networking</a></li>
<li>Example Configurations
1. <a href="multi-cluster.html">Multiple Clusters</a>
1. <a href="high-availability.html">High Availability Clusters</a>
1. <a href="cluster-large.html">Large Clusters</a>
1. <a href="../getting-started-guides/scratch.html">Getting started from scratch</a>
<ol>
<li><a href="salt.html">Kubernetess use of salt</a></li>
</ol>
</li>
<li><a href="cluster-troubleshooting.html">Troubleshooting</a></li>
</ol>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
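Review bot: the nested table of contents rendered incorrectly from the markdown: `1. <a href="kube-apiserver.html">The kube-apiserver binary</a>` and `1. <a href="kubelet.html">The kubelet binary</a>` appear as literal `1.` text inside their parent `<li>` instead of as nested `<ol>` items, the kube-scheduler and kube-controller-manager entries end up nested under `Resource Quotas`, kube-proxy under `Garbage Collection`, and `Kubernetess use of salt` under `Getting started from scratch`. Those presumably belong at the same level as `The kube-apiserver binary` and `The kubelet binary` respectively, so the list indentation in the source needs fixing rather than the generated HTML. `Kubernetess` is also missing its apostrophe, another dropped smart quote.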

View File

@ -0,0 +1,206 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Configuring APIserver ports</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Configuring APIserver ports</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="configuring-apiserver-ports">Configuring APIserver ports</h1>
<p>This document describes what ports the Kubernetes apiserver
may serve on and how to reach them. The audience is
cluster administrators who want to customize their cluster
or understand the details.</p>
<p>Most questions about accessing the cluster are covered
in <a href="../user-guide/accessing-the-cluster.html">Accessing the cluster</a>.</p>
<h2 id="ports-and-ips-served-on">Ports and IPs Served On</h2>
<p>The Kubernetes API is served by the Kubernetes apiserver process. Typically,
there is one of these running on a single kubernetes-master node.</p>
<p>By default the Kubernetes APIserver serves HTTP on 2 ports:
1. Localhost Port
- serves HTTP
- default is port 8080, change with <code>--insecure-port</code> flag.
- defaults IP is localhost, change with <code>--insecure-bind-address</code> flag.
- no authentication or authorization checks in HTTP
- protected by need to have host access
2. Secure Port
- default is port 6443, change with <code>--secure-port</code> flag.
- default IP is first non-localhost network interface, change with <code>--bind-address</code> flag.
- serves HTTPS. Set cert with <code>--tls-cert-file</code> and key with <code>--tls-private-key-file</code> flag.
- uses token-file or client-certificate based <a href="authentication.html">authentication</a>.
- uses policy-based <a href="authorization.html">authorization</a>.
3. Removed: ReadOnly Port
- For security reasons, this had to be removed. Use the <a href="../user-guide/service-accounts.html">service account</a> feature instead.</p>
<h2 id="proxies-and-firewall-rules">Proxies and Firewall rules</h2>
<p>Additionally, in some configurations there is a proxy (nginx) running
on the same machine as the apiserver process. The proxy serves HTTPS protected
by Basic Auth on port 443, and proxies to the apiserver on localhost:8080. In
these configurations the secure port is typically set to 6443.</p>
<p>A firewall rule is typically configured to allow external HTTPS access to port 443.</p>
<p>The above are defaults and reflect how Kubernetes is deployed to Google Compute Engine using
kube-up.sh. Other cloud providers may vary.</p>
<h2 id="use-cases-vs-ipports">Use Cases vs IP:Ports</h2>
<p>There are three differently configured serving ports because there are a
variety of uses cases:
1. Clients outside of a Kubernetes cluster, such as human running <code>kubectl</code>
on desktop machine. Currently, accesses the Localhost Port via a proxy (nginx)
running on the <code>kubernetes-master</code> machine. The proxy can use cert-based authentication
or token-based authentication.
2. Processes running in Containers on Kubernetes that need to read from
the apiserver. Currently, these can use a <a href="../user-guide/service-accounts.html">service account</a>.
3. Scheduler and Controller-manager processes, which need to do read-write
API operations. Currently, these have to run on the same host as the
apiserver and use the Localhost Port. In the future, these will be
switched to using service accounts to avoid the need to be co-located.
4. Kubelets, which need to do read-write API operations and are necessarily
on different machines than the apiserver. Kubelet uses the Secure Port
to get their pods, to find the services that a pod can see, and to
write events. Credentials are distributed to kubelets at cluster
setup time. Kubelet and kube-proxy can use cert-based authentication or token-based
authentication.</p>
<h2 id="expected-changes">Expected changes</h2>
<ul>
<li>Policy will limit the actions kubelets can do via the authed port.</li>
<li>Scheduler and Controller-manager will use the Secure Port too. They
will then be able to run on different machines than the apiserver.</li>
</ul>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/accessing-the-api.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
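Review bot: the port list names `--insecure-bind-address` as the way to move the Localhost Port off localhost, yet the same list says that port has `no authentication or authorization checks in HTTP` and is `protected by need to have host access`; the doc should state plainly that binding the insecure port to any non-loopback address removes that protection and exposes the same read-write API the scheduler and controller-manager use, and that the firewall rule described (`allow external HTTPS access to port 443`) must not be widened to 8080. Both numbered lists in this file (`1. Localhost Port` through `3. Removed: ReadOnly Port`, and `1. Clients outside of a Kubernetes cluster` through `4. Kubelets`) are raw markdown inside a single `<p>` and render as run-on text; the page title also appears twice (`<h1>Configuring APIserver ports</h1>` and the `id="configuring-apiserver-ports"` heading), the hero `<h1></h1>` and `<h5></h5>` are empty, and the `View On Github` button has an empty `href`.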


@ -0,0 +1,297 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Admission Controllers</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Admission Controllers</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="admission-controllers">Admission Controllers</h1>
<p><strong>Table of Contents</strong>
<!-- BEGIN MUNGE: GENERATED_TOC --></p>
<ul>
<li><a href="#admission-controllers">Admission Controllers</a>
<ul>
<li><a href="#what-are-they">What are they?</a></li>
<li><a href="#why-do-i-need-them">Why do I need them?</a></li>
<li><a href="#how-do-i-turn-on-an-admission-control-plug-in">How do I turn on an admission control plug-in?</a></li>
<li><a href="#what-does-each-plug-in-do">What does each plug-in do?</a>
<ul>
<li><a href="#alwaysadmit">AlwaysAdmit</a></li>
<li><a href="#alwaysdeny">AlwaysDeny</a></li>
<li><a href="#denyexeconprivileged-deprecated">DenyExecOnPrivileged (deprecated)</a></li>
<li><a href="#denyescalatingexec">DenyEscalatingExec</a></li>
<li><a href="#serviceaccount">ServiceAccount</a></li>
<li><a href="#securitycontextdeny">SecurityContextDeny</a></li>
<li><a href="#resourcequota">ResourceQuota</a></li>
<li><a href="#limitranger">LimitRanger</a></li>
<li><a href="#initialresources-experimental">InitialResources (experimental)</a></li>
<li><a href="#namespaceexists-deprecated">NamespaceExists (deprecated)</a></li>
<li><a href="#namespaceautoprovision-deprecated">NamespaceAutoProvision (deprecated)</a></li>
<li><a href="#namespacelifecycle">NamespaceLifecycle</a></li>
</ul>
</li>
<li><a href="#is-there-a-recommended-set-of-plug-ins-to-use">Is there a recommended set of plug-ins to use?</a></li>
</ul>
</li>
</ul>
<!-- END MUNGE: GENERATED_TOC -->
<h2 id="what-are-they">What are they?</h2>
<p>An admission control plug-in is a piece of code that intercepts requests to the Kubernetes
API server prior to persistence of the object, but after the request is authenticated
and authorized. The plug-in code is in the API server process
and must be compiled into the binary in order to be used at this time.</p>
<p>Each admission control plug-in is run in sequence before a request is accepted into the cluster. If
any of the plug-ins in the sequence reject the request, the entire request is rejected immediately
and an error is returned to the end-user.</p>
<p>Admission control plug-ins may mutate the incoming object in some cases to apply system configured
defaults. In addition, admission control plug-ins may mutate related resources as part of request
processing to do things like increment quota usage.</p>
<h2 id="why-do-i-need-them">Why do I need them?</h2>
<p>Many advanced features in Kubernetes require an admission control plug-in to be enabled in order
to properly support the feature. As a result, a Kubernetes API server that is not properly
configured with the right set of admission control plug-ins is an incomplete server and will not
support all the features you expect.</p>
<h2 id="how-do-i-turn-on-an-admission-control-plug-in">How do I turn on an admission control plug-in?</h2>
<p>The Kubernetes API server supports a flag, <code>admission-control</code> that takes a comma-delimited,
ordered list of admission control choices to invoke prior to modifying objects in the cluster.</p>
<h2 id="what-does-each-plug-in-do">What does each plug-in do?</h2>
<h3 id="alwaysadmit">AlwaysAdmit</h3>
<p>Use this plugin by itself to pass-through all requests.</p>
<h3 id="alwaysdeny">AlwaysDeny</h3>
<p>Rejects all requests. Used for testing.</p>
<h3 id="denyexeconprivileged-deprecated">DenyExecOnPrivileged (deprecated)</h3>
<p>This plug-in will intercept all requests to exec a command in a pod if that pod has a privileged container.</p>
<p>If your cluster supports privileged containers, and you want to restrict the ability of end-users to exec
commands in those containers, we strongly encourage enabling this plug-in.</p>
<p>This functionality has been merged into <a href="#denyescalatingexec">DenyEscalatingExec</a>.</p>
<h3 id="denyescalatingexec">DenyEscalatingExec</h3>
<p>This plug-in will deny exec and attach commands to pods that run with escalated privileges that
allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and
have access to the host PID namespace.</p>
<p>If your cluster supports containers that run with escalated privileges, and you want to
restrict the ability of end-users to exec commands in those containers, we strongly encourage
enabling this plug-in.</p>
<h3 id="serviceaccount">ServiceAccount</h3>
<p>This plug-in implements automation for <a href="../user-guide/service-accounts.html">serviceAccounts</a>.
We strongly recommend using this plug-in if you intend to make use of Kubernetes <code>ServiceAccount</code> objects.</p>
<h3 id="securitycontextdeny">SecurityContextDeny</h3>
<p>This plug-in will deny any pod with a <a href="../user-guide/security-context.html">SecurityContext</a> that defines options that were not available on the <code>Container</code>.</p>
<h3 id="resourcequota">ResourceQuota</h3>
<p>This plug-in will observe the incoming request and ensure that it does not violate any of the constraints
enumerated in the <code>ResourceQuota</code> object in a <code>Namespace</code>. If you are using <code>ResourceQuota</code>
objects in your Kubernetes deployment, you MUST use this plug-in to enforce quota constraints.</p>
<p>See the <a href="../design/admission_control_resource_quota.html">resourceQuota design doc</a> and the <a href="resourcequota/">example of Resource Quota</a> for more details.</p>
<p>It is strongly encouraged that this plug-in is configured last in the sequence of admission control plug-ins. This is
so that quota is not prematurely incremented only for the request to be rejected later in admission control.</p>
<h3 id="limitranger">LimitRanger</h3>
<p>This plug-in will observe the incoming request and ensure that it does not violate any of the constraints
enumerated in the <code>LimitRange</code> object in a <code>Namespace</code>. If you are using <code>LimitRange</code> objects in
your Kubernetes deployment, you MUST use this plug-in to enforce those constraints. LimitRanger can also
be used to apply default resource requests to Pods that dont specify any; currently, the default LimitRanger
applies a 0.1 CPU requirement to all Pods in the <code>default</code> namespace.</p>
<p>See the <a href="../design/admission_control_limit_range.html">limitRange design doc</a> and the <a href="limitrange/">example of Limit Range</a> for more details.</p>
<h3 id="initialresources-experimental">InitialResources (experimental)</h3>
<p>This plug-in observes pod creation requests. If a container omits compute resource requests and limits,
then the plug-in auto-populates a compute resource request based on historical usage of containers running the same image.
If there is not enough data to make a decision the Request is left unchanged.
When the plug-in sets a compute resource request, it annotates the pod with information on what compute resources it auto-populated.</p>
<p>See the <a href="../proposals/initial-resources.html">InitialResouces proposal</a> for more details.</p>
<h3 id="namespaceexists-deprecated">NamespaceExists (deprecated)</h3>
<p>This plug-in will observe all incoming requests that attempt to create a resource in a Kubernetes <code>Namespace</code>
and reject the request if the <code>Namespace</code> was not previously created. We strongly recommend running
this plug-in to ensure integrity of your data.</p>
<p>The functionality of this admission controller has been merged into <code>NamespaceLifecycle</code></p>
<h3 id="namespaceautoprovision-deprecated">NamespaceAutoProvision (deprecated)</h3>
<p>This plug-in will observe all incoming requests that attempt to create a resource in a Kubernetes <code>Namespace</code>
and create a new <code>Namespace</code> if one did not already exist previously.</p>
<p>We strongly recommend <code>NamespaceLifecycle</code> over <code>NamespaceAutoProvision</code>.</p>
<h3 id="namespacelifecycle">NamespaceLifecycle</h3>
<p>This plug-in enforces that a <code>Namespace</code> that is undergoing termination cannot have new objects created in it,
and ensures that requests in a non-existant <code>Namespace</code> are rejected.</p>
<p>A <code>Namespace</code> deletion kicks off a sequence of operations that remove all objects (pods, services, etc.) in that
namespace. In order to enforce integrity of that process, we strongly recommend running this plug-in.</p>
<h2 id="is-there-a-recommended-set-of-plug-ins-to-use">Is there a recommended set of plug-ins to use?</h2>
<p>Yes.</p>
<p>For Kubernetes 1.0, we strongly recommend running the following set of admission control plug-ins (order matters):</p>
<pre><code>
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
</code></pre>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/admission-controllers.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
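Review bot: the recommended value `--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota` leaves out `DenyEscalatingExec`, although the DenyEscalatingExec section says "we strongly encourage enabling this plug-in" for clusters that support containers with escalated privileges; either add it to the recommended list or say in that section why it is omitted. Smaller points: "For Kubernetes 1.0, we strongly recommend" is stale on a site whose version strip offers 1.1; the prose names the flag as `admission-control` while the example uses `--admission-control`; the `<pre><code>` block opens with a blank line; and the typos `dont`, `non-existant` and `InitialResouces` should be fixed.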


@ -0,0 +1,273 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Authentication Plugins</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Authentication Plugins</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="authentication-plugins">Authentication Plugins</h1>
<p>Kubernetes uses client certificates, tokens, or http basic auth to authenticate users for API calls.</p>
<p><strong>Client certificate authentication</strong> is enabled by passing the <code>--client-ca-file=SOMEFILE</code>
option to apiserver. The referenced file must contain one or more certificates authorities
to use to validate client certificates presented to the apiserver. If a client certificate
is presented and verified, the common name of the subject is used as the user name for the
request.</p>
<p><strong>Token File</strong> is enabled by passing the <code>--token-auth-file=SOMEFILE</code> option
to apiserver. Currently, tokens last indefinitely, and the token list cannot
be changed without restarting apiserver.</p>
<p>The token file format is implemented in <code>plugin/pkg/auth/authenticator/token/tokenfile/...</code>
and is a csv file with 3 columns: token, user name, user uid.</p>
<p>When using token authentication from an http client the apiserver expects an <code>Authorization</code>
header with a value of <code>Bearer SOMETOKEN</code>.</p>
<p><strong>OpenID Connect ID Token</strong> is enabled by passing the following options to the apiserver:
- <code>--oidc-issuer-url</code> (required) tells the apiserver where to connect to the OpenID provider. Only HTTPS scheme will be accepted.
- <code>--oidc-client-id</code> (required) is used by apiserver to verify the audience of the token.
A valid <a href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken">ID token</a> MUST have this
client-id in its <code>aud</code> claims.
- <code>--oidc-ca-file</code> (optional) is used by apiserver to establish and verify the secure connection
to the OpenID provider.
- <code>--oidc-username-claim</code> (optional, experimental) specifies which OpenID claim to use as the user name. By default, <code>sub</code>
will be used, which should be unique and immutable under the issuers domain. Cluster administrator can
choose other claims such as <code>email</code> to use as the user name, but the uniqueness and immutability is not guaranteed.</p>
<p>Please note that this flag is still experimental until we settle more on how to handle the mapping of the OpenID user to the Kubernetes user. Thus further changes are possible.</p>
<p>Currently, the ID token will be obtained by some third-party app. This means the app and apiserver
MUST share the <code>--oidc-client-id</code>.</p>
<p>Like <strong>Token File</strong>, when using token authentication from an http client the apiserver expects
an <code>Authorization</code> header with a value of <code>Bearer SOMETOKEN</code>.</p>
<p><strong>Basic authentication</strong> is enabled by passing the <code>--basic-auth-file=SOMEFILE</code>
option to apiserver. Currently, the basic auth credentials last indefinitely,
and the password cannot be changed without restarting apiserver. Note that basic
authentication is currently supported for convenience while we finish making the
more secure modes described above easier to use.</p>
<p>The basic auth file format is implemented in <code>plugin/pkg/auth/authenticator/password/passwordfile/...</code>
and is a csv file with 3 columns: password, user name, user id.</p>
<p>When using basic authentication from an http client, the apiserver expects an <code>Authorization</code> header
with a value of <code>Basic BASE64ENCODED(USER:PASSWORD)</code>.</p>
<p><strong>Keystone authentication</strong> is enabled by passing the <code>--experimental-keystone-url=&lt;AuthURL&gt;</code>
option to the apiserver during startup. The plugin is implemented in
<code>plugin/pkg/auth/authenticator/request/keystone/keystone.go</code>.
For details on how to use keystone to manage projects and users, refer to the
<a href="http://docs.openstack.org/developer/keystone/">Keystone documentation</a>. Please note that
this plugin is still experimental which means it is subject to changes.
Please refer to the <a href="https://github.com/kubernetes/kubernetes/pull/11798#issuecomment-129655212">discussion</a>
and the <a href="https://github.com/kubernetes/kubernetes/issues/11626">blueprint</a> for more details</p>
<h2 id="plugin-development">Plugin Development</h2>
<p>We plan for the Kubernetes API server to issue tokens
after the user has been (re)authenticated by a <em>bedrock</em> authentication
provider external to Kubernetes. We plan to make it easy to develop modules
that interface between Kubernetes and a bedrock authentication provider (e.g.
github.com, google.com, enterprise directory, kerberos, etc.)</p>
<h2 id="appendix">APPENDIX</h2>
<h3 id="creating-certificates">Creating Certificates</h3>
<p>When using client certificate authentication, you can generate certificates manually or
using an existing deployment script.</p>
<p><strong>Deployment script</strong> is implemented at
<code>cluster/saltbase/salt/generate-cert/make-ca-cert.sh</code>.
Execute this script with two parameters. First is the IP address of apiserver, the second is
a list of subject alternate names in the form <code>IP:&lt;ip-address&gt; or DNS:&lt;dns-name&gt;</code>.
The script will generate three files:ca.crt, server.crt and server.key.
Finally, add these parameters
<code>--client-ca-file=/srv/kubernetes/ca.crt</code>
<code>--tls-cert-file=/srv/kubernetes/server.cert</code>
<code>--tls-private-key-file=/srv/kubernetes/server.key</code>
into apiserver start parameters.</p>
<p><strong>easyrsa</strong> can be used to manually generate certificates for your cluster.</p>
<ol>
<li>
<p>Download, unpack, and initialize the patched version of easyrsa3.</p>
<pre><code> curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
tar xzf easy-rsa.tar.gz
cd easy-rsa-master/easyrsa3
./easyrsa init-pki
</code></pre>
</li>
<li>
<p>Generate a CA. (<code>--batch</code> set automatic mode. <code>--req-cn</code> default CN to use.)</p>
<pre><code> ./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass
</code></pre>
</li>
<li>
<p>Generate server certificate and key.
(build-server-full [filename]: Generate a keypair and sign locally for a client or server)</p>
<pre><code> ./easyrsa --subject-alt-name="IP:${MASTER_IP}" build-server-full kubernetes-master nopass
</code></pre>
</li>
<li>Copy <code>pki/ca.crt</code> <code>pki/issued/kubernetes-master.crt</code>
<code>pki/private/kubernetes-master.key</code> to your directory.</li>
<li>Remember fill the parameters
<code>--client-ca-file=/yourdirectory/ca.crt</code>
<code>--tls-cert-file=/yourdirectory/server.cert</code>
<code>--tls-private-key-file=/yourdirectory/server.key</code>
and add these into apiserver start parameters.</li>
</ol>
<p><strong>openssl</strong> can also be use to manually generate certificates for your cluster.</p>
<ol>
<li>Generate a ca.key with 2048bit
<code>openssl genrsa -out ca.key 2048</code></li>
<li>According to the ca.key generate a ca.crt. (-days set the certificate effective time).
<code>openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt</code></li>
<li>Generate a server.key with 2048bit
<code>openssl genrsa -out server.key 2048</code></li>
<li>According to the server.key generate a server.csr.
<code>openssl req -new -key server.key -subj "/CN=${MASTER_IP}" -out server.csr</code></li>
<li>According to the ca.key, ca.crt and server.csr generate the server.crt.
<code>openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
-days 10000</code></li>
<li>View the certificate.
<code>openssl x509 -noout -text -in ./server.crt</code>
Finally, do not forget fill the same parameters and add parameters into apiserver start parameters.</li>
</ol>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/authentication.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
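Review bot: the easyrsa steps are internally inconsistent about file names: step 4 tells the reader to copy `pki/issued/kubernetes-master.crt` and `pki/private/kubernetes-master.key`, but step 5 then points the apiserver at `--tls-cert-file=/yourdirectory/server.cert` and `--tls-private-key-file=/yourdirectory/server.key`, so anyone following the list literally starts the apiserver with paths that do not exist. Either rename the files while copying in step 4 or make the step 5 flags reference `kubernetes-master.crt` and `kubernetes-master.key` (and use a consistent extension; the opening paragraph of this hunk uses `server.key`). A second gap in the openssl list: the easyrsa path sets `--subject-alt-name="IP:${MASTER_IP}"`, but the openssl CSR is generated with only `-subj "/CN=${MASTER_IP}"` and signed with a bare `openssl x509 -req`, so the resulting `server.crt` carries no subjectAltName; clients that validate the apiserver by IP SAN rather than CN will reject it. Suggest passing an extension file containing `subjectAltName = IP:${MASTER_IP}` to the signing step via `-extfile` so both procedures produce equivalent certificates. Minor wording in step 5: "Remember fill the parameters" should read "Remember to fill in the parameters".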

View File

@ -0,0 +1,269 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Authorization Plugins</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Authorization Plugins</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="authorization-plugins">Authorization Plugins</h1>
<p>In Kubernetes, authorization happens as a separate step from authentication.
See the <a href="authentication.html">authentication documentation</a> for an
overview of authentication.</p>
<p>Authorization applies to all HTTP accesses on the main (secure) apiserver port.</p>
<p>The authorization check for any request compares attributes of the context of
the request, (such as user, resource, and namespace) with access
policies. An API call must be allowed by some policy in order to proceed.</p>
<p>The following implementations are available, and are selected by flag:
- <code>--authorization-mode=AlwaysDeny</code>
- <code>--authorization-mode=AlwaysAllow</code>
- <code>--authorization-mode=ABAC</code></p>
<p><code>AlwaysDeny</code> blocks all requests (used in tests).
<code>AlwaysAllow</code> allows all requests; use if you dont need authorization.
<code>ABAC</code> allows for user-configured authorization policy. ABAC stands for Attribute-Based Access Control.</p>
<h2 id="abac-mode">ABAC Mode</h2>
<h3 id="request-attributes">Request Attributes</h3>
<p>A request has 5 attributes that can be considered for authorization:
- user (the user-string which a user was authenticated as).
- group (the list of group names the authenticated user is a member of).
- whether the request is readonly (GETs are readonly).
- what resource is being accessed.
- applies only to the API endpoints, such as
<code>/api/v1/namespaces/default/pods</code>. For miscellaneous endpoints, like <code>/version</code>, the
resource is the empty string.
- the namespace of the object being access, or the empty string if the
endpoint does not support namespaced objects.</p>
<p>We anticipate adding more attributes to allow finer grained access control and
to assist in policy management.</p>
<h3 id="policy-file-format">Policy File Format</h3>
<p>For mode <code>ABAC</code>, also specify <code>--authorization-policy-file=SOME_FILENAME</code>.</p>
<p>The file format is <a href="http://jsonlines.org/">one JSON object per line</a>. There should be no enclosing list or map, just
one map per line.</p>
<p>Each line is a “policy object”. A policy object is a map with the following properties:
- <code>user</code>, type string; the user-string from <code>--token-auth-file</code>. If you specify <code>user</code>, it must match the username of the authenticated user.
- <code>group</code>, type string; if you specify <code>group</code>, it must match one of the groups of the authenticated user.
- <code>readonly</code>, type boolean, when true, means that the policy only applies to GET
operations.
- <code>resource</code>, type string; a resource from an URL, such as <code>pods</code>.
- <code>namespace</code>, type string; a namespace string.</p>
<p>An unset property is the same as a property set to the zero value for its type (e.g. empty string, 0, false).
However, unset should be preferred for readability.</p>
<p>In the future, policies may be expressed in a JSON format, and managed via a REST
interface.</p>
<h3 id="authorization-algorithm">Authorization Algorithm</h3>
<p>A request has attributes which correspond to the properties of a policy object.</p>
<p>When a request is received, the attributes are determined. Unknown attributes
are set to the zero value of its type (e.g. empty string, 0, false).</p>
<p>An unset property will match any value of the corresponding
attribute. An unset attribute will match any value of the corresponding property.</p>
<p>The tuple of attributes is checked for a match against every policy in the policy file.
If at least one line matches the request attributes, then the request is authorized (but may fail later validation).</p>
<p>To permit any user to do something, write a policy with the user property unset.
To permit an action Policy with an unset namespace applies regardless of namespace.</p>
<h3 id="examples">Examples</h3>
<ol>
<li>Alice can do anything: <code>{"user":"alice"}</code></li>
<li>Kubelet can read any pods: <code>{"user":"kubelet", "resource": "pods", "readonly": true}</code></li>
<li>Kubelet can read and write events: <code>{"user":"kubelet", "resource": "events"}</code></li>
<li>Bob can just read pods in namespace “projectCaribou”: <code>{"user":"bob", "resource": "pods", "readonly": true, "namespace": "projectCaribou"}</code></li>
</ol>
<p><a href="http://releases.k8s.io/release-1.1/pkg/auth/authorizer/abac/example_policy_file.jsonl">Complete file example</a></p>
<h3 id="a-quick-note-on-service-accounts">A quick note on service accounts</h3>
<p>A service account automatically generates a user. The users name is generated according to the naming convention:</p>
<pre><code>
system:serviceaccount:&lt;namespace&gt;:&lt;serviceaccountname&gt;
</code></pre>
<p>Creating a new namespace also causes a new service account to be created, of this form:*</p>
<pre><code>
system:serviceaccount:&lt;namespace&gt;:default
</code></pre>
<p>For example, if you wanted to grant the default service account in the kube-system full privilege to the API, you would add this line to your policy file:</p>
<div class="highlight">
<pre><code class="language-json">{"user":"system:serviceaccount:kube-system:default"}
</code></pre>
</div>
<p>The apiserver will need to be restarted to pickup the new policy lines.</p>
<h2 id="plugin-development">Plugin Development</h2>
<p>Other implementations can be developed fairly easily.
The APIserver calls the Authorizer interface:</p>
<div class="highlight">
<pre><code class="language-go">type Authorizer interface {
Authorize(a Attributes) error
}
</code></pre>
</div>
<p>to determine whether or not to allow each API action.</p>
<p>An authorization plugin is a module that implements this interface.
Authorization plugin code goes in <code>pkg/auth/authorizer/$MODULENAME</code>.</p>
<p>An authorization module can be completely implemented in go, or can call out
to a remote authorization service. Authorization modules can implement
their own caching to reduce the cost of repeated authorization calls with the
same or similar arguments. Developers should then consider the interaction between
caching and revocation of permissions.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/authorization.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
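Review bot: three markdown lists in this page were not converted and are rendered as paragraphs containing literal `- ` bullets: the `--authorization-mode` list after "The following implementations are available, and are selected by flag:", the five request attributes under "Request Attributes", and the policy object properties under "Policy File Format". The source markdown most likely lacks a blank line between the introductory sentence and the list, which kramdown needs; add the blank line (or emit a real `<ul>` in the HTML) so the nested "applies only to the API endpoints" sub-item is indented rather than run into the text. Since the commit message presents this page as the model for a non-munged, pure-Jekyll page, the `#docsContent` block should also lose the duplicated title (a plain `<h1>Authorization Plugins</h1>` immediately followed by `<h1 id="authorization-plugins">Authorization Plugins</h1>`) and the `BEGIN MUNGE` / `END MUNGE` comment pairs and analytics pixel that wrap it. Apostrophes have been stripped during conversion ("if you dont need authorization", "The users name is generated"), and "of this form:*" carries a stray asterisk from the markdown emphasis marker.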

View File

@ -0,0 +1,251 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Cluster Admin Guide: Cluster Components</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Cluster Admin Guide: Cluster Components</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-cluster-admin-guide-cluster-components">Kubernetes Cluster Admin Guide: Cluster Components</h1>
<p>This document outlines the various binary components that need to run to
deliver a functioning Kubernetes cluster.</p>
<h2 id="master-components">Master Components</h2>
<p>Master components are those that provide the clusters control plane. For
example, master components are responsible for making global decisions about the
cluster (e.g., scheduling), and detecting and responding to cluster events
(e.g., starting up a new pod when a replication controllers replicas field is
unsatisfied).</p>
<p>Master components could in theory be run on any node in the cluster. However,
for simplicity, current set up scripts typically start all master components on
the same VM, and does not run user containers on this VM. See
<a href="high-availability.html">high-availability.md</a> for an example multi-master-VM setup.</p>
<p>Even in the future, when Kubernetes is fully self-hosting, it will probably be
wise to only allow master components to schedule on a subset of nodes, to limit
co-running with user-run pods, reducing the possible scope of a
node-compromising security exploit.</p>
<h3 id="kube-apiserver">kube-apiserver</h3>
<p><a href="kube-apiserver.html">kube-apiserver</a> exposes the Kubernetes API; it is the front-end for the
Kubernetes control plane. It is designed to scale horizontally (i.e., one scales
it by running more of them <a href="high-availability.html">high-availability.md</a>).</p>
<h3 id="etcd">etcd</h3>
<p><a href="etcd.html">etcd</a> is used as Kubernetes backing store. All cluster data is stored here.
Proper administration of a Kubernetes cluster includes a backup plan for etcds
data.</p>
<h3 id="kube-controller-manager">kube-controller-manager</h3>
<p><a href="kube-controller-manager.html">kube-controller-manager</a> is a binary that runs controllers, which are the
background threads that handle routine tasks in the cluster. Logically, each
controller is a separate process, but to reduce the number of moving pieces in
the system, they are all compiled into a single binary and run in a single
process.</p>
<p>These controllers include:</p>
<ul>
<li>Node Controller</li>
<li>Responsible for noticing &amp; responding when nodes go down.</li>
<li>Replication Controller</li>
<li>Responsible for maintaining the correct number of pods for every replication
controller object in the system.</li>
<li>Endpoints Controller</li>
<li>Populates the Endpoints object (i.e., join Services &amp; Pods).</li>
<li>Service Account &amp; Token Controllers</li>
<li>Create default accounts and API access tokens for new namespaces.</li>
<li>… and others.</li>
</ul>
<h3 id="kube-scheduler">kube-scheduler</h3>
<p><a href="kube-scheduler.html">kube-scheduler</a> watches newly created pods that have no node assigned, and
selects a node for them to run on.</p>
<h3 id="addons">addons</h3>
<p>Addons are pods and services that implement cluster features. They dont run on
the master VM, but currently the default setup scripts that make the API calls
to create these pods and services does run on the master VM. See:
<a href="http://releases.k8s.io/release-1.1/cluster/saltbase/salt/kube-master-addons/kube-master-addons.sh">kube-master-addons</a></p>
<p>Addon objects are created in the “kube-system” namespace.</p>
<p>Example addons are:
* <a href="http://releases.k8s.io/release-1.1/cluster/addons/dns/">DNS</a> provides cluster local DNS.
* <a href="http://releases.k8s.io/release-1.1/cluster/addons/kube-ui/">kube-ui</a> provides a graphical UI for the
cluster.
* <a href="http://releases.k8s.io/release-1.1/cluster/addons/fluentd-elasticsearch/">fluentd-elasticsearch</a> provides
log storage. Also see the <a href="http://releases.k8s.io/release-1.1/cluster/addons/fluentd-gcp/">gcp version</a>.
* <a href="http://releases.k8s.io/release-1.1/cluster/addons/cluster-monitoring/">cluster-monitoring</a> provides
monitoring for the cluster.</p>
<h2 id="node-components">Node components</h2>
<p>Node components run on every node, maintaining running pods and providing them
the Kubernetes runtime environment.</p>
<h3 id="kubelet">kubelet</h3>
<p><a href="kubelet.html">kubelet</a> is the primary node agent. It:
* Watches for pods that have been assigned to its node (either by apiserver
or via local configuration file) and:
* Mounts the pods required volumes
* Downloads the pods secrets
* Run the pods containers via docker (or, experimentally, rkt).
* Periodically executes any requested container liveness probes.
* Reports the status of the pod back to the rest of the system, by creating a
“mirror pod” if necessary.
* Reports the status of the node back to the rest of the system.</p>
<h3 id="kube-proxy">kube-proxy</h3>
<p><a href="kube-proxy.html">kube-proxy</a> enables the Kubernetes service abstraction by maintaining
network rules on the host and performing connection forwarding.</p>
<h3 id="docker">docker</h3>
<p><code>docker</code> is of course used for actually running containers.</p>
<h3 id="rkt">rkt</h3>
<p><code>rkt</code> is supported experimentally as an alternative to docker.</p>
<h3 id="supervisord">supervisord</h3>
<p><code>supervisord</code> is a lightweight process babysitting system for keeping kubelet and docker
running.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/cluster-components.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
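Review bot: the controller list under "These controllers include:" has lost its nesting, so the `<ul>` alternates controller names and their descriptions as sibling `<li>` entries ("Node Controller" followed by "Responsible for noticing &amp; responding when nodes go down." as a separate bullet); the descriptions should be nested `<ul>` items under each name, or the pair should become a `<dl>`. The "Example addons are:" and "kubelet ... It:" lists are rendered as paragraphs with literal `*` bullets and the kubelet sub-items ("Mounts the pods required volumes", "Downloads the pods secrets", "Run the pods containers") have lost their indentation; the fix is the same blank-line-before-list change as elsewhere in this commit. Stripped apostrophes appear throughout ("clusters control plane", "replication controllers replicas field", "etcds data", "dont run", "pods required volumes"), and "Run the pods containers via docker" should read "Runs the pod's containers" to match the other third-person items.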

View File

@ -0,0 +1,198 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Large Cluster</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Large Cluster</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-large-cluster">Kubernetes Large Cluster</h1>
<h2 id="support">Support</h2>
<p>At v1.0, Kubernetes supports clusters up to 100 nodes with 30 pods per node and 1-2 containers per pod.</p>
<h2 id="setup">Setup</h2>
<p>A cluster is a set of nodes (physical or virtual machines) running Kubernetes agents, managed by a “master” (the cluster-level control plane).</p>
<p>Normally the number of nodes in a cluster is controlled by the the value <code>NUM_MINIONS</code> in the platform-specific <code>config-default.sh</code> file (for example, see <a href="http://releases.k8s.io/release-1.1/cluster/gce/config-default.sh">GCEs <code>config-default.sh</code></a>).</p>
<p>Simply changing that value to something very large, however, may cause the setup script to fail for many cloud providers. A GCE deployment, for example, will run in to quota issues and fail to bring the cluster up.</p>
<p>When setting up a large Kubernetes cluster, the following issues must be considered.</p>
<h3 id="quota-issues">Quota Issues</h3>
<p>To avoid running into cloud provider quota issues, when creating a cluster with many nodes, consider:
* Increase the quota for things like CPU, IPs, etc.
* In <a href="https://cloud.google.com/compute/docs/resource-quotas">GCE, for example,</a> youll want to increase the quota for:
* CPUs
* VM instances
* Total persistent disk reserved
* In-use IP addresses
* Firewall Rules
* Forwarding rules
* Routes
* Target pools
* Gating the setup script so that it brings up new node VMs in smaller batches with waits in between, because some cloud providers rate limit the creation of VMs.</p>
<h3 id="addon-resources">Addon Resources</h3>
<p>To prevent memory leaks or other resource issues in <a href="https://releases.k8s.io/release-1.1/cluster/addons">cluster addons</a> from consuming all the resources available on a node, Kubernetes sets resource limits on addon containers to limit the CPU and Memory resources they can consume (See PR <a href="http://pr.k8s.io/10653/files">#10653</a> and <a href="http://pr.k8s.io/10778/files">#10778</a>).</p>
<p>For example:</p>
<div class="highlight">
<pre><code class="language-yaml">containers:
- image: gcr.io/google_containers/heapster:v0.15.0
name: heapster
resources:
limits:
cpu: 100m
memory: 200Mi
</code></pre>
</div>
<p>These limits, however, are based on data collected from addons running on 4-node clusters (see <a href="http://issue.k8s.io/10335#issuecomment-117861225">#10335</a>). The addons consume a lot more resources when running on large deployment clusters (see <a href="http://issue.k8s.io/5880#issuecomment-113984085">#5880</a>). So, if a large cluster is deployed without adjusting these values, the addons may continuously get killed because they keep hitting the limits.</p>
<p>To avoid running into cluster addon resource issues, when creating a cluster with many nodes, consider the following:
* Scale memory and CPU limits for each of the following addons, if used, along with the size of cluster (there is one replica of each handling the entire cluster so memory and CPU usage tends to grow proportionally with size/load on cluster):
* Heapster (<a href="http://releases.k8s.io/release-1.1/cluster/addons/cluster-monitoring/google/heapster-controller.yaml">GCM/GCL backed</a>, <a href="http://releases.k8s.io/release-1.1/cluster/addons/cluster-monitoring/influxdb/heapster-controller.yaml">InfluxDB backed</a>, <a href="http://releases.k8s.io/release-1.1/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml">InfluxDB/GCL backed</a>, <a href="http://releases.k8s.io/release-1.1/cluster/addons/cluster-monitoring/standalone/heapster-controller.yaml">standalone</a>)
* <a href="http://releases.k8s.io/release-1.1/cluster/addons/cluster-monitoring/influxdb/influxdb-grafana-controller.yaml">InfluxDB and Grafana</a>
* <a href="http://releases.k8s.io/release-1.1/cluster/addons/dns/skydns-rc.yaml.in">skydns, kube2sky, and dns etcd</a>
* <a href="http://releases.k8s.io/release-1.1/cluster/addons/fluentd-elasticsearch/kibana-controller.yaml">Kibana</a>
* Scale number of replicas for the following addons, if used, along with the size of cluster (there are multiple replicas of each so increasing replicas should help handle increased load, but, since load per replica also increases slightly, also consider increasing CPU/memory limits):
* <a href="http://releases.k8s.io/release-1.1/cluster/addons/fluentd-elasticsearch/es-controller.yaml">elasticsearch</a>
* Increase memory and CPU limits slightly for each of the following addons, if used, along with the size of cluster (there is one replica per node but CPU/memory usage increases slightly along with cluster load/size as well):
* <a href="http://releases.k8s.io/release-1.1/cluster/saltbase/salt/fluentd-es/fluentd-es.yaml">FluentD with ElasticSearch Plugin</a>
* <a href="http://releases.k8s.io/release-1.1/cluster/saltbase/salt/fluentd-gcp/fluentd-gcp.yaml">FluentD with GCP Plugin</a></p>
<p>For directions on how to detect if addon containers are hitting resource limits, see the <a href="../user-guide/compute-resources.html#troubleshooting">Troubleshooting section of Compute Resources</a>.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/cluster-large.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
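Review bot: the GENERATED_ANALYTICS munge block near the end of this file nests an HTML comment inside the `<p>` that wraps the tracking pixel, so the closing `</p>` lands after `<!-- END MUNGE: GENERATED_ANALYTICS -->`; given that the commit's stated goal is a non-munged, pure-Jekyll page, drop the IS_VERSIONED and GENERATED_ANALYTICS markers and the pixel link (`<a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/cluster-large.md?pixel" alt="Analytics" /></a>`) instead of carrying them into the generated HTML. Just above it, the addon list (`* <a href="http://releases.k8s.io/release-1.1/cluster/addons/fluentd-elasticsearch/es-controller.yaml">elasticsearch</a>`, `* Increase memory and CPU limits slightly for each of the following addons...`) is raw markdown bullets inside a `<p>` and should be a `<ul>` so it renders as a list. The footer's Community link also still points at the placeholder `/foobang.html`.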

View File

@ -0,0 +1,325 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Cluster Management</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Cluster Management</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="cluster-management">Cluster Management</h1>
<p>This document describes several topics related to the lifecycle of a cluster: creating a new cluster,
upgrading your clusters
master and worker nodes, performing node maintenance (e.g. kernel upgrades), and upgrading the Kubernetes API version of a
running cluster.</p>
<h2 id="creating-and-configuring-a-cluster">Creating and configuring a Cluster</h2>
<p>To install Kubernetes on a set of machines, consult one of the existing <a href="../../docs/getting-started-guides/README.html">Getting Started guides</a> depending on your environment.</p>
<h2 id="upgrading-a-cluster">Upgrading a cluster</h2>
<p>The current state of cluster upgrades is provider dependent.</p>
<h3 id="master-upgrades">Master Upgrades</h3>
<p>Both Google Container Engine (GKE) and
Compute Engine Open Source (GCE-OSS) support node upgrades via a <a href="https://cloud.google.com/compute/docs/instance-groups/">Managed Instance Group</a>.
Managed Instance Group upgrades sequentially delete and recreate each virtual machine, while maintaining the same
Persistent Disk (PD) to ensure that data is retained across the upgrade.</p>
<p>In contrast, the <code>kube-push.sh</code> process used on <a href="#other-platforms">other platforms</a> attempts to upgrade the binaries in
places, without recreating the virtual machines.</p>
<h3 id="node-upgrades">Node Upgrades</h3>
<p>Node upgrades for GKE and GCE-OSS again use a Managed Instance Group, each node is sequentially destroyed and then recreated with new software. Any Pods that are running
on that node need to be controlled by a Replication Controller, or manually re-created after the roll out.</p>
<p>For other platforms, <code>kube-push.sh</code> is again used, performing an in-place binary upgrade on existing machines.</p>
<h3 id="upgrading-google-container-engine-gke">Upgrading Google Container Engine (GKE)</h3>
<p>Google Container Engine automatically updates master components (e.g. <code>kube-apiserver</code>, <code>kube-scheduler</code>) to the latest
version. It also handles upgrading the operating system and other components that the master runs on.</p>
<p>The node upgrade process is user-initiated and is described in the <a href="https://cloud.google.com/container-engine/docs/clusters/upgrade">GKE documentation.</a></p>
<h3 id="upgrading-open-source-google-compute-engine-clusters">Upgrading open source Google Compute Engine clusters</h3>
<p>Upgrades on open source Google Compute Engine (GCE) clusters are controlled by the <code>cluster/gce/upgrade.sh</code> script.</p>
<p>Get its usage by running <code>cluster/gce/upgrade.sh -h</code>.</p>
<p>For example, to upgrade just your master to a specific version (v1.0.2):</p>
<div class="highlight">
<pre><code class="language-console">cluster/gce/upgrade.sh -M v1.0.2
</code></pre>
</div>
<p>Alternatively, to upgrade your entire cluster to the latest stable release:</p>
<div class="highlight">
<pre><code class="language-console">cluster/gce/upgrade.sh release/stable
</code></pre>
</div>
<h3 id="other-platforms">Other platforms</h3>
<p>The <code>cluster/kube-push.sh</code> script will do a rudimentary update. This process is still quite experimental, we
recommend testing the upgrade on an experimental cluster before performing the update on a production cluster.</p>
<h2 id="resizing-a-cluster">Resizing a cluster</h2>
<p>If your cluster runs short on resources you can easily add more machines to it if your cluster is running in <a href="node.html#self-registration-of-nodes">Node self-registration mode</a>.
If youre using GCE or GKE its done by resizing Instance Group managing your Nodes. It can be accomplished by modifying number of instances on <code>Compute &gt; Compute Engine &gt; Instance groups &gt; your group &gt; Edit group</code> <a href="https://console.developers.google.com">Google Cloud Console page</a> or using gcloud CLI:</p>
<pre><code>
gcloud compute instance-groups managed --zone compute-zone resize my-cluster-minon-group --new-size 42
</code></pre>
<p>Instance Group will take care of putting appropriate image on new machines and start them, while Kubelet will register its Node with API server to make it available for scheduling. If you scale the instance group down, system will randomly choose Nodes to kill.</p>
<p>In other environments you may need to configure the machine yourself and tell the Kubelet on which machine API server is running.</p>
<h3 id="horizontal-auto-scaling-of-nodes-gce">Horizontal auto-scaling of nodes (GCE)</h3>
<p>If you are using GCE, you can configure your cluster so that the number of nodes will be automatically scaled based on their CPU and memory utilization.
Before setting up the cluster by <code>kube-up.sh</code>, you can set <code>KUBE_ENABLE_NODE_AUTOSCALER</code> environment variable to <code>true</code> and export it.
The script will create an autoscaler for the instance group managing your nodes.</p>
<p>The autoscaler will try to maintain the average CPU and memory utilization of nodes within the cluster close to the target value.
The target value can be configured by <code>KUBE_TARGET_NODE_UTILIZATION</code> environment variable (default: 0.7) for <code>kube-up.sh</code> when creating the cluster.
The node utilization is the total nodes CPU/memory usage (OS + k8s + user load) divided by the nodes capacity.
If the desired numbers of nodes in the cluster resulting from CPU utilization and memory utilization are different,
the autoscaler will choose the bigger number.
The number of nodes in the cluster set by the autoscaler will be limited from <code>KUBE_AUTOSCALER_MIN_NODES</code> (default: 1)
to <code>KUBE_AUTOSCALER_MAX_NODES</code> (default: the initial number of nodes in the cluster).</p>
<p>The autoscaler is implemented as a Compute Engine Autoscaler.
The initial values of the autoscaler parameters set by <code>kube-up.sh</code> and some more advanced options can be tweaked on
<code>Compute &gt; Compute Engine &gt; Instance groups &gt; your group &gt; Edit group</code><a href="https://console.developers.google.com">Google Cloud Console page</a>
or using gcloud CLI:</p>
<pre><code>
gcloud preview autoscaler --zone compute-zone &lt;command&gt;
</code></pre>
<p>Note that autoscaling will work properly only if node metrics are accessible in Google Cloud Monitoring.
To make the metrics accessible, you need to create your cluster with <code>KUBE_ENABLE_CLUSTER_MONITORING</code>
equal to <code>google</code> or <code>googleinfluxdb</code> (<code>googleinfluxdb</code> is the default value).</p>
<h2 id="maintenance-on-a-node">Maintenance on a Node</h2>
<p>If you need to reboot a node (such as for a kernel upgrade, libc upgrade, hardware repair, etc.), and the downtime is
brief, then when the Kubelet restarts, it will attempt to restart the pods scheduled to it. If the reboot takes longer,
then the node controller will terminate the pods that are bound to the unavailable node. If there is a corresponding
replication controller, then a new copy of the pod will be started on a different node. So, in the case where all
pods are replicated, upgrades can be done without special coordination, assuming that not all nodes will go down at the same time.</p>
<p>If you want more control over the upgrading process, you may use the following workflow:</p>
<p>Mark the node to be rebooted as unschedulable:</p>
<div class="highlight">
<pre><code class="language-console">kubectl replace nodes $NODENAME --patch='{"apiVersion": "v1", "spec": {"unschedulable": true}}'
</code></pre>
</div>
<p>This keeps new pods from landing on the node while you are trying to get them off.</p>
<p>Get the pods off the machine, via any of the following strategies:
* Wait for finite-duration pods to complete.
* Delete pods with:</p>
<div class="highlight">
<pre><code class="language-console">kubectl delete pods $PODNAME
</code></pre>
</div>
<p>For pods with a replication controller, the pod will eventually be replaced by a new pod which will be scheduled to a new node. Additionally, if the pod is part of a service, then clients will automatically be redirected to the new pod.</p>
<p>For pods with no replication controller, you need to bring up a new copy of the pod, and assuming it is not part of a service, redirect clients to it.</p>
<p>Perform maintenance work on the node.</p>
<p>Make the node schedulable again:</p>
<div class="highlight">
<pre><code class="language-console">kubectl replace nodes $NODENAME --patch='{"apiVersion": "v1", "spec": {"unschedulable": false}}'
</code></pre>
</div>
<p>If you deleted the nodes VM instance and created a new one, then a new schedulable node resource will
be created automatically when you create a new VM instance (if youre using a cloud provider that supports
node discovery; currently this is only Google Compute Engine, not including CoreOS on Google Compute Engine using kube-register). See <a href="node.html">Node</a> for more details.</p>
<h2 id="advanced-topics">Advanced Topics</h2>
<h3 id="upgrading-to-a-different-api-version">Upgrading to a different API version</h3>
<p>When a new API version is released, you may need to upgrade a cluster to support the new API version (e.g. switching from v1 to v2 when v2 is launched)</p>
<p>This is an infrequent event, but it requires careful management. There is a sequence of steps to upgrade to a new API version.</p>
<ol>
<li>Turn on the new api version.</li>
<li>Upgrade the clusters storage to use the new version.</li>
<li>Upgrade all config files. Identify users of the old API version endpoints.</li>
<li>Update existing objects in the storage to new version by running <code>cluster/update-storage-objects.sh</code>.</li>
<li>Turn off the old API version.</li>
</ol>
<h3 id="turn-on-or-off-an-api-version-for-your-cluster">Turn on or off an API version for your cluster</h3>
<p>Specific API versions can be turned on or off by passing runtime-config=api/ <version> flag while bringing up the API server. For example: to turn off v1 API, pass `--runtime-config=api/v1=false`. runtime-config also supports 2 special keys: api/all and api/legacy to control all and legacy APIs respectively. For example, for turning off all api versions except v1, pass `--runtime-config=api/all=false,api/v1=true`. For the purposes of these flags, _legacy_ APIs are those APIs which have been explicitly deprecated (e.g. `v1beta3`).</version>
</p>
<h3 id="switching-your-clusters-storage-api-version">Switching your clusters storage API version</h3>
<p>The objects that are stored to disk for a clusters internal representation of the Kubernetes resources active in the cluster are written using a particular version of the API.
When the supported API changes, these objects may need to be rewritten in the newer API. Failure to do this will eventually result in resources that are no longer decodable or usable
by the kubernetes API server.</p>
<p><code>KUBE_API_VERSIONS</code> environment variable for the <code>kube-apiserver</code> binary which controls the API versions that are supported in the cluster. The first version in the list is used as the clusters storage version. Hence, to set a specific version as the storage version, bring it to the front of list of versions in the value of <code>KUBE_API_VERSIONS</code>. You need to restart the <code>kube-apiserver</code> binary
for changes to this variable to take effect.</p>
<h3 id="switching-your-config-files-to-a-new-api-version">Switching your config files to a new API version</h3>
<p>You can use the <code>kube-version-change</code> utility to convert config files between different API versions.</p>
<div class="highlight">
<pre><code class="language-console">$ hack/build-go.sh cmd/kube-version-change
$ _output/local/go/bin/kube-version-change -i myPod.v1beta3.yaml -o myPod.v1.yaml
</code></pre>
</div>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/cluster-management.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
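Review bot: the runtime-config paragraph under "Turn on or off an API version for your cluster" is broken HTML: the angle-bracketed version placeholder in `runtime-config=api/&lt;version&gt;` was emitted unescaped, so the browser parses it as an element that swallows the rest of the paragraph up to the stray closing tag before `</p>`, and the backticks around `--runtime-config=api/v1=false` and `--runtime-config=api/all=false,api/v1=true` plus the underscores in `_legacy_` show this paragraph never went through markdown conversion. Escape the placeholder as an entity and put the flags in `<code>`. In the same file, the two gcloud snippets (`gcloud compute instance-groups managed --zone compute-zone resize my-cluster-minon-group --new-size 42` and the `gcloud preview autoscaler` line) sit in a bare `<pre><code>` while every other snippet uses `<div class="highlight">`; "minon" looks like a typo for "minion"; and apostrophes were stripped throughout ("youre", "its done", "clusters storage version", "nodes VM instance"), which suggests the source's curly quotes were lost in conversion. The title is also emitted twice (`<h1>Cluster Management</h1>` followed by `<h1 id="cluster-management">Cluster Management</h1>`); the Jekyll layout should supply it once.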

View File

@ -0,0 +1,269 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Cluster Troubleshooting</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Cluster Troubleshooting</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="cluster-troubleshooting">Cluster Troubleshooting</h1>
<p>This doc is about cluster troubleshooting; we assume you have already ruled out your application as the root cause of the
problem you are experiencing. See
the <a href="../user-guide/application-troubleshooting.html">application troubleshooting guide</a> for tips on application debugging.
You may also visit <a href="../troubleshooting.html">troubleshooting document</a> for more information.</p>
<h2 id="listing-your-cluster">Listing your cluster</h2>
<p>The first thing to debug in your cluster is if your nodes are all registered correctly.</p>
<p>Run</p>
<div class="highlight">
<pre><code class="language-sh">kubectl get nodes
</code></pre>
</div>
<p>And verify that all of the nodes you expect to see are present and that they are all in the <code>Ready</code> state.</p>
<h2 id="looking-at-logs">Looking at logs</h2>
<p>For now, digging deeper into the cluster requires logging into the relevant machines. Here are the locations
of the relevant log files. (note that on systemd-based systems, you may need to use <code>journalctl</code> instead)</p>
<h3 id="master">Master</h3>
<ul>
<li>/var/log/kube-apiserver.log - API Server, responsible for serving the API</li>
<li>/var/log/kube-scheduler.log - Scheduler, responsible for making scheduling decisions</li>
<li>/var/log/kube-controller-manager.log - Controller that manages replication controllers</li>
</ul>
<h3 id="worker-nodes">Worker Nodes</h3>
<ul>
<li>/var/log/kubelet.log - Kubelet, responsible for running containers on the node</li>
<li>/var/log/kube-proxy.log - Kube Proxy, responsible for service load balancing</li>
</ul>
<h2 id="a-general-overview-of-cluster-failure-modes">A general overview of cluster failure modes</h2>
<p>This is an incomplete list of things that could go wrong, and how to adjust your cluster setup to mitigate the problems.</p>
<p>Root causes:
- VM(s) shutdown
- Network partition within cluster, or between cluster and users
- Crashes in Kubernetes software
- Data loss or unavailability of persistent storage (e.g. GCE PD or AWS EBS volume)
- Operator error, e.g. misconfigured Kubernetes software or application software</p>
<p>Specific scenarios:
- Apiserver VM shutdown or apiserver crashing
- Results
- unable to stop, update, or start new pods, services, replication controller
- existing pods and services should continue to work normally, unless they depend on the Kubernetes API
- Apiserver backing storage lost
- Results
- apiserver should fail to come up
- kubelets will not be able to reach it but will continue to run the same pods and provide the same service proxying
- manual recovery or recreation of apiserver state necessary before apiserver is restarted
- Supporting services (node controller, replication controller manager, scheduler, etc) VM shutdown or crashes
- currently those are colocated with the apiserver, and their unavailability has similar consequences as apiserver
- in future, these will be replicated as well and may not be co-located
- they do not have their own persistent state
- Individual node (VM or physical machine) shuts down
- Results
- pods on that Node stop running
- Network partition
- Results
- partition A thinks the nodes in partition B are down; partition B thinks the apiserver is down. (Assuming the master VM ends up in partition A.)
- Kubelet software fault
- Results
- crashing kubelet cannot start new pods on the node
- kubelet might delete the pods or not
- node marked unhealthy
- replication controllers start new pods elsewhere
- Cluster operator error
- Results
- loss of pods, services, etc
- lost of apiserver backing store
- users unable to read API
- etc.</p>
<p>Mitigations:
- Action: Use IaaS providers automatic VM restarting feature for IaaS VMs
- Mitigates: Apiserver VM shutdown or apiserver crashing
- Mitigates: Supporting services VM shutdown or crashes</p>
<ul>
<li>Action use IaaS providers reliable storage (e.g GCE PD or AWS EBS volume) for VMs with apiserver+etcd
<ul>
<li>Mitigates: Apiserver backing storage lost</li>
</ul>
</li>
<li>Action: Use (experimental) <a href="high-availability.html">high-availability</a> configuration
<ul>
<li>Mitigates: Master VM shutdown or master components (scheduler, API server, controller-managing) crashing
<ul>
<li>Will tolerate one or more simultaneous node or component failures</li>
</ul>
</li>
<li>Mitigates: Apiserver backing storage (i.e., etcds data directory) lost
<ul>
<li>Assuming you used clustered etcd.</li>
</ul>
</li>
</ul>
</li>
<li>Action: Snapshot apiserver PDs/EBS-volumes periodically
<ul>
<li>Mitigates: Apiserver backing storage lost</li>
<li>Mitigates: Some cases of operator error</li>
<li>Mitigates: Some cases of Kubernetes software fault</li>
</ul>
</li>
<li>Action: use replication controller and services in front of pods
<ul>
<li>Mitigates: Node shutdown</li>
<li>Mitigates: Kubelet software fault</li>
</ul>
</li>
<li>Action: applications (containers) designed to tolerate unexpected restarts
<ul>
<li>Mitigates: Node shutdown</li>
<li>Mitigates: Kubelet software fault</li>
</ul>
</li>
<li>Action: <a href="multi-cluster.html">Multiple independent clusters</a> (and avoid making risky changes to all clusters at once)
<ul>
<li>Mitigates: Everything listed above.</li>
</ul>
</li>
</ul>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/cluster-troubleshooting.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
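Review bot: the "Root causes" and "Specific scenarios" lists in the failure-modes section are raw markdown bullets (`- VM(s) shutdown`, `- Apiserver VM shutdown or apiserver crashing`, `- Results`) inside `<p>` elements, so the nesting that separates each scenario from its results flattens into a single paragraph, while the Mitigations list right below was converted to proper nested `<ul>` elements; convert the first two the same way so each scenario's results render indented under it. Text fixes in the same region: "lost of apiserver backing store" should read "loss of apiserver backing store", "controller-managing" should be "controller-manager", and the dropped apostrophes in "IaaS providers automatic VM restarting feature" and "etcds data directory" are the same curly-quote loss seen in the other pages of this commit. As in the other files, the page title appears as two `<h1>` elements.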

View File

@ -0,0 +1,18 @@
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: prometheus-node-exporter
spec:
template:
metadata:
name: prometheus-node-exporter
labels:
daemon: prom-node-exp
spec:
containers:
- name: c
image: prom/prometheus
ports:
- containerPort: 9090
hostPort: 9090
name: serverport
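Review bot: the DaemonSet is named `prometheus-node-exporter` and labeled `daemon: prom-node-exp`, but the container runs `image: prom/prometheus` on `containerPort: 9090`, which is the Prometheus server image and its default port rather than the Node Exporter that the Daemon Sets page in this commit cites as a typical per-node monitoring daemon (the exporter ships as its own image, `prom/node-exporter`, and listens on 9100 by default); either rename the example or change the image and port to match. Independently, `hostPort: 9090` binds the port on every node's host interface, so a reader who applies the example as-is publishes whatever the container serves on each node's address; drop hostPort unless the example needs it, and if it does, say why. Also give the container a descriptive name instead of `c`, and add an explicit `spec.selector` equal to the template labels, which the Daemon Sets page requires of any selector that is specified.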

View File

@ -0,0 +1,339 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Daemon Sets</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Daemon Sets</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="daemon-sets">Daemon Sets</h1>
<p><strong>Table of Contents</strong>
<!-- BEGIN MUNGE: GENERATED_TOC --></p>
<ul>
<li><a href="#daemon-sets">Daemon Sets</a>
<ul>
<li><a href="#what-is-a-daemon-set">What is a <em>Daemon Set</em>?</a></li>
<li><a href="#writing-a-daemonset-spec">Writing a DaemonSet Spec</a>
<ul>
<li><a href="#required-fields">Required Fields</a></li>
<li><a href="#pod-template">Pod Template</a></li>
<li><a href="#pod-selector">Pod Selector</a></li>
<li><a href="#running-pods-on-only-some-nodes">Running Pods on Only Some Nodes</a></li>
</ul>
</li>
<li><a href="#how-daemon-pods-are-scheduled">How Daemon Pods are Scheduled</a></li>
<li><a href="#communicating-with-daemonset-pods">Communicating with DaemonSet Pods</a></li>
<li><a href="#updating-a-daemonset">Updating a DaemonSet</a></li>
<li><a href="#alternatives-to-daemon-set">Alternatives to Daemon Set</a>
<ul>
<li><a href="#init-scripts">Init Scripts</a></li>
<li><a href="#bare-pods">Bare Pods</a></li>
<li><a href="#static-pods">Static Pods</a></li>
<li><a href="#replication-controller">Replication Controller</a></li>
</ul>
</li>
<li><a href="#caveats">Caveats</a></li>
</ul>
</li>
</ul>
<!-- END MUNGE: GENERATED_TOC -->
<h2 id="what-is-a-daemon-set">What is a <em>Daemon Set</em>?</h2>
<p>A <em>Daemon Set</em> ensures that all (or some) nodes run a copy of a pod. As nodes are added to the
cluster, pods are added to them. As nodes are removed from the cluster, those pods are garbage
collected. Deleting a Daemon Set will clean up the pods it created.</p>
<p>Some typical uses of a Daemon Set are:</p>
<ul>
<li>running a cluster storage daemon, such as <code>glusterd</code>, <code>ceph</code>, on each node.</li>
<li>running a logs collection daemon on every node, such as <code>fluentd</code> or <code>logstash</code>.</li>
<li>running a node monitoring daemon on every node, such as <a href="https://github.com/prometheus/node_exporter">Prometheus Node Exporter</a>, <code>collectd</code>, New Relic agent, or Ganglia <code>gmond</code>.</li>
</ul>
<p>In a simple case, one Daemon Set, covering all nodes, would be used for each type of daemon.
A more complex setup might use multiple DaemonSets would be used for a single type of daemon,
but with different flags and/or different memory and cpu requests for different hardware types.</p>
<h2 id="writing-a-daemonset-spec">Writing a DaemonSet Spec</h2>
<h3 id="required-fields">Required Fields</h3>
<p>As with all other Kubernetes config, a DaemonSet needs <code>apiVersion</code>, <code>kind</code>, and <code>metadata</code> fields. For
general information about working with config files, see <a href="../user-guide/simple-yaml.html">here</a>,
<a href="../user-guide/configuring-containers.html">here</a>, and <a href="../user-guide/working-with-resources.html">here</a>.</p>
<p>A DaemonSet also needs a <a href="../devel/api-conventions.html#spec-and-status"><code>.spec</code></a> section.</p>
<h3 id="pod-template">Pod Template</h3>
<p>The <code>.spec.template</code> is the only required field of the <code>.spec</code>.</p>
<p>The <code>.spec.template</code> is a <a href="../user-guide/replication-controller.html#pod-template">pod template</a>.
It has exactly the same schema as a <a href="../user-guide/pods.html">pod</a>, except
it is nested and does not have an <code>apiVersion</code> or <code>kind</code>.</p>
<p>In addition to required fields for a pod, a pod template in a DaemonSet has to specify appropriate
labels (see <a href="#pod-selector">pod selector</a>).</p>
<p>A pod template in a DaemonSet must have a <a href="../user-guide/pod-states.html"><code>RestartPolicy</code></a>
equal to <code>Always</code>, or be unspecified, which defaults to <code>Always</code>.</p>
<h3 id="pod-selector">Pod Selector</h3>
<p>The <code>.spec.selector</code> field is a pod selector. It works the same as the <code>.spec.selector</code> of
a <a href="../user-guide/replication-controller.html">ReplicationController</a> or
<a href="../user-guide/jobs.html">Job</a>.</p>
<p>If the <code>.spec.selector</code> is specified, it must equal the <code>.spec.template.metadata.labels</code>. If not
specified, the are default to be equal. Config with these unequal will be rejected by the API.</p>
<p>Also you should not normally create any pods whose labels match this selector, either directly, via
another DaemonSet, or via other controller such as ReplicationController. Otherwise, the DaemonSet
controller will think that those pods were created by it. Kubernetes will not stop you from doing
this. Once case where you might want to do this is manually create a pod with a different value on
a node for testing.</p>
<h3 id="running-pods-on-only-some-nodes">Running Pods on Only Some Nodes</h3>
<p>If you specify a <code>.spec.template.spec.nodeSelector</code>, then the DaemonSet controller will
create pods on nodes which match that <a href="../user-guide/node-selection/README.html">node
selector</a>.</p>
<p>If you do not specify a <code>.spec.template.spec.nodeSelector</code>, then the DaemonSet controller will
create pods on all nodes.</p>
<h2 id="how-daemon-pods-are-scheduled">How Daemon Pods are Scheduled</h2>
<p>Normally, the machine that a pod runs on is selected by the Kubernetes scheduler. However, pods
created by the Daemon controller have the machine already selected (<code>.spec.nodeName</code> is specified
when the pod is created, so it is ignored by the scheduler). Therefore:</p>
<ul>
<li>the <a href="node.html#manual-node-administration"><code>unschedulable</code></a> field of a node is not respected
by the daemon set controller.</li>
<li>daemon set controller can make pods even when the scheduler has not been started, which can help cluster
bootstrap.</li>
</ul>
<h2 id="communicating-with-daemonset-pods">Communicating with DaemonSet Pods</h2>
<p>Some possible patterns for communicating with pods in a DaemonSet are:</p>
<ul>
<li><strong>Push</strong>: Pods in the Daemon Set are configured to send updates to another service, such
as a stats database. They do not have clients.</li>
<li><strong>NodeIP and Known Port</strong>: Pods in the Daemon Set use a <code>hostPort</code>, so that the pods are reachable
via the node IPs. Clients knows the the list of nodes ips somehow, and know the port by convention.</li>
<li><strong>DNS</strong>: Create a <a href="../user-guide/services.html#headless-services">headless service</a> with the same pod selector,
and then discover DaemonSets using the <code>endpoints</code> resource or retrieve multiple A records from
DNS.</li>
<li><strong>Service</strong>: Create a service with the same pod selector, and use the service to reach a
daemon on a random node. (No way to reach specific node.)</li>
</ul>
<h2 id="updating-a-daemonset">Updating a DaemonSet</h2>
<p>If node labels are changed, the DaemonSet will promptly add pods to newly matching nodes and delete
pods from newly not-matching nodes.</p>
<p>You can modify the pods that a DaemonSet creates. However, pods do not allow all
fields to be updated. Also, the DeamonSet controller will use the original template the next
time a node (even with the same name) is created.</p>
<p>You can delete a DeamonSet. If you specify <code>--cascade=false</code> with <code>kubectl</code>, then the pods
will be left on the nodes. You can then create a new DaemonSet with a different template.
the new DaemonSet with the different template will recognize all the existing pods as having
matching labels. It will not modify or delete them despite a mismatch in the pod template.
You will need to force new pod creation by deleting the pod or deleting the node.</p>
<p>You cannot update a DaemonSet.</p>
<p>Support for updating DaemonSets and controlled updating of nodes is planned.</p>
<h2 id="alternatives-to-daemon-set">Alternatives to Daemon Set</h2>
<h3 id="init-scripts">Init Scripts</h3>
<p>It is certainly possible to run daemon processes by directly starting them on a node (e.g using
<code>init</code>, <code>upstartd</code>, or <code>systemd</code>). This is perfectly fine. However, there are several advantages to
running such processes via a DaemonSet:</p>
<ul>
<li>Ability to monitor and manage logs for daemons in the same way as applications.</li>
<li>Same config language and tools (e.g. pod templates, <code>kubectl</code>) for daemons and applications.</li>
<li>Future versions of Kubernetes will likely support integration between DaemonSet-created
pods and node upgrade workflows.</li>
<li>Running daemons in containers with resource limits increases isolation between daemons from app
containers. However, this can also be accomplished by running the daemons in a container but not in a pod
(e.g. start directly via Docker).</li>
</ul>
<h3 id="bare-pods">Bare Pods</h3>
<p>It is possible to create pods directly which specify a particular node to run on. However,
a Daemon Set replaces pods that are deleted or terminated for any reason, such as in the case of
node failure or disruptive node maintenance, such as a kernel upgrade. For this reason, you should
use a Daemon Set rather than creating individual pods.</p>
<h3 id="static-pods">Static Pods</h3>
<p>It is possible to create pods by writing a file to a certain directory watched by Kubelet. These
are called <a href="static-pods.html">static pods</a>.
Unlike DaemonSet, static pods cannot be managed with kubectl
or other Kubernetes API clients. Static pods do not depend on the apiserver, making them useful
in cluster bootstrapping cases. Also, static pods may be deprecated in the future.</p>
<h3 id="replication-controller">Replication Controller</h3>
<p>Daemon Set are similar to <a href="../user-guide/replication-controller.html">Replication Controllers</a> in that
they both create pods, and those pods have processes which are not expected to terminate (e.g. web servers,
storage servers).</p>
<p>Use a replication controller for stateless services, like frontends, where scaling up and down the
number of replicas and rolling out updates are more important than controlling exactly which host
the pod runs on. Use a Daemon Controller when it is important that a copy of a pod always run on
all or certain hosts, and when it needs to start before other pods.</p>
<h2 id="caveats">Caveats</h2>
<p>DaemonSet objects are in the <a href="../api.html#api-groups"><code>extensions</code> API Group</a>.
DaemonSet is not enabled by default. Enable it by setting
<code>--runtime-config=extensions/v1beta1/daemonsets=true</code> on the api server. This can be
achieved by exporting ENABLE_DAEMONSETS=true before running kube-up.sh script
on GCE.</p>
<p>DaemonSet objects effectively have <a href="../api.html#api-versioning">API version <code>v1alpha1</code></a>.
Alpha objects may change or even be discontinued in future software releases.
However, due to to a known issue, they will appear as API version <code>v1beta1</code> if enabled.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/daemons.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
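Review bot: the Updating a DaemonSet section of this file, in the paragraph beginning `You can delete a DeamonSet. If you specify --cascade=false with kubectl`, never tells the reader how to confirm which pods ended up adopted by the replacement DaemonSet, even though it states that the new controller "will recognize all the existing pods as having matching labels" and "will not modify or delete them despite a mismatch in the pod template"; since the Pod Selector section already warns that any pod matching the selector is treated as the controller's own, the procedure needs a closing verification step (list the pods matching the selector and compare each one's image or creation time against the new template) before the reader depends on the new DaemonSet. In the same hunk, the NodeIP and Known Port bullet should say that a `hostPort` makes the daemon reachable by anything that can reach the node IP, so a daemon without its own authentication needs a firewall rule there, and the following typos should be fixed: "DeamonSet" (twice), "the are default to be equal" (should read "they default to be equal"), "Once case" ("One case"), "Clients knows the the list of nodes ips", and "due to to a known issue" in the Caveats section.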


@ -0,0 +1,173 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - DNS Integration with Kubernetes</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>DNS Integration with Kubernetes</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="dns-integration-with-kubernetes">DNS Integration with Kubernetes</h1>
<p>As of Kubernetes 0.8, DNS is offered as a <a href="http://releases.k8s.io/release-1.1/cluster/addons/README.md">cluster add-on</a>.
If enabled, a DNS Pod and Service will be scheduled on the cluster, and the kubelets will be
configured to tell individual containers to use the DNS Services IP to resolve DNS names.</p>
<p>Every Service defined in the cluster (including the DNS server itself) will be
assigned a DNS name. By default, a client Pods DNS search list will
include the Pods own namespace and the clusters default domain. This is best
illustrated by example:</p>
<p>Assume a Service named <code>foo</code> in the Kubernetes namespace <code>bar</code>. A Pod running
in namespace <code>bar</code> can look up this service by simply doing a DNS query for
<code>foo</code>. A Pod running in namespace <code>quux</code> can look up this service by doing a
DNS query for <code>foo.bar</code>.</p>
<p>The cluster DNS server (<a href="https://github.com/skynetservices/skydns">SkyDNS</a>)
supports forward lookups (A records) and service lookups (SRV records).</p>
<h2 id="how-it-works">How it Works</h2>
<p>The running DNS pod holds 3 containers - skydns, etcd (a private instance which skydns uses),
and a Kubernetes-to-skydns bridge called kube2sky. The kube2sky process
watches the Kubernetes master for changes in Services, and then writes the
information to etcd, which skydns reads. This etcd instance is not linked to
any other etcd clusters that might exist, including the Kubernetes master.</p>
<h2 id="issues">Issues</h2>
<p>The skydns service is reachable directly from Kubernetes nodes (outside
of any container) and DNS resolution works if the skydns service is targeted
explicitly. However, nodes are not configured to use the cluster DNS service or
to search the clusters DNS domain by default. This may be resolved at a later
time.</p>
<h2 id="for-more-information">For more information</h2>
<p>See <a href="http://releases.k8s.io/release-1.1/cluster/addons/dns/README.md">the docs for the DNS cluster addon</a>.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/dns.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
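Review bot: the How it Works section of this file says kube2sky "watches the Kubernetes master for changes in Services, and then writes the information to etcd", but the page does not say what credential kube2sky uses for that cluster-wide watch or how the private etcd it writes to is protected, which a reader deploying the add-on needs in order to know what the DNS pod can see and who can rewrite the records it serves; add a sentence on both, and note in the Issues section that because "the skydns service is reachable directly from Kubernetes nodes (outside of any container)", any process that can reach the service IP can also resolve, and so enumerate, every Service name in the cluster. The opening line "As of Kubernetes 0.8, DNS is offered as a cluster add-on" is stale for a page filed under Version 1.1 and should cite the current release. The page template repeated here (and in every file in this commit) still carries placeholder content: the nav-box headings link to `href=""`, their descriptions are lorem ipsum, and the footer Community link points at `/foobang.html`; fix these in the shared layout rather than per page.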


@ -0,0 +1,181 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - etcd</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>etcd</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="etcd">etcd</h1>
<p><a href="https://coreos.com/etcd/docs/2.0.12/">etcd</a> is a highly-available key value
store which Kubernetes uses for persistent storage of all of its REST API
objects.</p>
<h2 id="configuration-high-level-goals">Configuration: high-level goals</h2>
<p>Access Control: give <em>only</em> kube-apiserver read/write access to etcd. You do not
want apiservers etcd exposed to every node in your cluster (or worse, to the
internet at large), because access to etcd is equivalent to root in your
cluster.</p>
<p>Data Reliability: for reasonable safety, either etcd needs to be run as a
<a href="high-availability.html#clustering-etcd">cluster</a> (multiple machines each running
etcd) or etcds data directory should be located on durable storage (e.g., GCEs
persistent disk). In either case, if high availability is requiredas it might
be in a production clusterthe data directory ought to be <a href="https://coreos.com/etcd/docs/2.0.12/admin_guide.html#disaster-recovery">backed up
periodically</a>,
to reduce downtime in case of corruption.</p>
<h2 id="default-configuration">Default configuration</h2>
<p>The default setup scripts use kubelets file-based static pods feature to run etcd in a
<a href="http://releases.k8s.io/release-1.1/cluster/saltbase/salt/etcd/etcd.manifest">pod</a>. This manifest should only
be run on master VMs. The default location that kubelet scans for manifests is
<code>/etc/kubernetes/manifests/</code>.</p>
<h2 id="kubernetess-usage-of-etcd">Kubernetess usage of etcd</h2>
<p>By default, Kubernetes objects are stored under the <code>/registry</code> key in etcd.
This path can be prefixed by using the <a href="kube-apiserver.html">kube-apiserver</a> flag
<code>--etcd-prefix="/foo"</code>.</p>
<p><code>etcd</code> is the only place that Kubernetes keeps state.</p>
<h2 id="troubleshooting">Troubleshooting</h2>
<p>To test whether <code>etcd</code> is running correctly, you can try writing a value to a
test key. On your master VM (or somewhere with firewalls configured such that
you can talk to your clusters etcd), try:</p>
<div class="highlight">
<pre><code class="language-sh">curl -fs -X PUT "http://${host}:${port}/v2/keys/_test"
</code></pre>
</div>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/etcd.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
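Review bot: the Troubleshooting block at the end of this file, `curl -fs -X PUT "http://${host}:${port}/v2/keys/_test"`, writes to etcd over plain HTTP with no credentials, which is the exact exposure the Configuration section warns about ("access to etcd is equivalent to root in your cluster"), yet the page does not turn that into a check; add that `${host}` and `${port}` are the etcd client address (the variables are not defined anywhere in the hunk), that the same PUT issued from a worker node or from outside the master's firewall is expected to fail, and that a success from any such place means etcd is reachable by more than kube-apiserver and must be fixed before the cluster carries real workloads. The test also leaves `_test` behind; pair it with a `-X DELETE` of the same key. Finally, "etcd is the only place that Kubernetes keeps state" deserves a pointer to the backup guidance two sections above, since a reader who reaches the troubleshooting section by search will otherwise not see it.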


@ -0,0 +1,208 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Garbage Collection</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Garbage Collection</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="garbage-collection">Garbage Collection</h1>
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#image-collection">Image Collection</a></li>
<li><a href="#container-collection">Container Collection</a></li>
<li><a href="#user-configuration">User Configuration</a></li>
</ul>
<h3 id="introduction">Introduction</h3>
<p>Garbage collection is managed by kubelet automatically, mainly including unreferenced
images and dead containers. kubelet applies container garbage collection every minute
and image garbage collection every 5 minutes.
Note that we dont recommend external garbage collection tool generally, since it could
break the behavior of kubelet potentially if it attempts to remove all of the containers
which acts as the tombstone kubelet relies on. Yet those garbage collector aims to deal
with the docker leaking issues would be appreciated.</p>
<h3 id="image-collection">Image Collection</h3>
<p>kubernetes manages lifecycle of all images through imageManager, with the cooperation
of cadvisor.
The policy for garbage collecting images we apply takes two factors into consideration,
<code>HighThresholdPercent</code> and <code>LowThresholdPercent</code>. Disk usage above the the high threshold
will trigger garbage collection, which attempts to delete unused images until the low
threshold is met. Least recently used images are deleted first.</p>
<h3 id="container-collection">Container Collection</h3>
<p>The policy for garbage collecting containers we apply takes on three variables, which can
be user-defined. <code>MinAge</code> is the minimum age at which a container can be garbage collected,
zero for no limit. <code>MaxPerPodContainer</code> is the max number of dead containers any single
pod (UID, container name) pair is allowed to have, less than zero for no limit.
<code>MaxContainers</code> is the max number of total dead containers, less than zero for no limit as well.</p>
<p>kubelet sorts out containers which are unidentified or stay out of bounds set by previous
mentioned three flags. Gernerally the oldest containers are removed first. Since we take both
<code>MaxPerPodContainer</code> and <code>MaxContainers</code> into consideration, it could happen when they
have conflict retaining the max number of containers per pod goes out of range set by max
number of global dead containers. In this case, we would sacrifice the <code>MaxPerPodContainer</code>
a little bit. For the worst case, we first downgrade it to 1 container per pod, and then
evict the oldest containers for the greater good.</p>
<p>When kubelet removes the dead containers, all the files inside the container will be cleaned up as well.
Note that we will skip the containers that are not managed by kubelet.</p>
<h3 id="user-configuration">User Configuration</h3>
<p>Users are free to set their own value to address image garbage collection.</p>
<ol>
<li><code>image-gc-high-threshold</code>, the percent of disk usage which triggers image garbage collection.
Default is 90%.</li>
<li><code>image-gc-low-threshold</code>, the percent of disk usage to which image garbage collection attempts
to free. Default is 80%.</li>
</ol>
<p>We also allow users to customize garbage collection policy, basically via following three flags.</p>
<ol>
<li><code>minimum-container-ttl-duration</code>, minimum age for a finished container before it is
garbage collected. Default is 1 minute.</li>
<li><code>maximum-dead-containers-per-container</code>, maximum number of old instances to retain
per container. Default is 2.</li>
<li><code>maximum-dead-containers</code>, maximum number of old instances of containers to retain globally.
Default is 100.</li>
</ol>
<p>Note that we highly recommend a large enough value for <code>maximum-dead-containers-per-container</code>
to allow at least 2 dead containers retaining per expected container when you customize the flag
configuration. A loose value for <code>maximum-dead-containers</code> also assumes importance for a similar reason.
See <a href="https://github.com/kubernetes/kubernetes/issues/13287">this issue</a> for more details.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/garbage-collection.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
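Review bot: the block from `<!-- BEGIN MUNGE: IS_VERSIONED -->` to `<!-- END MUNGE: GENERATED_ANALYTICS --></p>` still carries the mungedocs markers and the analytics pixel that this commit is meant to leave behind on the way to a pure-Jekyll page; strip them here so the file actually exemplifies the target shape, and note that the stray `</p>` after the END MUNGE comment only closes a paragraph wrapping an `href=""` image link. The footer's Community link points at `/foobang.html`, a placeholder that gets replicated into every generated page if it is not replaced now.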

View File

@ -0,0 +1,8 @@
# This should be the IP address of the load balancer for all masters
MASTER_IP=<insert-ip-here>
# This should be the internal service IP address reserved for DNS
DNS_IP=<insert-dns-ip-here>
DAEMON_ARGS="$DAEMON_ARGS --api-servers=https://${MASTER_IP} --enable-debugging-handlers=true --cloud-provider=
gce --config=/etc/kubernetes/manifests --allow-privileged=False --v=2 --cluster-dns=${DNS_IP} --cluster-domain=c
luster.local --configure-cbr0=true --cgroup-root=/ --system-container=/system "
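Review bot: `--enable-debugging-handlers=true` in `DAEMON_ARGS` turns on the kubelet's log-collection and in-container command endpoints on every master, and nothing in the guide says why the HA setup needs it; either document the reason or leave it off alongside the already conservative `--allow-privileged=False`. The same line points the kubelet at `https://${MASTER_IP}` without a `--kubeconfig` or any client-credential/CA flag, while the guide says the kubelet authenticates with a token from `known_tokens.csv`; state where that token is configured, otherwise readers get an HTTPS endpoint with no working identity. Also verify the committed file: as rendered, `DAEMON_ARGS` breaks mid-token (`--cloud-provider=` / `gce`, `--cluster-domain=c` / `luster.local`), which would corrupt the flags if those are real newlines. Finally `--cloud-provider=gce` is hard-coded although the page says the examples should adapt to other platforms.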

View File

@ -0,0 +1,87 @@
apiVersion: v1
kind: Pod
metadata:
name: etcd-server
spec:
hostNetwork: true
containers:
- image: gcr.io/google_containers/etcd:2.0.9
name: etcd-container
command:
- /usr/local/bin/etcd
- --name
- ${NODE_NAME}
- --initial-advertise-peer-urls
- http://${NODE_IP}:2380
- --listen-peer-urls
- http://${NODE_IP}:2380
- --advertise-client-urls
- http://${NODE_IP}:4001
- --listen-client-urls
- http://127.0.0.1:4001
- --data-dir
- /var/etcd/data
- --discovery
- ${DISCOVERY_TOKEN}
ports:
- containerPort: 2380
hostPort: 2380
name: serverport
- containerPort: 4001
hostPort: 4001
name: clientport
volumeMounts:
- mountPath: /var/etcd
name: varetcd
- mountPath: /etc/ssl
name: etcssl
readOnly: true
- mountPath: /usr/share/ssl
name: usrsharessl
readOnly: true
- mountPath: /var/ssl
name: varssl
readOnly: true
- mountPath: /usr/ssl
name: usrssl
readOnly: true
- mountPath: /usr/lib/ssl
name: usrlibssl
readOnly: true
- mountPath: /usr/local/openssl
name: usrlocalopenssl
readOnly: true
- mountPath: /etc/openssl
name: etcopenssl
readOnly: true
- mountPath: /etc/pki/tls
name: etcpkitls
readOnly: true
volumes:
- hostPath:
path: /var/etcd/data
name: varetcd
- hostPath:
path: /etc/ssl
name: etcssl
- hostPath:
path: /usr/share/ssl
name: usrsharessl
- hostPath:
path: /var/ssl
name: varssl
- hostPath:
path: /usr/ssl
name: usrssl
- hostPath:
path: /usr/lib/ssl
name: usrlibssl
- hostPath:
path: /usr/local/openssl
name: usrlocalopenssl
- hostPath:
path: /etc/openssl
name: etcopenssl
- hostPath:
path: /etc/pki/tls
name: etcpkitls
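Review bot: `--advertise-client-urls http://${NODE_IP}:4001` does not match `--listen-client-urls http://127.0.0.1:4001`: the member tells the cluster (and `etcdctl member list`) that clients can reach it on the node IP, but it only listens on loopback, so any client that follows the advertised URL from another node fails. Either advertise the loopback URL that the co-located apiserver and podmaster actually use (`http://127.0.0.1:4001`) or add the node IP to the client listener. Peer traffic on `http://${NODE_IP}:2380` is plaintext between masters and carries the entire cluster state; the guide should at least say this assumes a trusted master network, or point at etcd's peer TLS flags. The `containerPort`/`hostPort` pairs are inert under `hostNetwork: true` and serve only as documentation.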

Binary file not shown.


File diff suppressed because one or more lines are too long


View File

@ -0,0 +1,402 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - High Availability Kubernetes Clusters</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>High Availability Kubernetes Clusters</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="high-availability-kubernetes-clusters">High Availability Kubernetes Clusters</h1>
<p><strong>Table of Contents</strong>
<!-- BEGIN MUNGE: GENERATED_TOC --></p>
<ul>
<li><a href="#high-availability-kubernetes-clusters">High Availability Kubernetes Clusters</a>
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#overview">Overview</a></li>
<li><a href="#initial-set-up">Initial set-up</a></li>
<li><a href="#reliable-nodes">Reliable nodes</a></li>
<li><a href="#establishing-a-redundant-reliable-data-storage-layer">Establishing a redundant, reliable data storage layer</a>
<ul>
<li><a href="#clustering-etcd">Clustering etcd</a>
<ul>
<li><a href="#validating-your-cluster">Validating your cluster</a></li>
</ul>
</li>
<li><a href="#even-more-reliable-storage">Even more reliable storage</a></li>
</ul>
</li>
<li><a href="#replicated-api-servers">Replicated API Servers</a>
<ul>
<li><a href="#installing-configuration-files">Installing configuration files</a></li>
<li><a href="#starting-the-api-server">Starting the API Server</a></li>
<li><a href="#load-balancing">Load balancing</a></li>
</ul>
</li>
<li><a href="#master-elected-components">Master elected components</a>
<ul>
<li><a href="#installing-configuration-files">Installing configuration files</a></li>
<li><a href="#running-the-podmaster">Running the podmaster</a></li>
</ul>
</li>
<li><a href="#conclusion">Conclusion</a></li>
<li><a href="#vagrant-up">Vagrant up!</a></li>
</ul>
</li>
</ul>
<!-- END MUNGE: GENERATED_TOC -->
<h2 id="introduction">Introduction</h2>
<p>This document describes how to build a high-availability (HA) Kubernetes cluster. This is a fairly advanced topic.
Users who merely want to experiment with Kubernetes are encouraged to use configurations that are simpler to set up such as
the simple <a href="../../docs/getting-started-guides/docker.html">Docker based single node cluster instructions</a>,
or try <a href="https://cloud.google.com/container-engine/">Google Container Engine</a> for hosted Kubernetes.</p>
<p>Also, at this time high availability support for Kubernetes is not continuously tested in our end-to-end (e2e) testing. We will
be working to add this continuous testing, but for now the single-node master installations are more heavily tested.</p>
<h2 id="overview">Overview</h2>
<p>Setting up a truly reliable, highly available distributed system requires a number of steps, it is akin to
wearing underwear, pants, a belt, suspenders, another pair of underwear, and another pair of pants. We go into each
of these steps in detail, but a summary is given here to help guide and orient the user.</p>
<p>The steps involved are as follows:
* <a href="#reliable-nodes">Creating the reliable constituent nodes that collectively form our HA master implementation.</a>
* <a href="#establishing-a-redundant-reliable-data-storage-layer">Setting up a redundant, reliable storage layer with clustered etcd.</a>
* <a href="#replicated-api-servers">Starting replicated, load balanced Kubernetes API servers</a>
* <a href="#master-elected-components">Setting up master-elected Kubernetes scheduler and controller-manager daemons</a></p>
<p>Heres what the system should look like when its finished:
<img src="high-availability/ha.png" alt="High availability Kubernetes diagram" /></p>
<p>Ready? Lets get started.</p>
<h2 id="initial-set-up">Initial set-up</h2>
<p>The remainder of this guide assumes that you are setting up a 3-node clustered master, where each machine is running some flavor of Linux.
Examples in the guide are given for Debian distributions, but they should be easily adaptable to other distributions.
Likewise, this set up should work whether you are running in a public or private cloud provider, or if you are running
on bare metal.</p>
<p>The easiest way to implement an HA Kubernetes cluster is to start with an existing single-master cluster. The
instructions at <a href="https://get.k8s.io">https://get.k8s.io</a>
describe easy installation for single-master clusters on a variety of platforms.</p>
<h2 id="reliable-nodes">Reliable nodes</h2>
<p>On each master node, we are going to run a number of processes that implement the Kubernetes API. The first step in making these reliable is
to make sure that each automatically restarts when it fails. To achieve this, we need to install a process watcher. We choose to use
the <code>kubelet</code> that we run on each of the worker nodes. This is convenient, since we can use containers to distribute our binaries, we can
establish resource limits, and introspect the resource usage of each daemon. Of course, we also need something to monitor the kubelet
itself (insert who watches the watcher jokes here). For Debian systems, we choose monit, but there are a number of alternate
choices. For example, on systemd-based systems (e.g. RHEL, CentOS), you can run systemctl enable kubelet.</p>
<p>If you are extending from a standard Kubernetes installation, the <code>kubelet</code> binary should already be present on your system. You can run
<code>which kubelet</code> to determine if the binary is in fact installed. If it is not installed,
you should install the <a href="https://storage.googleapis.com/kubernetes-release/release/v0.19.3/bin/linux/amd64/kubelet">kubelet binary</a>, the
<a href="http://releases.k8s.io/release-1.1/cluster/saltbase/salt/kubelet/initd">kubelet init file</a> and <a href="high-availability/default-kubelet">high-availability/default-kubelet</a>
scripts.</p>
<p>If you are using monit, you should also install the monit daemon (<code>apt-get install monit</code>) and the <a href="high-availability/monit-kubelet">high-availability/monit-kubelet</a> and
<a href="high-availability/monit-docker">high-availability/monit-docker</a> configs.</p>
<p>On systemd systems you <code>systemctl enable kubelet</code> and <code>systemctl enable docker</code>.</p>
<h2 id="establishing-a-redundant-reliable-data-storage-layer">Establishing a redundant, reliable data storage layer</h2>
<p>The central foundation of a highly available solution is a redundant, reliable storage layer. The number one rule of high-availability is
to protect the data. Whatever else happens, whatever catches on fire, if you have the data, you can rebuild. If you lose the data, youre
done.</p>
<p>Clustered etcd already replicates your storage to all master instances in your cluster. This means that to lose data, all three nodes would need
to have their physical (or virtual) disks fail at the same time. The probability that this occurs is relatively low, so for many people
running a replicated etcd cluster is likely reliable enough. You can add additional reliability by increasing the
size of the cluster from three to five nodes. If that is still insufficient, you can add
<a href="#even-more-reliable-storage">even more redundancy to your storage layer</a>.</p>
<h3 id="clustering-etcd">Clustering etcd</h3>
<p>The full details of clustering etcd are beyond the scope of this document, lots of details are given on the
<a href="https://github.com/coreos/etcd/blob/master/Documentation/clustering.md">etcd clustering page</a>. This example walks through
a simple cluster set up, using etcds built in discovery to build our cluster.</p>
<p>First, hit the etcd discovery service to create a new token:</p>
<div class="highlight">
<pre><code class="language-sh">curl https://discovery.etcd.io/new?size=3
</code></pre>
</div>
<p>On each node, copy the <a href="high-availability/etcd.yaml">etcd.yaml</a> file into <code>/etc/kubernetes/manifests/etcd.yaml</code></p>
<p>The kubelet on each node actively monitors the contents of that directory, and it will create an instance of the <code>etcd</code>
server from the definition of the pod specified in <code>etcd.yaml</code>.</p>
<p>Note that in <code>etcd.yaml</code> you should substitute the token URL you got above for <code>${DISCOVERY_TOKEN}</code> on all three machines,
and you should substitute a different name (e.g. <code>node-1</code>) for ${NODE_NAME} and the correct IP address
for <code>${NODE_IP}</code> on each machine.</p>
<h4 id="validating-your-cluster">Validating your cluster</h4>
<p>Once you copy this into all three nodes, you should have a clustered etcd set up. You can validate with</p>
<div class="highlight">
<pre><code class="language-sh">etcdctl member list
</code></pre>
</div>
<p>and</p>
<div class="highlight">
<pre><code class="language-sh">etcdctl cluster-health
</code></pre>
</div>
<p>You can also validate that this is working with <code>etcdctl set foo bar</code> on one node, and <code>etcd get foo</code>
on a different node.</p>
<h3 id="even-more-reliable-storage">Even more reliable storage</h3>
<p>Of course, if you are interested in increased data reliability, there are further options which makes the place where etcd
installs its data even more reliable than regular disks (belts <em>and</em> suspenders, ftw!).</p>
<p>If you use a cloud provider, then they usually provide this
for you, for example <a href="https://cloud.google.com/compute/docs/disks/persistent-disks">Persistent Disk</a> on the Google Cloud Platform. These
are block-device persistent storage that can be mounted onto your virtual machine. Other cloud providers provide similar solutions.</p>
<p>If you are running on physical machines, you can also use network attached redundant storage using an iSCSI or NFS interface.
Alternatively, you can run a clustered file system like Gluster or Ceph. Finally, you can also run a RAID array on each physical machine.</p>
<p>Regardless of how you choose to implement it, if you chose to use one of these options, you should make sure that your storage is mounted
to each machine. If your storage is shared between the three masters in your cluster, you should create a different directory on the storage
for each node. Throughout these instructions, we assume that this storage is mounted to your machine in <code>/var/etcd/data</code></p>
<h2 id="replicated-api-servers">Replicated API Servers</h2>
<p>Once you have replicated etcd set up correctly, we will also install the apiserver using the kubelet.</p>
<h3 id="installing-configuration-files">Installing configuration files</h3>
<p>First you need to create the initial log file, so that Docker mounts a file instead of a directory:</p>
<div class="highlight">
<pre><code class="language-sh">touch /var/log/kube-apiserver.log
</code></pre>
</div>
<p>Next, you need to create a <code>/srv/kubernetes/</code> directory on each node. This directory includes:
* basic_auth.csv - basic auth user and password
* ca.crt - Certificate Authority cert
* known_tokens.csv - tokens that entities (e.g. the kubelet) can use to talk to the apiserver
* kubecfg.crt - Client certificate, public key
* kubecfg.key - Client certificate, private key
* server.cert - Server certificate, public key
* server.key - Server certificate, private key</p>
<p>The easiest way to create this directory, may be to copy it from the master node of a working cluster, or you can manually generate these files yourself.</p>
<h3 id="starting-the-api-server">Starting the API Server</h3>
<p>Once these files exist, copy the <a href="high-availability/kube-apiserver.yaml">kube-apiserver.yaml</a> into <code>/etc/kubernetes/manifests/</code> on each master node.</p>
<p>The kubelet monitors this directory, and will automatically create an instance of the <code>kube-apiserver</code> container using the pod definition specified
in the file.</p>
<h3 id="load-balancing">Load balancing</h3>
<p>At this point, you should have 3 apiservers all working correctly. If you set up a network load balancer, you should
be able to access your cluster via that load balancer, and see traffic balancing between the apiserver instances. Setting
up a load balancer will depend on the specifics of your platform, for example instructions for the Google Cloud
Platform can be found <a href="https://cloud.google.com/compute/docs/load-balancing/">here</a></p>
<p>Note, if you are using authentication, you may need to regenerate your certificate to include the IP address of the balancer,
in addition to the IP addresses of the individual nodes.</p>
<p>For pods that you deploy into the cluster, the <code>kubernetes</code> service/dns name should provide a load balanced endpoint for the master automatically.</p>
<p>For external users of the API (e.g. the <code>kubectl</code> command line interface, continuous build pipelines, or other clients) you will want to configure
them to talk to the external load balancers IP address.</p>
<h2 id="master-elected-components">Master elected components</h2>
<p>So far we have set up state storage, and we have set up the API server, but we havent run anything that actually modifies
cluster state, such as the controller manager and scheduler. To achieve this reliably, we only want to have one actor modifying state at a time, but we want replicated
instances of these actors, in case a machine dies. To achieve this, we are going to use a lease-lock in etcd to perform
master election. On each of the three apiserver nodes, we run a small utility application named <code>podmaster</code>. Its job is to implement a master
election protocol using etcd “compare and swap”. If the apiserver node wins the election, it starts the master component it is managing (e.g. the scheduler), if it
loses the election, it ensures that any master components running on the node (e.g. the scheduler) are stopped.</p>
<p>In the future, we expect to more tightly integrate this lease-locking into the scheduler and controller-manager binaries directly, as described in the <a href="../proposals/high-availability.html">high availability design proposal</a></p>
<h3 id="installing-configuration-files-1">Installing configuration files</h3>
<p>First, create empty log files on each node, so that Docker will mount the files not make new directories:</p>
<div class="highlight">
<pre><code class="language-sh">touch /var/log/kube-scheduler.log
touch /var/log/kube-controller-manager.log
</code></pre>
</div>
<p>Next, set up the descriptions of the scheduler and controller manager pods on each node.
by copying <a href="high-availability/kube-scheduler.yaml">kube-scheduler.yaml</a> and <a href="high-availability/kube-controller-manager.yaml">kube-controller-manager.yaml</a> into the <code>/srv/kubernetes/</code>
directory.</p>
<h3 id="running-the-podmaster">Running the podmaster</h3>
<p>Now that the configuration files are in place, copy the <a href="high-availability/podmaster.yaml">podmaster.yaml</a> config file into <code>/etc/kubernetes/manifests/</code></p>
<p>As before, the kubelet on the node monitors this directory, and will start an instance of the podmaster using the pod specification provided in <code>podmaster.yaml</code>.</p>
<p>Now you will have one instance of the scheduler process running on a single master node, and likewise one
controller-manager process running on a single (possibly different) master node. If either of these processes fail,
the kubelet will restart them. If any of these nodes fail, the process will move to a different instance of a master
node.</p>
<h2 id="conclusion">Conclusion</h2>
<p>At this point, you are done (yeah!) with the master components, but you still need to add worker nodes (boo!).</p>
<p>If you have an existing cluster, this is as simple as reconfiguring your kubelets to talk to the load-balanced endpoint, and
restarting the kubelets on each node.</p>
<p>If you are turning up a fresh cluster, you will need to install the kubelet and kube-proxy on each worker node, and
set the <code>--apiserver</code> flag to your replicated endpoint.</p>
<h2 id="vagrant-up">Vagrant up!</h2>
<p>We indeed have an initial proof of concept tester for this, which is available <a href="https://releases.k8s.io/release-1.1/examples/high-availability">here</a>.</p>
<p>It implements the major concepts (with a few minor reductions for simplicity), of the podmaster HA implementation alongside a quick smoke test using k8petstore.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/high-availability.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
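Review bot: under "Validating your cluster" the second command reads `etcd get foo`; it should be `etcdctl get foo` to pair with `etcdctl set foo bar`. Two cross-file mismatches in this commit also need resolving: the "Master elected components" section tells readers to copy `kube-scheduler.yaml` and `kube-controller-manager.yaml` into `/srv/kubernetes/`, but the podmaster manifest reads `/kubernetes/kube-scheduler.manifest` and `/kubernetes/kube-controller-manager.manifest` from that same mount, so the elector finds nothing to promote; and the Conclusion tells worker kubelets to set `--apiserver`, while the shipped `default-kubelet` uses `--api-servers`. In "Load balancing", "if you are using authentication, you may need to regenerate your certificate to include the IP address of the balancer" is about TLS server identity rather than authentication: `server.cert` needs the balancer address as a subject alternative name whenever clients verify the server over HTTPS, which is the default for `kubectl`. Lastly, the kubelet binary link targets v0.19.3 while the init file link and the rest of the page reference release-1.1.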

View File

@ -0,0 +1,90 @@
apiVersion: v1
kind: Pod
metadata:
name: kube-apiserver
spec:
hostNetwork: true
containers:
- name: kube-apiserver
image: gcr.io/google_containers/kube-apiserver:9680e782e08a1a1c94c656190011bd02
command:
- /bin/sh
- -c
- /usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001
--cloud-provider=gce --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
--service-cluster-ip-range=10.0.0.0/16 --client-ca-file=/srv/kubernetes/ca.crt
--basic-auth-file=/srv/kubernetes/basic_auth.csv --cluster-name=e2e-test-bburns
--tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key
--secure-port=443 --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2
--allow-privileged=False 1>>/var/log/kube-apiserver.log 2>&1
ports:
- containerPort: 443
hostPort: 443
name: https
- containerPort: 7080
hostPort: 7080
name: http
- containerPort: 8080
hostPort: 8080
name: local
volumeMounts:
- mountPath: /srv/kubernetes
name: srvkube
readOnly: true
- mountPath: /var/log/kube-apiserver.log
name: logfile
- mountPath: /etc/ssl
name: etcssl
readOnly: true
- mountPath: /usr/share/ssl
name: usrsharessl
readOnly: true
- mountPath: /var/ssl
name: varssl
readOnly: true
- mountPath: /usr/ssl
name: usrssl
readOnly: true
- mountPath: /usr/lib/ssl
name: usrlibssl
readOnly: true
- mountPath: /usr/local/openssl
name: usrlocalopenssl
readOnly: true
- mountPath: /etc/openssl
name: etcopenssl
readOnly: true
- mountPath: /etc/pki/tls
name: etcpkitls
readOnly: true
volumes:
- hostPath:
path: /srv/kubernetes
name: srvkube
- hostPath:
path: /var/log/kube-apiserver.log
name: logfile
- hostPath:
path: /etc/ssl
name: etcssl
- hostPath:
path: /usr/share/ssl
name: usrsharessl
- hostPath:
path: /var/ssl
name: varssl
- hostPath:
path: /usr/ssl
name: usrssl
- hostPath:
path: /usr/lib/ssl
name: usrlibssl
- hostPath:
path: /usr/local/openssl
name: usrlocalopenssl
- hostPath:
path: /etc/openssl
name: etcopenssl
- hostPath:
path: /etc/pki/tls
name: etcpkitls
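Review bot: `--cluster-name=e2e-test-bburns` is a developer's e2e cluster name; replace it with a placeholder (and keep it identical to whatever the controller-manager manifest uses, since both hard-code it). `--basic-auth-file=/srv/kubernetes/basic_auth.csv` enables HTTP basic auth on the secure port next to token and client-certificate auth; the guide only describes tokens and certs as the credentials for the kubelet and `kubectl`, so drop the flag unless basic auth is needed, as each line of that CSV is a full cluster credential with no rotation story. `--cloud-provider=gce` is hard-coded here too. The `7080` entry in `ports:` has no corresponding flag in the command, and with `hostNetwork: true` the port list does not control reachability anyway; what does matter is `--address=127.0.0.1`, which correctly keeps the unauthenticated 8080 port on loopback for the local controller-manager, scheduler and podmaster clients.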

View File

@ -0,0 +1,82 @@
apiVersion: v1
kind: Pod
metadata:
name: kube-controller-manager
spec:
containers:
- command:
- /bin/sh
- -c
- /usr/local/bin/kube-controller-manager --master=127.0.0.1:8080 --cluster-name=e2e-test-bburns
--cluster-cidr=10.245.0.0/16 --allocate-node-cidrs=true --cloud-provider=gce --service-account-private-key-file=/srv/kubernetes/server.key
--v=2 1>>/var/log/kube-controller-manager.log 2>&1
image: gcr.io/google_containers/kube-controller-manager:fda24638d51a48baa13c35337fcd4793
livenessProbe:
httpGet:
path: /healthz
port: 10252
initialDelaySeconds: 15
timeoutSeconds: 1
name: kube-controller-manager
volumeMounts:
- mountPath: /srv/kubernetes
name: srvkube
readOnly: true
- mountPath: /var/log/kube-controller-manager.log
name: logfile
- mountPath: /etc/ssl
name: etcssl
readOnly: true
- mountPath: /usr/share/ssl
name: usrsharessl
readOnly: true
- mountPath: /var/ssl
name: varssl
readOnly: true
- mountPath: /usr/ssl
name: usrssl
readOnly: true
- mountPath: /usr/lib/ssl
name: usrlibssl
readOnly: true
- mountPath: /usr/local/openssl
name: usrlocalopenssl
readOnly: true
- mountPath: /etc/openssl
name: etcopenssl
readOnly: true
- mountPath: /etc/pki/tls
name: etcpkitls
readOnly: true
hostNetwork: true
volumes:
- hostPath:
path: /srv/kubernetes
name: srvkube
- hostPath:
path: /var/log/kube-controller-manager.log
name: logfile
- hostPath:
path: /etc/ssl
name: etcssl
- hostPath:
path: /usr/share/ssl
name: usrsharessl
- hostPath:
path: /var/ssl
name: varssl
- hostPath:
path: /usr/ssl
name: usrssl
- hostPath:
path: /usr/lib/ssl
name: usrlibssl
- hostPath:
path: /usr/local/openssl
name: usrlocalopenssl
- hostPath:
path: /etc/openssl
name: etcopenssl
- hostPath:
path: /etc/pki/tls
name: etcpkitls
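Review bot: `--service-account-private-key-file=/srv/kubernetes/server.key` makes the API server's TLS private key double as the service-account token signing key (it works because the apiserver manifest sets no `--service-account-key-file`, and that flag falls back to `--tls-private-key-file` when unspecified). Generate a dedicated key pair for service-account tokens and pass it to both binaries, so rotating the TLS certificate does not invalidate every issued token and a compromise of one key does not hand over the other role. `--cluster-name=e2e-test-bburns` repeats the placeholder problem from the apiserver manifest. This manifest and the scheduler's have a `livenessProbe`; the apiserver manifest has none, so the kubelet will never restart a wedged apiserver, which undercuts the "reliable nodes" section of the guide.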

View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: kube-scheduler
spec:
hostNetwork: true
containers:
- name: kube-scheduler
image: gcr.io/google_containers/kube-scheduler:34d0b8f8b31e27937327961528739bc9
command:
- /bin/sh
- -c
- /usr/local/bin/kube-scheduler --master=127.0.0.1:8080 --v=2 1>>/var/log/kube-scheduler.log
2>&1
livenessProbe:
httpGet:
path: /healthz
port: 10251
initialDelaySeconds: 15
timeoutSeconds: 1
volumeMounts:
- mountPath: /var/log/kube-scheduler.log
name: logfile
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-s8ejd
readOnly: true
volumes:
- hostPath:
path: /var/log/kube-scheduler.log
name: logfile
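Review bot: the `default-token-s8ejd` volumeMount at `/var/run/secrets/kubernetes.io/serviceaccount` refers to a volume that `volumes:` does not declare (only `logfile` is), so the pod fails validation and the kubelet never starts the scheduler. That mount is the auto-injected service-account token volume captured when the manifest was exported from a running cluster; a static pod has no service account, so delete the two mount lines rather than inventing a volume for them. As in the controller-manager manifest, `--master=127.0.0.1:8080` uses the apiserver's unauthenticated local port, which is acceptable only because `hostNetwork: true` keeps it on the same host and the apiserver binds that port to loopback.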

View File

@ -0,0 +1,9 @@
check process docker with pidfile /var/run/docker.pid
group docker
start program = "/etc/init.d/docker start"
stop program = "/etc/init.d/docker stop"
if does not exist then restart
if failed
unixsocket /var/run/docker.sock
protocol HTTP request "/version"
then restart

View File

@ -0,0 +1,11 @@
check process kubelet with pidfile /var/run/kubelet.pid
group kubelet
start program = "/etc/init.d/kubelet start"
stop program = "/etc/init.d/kubelet stop"
if does not exist then restart
if failed
host 127.0.0.1
port 10255
protocol HTTP
request "/healthz"
then restart
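Review bot: the health check targets `127.0.0.1:10255/healthz`, the kubelet's read-only port, so it only works while that port is left at its default; an operator who disables it for hardening (`--read-only-port=0`) turns this monitor into a restart loop. The kubelet also serves `/healthz` on its dedicated healthz port (`--healthz-port`, default 10248, bound to loopback by default), which does not depend on the read-only listener; pointing the check there is more robust. The `default-kubelet` file in this commit sets neither flag, so defaults apply today, but the check should not silently depend on that.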

View File

@ -0,0 +1,43 @@
apiVersion: v1
kind: Pod
metadata:
name: scheduler-master
spec:
hostNetwork: true
containers:
- name: scheduler-elector
image: gcr.io/google_containers/podmaster:1.1
command:
- /podmaster
- --etcd-servers=http://127.0.0.1:4001
- --key=scheduler
- --source-file=/kubernetes/kube-scheduler.manifest
- --dest-file=/manifests/kube-scheduler.manifest
volumeMounts:
- mountPath: /kubernetes
name: k8s
readOnly: true
- mountPath: /manifests
name: manifests
- name: controller-manager-elector
image: gcr.io/google_containers/podmaster:1.1
command:
- /podmaster
- --etcd-servers=http://127.0.0.1:4001
- --key=controller
- --source-file=/kubernetes/kube-controller-manager.manifest
- --dest-file=/manifests/kube-controller-manager.manifest
terminationMessagePath: /dev/termination-log
volumeMounts:
- mountPath: /kubernetes
name: k8s
readOnly: true
- mountPath: /manifests
name: manifests
volumes:
- hostPath:
path: /srv/kubernetes
name: k8s
- hostPath:
path: /etc/kubernetes/manifests
name: manifests
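Review bot: `--source-file=/kubernetes/kube-scheduler.manifest` and `--source-file=/kubernetes/kube-controller-manager.manifest` read from the `/srv/kubernetes` hostPath, but the guide in this commit tells readers to copy `kube-scheduler.yaml` and `kube-controller-manager.yaml` there; rename the source files here or fix the guide, otherwise the elector has nothing to copy when it wins. The `/manifests` mount is read-write on `/etc/kubernetes/manifests`, the kubelet's static-pod directory, which means whatever runs in `gcr.io/google_containers/podmaster:1.1` can start arbitrary pods on the master; that is the component's job, but the guide should say so, and the image tag should be one the project treats as immutable. `terminationMessagePath` is set on the controller-manager elector only; make the two containers consistent.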

View File

@ -0,0 +1,188 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Cluster Admin Guide</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Cluster Admin Guide</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-cluster-admin-guide">Kubernetes Cluster Admin Guide</h1>
<p>The cluster admin guide is for anyone creating or administering a Kubernetes cluster.
It assumes some familiarity with concepts in the <a href="../user-guide/README.html">User Guide</a>.</p>
<h2 id="admin-guide-table-of-contents">Admin Guide Table of Contents</h2>
<p><a href="introduction.html">Introduction</a></p>
<ol>
<li><a href="cluster-components.html">Components of a cluster</a></li>
<li><a href="cluster-management.html">Cluster Management</a></li>
<li>Administrating Master Components
1. <a href="kube-apiserver.html">The kube-apiserver binary</a>
<ol>
<li><a href="authorization.html">Authorization</a></li>
<li><a href="authentication.html">Authentication</a></li>
<li><a href="accessing-the-api.html">Accessing the api</a></li>
<li><a href="admission-controllers.html">Admission Controllers</a></li>
<li><a href="service-accounts-admin.html">Administrating Service Accounts</a></li>
<li><a href="resource-quota.html">Resource Quotas</a>
<ol>
<li><a href="kube-scheduler.html">The kube-scheduler binary</a></li>
<li><a href="kube-controller-manager.html">The kube-controller-manager binary</a></li>
</ol>
</li>
</ol>
</li>
<li><a href="node.html">Administrating Kubernetes Nodes</a>
1. <a href="kubelet.html">The kubelet binary</a>
<ol>
<li><a href="garbage-collection.html">Garbage Collection</a>
<ol>
<li><a href="kube-proxy.html">The kube-proxy binary</a></li>
</ol>
</li>
</ol>
</li>
<li>Administrating Addons
1. <a href="dns.html">DNS</a></li>
<li><a href="networking.html">Networking</a>
1. <a href="ovs-networking.html">OVS Networking</a></li>
<li>Example Configurations
1. <a href="multi-cluster.html">Multiple Clusters</a>
1. <a href="high-availability.html">High Availability Clusters</a>
1. <a href="cluster-large.html">Large Clusters</a>
1. <a href="../getting-started-guides/scratch.html">Getting started from scratch</a>
<ol>
<li><a href="salt.html">Kubernetess use of salt</a></li>
</ol>
</li>
<li><a href="cluster-troubleshooting.html">Troubleshooting</a></li>
</ol>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
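Review bot: the Admin Guide Table of Contents in this file is mis-nested and leaks raw markdown. The line `1. <a href="kube-apiserver.html">The kube-apiserver binary</a>` is emitted as literal text inside the "Administrating Master Components" `<li>` instead of becoming a nested list item, and as a knock-on effect the kube-scheduler and kube-controller-manager entries are rendered as children of Resource Quotas, kube-proxy as a child of Garbage Collection, and the DNS, OVS Networking, Multiple Clusters, High Availability, Large Clusters and Getting-started-from-scratch entries all appear as bare "1." text rather than list items. The source markdown indentation (or the munger's handling of it) needs fixing so each "1." becomes its own `<li>` at the intended depth, with the scheduler, controller-manager and proxy entries as siblings of kube-apiserver and kubelet. Smaller points in the same file: the page ends up with two `<h1>` headings carrying the same text (the template's `<h1>Kubernetes Cluster Admin Guide</h1>` followed by the munged `<h1 id="kubernetes-cluster-admin-guide">`), the Salt entry reads "Kubernetess use of salt" and should be "Kubernetes' use of Salt", and several links are dead or placeholder: the four nav-box headings and the "View On Github" button use `<a href="">`, the footer Community link points at `/foobang.html`, the analytics pixel is wrapped in an empty `<a href="">`, and the nav-box descriptions are still lorem ipsum copy. Note also that the analytics `<img>` reports the path of every viewed page to kubernetes-site.appspot.com; if that tracker is being carried over from the GitHub-rendered docs on purpose, the site should say so somewhere.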

View File

@ -0,0 +1,226 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Cluster Admin Guide</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Cluster Admin Guide</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-cluster-admin-guide">Kubernetes Cluster Admin Guide</h1>
<p>The cluster admin guide is for anyone creating or administering a Kubernetes cluster.
It assumes some familiarity with concepts in the <a href="../user-guide/README.html">User Guide</a>.</p>
<h2 id="planning-a-cluster">Planning a cluster</h2>
<p>There are many different examples of how to setup a kubernetes cluster. Many of them are listed in this
<a href="../getting-started-guides/README.html">matrix</a>. We call each of the combinations in this matrix a <em>distro</em>.</p>
<p>Before choosing a particular guide, here are some things to consider:</p>
<ul>
<li>Are you just looking to try out Kubernetes on your laptop, or build a high-availability many-node cluster? Both
models are supported, but some distros are better for one case or the other.</li>
<li>Will you be using a hosted Kubernetes cluster, such as <a href="https://cloud.google.com/container-engine">GKE</a>, or setting
one up yourself?</li>
<li>Will your cluster be on-premises, or in the cloud (IaaS)? Kubernetes does not directly support hybrid clusters. We
recommend setting up multiple clusters rather than spanning distant locations.</li>
<li>Will you be running Kubernetes on “bare metal” or virtual machines? Kubernetes supports both, via different distros.</li>
<li>Do you just want to run a cluster, or do you expect to do active development of kubernetes project code? If the
latter, it is better to pick a distro actively used by other developers. Some distros only use binary releases, but
offer is a greater variety of choices.</li>
<li>Not all distros are maintained as actively. Prefer ones which are listed as tested on a more recent version of
Kubernetes.</li>
<li>If you are configuring kubernetes on-premises, you will need to consider what <a href="networking.html">networking
model</a> fits best.</li>
<li>If you are designing for very high-availability, you may want <a href="multi-cluster.html">clusters in multiple zones</a>.</li>
<li>You may want to familiarize yourself with the various
<a href="cluster-components.html">components</a> needed to run a cluster.</li>
</ul>
<h2 id="setting-up-a-cluster">Setting up a cluster</h2>
<p>Pick one of the Getting Started Guides from the <a href="../getting-started-guides/README.html">matrix</a> and follow it.
If none of the Getting Started Guides fits, you may want to pull ideas from several of the guides.</p>
<p>One option for custom networking is <em>OpenVSwitch GRE/VxLAN networking</em> (<a href="ovs-networking.html">ovs-networking.md</a>), which
uses OpenVSwitch to set up networking between pods across
Kubernetes nodes.</p>
<p>If you are modifying an existing guide which uses Salt, this document explains <a href="salt.html">how Salt is used in the Kubernetes
project</a>.</p>
<h2 id="managing-a-cluster-including-upgrades">Managing a cluster, including upgrades</h2>
<p><a href="cluster-management.html">Managing a cluster</a>.</p>
<h2 id="managing-nodes">Managing nodes</h2>
<p><a href="node.html">Managing nodes</a>.</p>
<h2 id="optional-cluster-services">Optional Cluster Services</h2>
<ul>
<li>
<p><strong>DNS Integration with SkyDNS</strong> (<a href="dns.html">dns.md</a>):
Resolving a DNS name directly to a Kubernetes service.</p>
</li>
<li>
<p><strong>Logging</strong> with <a href="../user-guide/logging.html">Kibana</a></p>
</li>
</ul>
<h2 id="multi-tenant-support">Multi-tenant support</h2>
<ul>
<li><strong>Resource Quota</strong> (<a href="resource-quota.html">resource-quota.md</a>)</li>
</ul>
<h2 id="security">Security</h2>
<ul>
<li>
<p><strong>Kubernetes Container Environment</strong> (<a href="../user-guide/container-environment.html">docs/user-guide/container-environment.md</a>):
Describes the environment for Kubelet managed containers on a Kubernetes
node.</p>
</li>
<li>
<p><strong>Securing access to the API Server</strong> <a href="accessing-the-api.html">accessing the api</a></p>
</li>
<li>
<p><strong>Authentication</strong> <a href="authentication.html">authentication</a></p>
</li>
<li>
<p><strong>Authorization</strong> <a href="authorization.html">authorization</a></p>
</li>
<li>
<p><strong>Admission Controllers</strong> <a href="admission-controllers.html">admission_controllers</a></p>
</li>
</ul>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/introduction.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
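Review bot: under "Planning a cluster" the bullet about active development is garbled and states the opposite of what it presumably means: "Some distros only use binary releases, but offer is a greater variety of choices." It should read something like "Some distros only use binary releases, but others offer a greater variety of choices", and the preceding "it is better to pick a distro actively used by other developers" should then follow naturally. Two further wording points in the content: "setting up multiple clusters rather than spanning distant locations" should make explicit that this refers to one cluster per location (the multi-cluster link already covers it), and in the Security list the Admission Controllers link text is `admission_controllers` with an underscore while the neighbouring links use plain words. The template issues are the same as in the README file of this commit: duplicated `<h1>` with identical text, empty `href=""` on the nav-box headings and the "View On Github" button, lorem ipsum nav-box copy, `/foobang.html` as the footer Community link, and the empty-`href` analytics pixel. Since these come from one shared template, fixing them once in the layout is preferable to fixing each generated page.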

View File

@ -0,0 +1,210 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - kube-apiserver</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>kube-apiserver</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h2 id="kube-apiserver">kube-apiserver</h2>
<h3 id="synopsis">Synopsis</h3>
<p>The Kubernetes API server validates and configures data
for the api objects which include pods, services, replicationcontrollers, and
others. The API Server services REST operations and provides the frontend to the
clusters shared state through which all other components interact.</p>
<pre><code>
kube-apiserver
</code></pre>
<h3 id="options">Options</h3>
<pre><code>
--admission-control="AlwaysAdmit": Ordered list of plug-ins to do admission control of resources into cluster. Comma-delimited list of: AlwaysAdmit, AlwaysDeny, DenyEscalatingExec, DenyExecOnPrivileged, InitialResources, LimitRanger, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, ResourceQuota, SecurityContextDeny, ServiceAccount
--admission-control-config-file="": File with admission control configuration.
--advertise-address=&lt;nil&gt;: The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used.
--allow-privileged[=false]: If true, allow privileged containers.
--authorization-mode="AlwaysAllow": Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: AlwaysAllow,AlwaysDeny,ABAC
--authorization-policy-file="": File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.
--basic-auth-file="": If set, the file that will be used to admit requests to the secure port of the API server via http basic authentication.
--bind-address=0.0.0.0: The IP address on which to serve the --read-only-port and --secure-port ports. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank, all interfaces will be used (0.0.0.0).
--cert-dir="/var/run/kubernetes": The directory where the TLS certs are located (by default /var/run/kubernetes). If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.
--client-ca-file="": If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.
--cloud-config="": The path to the cloud provider configuration file. Empty string for no configuration file.
--cloud-provider="": The provider for cloud services. Empty string for no provider.
--cluster-name="kubernetes": The instance prefix for the cluster
--cors-allowed-origins=[]: List of allowed origins for CORS, comma separated. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled.
--etcd-config="": The config file for the etcd client. Mutually exclusive with -etcd-servers.
--etcd-prefix="/registry": The prefix for all resource paths in etcd.
--etcd-servers=[]: List of etcd servers to watch (http://ip:port), comma separated. Mutually exclusive with -etcd-config
--etcd-servers-overrides=[]: Per-resource etcd servers overrides, comma separated. The individual override format: group/resource#servers, where servers are http://ip:port, semicolon separated.
--event-ttl=1h0m0s: Amount of time to retain events. Default 1 hour.
--experimental-keystone-url="": If passed, activates the keystone authentication plugin
--external-hostname="": The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs.)
--google-json-key="": The Google Cloud Platform Service Account JSON Key to use for authentication.
--insecure-bind-address=127.0.0.1: The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). Defaults to localhost.
--insecure-port=8080: The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed that firewall rules are set up such that this port is not reachable from outside of the cluster and that port 443 on the cluster's public address is proxied to this port. This is performed by nginx in the default setup.
--kubelet-certificate-authority="": Path to a cert. file for the certificate authority.
--kubelet-client-certificate="": Path to a client cert file for TLS.
--kubelet-client-key="": Path to a client key file for TLS.
--kubelet-https[=true]: Use https for kubelet connections
--kubelet-port=10250: Kubelet port
--kubelet-timeout=5s: Timeout for kubelet operations
--log-flush-frequency=5s: Maximum number of seconds between log flushes
--long-running-request-regexp="(/|^)((watch|proxy)(/|$)|(logs?|portforward|exec|attach)/?$)": A regular expression matching long running requests which should be excluded from maximum inflight request handling.
--master-service-namespace="default": The namespace from which the kubernetes master services should be injected into pods
--max-connection-bytes-per-sec=0: If non-zero, throttle each user connection to this number of bytes/sec. Currently only applies to long-running requests
--max-requests-inflight=400: The maximum number of requests in flight at a given time. When the server exceeds this, it rejects requests. Zero for no limit.
--min-request-timeout=1800: An optional field indicating the minimum number of seconds a handler must keep a request open before timing it out. Currently only honored by the watch request handler, which picks a randomized value above this number as the connection timeout, to spread out load.
--oidc-ca-file="": If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used
--oidc-client-id="": The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set
--oidc-issuer-url="": The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT)
--oidc-username-claim="sub": The OpenID claim to use as the user name. Note that claims other than the default ('sub') is not guaranteed to be unique and immutable. This flag is experimental, please see the authentication documentation for further details.
--profiling[=true]: Enable profiling via web interface host:port/debug/pprof/
--runtime-config=: A set of key=value pairs that describe runtime configuration that may be passed to apiserver. apis/&lt;groupVersion&gt; key can be used to turn on/off specific api versions. apis/&lt;groupVersion&gt;/&lt;resource&gt; can be used to turn on/off specific resources. api/all and api/legacy are special keys to control all and legacy api versions respectively.
--secure-port=6443: The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all.
--service-account-key-file="": File containing PEM-encoded x509 RSA private or public key, used to verify ServiceAccount tokens. If unspecified, --tls-private-key-file is used.
--service-account-lookup[=false]: If true, validate ServiceAccount tokens exist in etcd as part of authentication.
--service-cluster-ip-range=&lt;nil&gt;: A CIDR notation IP range from which to assign service cluster IPs. This must not overlap with any IP ranges assigned to nodes for pods.
--service-node-port-range=: A port range to reserve for services with NodePort visibility. Example: '30000-32767'. Inclusive at both ends of the range.
--ssh-keyfile="": If non-empty, use secure SSH proxy to the nodes, using this user keyfile
--ssh-user="": If non-empty, use secure SSH proxy to the nodes, using this user name
--storage-versions="extensions/v1beta1,v1": The versions to store resources with. Different groups may be stored in different versions. Specified in the format "group1/version1,group2/version2...". This flag expects a complete list of storage versions of ALL groups registered in the server. It defaults to a list of preferred versions of all registered groups, which is derived from the KUBE_API_VERSIONS environment variable.
--tls-cert-file="": File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to /var/run/kubernetes.
--tls-private-key-file="": File containing x509 private key matching --tls-cert-file.
--token-auth-file="": If set, the file that will be used to secure the secure port of the API server via token authentication.
--watch-cache[=true]: Enable watch caching in the apiserver
</code></pre>
<h6 id="auto-generated-by-spf13cobra-at-2015-10-29-201233554980405-0000-utc">Auto generated by spf13/cobra at 2015-10-29 20:12:33.554980405 +0000 UTC</h6>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/kube-apiserver.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
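Review bot: this reference page documents defaults that are unsafe outside a throwaway cluster and gives the reader no warning about any of them. As listed, `--authorization-mode="AlwaysAllow"`, `--admission-control="AlwaysAdmit"`, and `--insecure-port=8080` (described as "unsecured, unauthenticated access") mean an apiserver started with no flags accepts any request from anyone who can reach it, `--bind-address=0.0.0.0` serves the secure port on all interfaces, and `--profiling[=true]` exposes `/debug/pprof/` to anyone who can reach the server. The `--insecure-port` help text itself admits the dependency on external firewall rules and an nginx proxy "in the default setup". Because the body is auto-generated from cobra (per the `<h6>` footer, dated 2015-10-29), the fix belongs either in the flag help strings upstream or in a short hand-written preamble on this page pointing at authorization.html, admission-controllers.html and accessing-the-api.html, which the admin README added in this same commit already links. Stale or inconsistent help text worth fixing at the source while at it: `--bind-address` says it serves "the --read-only-port and --secure-port ports", but no `--read-only-port` option is listed; `--etcd-config` and `--etcd-servers` refer to each other with a single leading dash (`-etcd-servers`, `-etcd-config`) while every other reference uses two; and `--oidc-username-claim` has "claims other than the default ('sub') is not guaranteed" (should be "are"). Presentation: the whole option list is one `<pre><code>` with each flag on a single unwrapped line and no per-flag anchors, so nothing on the site can link to an individual option; a definition list or a table with an `id` per flag would make the authorization and authentication pages able to deep-link here.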

View File

@ -0,0 +1,197 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - kube-controller-manager</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>kube-controller-manager</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h2 id="kube-controller-manager">kube-controller-manager</h2>
<h3 id="synopsis">Synopsis</h3>
<p>The Kubernetes controller manager is a daemon that embeds
the core control loops shipped with Kubernetes. In applications of robotics and
automation, a control loop is a non-terminating loop that regulates the state of
the system. In Kubernetes, a controller is a control loop that watches the shared
state of the cluster through the apiserver and makes changes attempting to move the
current state towards the desired state. Examples of controllers that ship with
Kubernetes today are the replication controller, endpoints controller, namespace
controller, and serviceaccounts controller.</p>
<pre><code>
kube-controller-manager
</code></pre>
<h3 id="options">Options</h3>
<pre><code>
--address=127.0.0.1: The IP address to serve on (set to 0.0.0.0 for all interfaces)
--allocate-node-cidrs[=false]: Should CIDRs for Pods be allocated and set on the cloud provider.
--cloud-config="": The path to the cloud provider configuration file. Empty string for no configuration file.
--cloud-provider="": The provider for cloud services. Empty string for no provider.
--cluster-cidr=&lt;nil&gt;: CIDR Range for Pods in cluster.
--cluster-name="kubernetes": The instance prefix for the cluster
--concurrent-endpoint-syncs=5: The number of endpoint syncing operations that will be done concurrently. Larger number = faster endpoint updating, but more CPU (and network) load
--concurrent_rc_syncs=5: The number of replication controllers that are allowed to sync concurrently. Larger number = more reponsive replica management, but more CPU (and network) load
--deleting-pods-burst=10: Number of nodes on which pods are bursty deleted in case of node failure. For more details look into RateLimiter.
--deleting-pods-qps=0.1: Number of nodes per second on which pods are deleted in case of node failure.
--deployment-controller-sync-period=30s: Period for syncing the deployments.
--google-json-key="": The Google Cloud Platform Service Account JSON Key to use for authentication.
--horizontal-pod-autoscaler-sync-period=30s: The period for syncing the number of pods in horizontal pod autoscaler.
--kubeconfig="": Path to kubeconfig file with authorization and master location information.
--log-flush-frequency=5s: Maximum number of seconds between log flushes
--master="": The address of the Kubernetes API server (overrides any value in kubeconfig)
--min-resync-period=12h0m0s: The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod
--namespace-sync-period=5m0s: The period for syncing namespace life-cycle updates
--node-monitor-grace-period=40s: Amount of time which we allow running Node to be unresponsive before marking it unhealty. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status.
--node-monitor-period=5s: The period for syncing NodeStatus in NodeController.
--node-startup-grace-period=1m0s: Amount of time which we allow starting Node to be unresponsive before marking it unhealty.
--node-sync-period=10s: The period for syncing nodes from cloudprovider. Longer periods will result in fewer calls to cloud provider, but may delay addition of new nodes to cluster.
--pod-eviction-timeout=5m0s: The grace period for deleting pods on failed nodes.
--port=10252: The port that the controller-manager's http service runs on
--profiling[=true]: Enable profiling via web interface host:port/debug/pprof/
--pv-recycler-increment-timeout-nfs=30: the increment of time added per Gi to ActiveDeadlineSeconds for an NFS scrubber pod
--pv-recycler-minimum-timeout-hostpath=60: The minimum ActiveDeadlineSeconds to use for a HostPath Recycler pod. This is for development and testing only and will not work in a multi-node cluster.
--pv-recycler-minimum-timeout-nfs=300: The minimum ActiveDeadlineSeconds to use for an NFS Recycler pod
--pv-recycler-pod-template-filepath-hostpath="": The file path to a pod definition used as a template for HostPath persistent volume recycling. This is for development and testing only and will not work in a multi-node cluster.
--pv-recycler-pod-template-filepath-nfs="": The file path to a pod definition used as a template for NFS persistent volume recycling
--pv-recycler-timeout-increment-hostpath=30: the increment of time added per Gi to ActiveDeadlineSeconds for a HostPath scrubber pod. This is for development and testing only and will not work in a multi-node cluster.
--pvclaimbinder-sync-period=10s: The period for syncing persistent volumes and persistent volume claims
--resource-quota-sync-period=10s: The period for syncing quota usage status in the system
--root-ca-file="": If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.
--service-account-private-key-file="": Filename containing a PEM-encoded private RSA key used to sign service account tokens.
--service-sync-period=5m0s: The period for syncing services with their external load balancers
--terminated-pod-gc-threshold=12500: Number of terminated pods that can exist before the terminated pod garbage collector starts deleting terminated pods. If &lt;= 0, the terminated pod garbage collector is disabled.
</code></pre>
<h6 id="auto-generated-by-spf13cobra-at-2015-10-29-201225539938496-0000-utc">Auto generated by spf13/cobra at 2015-10-29 20:12:25.539938496 +0000 UTC</h6>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/kube-controller-manager.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
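Review bot: the footer's Community link still points at the placeholder `/foobang.html` (`<a href="/foobang.html">Community</a>`), and the analytics pixel is wrapped in an anchor with an empty `href`, which re-navigates to the current page when clicked; give the Community link a real destination and either drop that anchor or give it a target. The feedback `<label>` also ships with the placeholder copy "made better textfield suggestions".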

@ -0,0 +1,175 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - kube-proxy</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>kube-proxy</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h2 id="kube-proxy">kube-proxy</h2>
<h3 id="synopsis">Synopsis</h3>
<p>The Kubernetes network proxy runs on each node. This
reflects services as defined in the Kubernetes API on each node and can do simple
TCP,UDP stream forwarding or round robin TCP,UDP forwarding across a set of backends.
Service cluster ips and ports are currently found through Docker-links-compatible
environment variables specifying ports opened by the service proxy. There is an optional
addon that provides cluster DNS for these cluster IPs. The user must create a service
with the apiserver API to configure the proxy.</p>
<pre><code>
kube-proxy
</code></pre>
<h3 id="options">Options</h3>
<pre><code>
--bind-address=0.0.0.0: The IP address for the proxy server to serve on (set to 0.0.0.0 for all interfaces)
--cleanup-iptables[=false]: If true cleanup iptables rules and exit.
--google-json-key="": The Google Cloud Platform Service Account JSON Key to use for authentication.
--healthz-bind-address=127.0.0.1: The IP address for the health check server to serve on, defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces)
--healthz-port=10249: The port to bind the health check server. Use 0 to disable.
--hostname-override="": If non-empty, will use this string as identification instead of the actual hostname.
--iptables-sync-period=30s: How often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.
--kubeconfig="": Path to kubeconfig file with authorization information (the master location is set by the master flag).
--log-flush-frequency=5s: Maximum number of seconds between log flushes
--masquerade-all[=false]: If using the pure iptables proxy, SNAT everything
--master="": The address of the Kubernetes API server (overrides any value in kubeconfig)
--oom-score-adj=-999: The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]
--proxy-mode="": Which proxy mode to use: 'userspace' (older, stable) or 'iptables' (experimental). If blank, look at the Node object on the Kubernetes API and respect the 'net.experimental.kubernetes.io/proxy-mode' annotation if provided. Otherwise use the best-available proxy (currently userspace, but may change in future versions). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.
--proxy-port-range=: Range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
--resource-container="/kube-proxy": Absolute name of the resource-only container to create and run the Kube-proxy in (Default: /kube-proxy).
--udp-timeout=250ms: How long an idle UDP connection will be kept open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for proxy-mode=userspace
</code></pre>
<h6 id="auto-generated-by-spf13cobra-at-2015-10-29-201228465584706-0000-utc">Auto generated by spf13/cobra at 2015-10-29 20:12:28.465584706 +0000 UTC</h6>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/kube-proxy.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
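Review bot: `/js/script.js` is loaded before `/js/jquery-2.2.0.min.js` in the `<head>`; if script.js references `$` or `jQuery` at load time it will throw before jQuery exists, so move the jQuery `<script>` above it (or defer both). The header nav boxes also still carry lorem ipsum copy and empty `href=""` anchors ("Get Started", "Documentation", "Community", "Blog", "View On Github"), and the hero `<h1></h1>` / `<h5></h5>` are empty.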

@ -0,0 +1,170 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - kube-scheduler</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>kube-scheduler</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h2 id="kube-scheduler">kube-scheduler</h2>
<h3 id="synopsis">Synopsis</h3>
<p>The Kubernetes scheduler is a policy-rich, topology-aware,
workload-specific function that significantly impacts availability, performance,
and capacity. The scheduler needs to take into account individual and collective
resource requirements, quality of service requirements, hardware/software/policy
constraints, affinity and anti-affinity specifications, data locality, inter-workload
interference, deadlines, and so on. Workload-specific requirements will be exposed
through the API as necessary.</p>
<pre><code>
kube-scheduler
</code></pre>
<h3 id="options">Options</h3>
<pre><code>
--address=127.0.0.1: The IP address to serve on (set to 0.0.0.0 for all interfaces)
--algorithm-provider="DefaultProvider": The scheduling algorithm provider to use, one of: DefaultProvider
--bind-pods-burst=100: Number of bindings per second scheduler is allowed to make during bursts
--bind-pods-qps=50: Number of bindings per second scheduler is allowed to continuously make
--google-json-key="": The Google Cloud Platform Service Account JSON Key to use for authentication.
--kubeconfig="": Path to kubeconfig file with authorization and master location information.
--log-flush-frequency=5s: Maximum number of seconds between log flushes
--master="": The address of the Kubernetes API server (overrides any value in kubeconfig)
--policy-config-file="": File with scheduler policy configuration
--port=10251: The port that the scheduler's http service runs on
--profiling[=true]: Enable profiling via web interface host:port/debug/pprof/
</code></pre>
<h6 id="auto-generated-by-spf13cobra-at-2015-10-29-201220542446971-0000-utc">Auto generated by spf13/cobra at 2015-10-29 20:12:20.542446971 +0000 UTC</h6>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/kube-scheduler.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
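Review bot: the entire header, hero, TOC and footer chrome is copied verbatim into this file (it is identical to the kube-proxy page in the same commit) and the `<!-- BEGIN MUNGE ... -->` blocks are still present, so this does not yet reach the "non-munged/pure-Jekyll page" the commit message describes; suggest moving the chrome into a Jekyll layout and leaving only front matter (for example `layout: docs`, `title: kube-scheduler`) plus the Synopsis and Options content here. Minor: the header social link uses `class="Twitter"` while the footer uses `class="twitter"`; class selectors are case-sensitive in standards-mode HTML, so one of them will miss its icon rule.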

@ -0,0 +1,237 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - kubelet</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>kubelet</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h2 id="kubelet">kubelet</h2>
<h3 id="synopsis">Synopsis</h3>
<p>The kubelet is the primary “node agent” that runs on each
node. The kubelet works in terms of a PodSpec. A PodSpec is a YAML or JSON object
that describes a pod. The kubelet takes a set of PodSpecs that are provided through
various mechanisms (primarily through the apiserver) and ensures that the containers
described in those PodSpecs are running and healthy.</p>
<p>Other than from an PodSpec from the apiserver, there are three ways that a container
manifest can be provided to the Kubelet.</p>
<p>File: Path passed as a flag on the command line. This file is rechecked every 20
seconds (configurable with a flag).</p>
<p>HTTP endpoint: HTTP endpoint passed as a parameter on the command line. This endpoint
is checked every 20 seconds (also configurable with a flag).</p>
<p>HTTP server: The kubelet can also listen for HTTP and respond to a simple API
(underspecd currently) to submit a new manifest.</p>
<pre><code>
kubelet
</code></pre>
<h3 id="options">Options</h3>
<pre><code>
--address=0.0.0.0: The IP address for the Kubelet to serve on (set to 0.0.0.0 for all interfaces)
--allow-privileged[=false]: If true, allow containers to request privileged mode. [default=false]
--api-servers=[]: List of Kubernetes API servers for publishing events, and reading pods and services. (ip:port), comma separated.
--cadvisor-port=4194: The port of the localhost cAdvisor endpoint
--cert-dir="/var/run/kubernetes": The directory where the TLS certs are located (by default /var/run/kubernetes). If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.
--cgroup-root="": Optional root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Default: '', which means use the container runtime default.
--chaos-chance=0: If &gt; 0.0, introduce random client errors and latency. Intended for testing. [default=0.0]
--cloud-config="": The path to the cloud provider configuration file. Empty string for no configuration file.
--cloud-provider="": The provider for cloud services. Empty string for no provider.
--cluster-dns=&lt;nil&gt;: IP address for a cluster DNS server. If set, kubelet will configure all containers to use this for DNS resolution in addition to the host's DNS servers
--cluster-domain="": Domain for this cluster. If set, kubelet will configure all containers to search this domain in addition to the host's search domains
--config="": Path to the config file or directory of files
--configure-cbr0[=false]: If true, kubelet will configure cbr0 based on Node.Spec.PodCIDR.
--container-runtime="docker": The container runtime to use. Possible values: 'docker', 'rkt'. Default: 'docker'.
--containerized[=false]: Experimental support for running kubelet in a container. Intended for testing. [default=false]
--cpu-cfs-quota[=false]: Enable CPU CFS quota enforcement for containers that specify CPU limits
--docker-endpoint="": If non-empty, use this for the docker endpoint to communicate with
--docker-exec-handler="native": Handler to use when executing a command in a container. Valid values are 'native' and 'nsenter'. Defaults to 'native'.
--enable-debugging-handlers[=true]: Enables server endpoints for log collection and local running of containers and commands
--enable-server[=true]: Enable the Kubelet's server
--event-burst=0: Maximum size of a bursty event records, temporarily allows event records to burst to this number, while still not exceeding event-qps. Only used if --event-qps &gt; 0
--event-qps=0: If &gt; 0, limit event creations per second to this value. If 0, unlimited. [default=0.0]
--file-check-frequency=20s: Duration between checking config files for new data
--google-json-key="": The Google Cloud Platform Service Account JSON Key to use for authentication.
--healthz-bind-address=127.0.0.1: The IP address for the healthz server to serve on, defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces)
--healthz-port=10248: The port of the localhost healthz endpoint
--host-ipc-sources="*": Comma-separated list of sources from which the Kubelet allows pods to use the host ipc namespace. [default="*"]
--host-network-sources="*": Comma-separated list of sources from which the Kubelet allows pods to use of host network. [default="*"]
--host-pid-sources="*": Comma-separated list of sources from which the Kubelet allows pods to use the host pid namespace. [default="*"]
--hostname-override="": If non-empty, will use this string as identification instead of the actual hostname.
--http-check-frequency=20s: Duration between checking http for new data
--image-gc-high-threshold=90: The percent of disk usage after which image garbage collection is always run. Default: 90%%
--image-gc-low-threshold=80: The percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. Default: 80%%
--kubeconfig="/var/lib/kubelet/kubeconfig": Path to a kubeconfig file, specifying how to authenticate to API server (the master location is set by the api-servers flag).
--log-flush-frequency=5s: Maximum number of seconds between log flushes
--low-diskspace-threshold-mb=256: The absolute free disk space, in MB, to maintain. When disk space falls below this threshold, new pods would be rejected. Default: 256
--manifest-url="": URL for accessing the container manifest
--manifest-url-header="": HTTP header to use when accessing the manifest URL, with the key separated from the value with a ':', as in 'key:value'
--master-service-namespace="default": The namespace from which the kubernetes master services should be injected into pods
--max-open-files=1000000: Number of files that can be opened by Kubelet process. [default=1000000]
--max-pods=40: Number of Pods that can run on this Kubelet.
--maximum-dead-containers=100: Maximum number of old instances of containers to retain globally. Each container takes up some disk space. Default: 100.
--maximum-dead-containers-per-container=2: Maximum number of old instances to retain per container. Each container takes up some disk space. Default: 2.
--minimum-container-ttl-duration=1m0s: Minimum age for a finished container before it is garbage collected. Examples: '300ms', '10s' or '2h45m'
--network-plugin="": &lt;Warning: Alpha feature&gt; The name of the network plugin to be invoked for various events in kubelet/pod lifecycle
--network-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/net/exec/": &lt;Warning: Alpha feature&gt; The full path of the directory in which to search for network plugins
--node-status-update-frequency=10s: Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Default: 10s
--oom-score-adj=-999: The oom-score-adj value for kubelet process. Values must be within the range [-1000, 1000]
--pod-cidr="": The CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master.
--pod-infra-container-image="gcr.io/google_containers/pause:0.8.0": The image whose network/ipc namespaces containers in each pod will use.
--port=10250: The port for the Kubelet to serve on. Note that "kubectl logs" will not work if you set this flag.
--read-only-port=10255: The read-only port for the Kubelet to serve on (set to 0 to disable)
--really-crash-for-testing[=false]: If true, when panics occur crash. Intended for testing.
--register-node[=true]: Register the node with the apiserver (defaults to true if --api-servers is set)
--registry-burst=10: Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding registry-qps. Only used if --registry-qps &gt; 0
--registry-qps=0: If &gt; 0, limit registry pull QPS to this value. If 0, unlimited. [default=0.0]
--resolv-conf="/etc/resolv.conf": Resolver configuration file used as the basis for the container DNS resolution configuration.
--resource-container="/kubelet": Absolute name of the resource-only container to create and run the Kubelet in (Default: /kubelet).
--rkt-path="": Path of rkt binary. Leave empty to use the first rkt in $PATH. Only used if --container-runtime='rkt'
--rkt-stage1-image="": image to use as stage1. Local paths and http/https URLs are supported. If empty, the 'stage1.aci' in the same directory as '--rkt-path' will be used
--root-dir="/var/lib/kubelet": Directory path for managing kubelet files (volume mounts,etc).
--runonce[=false]: If true, exit after spawning pods from local manifests or remote urls. Exclusive with --api-servers, and --enable-server
--serialize-image-pulls[=true]: Pull images one at a time. We recommend *not* changing the default value on nodes that run docker daemon with version &lt; 1.9 or an Aufs storage backend. Issue #10959 has more details. [default=true]
--streaming-connection-idle-timeout=0: Maximum time a streaming connection can be idle before the connection is automatically closed. Example: '5m'
--sync-frequency=10s: Max period between synchronizing running containers and config
--system-container="": Optional resource-only container in which to place all non-kernel processes that are not already in a container. Empty for no container. Rolling back the flag requires a reboot. (Default: "").
--tls-cert-file="": File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to --cert-dir.
--tls-private-key-file="": File containing x509 private key matching --tls-cert-file.
</code></pre>
<h6 id="auto-generated-by-spf13cobra-at-2015-10-29-201215480131233-0000-utc">Auto generated by spf13/cobra at 2015-10-29 20:12:15.480131233 +0000 UTC</h6>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/kubelet.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
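Review bot: the MUNGE comment blocks, the GitHub analytics pixel (`<p><a href=""><img src="https://kubernetes-site.appspot.com/...?pixel" ...></a>`) and the `Auto generated by spf13/cobra` h6 are carried straight from the munged markdown into the generated page, which is the opposite of what the commit message says this file is meant to exemplify; strip them in the conversion step rather than in the output. In the shared header/footer template, the "Get Started", "Documentation", "Community", "Blog" and "View On Github" links all have empty `href=""`, the nav-box copy is still lorem ipsum, the footer "Community" link points at the placeholder `/foobang.html`, and the Blog, Slack and Stack Overflow links are plain `http://` while the rest of the page is served over HTTPS; fix these once in the layout so every generated page inherits the fix.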

View File

@ -0,0 +1,335 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Limit Range</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Limit Range</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<p>Limit Range
========================================
By default, pods run with unbounded CPU and memory limits. This means that any pod in the
system will be able to consume as much CPU and memory on the node that executes the pod.</p>
<p>Users may want to impose restrictions on the amount of resource a single pod in the system may consume
for a variety of reasons.</p>
<p>For example:</p>
<ol>
<li>Each node in the cluster has 2GB of memory. The cluster operator does not want to accept pods
that require more than 2GB of memory since no node in the cluster can support the requirement. To prevent a
pod from being permanently unscheduled to a node, the operator instead chooses to reject pods that exceed 2GB
of memory as part of admission control.</li>
<li>A cluster is shared by two communities in an organization that runs production and development workloads
respectively. Production workloads may consume up to 8GB of memory, but development workloads may consume up
to 512MB of memory. The cluster operator creates a separate namespace for each workload, and applies limits to
each namespace.</li>
<li>Users may create a pod which consumes resources just below the capacity of a machine. The left over space
may be too small to be useful, but big enough for the waste to be costly over the entire cluster. As a result,
the cluster operator may want to set limits that a pod must consume at least 20% of the memory and cpu of their
average node size in order to provide for more uniform scheduling and to limit waste.</li>
</ol>
<p>This example demonstrates how limits can be applied to a Kubernetes namespace to control
min/max resource limits per pod. In addition, this example demonstrates how you can
apply default resource limits to pods in the absence of an end-user specified value.</p>
<p>See <a href="../../design/admission_control_limit_range.html">LimitRange design doc</a> for more information. For a detailed description of the Kubernetes resource model, see <a href="../../../docs/user-guide/compute-resources.html">Resources</a></p>
<h2 id="step-0-prerequisites">Step 0: Prerequisites</h2>
<p>This example requires a running Kubernetes cluster. See the <a href="../../../docs/getting-started-guides/">Getting Started guides</a> for how to get started.</p>
<p>Change to the <code>&lt;kubernetes&gt;</code> directory if youre not already there.</p>
<h2 id="step-1-create-a-namespace">Step 1: Create a namespace</h2>
<p>This example will work in a custom namespace to demonstrate the concepts involved.</p>
<p>Lets create a new namespace called limit-example:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/limitrange/namespace.yaml
namespace "limit-example" created
$ kubectl get namespaces
NAME LABELS STATUS AGE
default &lt;none&gt; Active 5m
limit-example &lt;none&gt; Active 53s
</code></pre>
</div>
<h2 id="step-2-apply-a-limit-to-the-namespace">Step 2: Apply a limit to the namespace</h2>
<p>Lets create a simple limit in our namespace.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/limitrange/limits.yaml --namespace=limit-example
limitrange "mylimits" created
</code></pre>
</div>
<p>Lets describe the limits that we have imposed in our namespace.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl describe limits mylimits --namespace=limit-example
Name: mylimits
Namespace: limit-example
Type Resource Min Max Request Limit Limit/Request
---- -------- --- --- ------- ----- -------------
Pod cpu 200m 2 - - -
Pod memory 6Mi 1Gi - - -
Container cpu 100m 2 200m 300m -
Container memory 3Mi 1Gi 100Mi 200Mi -
</code></pre>
</div>
<p>In this scenario, we have said the following:</p>
<ol>
<li>If a max constraint is specified for a resource (2 CPU and 1Gi memory in this case), then a limit
must be specified for that resource across all containers. Failure to specify a limit will result in
a validation error when attempting to create the pod. Note that a default value of limit is set by
<em>default</em> in file <code>limits.yaml</code> (300m CPU and 200Mi memory).</li>
<li>If a min constraint is specified for a resource (100m CPU and 3Mi memory in this case), then a
request must be specified for that resource across all containers. Failure to specify a request will
result in a validation error when attempting to create the pod. Note that a default value of request is
set by <em>defaultRequest</em> in file <code>limits.yaml</code> (200m CPU and 100Mi memory).</li>
<li>For any pod, the sum of all containers memory requests must be &gt;= 6Mi and the sum of all containers
memory limits must be &lt;= 1Gi; the sum of all containers CPU requests must be &gt;= 200m and the sum of all
containers CPU limits must be &lt;= 2.</li>
</ol>
<h2 id="step-3-enforcing-limits-at-point-of-creation">Step 3: Enforcing limits at point of creation</h2>
<p>The limits enumerated in a namespace are only enforced when a pod is created or updated in
the cluster. If you change the limits to a different value range, it does not affect pods that
were previously created in a namespace.</p>
<p>If a resource (cpu or memory) is being restricted by a limit, the user will get an error at time
of creation explaining why.</p>
<p>Lets first spin up a replication controller that creates a single container pod to demonstrate
how default values are applied to each pod.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl run nginx --image=nginx --replicas=1 --namespace=limit-example
replicationcontroller "nginx" created
$ kubectl get pods --namespace=limit-example
NAME READY STATUS RESTARTS AGE
nginx-aq0mf 1/1 Running 0 35s
$ kubectl get pods nginx-aq0mf --namespace=limit-example -o yaml | grep resources -C 8
</code></pre>
</div>
<div class="highlight">
<pre><code class="language-yaml">resourceVersion: "127"
selfLink: /api/v1/namespaces/limit-example/pods/nginx-aq0mf
uid: 51be42a7-7156-11e5-9921-286ed488f785
spec:
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources:
limits:
cpu: 300m
memory: 200Mi
requests:
cpu: 200m
memory: 100Mi
terminationMessagePath: /dev/termination-log
volumeMounts:
</code></pre>
</div>
<p>Note that our nginx container has picked up the namespace default cpu and memory resource <em>limits</em> and <em>requests</em>.</p>
<p>Lets create a pod that exceeds our allowed limits by having it have a container that requests 3 cpu cores.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/limitrange/invalid-pod.yaml --namespace=limit-example
Error from server: error when creating "docs/admin/limitrange/invalid-pod.yaml": Pod "invalid-pod" is forbidden: [Maximum cpu usage per Pod is 2, but limit is 3., Maximum cpu usage per Container is 2, but limit is 3.]
</code></pre>
</div>
<p>Lets create a pod that falls within the allowed limit boundaries.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/limitrange/valid-pod.yaml --namespace=limit-example
pod "valid-pod" created
$ kubectl get pods valid-pod --namespace=limit-example -o yaml | grep -C 6 resources
</code></pre>
</div>
<div class="highlight">
<pre><code class="language-yaml">uid: 162a12aa-7157-11e5-9921-286ed488f785
spec:
containers:
- image: gcr.io/google_containers/serve_hostname
imagePullPolicy: IfNotPresent
name: kubernetes-serve-hostname
resources:
limits:
cpu: "1"
memory: 512Mi
requests:
cpu: "1"
memory: 512Mi
</code></pre>
</div>
<p>Note that this pod specifies explicit resource <em>limits</em> and <em>requests</em> so it did not pick up the namespace
default values.</p>
<p>Note: The <em>limits</em> for CPU resource are not enforced in the default Kubernetes setup on the physical node
that runs the container unless the administrator deploys the kubelet with the folllowing flag:</p>
<pre><code>
$ kubelet --help
Usage of kubelet
....
--cpu-cfs-quota[=false]: Enable CPU CFS quota enforcement for containers that specify CPU limits
$ kubelet --cpu-cfs-quota=true ...
</code></pre>
<h2 id="step-4-cleanup">Step 4: Cleanup</h2>
<p>To remove the resources used by this example, you can just delete the limit-example namespace.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl delete namespace limit-example
namespace "limit-example" deleted
$ kubectl get namespaces
NAME LABELS STATUS AGE
default &lt;none&gt; Active 20m
</code></pre>
</div>
<h2 id="summary">Summary</h2>
<p>Cluster operators that want to restrict the amount of resources a single container or pod may consume
are able to define allowable ranges per Kubernetes namespace. In the absence of any explicit assignments,
the Kubernetes system is able to apply default resource <em>limits</em> and <em>requests</em> if desired in order to
constrain the amount of resource a pod consumes on a node.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/limitrange/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
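Review bot: the markdown title survived as a setext heading inside a paragraph (`<p>Limit Range` followed by a line of `=` signs), so the page shows "Limit Range" twice, the second copy above a literal row of equals signs; drop the setext title, since `<h1>Limit Range</h1>` is already emitted above it. The `kubelet --cpu-cfs-quota` block is a bare `<pre><code>` that starts with a blank line and sits outside a `.highlight` div, unlike every other console block on the page; the prose around it also has "folllowing", and "youre"/"Lets" lost their apostrophes in the smart-quote conversion. The relative links `../../design/admission_control_limit_range.html` and `../../../docs/user-guide/compute-resources.html` still assume the old repository layout and need checking against the Jekyll site's paths. On substance, items 1 and 2 of the "we have said the following" list claim that omitting a limit or request is a validation error, yet the same sentences note that `default`/`defaultRequest` fill them in, which is exactly what the nginx example then demonstrates; reword so the error only applies when no default is configured.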

View File

@ -0,0 +1,335 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Limit Range</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Limit Range</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<p>Limit Range
========================================
By default, pods run with unbounded CPU and memory limits. This means that any pod in the
system will be able to consume as much CPU and memory on the node that executes the pod.</p>
<p>Users may want to impose restrictions on the amount of resource a single pod in the system may consume
for a variety of reasons.</p>
<p>For example:</p>
<ol>
<li>Each node in the cluster has 2GB of memory. The cluster operator does not want to accept pods
that require more than 2GB of memory since no node in the cluster can support the requirement. To prevent a
pod from being permanently unscheduled to a node, the operator instead chooses to reject pods that exceed 2GB
of memory as part of admission control.</li>
<li>A cluster is shared by two communities in an organization that runs production and development workloads
respectively. Production workloads may consume up to 8GB of memory, but development workloads may consume up
to 512MB of memory. The cluster operator creates a separate namespace for each workload, and applies limits to
each namespace.</li>
<li>Users may create a pod which consumes resources just below the capacity of a machine. The left over space
may be too small to be useful, but big enough for the waste to be costly over the entire cluster. As a result,
the cluster operator may want to set limits that a pod must consume at least 20% of the memory and cpu of their
average node size in order to provide for more uniform scheduling and to limit waste.</li>
</ol>
<p>This example demonstrates how limits can be applied to a Kubernetes namespace to control
min/max resource limits per pod. In addition, this example demonstrates how you can
apply default resource limits to pods in the absence of an end-user specified value.</p>
<p>See <a href="../../design/admission_control_limit_range.html">LimitRange design doc</a> for more information. For a detailed description of the Kubernetes resource model, see <a href="../../../docs/user-guide/compute-resources.html">Resources</a></p>
<h2 id="step-0-prerequisites">Step 0: Prerequisites</h2>
<p>This example requires a running Kubernetes cluster. See the <a href="../../../docs/getting-started-guides/">Getting Started guides</a> for how to get started.</p>
<p>Change to the <code>&lt;kubernetes&gt;</code> directory if youre not already there.</p>
<h2 id="step-1-create-a-namespace">Step 1: Create a namespace</h2>
<p>This example will work in a custom namespace to demonstrate the concepts involved.</p>
<p>Lets create a new namespace called limit-example:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/limitrange/namespace.yaml
namespace "limit-example" created
$ kubectl get namespaces
NAME LABELS STATUS AGE
default &lt;none&gt; Active 5m
limit-example &lt;none&gt; Active 53s
</code></pre>
</div>
<h2 id="step-2-apply-a-limit-to-the-namespace">Step 2: Apply a limit to the namespace</h2>
<p>Lets create a simple limit in our namespace.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/limitrange/limits.yaml --namespace=limit-example
limitrange "mylimits" created
</code></pre>
</div>
<p>Lets describe the limits that we have imposed in our namespace.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl describe limits mylimits --namespace=limit-example
Name: mylimits
Namespace: limit-example
Type Resource Min Max Request Limit Limit/Request
---- -------- --- --- ------- ----- -------------
Pod cpu 200m 2 - - -
Pod memory 6Mi 1Gi - - -
Container cpu 100m 2 200m 300m -
Container memory 3Mi 1Gi 100Mi 200Mi -
</code></pre>
</div>
<p>In this scenario, we have said the following:</p>
<ol>
<li>If a max constraint is specified for a resource (2 CPU and 1Gi memory in this case), then a limit
must be specified for that resource across all containers. Failure to specify a limit will result in
a validation error when attempting to create the pod. Note that a default value of limit is set by
<em>default</em> in file <code>limits.yaml</code> (300m CPU and 200Mi memory).</li>
<li>If a min constraint is specified for a resource (100m CPU and 3Mi memory in this case), then a
request must be specified for that resource across all containers. Failure to specify a request will
result in a validation error when attempting to create the pod. Note that a default value of request is
set by <em>defaultRequest</em> in file <code>limits.yaml</code> (200m CPU and 100Mi memory).</li>
<li>For any pod, the sum of all containers memory requests must be &gt;= 6Mi and the sum of all containers
memory limits must be &lt;= 1Gi; the sum of all containers CPU requests must be &gt;= 200m and the sum of all
containers CPU limits must be &lt;= 2.</li>
</ol>
<h2 id="step-3-enforcing-limits-at-point-of-creation">Step 3: Enforcing limits at point of creation</h2>
<p>The limits enumerated in a namespace are only enforced when a pod is created or updated in
the cluster. If you change the limits to a different value range, it does not affect pods that
were previously created in a namespace.</p>
<p>If a resource (cpu or memory) is being restricted by a limit, the user will get an error at time
of creation explaining why.</p>
<p>Lets first spin up a replication controller that creates a single container pod to demonstrate
how default values are applied to each pod.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl run nginx --image=nginx --replicas=1 --namespace=limit-example
replicationcontroller "nginx" created
$ kubectl get pods --namespace=limit-example
NAME READY STATUS RESTARTS AGE
nginx-aq0mf 1/1 Running 0 35s
$ kubectl get pods nginx-aq0mf --namespace=limit-example -o yaml | grep resources -C 8
</code></pre>
</div>
<div class="highlight">
<pre><code class="language-yaml">resourceVersion: "127"
selfLink: /api/v1/namespaces/limit-example/pods/nginx-aq0mf
uid: 51be42a7-7156-11e5-9921-286ed488f785
spec:
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources:
limits:
cpu: 300m
memory: 200Mi
requests:
cpu: 200m
memory: 100Mi
terminationMessagePath: /dev/termination-log
volumeMounts:
</code></pre>
</div>
<p>Note that our nginx container has picked up the namespace default cpu and memory resource <em>limits</em> and <em>requests</em>.</p>
<p>Lets create a pod that exceeds our allowed limits by having it have a container that requests 3 cpu cores.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/limitrange/invalid-pod.yaml --namespace=limit-example
Error from server: error when creating "docs/admin/limitrange/invalid-pod.yaml": Pod "invalid-pod" is forbidden: [Maximum cpu usage per Pod is 2, but limit is 3., Maximum cpu usage per Container is 2, but limit is 3.]
</code></pre>
</div>
<p>Lets create a pod that falls within the allowed limit boundaries.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/limitrange/valid-pod.yaml --namespace=limit-example
pod "valid-pod" created
$ kubectl get pods valid-pod --namespace=limit-example -o yaml | grep -C 6 resources
</code></pre>
</div>
<div class="highlight">
<pre><code class="language-yaml">uid: 162a12aa-7157-11e5-9921-286ed488f785
spec:
containers:
- image: gcr.io/google_containers/serve_hostname
imagePullPolicy: IfNotPresent
name: kubernetes-serve-hostname
resources:
limits:
cpu: "1"
memory: 512Mi
requests:
cpu: "1"
memory: 512Mi
</code></pre>
</div>
<p>Note that this pod specifies explicit resource <em>limits</em> and <em>requests</em> so it did not pick up the namespace
default values.</p>
<p>Note: The <em>limits</em> for CPU resource are not enforced in the default Kubernetes setup on the physical node
that runs the container unless the administrator deploys the kubelet with the folllowing flag:</p>
<pre><code>
$ kubelet --help
Usage of kubelet
....
--cpu-cfs-quota[=false]: Enable CPU CFS quota enforcement for containers that specify CPU limits
$ kubelet --cpu-cfs-quota=true ...
</code></pre>
<h2 id="step-4-cleanup">Step 4: Cleanup</h2>
<p>To remove the resources used by this example, you can just delete the limit-example namespace.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl delete namespace limit-example
namespace "limit-example" deleted
$ kubectl get namespaces
NAME LABELS STATUS AGE
default &lt;none&gt; Active 20m
</code></pre>
</div>
<h2 id="summary">Summary</h2>
<p>Cluster operators that want to restrict the amount of resources a single container or pod may consume
are able to define allowable ranges per Kubernetes namespace. In the absence of any explicit assignments,
the Kubernetes system is able to apply default resource <em>limits</em> and <em>requests</em> if desired in order to
constrain the amount of resource a pod consumes on a node.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/limitrange/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
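Review bot: this file is byte-for-byte identical to the Limit Range page immediately above it in this commit (the file names are not shown in this view). Two generated copies of the same page will drift apart on the next edit; either generate one from the other at build time, or keep a single page and redirect the other path to it.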

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: invalid-pod
spec:
containers:
- name: kubernetes-serve-hostname
image: gcr.io/google_containers/serve_hostname
resources:
limits:
cpu: "3"
memory: 100Mi

View File

@ -0,0 +1,26 @@
apiVersion: v1
kind: LimitRange
metadata:
name: mylimits
spec:
limits:
- max:
cpu: "2"
memory: 1Gi
min:
cpu: 200m
memory: 6Mi
type: Pod
- default:
cpu: 300m
memory: 200Mi
defaultRequest:
cpu: 200m
memory: 100Mi
max:
cpu: "2"
memory: 1Gi
min:
cpu: 100m
memory: 3Mi
type: Container
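Review bot: the Pod-type and Container-type entries set different minimums (`cpu: 200m` for the pod, `cpu: 100m` per container), so a single-container pod that explicitly requests the container minimum of 100m is still rejected by the pod-level 200m minimum, while one that relies on `defaultRequest` (200m) passes exactly at the boundary; this file is used as the teaching example, so a short inline comment on each block explaining that pod limits are checked against the sum across containers would save readers that surprise. The `Limit/Request` column in the page's `kubectl describe` output shows `-` because no `maxLimitRequestRatio` is set here, which is worth stating in the doc if the column is going to appear in the output.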

View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: limit-example

View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: valid-pod
labels:
name: valid-pod
spec:
containers:
- name: kubernetes-serve-hostname
image: gcr.io/google_containers/serve_hostname
resources:
limits:
cpu: "1"
memory: 512Mi
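Review bot: this manifest sets only `limits` (`cpu: "1"`, `memory: 512Mi`) and no `requests`, but the Limit Range page above states that valid-pod "specifies explicit resource limits and requests"; the `requests` shown in the page's `kubectl get ... -o yaml` output equal the limits because, when only a limit is given, the API defaults the request to the limit value rather than to the LimitRange `defaultRequest`. Either add an explicit `requests:` block here so the manifest matches the prose, or correct the prose to say the requests were derived from the limits.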

View File

@ -0,0 +1,196 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Considerations for running multiple Kubernetes clusters</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Considerations for running multiple Kubernetes clusters</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="considerations-for-running-multiple-kubernetes-clusters">Considerations for running multiple Kubernetes clusters</h1>
<p>You may want to set up multiple Kubernetes clusters, both to
have clusters in different regions to be nearer to your users, and to tolerate failures and/or invasive maintenance.
This document describes some of the issues to consider when making a decision about doing so.</p>
<p>Note that at present,
Kubernetes does not offer a mechanism to aggregate multiple clusters into a single virtual cluster. However,
we <a href="../proposals/federation.html">plan to do this in the future</a>.</p>
<h2 id="scope-of-a-single-cluster">Scope of a single cluster</h2>
<p>On IaaS providers such as Google Compute Engine or Amazon Web Services, a VM exists in a
<a href="https://cloud.google.com/compute/docs/zones">zone</a> or <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html">availability
zone</a>.
We suggest that all the VMs in a Kubernetes cluster should be in the same availability zone, because:
- compared to having a single global Kubernetes cluster, there are fewer single-points of failure
- compared to a cluster that spans availability zones, it is easier to reason about the availability properties of a
single-zone cluster.
- when the Kubernetes developers are designing the system (e.g. making assumptions about latency, bandwidth, or
correlated failures) they are assuming all the machines are in a single data center, or otherwise closely connected.</p>
<p>It is okay to have multiple clusters per availability zone, though on balance we think fewer is better.
Reasons to prefer fewer clusters are:
- improved bin packing of Pods in some cases with more nodes in one cluster (less resource fragmentation)
- reduced operational overhead (though the advantage is diminished as ops tooling and processes matures)
- reduced costs for per-cluster fixed resource costs, e.g. apiserver VMs (but small as a percentage
of overall cluster cost for medium to large clusters).</p>
<p>Reasons to have multiple clusters include:
- strict security policies requiring isolation of one class of work from another (but, see Partitioning Clusters
below).
- test clusters to canary new Kubernetes releases or other cluster software.</p>
<h2 id="selecting-the-right-number-of-clusters">Selecting the right number of clusters</h2>
<p>The selection of the number of Kubernetes clusters may be a relatively static choice, only revisited occasionally.
By contrast, the number of nodes in a cluster and the number of pods in a service may be change frequently according to
load and growth.</p>
<p>To pick the number of clusters, first, decide which regions you need to be in to have adequate latency to all your end users, for services that will run
on Kubernetes (if you use a Content Distribution Network, the latency requirements for the CDN-hosted content need not
be considered). Legal issues might influence this as well. For example, a company with a global customer base might decide to have clusters in US, EU, AP, and SA regions.
Call the number of regions to be in <code>R</code>.</p>
<p>Second, decide how many clusters should be able to be unavailable at the same time, while still being available. Call
the number that can be unavailable <code>U</code>. If you are not sure, then 1 is a fine choice.</p>
<p>If it is allowable for load-balancing to direct traffic to any region in the event of a cluster failure, then
you need <code>R + U</code> clusters. If it is not (e.g you want to ensure low latency for all users in the event of a
cluster failure), then you need to have <code>R * U</code> clusters (<code>U</code> in each of <code>R</code> regions). In any case, try to put each cluster in a different zone.</p>
<p>Finally, if any of your clusters would need more than the maximum recommended number of nodes for a Kubernetes cluster, then
you may need even more clusters. Kubernetes v1.0 currently supports clusters up to 100 nodes in size, but we are targeting
1000-node clusters by early 2016.</p>
<h2 id="working-with-multiple-clusters">Working with multiple clusters</h2>
<p>When you have multiple clusters, you would typically create services with the same config in each cluster and put each of those
service instances behind a load balancer (AWS Elastic Load Balancer, GCE Forwarding Rule or HTTP Load Balancer) spanning all of them, so that
failures of a single cluster are not visible to end users.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/multi-cluster.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
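Review bot: the three bullet lists in the "Scope of a single cluster" part of this file (the lines starting `- compared to having a single global Kubernetes cluster`, `- improved bin packing of Pods` and `- strict security policies requiring isolation`) were not recognised as lists by the markdown converter and are rendered as literal `- ` text inside `<p>` elements; the source markdown needs a blank line between the introducing sentence and each list, or the list should be emitted as `<ul>`/`<li>` here. The page also carries the same heading twice (`<h1>Considerations for running multiple Kubernetes clusters</h1>` immediately followed by `<h1 id="considerations-for-running-multiple-kubernetes-clusters">`), and the `BEGIN/END MUNGE` marker comments plus the `GENERATED_ANALYTICS` tracking pixel wrapped in an empty `<a href="">` are build artefacts that should not ship in the rendered HTML. Minor text fixes for the source: `may be change frequently` should read `may change frequently`, and `e.g you want` is missing its period.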

View File

@ -0,0 +1,403 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Namespaces</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Namespaces</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h2 id="kubernetes-namespaces">Kubernetes Namespaces</h2>
<p>Kubernetes <em><a href="../../../docs/admin/namespaces.html">namespaces</a></em> help different projects, teams, or customers to share a Kubernetes cluster.</p>
<p>It does this by providing the following:</p>
<ol>
<li>A scope for <a href="../../user-guide/identifiers.html">Names</a>.</li>
<li>A mechanism to attach authorization and policy to a subsection of the cluster.</li>
</ol>
<p>Use of multiple namespaces is optional.</p>
<p>This example demonstrates how to use Kubernetes namespaces to subdivide your cluster.</p>
<h3 id="step-zero-prerequisites">Step Zero: Prerequisites</h3>
<p>This example assumes the following:</p>
<ol>
<li>You have an <a href="../../getting-started-guides/">existing Kubernetes cluster</a>.</li>
<li>You have a basic understanding of Kubernetes <em><a href="../../user-guide/pods.html">pods</a></em>, <em><a href="../../user-guide/services.html">services</a></em>, and <em><a href="../../user-guide/replication-controller.html">replication controllers</a></em>.</li>
</ol>
<h3 id="step-one-understand-the-default-namespace">Step One: Understand the default namespace</h3>
<p>By default, a Kubernetes cluster will instantiate a default namespace when provisioning the cluster to hold the default set of pods,
services, and replication controllers used by the cluster.</p>
<p>Assuming you have a fresh cluster, you can introspect the available namespaces by doing the following:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get namespaces
NAME LABELS
default &lt;none&gt;
</code></pre>
</div>
<h3 id="step-two-create-new-namespaces">Step Two: Create new namespaces</h3>
<p>For this exercise, we will create two additional Kubernetes namespaces to hold our content.</p>
<p>Lets imagine a scenario where an organization is using a shared Kubernetes cluster for development and production use cases.</p>
<p>The development team would like to maintain a space in the cluster where they can get a view on the list of pods, services, and replication controllers
they use to build and run their application. In this space, Kubernetes resources come and go, and the restrictions on who can or cannot modify resources
are relaxed to enable agile development.</p>
<p>The operations team would like to maintain a space in the cluster where they can enforce strict procedures on who can or cannot manipulate the set of
pods, services, and replication controllers that run the production site.</p>
<p>One pattern this organization could follow is to partition the Kubernetes cluster into two namespaces: development and production.</p>
<p>Lets create two new namespaces to hold our work.</p>
<p>Use the file <a href="namespace-dev.json"><code>namespace-dev.json</code></a> which describes a development namespace:</p>
<!-- BEGIN MUNGE: EXAMPLE namespace-dev.json -->
<div class="highlight">
<pre><code class="language-json">{
"kind": "Namespace",
"apiVersion": "v1",
"metadata": {
"name": "development",
"labels": {
"name": "development"
}
}
}
</code></pre>
</div>
<p><a href="namespace-dev.json">Download example</a>
<!-- END MUNGE: EXAMPLE namespace-dev.json --></p>
<p>Create the development namespace using kubectl.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/namespaces/namespace-dev.json
</code></pre>
</div>
<p>And then lets create the production namespace using kubectl.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/namespaces/namespace-prod.json
</code></pre>
</div>
<p>To be sure things are right, lets list all of the namespaces in our cluster.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get namespaces
NAME LABELS STATUS
default &lt;none&gt; Active
development name=development Active
production name=production Active
</code></pre>
</div>
<h3 id="step-three-create-pods-in-each-namespace">Step Three: Create pods in each namespace</h3>
<p>A Kubernetes namespace provides the scope for pods, services, and replication controllers in the cluster.</p>
<p>Users interacting with one namespace do not see the content in another namespace.</p>
<p>To demonstrate this, lets spin up a simple replication controller and pod in the development namespace.</p>
<p>We first check what is the current context:</p>
<div class="highlight">
<pre><code class="language-yaml">apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://130.211.122.180
name: lithe-cocoa-92103_kubernetes
contexts:
- context:
cluster: lithe-cocoa-92103_kubernetes
user: lithe-cocoa-92103_kubernetes
name: lithe-cocoa-92103_kubernetes
current-context: lithe-cocoa-92103_kubernetes
kind: Config
preferences: {}
users:
- name: lithe-cocoa-92103_kubernetes
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
token: 65rZW78y8HbwXXtSXuUw9DbP4FLjHi4b
- name: lithe-cocoa-92103_kubernetes-basic-auth
user:
password: h5M0FtUUIflBSdI7
username: admin
</code></pre>
</div>
<p>The next step is to define a context for the kubectl client to work in each namespace. The value of “cluster” and “user” fields are copied from the current context.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl config set-context dev --namespace=development --cluster=lithe-cocoa-92103_kubernetes --user=lithe-cocoa-92103_kubernetes
$ kubectl config set-context prod --namespace=production --cluster=lithe-cocoa-92103_kubernetes --user=lithe-cocoa-92103_kubernetes
</code></pre>
</div>
<p>The above commands provided two request contexts you can alternate against depending on what namespace you
wish to work against.</p>
<p>Lets switch to operate in the development namespace.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl config use-context dev
</code></pre>
</div>
<p>You can verify your current context by doing the following:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl config view
</code></pre>
</div>
<div class="highlight">
<pre><code class="language-yaml">apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://130.211.122.180
name: lithe-cocoa-92103_kubernetes
contexts:
- context:
cluster: lithe-cocoa-92103_kubernetes
namespace: development
user: lithe-cocoa-92103_kubernetes
name: dev
- context:
cluster: lithe-cocoa-92103_kubernetes
user: lithe-cocoa-92103_kubernetes
name: lithe-cocoa-92103_kubernetes
- context:
cluster: lithe-cocoa-92103_kubernetes
namespace: production
user: lithe-cocoa-92103_kubernetes
name: prod
current-context: dev
kind: Config
preferences: {}
users:
- name: lithe-cocoa-92103_kubernetes
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
token: 65rZW78y8HbwXXtSXuUw9DbP4FLjHi4b
- name: lithe-cocoa-92103_kubernetes-basic-auth
user:
password: h5M0FtUUIflBSdI7
username: admin
</code></pre>
</div>
<p>At this point, all requests we make to the Kubernetes cluster from the command line are scoped to the development namespace.</p>
<p>Lets create some content.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl run snowflake --image=kubernetes/serve_hostname --replicas=2
</code></pre>
</div>
<p>We have just created a replication controller whose replica size is 2 that is running the pod called snowflake with a basic container that just serves the hostname.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get rc
CONTROLLER CONTAINER(S) IMAGE(S) SELECTOR REPLICAS
snowflake snowflake kubernetes/serve_hostname run=snowflake 2
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
snowflake-8w0qn 1/1 Running 0 22s
snowflake-jrpzb 1/1 Running 0 22s
</code></pre>
</div>
<p>And this is great, developers are able to do what they want, and they do not have to worry about affecting content in the production namespace.</p>
<p>Lets switch to the production namespace and show how resources in one namespace are hidden from the other.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl config use-context prod
</code></pre>
</div>
<p>The production namespace should be empty.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get rc
CONTROLLER CONTAINER(S) IMAGE(S) SELECTOR REPLICAS
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
</code></pre>
</div>
<p>Production likes to run cattle, so lets create some cattle pods.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl run cattle --image=kubernetes/serve_hostname --replicas=5
$ kubectl get rc
CONTROLLER CONTAINER(S) IMAGE(S) SELECTOR REPLICAS
cattle cattle kubernetes/serve_hostname run=cattle 5
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
cattle-97rva 1/1 Running 0 12s
cattle-i9ojn 1/1 Running 0 12s
cattle-qj3yv 1/1 Running 0 12s
cattle-yc7vn 1/1 Running 0 12s
cattle-zz7ea 1/1 Running 0 12s
</code></pre>
</div>
<p>At this point, it should be clear that the resources users create in one namespace are hidden from the other namespace.</p>
<p>As the policy support in Kubernetes evolves, we will extend this scenario to show how you can provide different
authorization rules for each namespace.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/namespaces/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
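Review bot: the two `kubectl config view` dumps in the "Step Three" part of this file ship live-looking credentials, `token: 65rZW78y8HbwXXtSXuUw9DbP4FLjHi4b` and `password: h5M0FtUUIflBSdI7` for `username: admin`, together with the API server address `server: https://130.211.122.180`, while the certificate fields in the same dumps were already replaced with `REDACTED`. Redact the token and password the same way in both copies, and treat them as compromised if they belonged to a real cluster, since anything committed to a public docs repository remains in its history. Also, the first dump follows `We first check what is the current context:` with no command shown; the `$ kubectl config view` line that produced it should precede it, as it does for the second dump. Minor: `Lets` should be `Let's` throughout.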

View File

@ -0,0 +1,292 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Namespaces</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Namespaces</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="namespaces">Namespaces</h1>
<h2 id="abstract">Abstract</h2>
<p>A Namespace is a mechanism to partition resources created by users into
a logically named group.</p>
<h2 id="motivation">Motivation</h2>
<p>A single cluster should be able to satisfy the needs of multiple users or groups of users (henceforth a user community).</p>
<p>Each user community wants to be able to work in isolation from other communities.</p>
<p>Each user community has its own:</p>
<ol>
<li>resources (pods, services, replication controllers, etc.)</li>
<li>policies (who can or cannot perform actions in their community)</li>
<li>constraints (this community is allowed this much quota, etc.)</li>
</ol>
<p>A cluster operator may create a Namespace for each unique user community.</p>
<p>The Namespace provides a unique scope for:</p>
<ol>
<li>named resources (to avoid basic naming collisions)</li>
<li>delegated management authority to trusted users</li>
<li>ability to limit community resource consumption</li>
</ol>
<h2 id="use-cases">Use cases</h2>
<ol>
<li>As a cluster operator, I want to support multiple user communities on a single cluster.</li>
<li>As a cluster operator, I want to delegate authority to partitions of the cluster to trusted users
in those communities.</li>
<li>As a cluster operator, I want to limit the amount of resources each community can consume in order
to limit the impact to other communities using the cluster.</li>
<li>As a cluster user, I want to interact with resources that are pertinent to my user community in
isolation of what other user communities are doing on the cluster.</li>
</ol>
<h2 id="usage">Usage</h2>
<p>Look <a href="namespaces/">here</a> for an in depth example of namespaces.</p>
<h3 id="viewing-namespaces">Viewing namespaces</h3>
<p>You can list the current namespaces in a cluster using:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get namespaces
NAME LABELS STATUS
default &lt;none&gt; Active
kube-system &lt;none&gt; Active
</code></pre>
</div>
<p>Kubernetes starts with two initial namespaces:
* <code>default</code> The default namespace for objects with no other namespace
* <code>kube-system</code> The namespace for objects created by the Kubernetes system</p>
<p>You can also get the summary of a specific namespace using:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get namespaces &lt;name&gt;
</code></pre>
</div>
<p>Or you can get detailed information with:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl describe namespaces &lt;name&gt;
Name: default
Labels: &lt;none&gt;
Status: Active
No resource quota.
Resource Limits
Type Resource Min Max Default
---- -------- --- --- ---
Container cpu - - 100m
</code></pre>
</div>
<p>Note that these details show both resource quota (if present) as well as resource limit ranges.</p>
<p>Resource quota tracks aggregate usage of resources in the <em>Namespace</em> and allows cluster operators
to define <em>Hard</em> resource usage limits that a <em>Namespace</em> may consume.</p>
<p>A limit range defines min/max constraints on the amount of resources a single entity can consume in
a <em>Namespace</em>.</p>
<p>See <a href="../design/admission_control_limit_range.html">Admission control: Limit Range</a></p>
<p>A namespace can be in one of two phases:
* <code>Active</code> the namespace is in use
* <code>Terminating</code> the namespace is being deleted, and can not be used for new objects</p>
<p>See the <a href="../design/namespaces.html#phases">design doc</a> for more details.</p>
<h3 id="creating-a-new-namespace">Creating a new namespace</h3>
<p>To create a new namespace, first create a new YAML file called <code>my-namespace.yaml</code> with the contents:</p>
<div class="highlight">
<pre><code class="language-yaml">apiVersion: v1
kind: Namespace
metadata:
name: &lt;insert-namespace-name-here&gt;
</code></pre>
</div>
<p>Note that the name of your namespace must be a DNS compatible label.</p>
<p>More information on the <code>finalizers</code> field can be found in the namespace <a href="../design/namespaces.html#finalizers">design doc</a>.</p>
<p>Then run:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f ./my-namespace.yaml
</code></pre>
</div>
<h3 id="working-in-namespaces">Working in namespaces</h3>
<p>See <a href="../../docs/user-guide/namespaces.html#setting-the-namespace-for-a-request">Setting the namespace for a request</a>
and <a href="../../docs/user-guide/namespaces.html#setting-the-namespace-preference">Setting the namespace preference</a>.</p>
<h3 id="deleting-a-namespace">Deleting a namespace</h3>
<p>You can delete a namespace with</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl delete namespaces &lt;insert-some-namespace-name&gt;
</code></pre>
</div>
<p><strong>WARNING, this deletes <em>everything</em> under the namespace!</strong></p>
<p>This delete is asynchronous, so for a time you will see the namespace in the <code>Terminating</code> state.</p>
<h2 id="namespaces-and-dns">Namespaces and DNS</h2>
<p>When you create a <a href="../../docs/user-guide/services.html">Service</a>, it creates a corresponding <a href="dns.html">DNS entry</a>.
This entry is of the form <code>&lt;service-name&gt;.&lt;namespace-name&gt;.svc.cluster.local</code>, which means
that if a container just uses <code>&lt;service-name&gt;</code> it will resolve to the service which
is local to a namespace. This is useful for using the same configuration across
multiple namespaces such as Development, Staging and Production. If you want to reach
across namespaces, you need to use the fully qualified domain name (FQDN).</p>
<h2 id="design">Design</h2>
<p>Details of the design of namespaces in Kubernetes, including a <a href="../design/namespaces.html#example-openshift-origin-managing-a-kubernetes-namespace">detailed example</a>
can be found in the <a href="../design/namespaces.html">namespaces design doc</a></p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/namespaces.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
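Review bot: the `*` bullet lists following `Kubernetes starts with two initial namespaces:` and `A namespace can be in one of two phases:` are rendered as literal `* ` text inside a `<p>` rather than as `<ul>`/`<li>`, the same missing-blank-line conversion failure seen in the other rendered pages of this commit. The sentence `More information on the finalizers field can be found in the namespace design doc` refers to a `finalizers` field that does not appear in the `my-namespace.yaml` example above it, so either the example should show the field or the sentence should be dropped or moved. The `kubectl describe namespaces` output has lost its column alignment (`Type Resource Min Max Default` / `Container cpu - - 100m`); since `<pre>` preserves whitespace, the collapse most likely happened in the source and is worth checking there.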

View File

@ -0,0 +1,10 @@
{
"kind": "Namespace",
"apiVersion": "v1",
"metadata": {
"name": "development",
"labels": {
"name": "development"
}
}
}

View File

@ -0,0 +1,10 @@
{
"kind": "Namespace",
"apiVersion": "v1",
"metadata": {
"name": "production",
"labels": {
"name": "production"
}
}
}

View File

@ -0,0 +1,341 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Networking in Kubernetes</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Networking in Kubernetes</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="networking-in-kubernetes">Networking in Kubernetes</h1>
<p><strong>Table of Contents</strong>
<!-- BEGIN MUNGE: GENERATED_TOC --></p>
<ul>
<li><a href="#networking-in-kubernetes">Networking in Kubernetes</a>
<ul>
<li><a href="#summary">Summary</a></li>
<li><a href="#docker-model">Docker model</a></li>
<li><a href="#kubernetes-model">Kubernetes model</a></li>
<li><a href="#how-to-achieve-this">How to achieve this</a>
<ul>
<li><a href="#google-compute-engine-gce">Google Compute Engine (GCE)</a></li>
<li><a href="#l2-networks-and-linux-bridging">L2 networks and linux bridging</a></li>
<li><a href="#flannel">Flannel</a></li>
<li><a href="#openvswitch">OpenVSwitch</a></li>
<li><a href="#weave">Weave</a></li>
<li><a href="#calico">Calico</a></li>
</ul>
</li>
<li><a href="#other-reading">Other reading</a></li>
</ul>
</li>
</ul>
<!-- END MUNGE: GENERATED_TOC -->
<p>Kubernetes approaches networking somewhat differently than Docker does by
default. There are 4 distinct networking problems to solve:
1. Highly-coupled container-to-container communications: this is solved by
<a href="../user-guide/pods.html">pods</a> and <code>localhost</code> communications.
2. Pod-to-Pod communications: this is the primary focus of this document.
3. Pod-to-Service communications: this is covered by <a href="../user-guide/services.html">services</a>.
4. External-to-Service communications: this is covered by <a href="../user-guide/services.html">services</a>.</p>
<h2 id="summary">Summary</h2>
<p>Kubernetes assumes that pods can communicate with other pods, regardless of
which host they land on. We give every pod its own IP address so you do not
need to explicitly create links between pods and you almost never need to deal
with mapping container ports to host ports. This creates a clean,
backwards-compatible model where pods can be treated much like VMs or physical
hosts from the perspectives of port allocation, naming, service discovery, load
balancing, application configuration, and migration.</p>
<p>To achieve this we must impose some requirements on how you set up your cluster
networking.</p>
<h2 id="docker-model">Docker model</h2>
<p>Before discussing the Kubernetes approach to networking, it is worthwhile to
review the “normal” way that networking works with Docker. By default, Docker
uses host-private networking. It creates a virtual bridge, called <code>docker0</code> by
default, and allocates a subnet from one of the private address blocks defined
in <a href="https://tools.ietf.org/html/rfc1918">RFC1918</a> for that bridge. For each
container that Docker creates, it allocates a virtual ethernet device (called
<code>veth</code>) which is attached to the bridge. The veth is mapped to appear as <code>eth0</code>
in the container, using Linux namespaces. The in-container <code>eth0</code> interface is
given an IP address from the bridges address range.</p>
<p>The result is that Docker containers can talk to other containers only if they
are on the same machine (and thus the same virtual bridge). Containers on
different machines can not reach each other - in fact they may end up with the
exact same network ranges and IP addresses.</p>
<p>In order for Docker containers to communicate across nodes, they must be
allocated ports on the machines own IP address, which are then forwarded or
proxied to the containers. This obviously means that containers must either
coordinate which ports they use very carefully or else be allocated ports
dynamically.</p>
<h2 id="kubernetes-model">Kubernetes model</h2>
<p>Coordinating ports across multiple developers is very difficult to do at
scale and exposes users to cluster-level issues outside of their control.
Dynamic port allocation brings a lot of complications to the system - every
application has to take ports as flags, the API servers have to know how to
insert dynamic port numbers into configuration blocks, services have to know
how to find each other, etc. Rather than deal with this, Kubernetes takes a
different approach.</p>
<p>Kubernetes imposes the following fundamental requirements on any networking
implementation (barring any intentional network segmentation policies):
* all containers can communicate with all other containers without NAT
* all nodes can communicate with all containers (and vice-versa) without NAT
* the IP that a container sees itself as is the same IP that others see it as</p>
<p>What this means in practice is that you can not just take two computers
running Docker and expect Kubernetes to work. You must ensure that the
fundamental requirements are met.</p>
<p>This model is not only less complex overall, but it is principally compatible
with the desire for Kubernetes to enable low-friction porting of apps from VMs
to containers. If your job previously ran in a VM, your VM had an IP and could
talk to other VMs in your project. This is the same basic model.</p>
<p>Until now this document has talked about containers. In reality, Kubernetes
applies IP addresses at the <code>Pod</code> scope - containers within a <code>Pod</code> share their
network namespaces - including their IP address. This means that containers
within a <code>Pod</code> can all reach each others ports on <code>localhost</code>. This does imply
that containers within a <code>Pod</code> must coordinate port usage, but this is no
different than processes in a VM. We call this the “IP-per-pod” model. This
is implemented in Docker as a “pod container” which holds the network namespace
open while “app containers” (the things the user specified) join that namespace
with Dockers <code>--net=container:&lt;id&gt;</code> function.</p>
<p>As with Docker, it is possible to request host ports, but this is reduced to a
very niche operation. In this case a port will be allocated on the host <code>Node</code>
and traffic will be forwarded to the <code>Pod</code>. The <code>Pod</code> itself is blind to the
existence or non-existence of host ports.</p>
<h2 id="how-to-achieve-this">How to achieve this</h2>
<p>There are a number of ways that this network model can be implemented. This
document is not an exhaustive study of the various methods, but hopefully serves
as an introduction to various technologies and serves as a jumping-off point.
If some techniques become vastly preferable to others, we might detail them more
here.</p>
<h3 id="google-compute-engine-gce">Google Compute Engine (GCE)</h3>
<p>For the Google Compute Engine cluster configuration scripts, we use <a href="https://developers.google.com/compute/docs/networking#routing">advanced
routing</a> to
assign each VM a subnet (default is <code>/24</code> - 254 IPs). Any traffic bound for that
subnet will be routed directly to the VM by the GCE network fabric. This is in
addition to the “main” IP address assigned to the VM, which is NATed for
outbound internet access. A linux bridge (called <code>cbr0</code>) is configured to exist
on that subnet, and is passed to dockers <code>--bridge</code> flag.</p>
<p>We start Docker with:</p>
<div class="highlight">
<pre><code class="language-sh">DOCKER_OPTS="--bridge=cbr0 --iptables=false --ip-masq=false"
</code></pre>
</div>
<p>This bridge is created by Kubelet (controlled by the <code>--configure-cbr0=true</code>
flag) according to the <code>Node</code>s <code>spec.podCIDR</code>.</p>
<p>Docker will now allocate IPs from the <code>cbr-cidr</code> block. Containers can reach
each other and <code>Nodes</code> over the <code>cbr0</code> bridge. Those IPs are all routable
within the GCE project network.</p>
<p>GCE itself does not know anything about these IPs, though, so it will not NAT
them for outbound internet traffic. To achieve that we use an iptables rule to
masquerade (aka SNAT - to make it seem as if packets came from the <code>Node</code>
itself) traffic that is bound for IPs outside the GCE project network
(10.0.0.0/8).</p>
<div class="highlight">
<pre><code class="language-sh">iptables -t nat -A POSTROUTING ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
</code></pre>
</div>
<p>Lastly we enable IP forwarding in the kernel (so the kernel will process
packets for bridged containers):</p>
<div class="highlight">
<pre><code class="language-sh">sysctl net.ipv4.ip_forward=1
</code></pre>
</div>
<p>The result of all this is that all <code>Pods</code> can reach each other and can egress
traffic to the internet.</p>
<h3 id="l2-networks-and-linux-bridging">L2 networks and linux bridging</h3>
<p>If you have a “dumb” L2 network, such as a simple switch in a “bare-metal”
environment, you should be able to do something similar to the above GCE setup.
Note that these instructions have only been tried very casually - it seems to
work, but has not been thoroughly tested. If you use this technique and
perfect the process, please let us know.</p>
<p>Follow the “With Linux Bridge devices” section of <a href="http://blog.oddbit.com/2014/08/11/four-ways-to-connect-a-docker/">this very nice
tutorial</a> from
Lars Kellogg-Stedman.</p>
<h3 id="flannel">Flannel</h3>
<p><a href="https://github.com/coreos/flannel#flannel">Flannel</a> is a very simple overlay
network that satisfies the Kubernetes requirements. It installs in minutes and
should get you up and running if the above techniques are not working. Many
people have reported success with Flannel and Kubernetes.</p>
<h3 id="openvswitch">OpenVSwitch</h3>
<p><a href="ovs-networking.html">OpenVSwitch</a> is a somewhat more mature but also
complicated way to build an overlay network. This is endorsed by several of the
“Big Shops” for networking.</p>
<h3 id="weave">Weave</h3>
<p><a href="https://github.com/zettio/weave">Weave</a> is yet another way to build an overlay
network, primarily aiming at Docker integration.</p>
<h3 id="calico">Calico</h3>
<p><a href="https://github.com/Metaswitch/calico">Calico</a> uses BGP to enable real container
IPs.</p>
<h2 id="other-reading">Other reading</h2>
<p>The early design of the networking model and its rationale, and some future
plans are described in more detail in the <a href="../design/networking.html">networking design
document</a>.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/networking.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
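Review bot: Possessive apostrophes have been dropped throughout the body text of the "Networking in Kubernetes" page ("the bridges address range", "the machines own IP address", "each others ports", "Dockers --net=container", "dockers --bridge flag", "the Nodes spec.podCIDR"), most likely because a smart-quote pass stripped the single quotes while the curly double quotes survived; restore them as bridge's, machine's, each other's, Docker's, Node's. Two more conversion problems in the same hunk: the four-item list after "There are 4 distinct networking problems to solve:" and the three requirements after "barring any intentional network segmentation policies" were emitted as literal "1." and "*" text inside a single <p> instead of an <ol>/<ul> (the source lists are not separated from the preceding paragraph by a blank line), and the page carries two <h1> elements with the same title (one from the template, one from the munged markdown) together with the <!-- BEGIN MUNGE --> markers inside <p> tags that this commit is meant to eliminate. On the template side: /js/script.js is included before /js/jquery-2.2.0.min.js, so anything in script.js that touches $ at load time will fail; the header navigation uses href="" on Get Started, Documentation, Community, Blog and View On Github (an empty href reloads the current page) with lorem ipsum copy underneath; the footer links Community to /foobang.html; and the page has three <main> elements (two inside <nav>, one in <footer>) where HTML allows only one visible main content element per document.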


@ -0,0 +1,390 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Node</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Node</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="node">Node</h1>
<p><strong>Table of Contents</strong>
<!-- BEGIN MUNGE: GENERATED_TOC --></p>
<ul>
<li><a href="#node">Node</a>
<ul>
<li><a href="#what-is-a-node">What is a node?</a></li>
<li><a href="#node-status">Node Status</a>
<ul>
<li><a href="#node-addresses">Node Addresses</a></li>
<li><a href="#node-phase">Node Phase</a></li>
<li><a href="#node-condition">Node Condition</a></li>
<li><a href="#node-capacity">Node Capacity</a></li>
<li><a href="#node-info">Node Info</a></li>
</ul>
</li>
<li><a href="#node-management">Node Management</a>
<ul>
<li><a href="#node-controller">Node Controller</a></li>
<li><a href="#self-registration-of-nodes">Self-Registration of Nodes</a>
<ul>
<li><a href="#manual-node-administration">Manual Node Administration</a></li>
</ul>
</li>
<li><a href="#node-capacity">Node capacity</a></li>
</ul>
</li>
<li><a href="#api-object">API Object</a></li>
</ul>
</li>
</ul>
<!-- END MUNGE: GENERATED_TOC -->
<h2 id="what-is-a-node">What is a node?</h2>
<p><code>Node</code> is a worker machine in Kubernetes, previously known as <code>Minion</code>. Node
may be a VM or physical machine, depending on the cluster. Each node has
the services necessary to run <a href="../user-guide/pods.html">Pods</a> and is managed by the master
components. The services on a node include docker, kubelet and network proxy. See
<a href="../design/architecture.html#the-kubernetes-node">The Kubernetes Node</a> section in the
architecture design doc for more details.</p>
<h2 id="node-status">Node Status</h2>
<p>Node status describes current status of a node. For now, there are the following
pieces of information:</p>
<h3 id="node-addresses">Node Addresses</h3>
<p>The usage of these fields varies depending on your cloud provider or bare metal configuration.</p>
<ul>
<li>
<p>HostName: Generally not used</p>
</li>
<li>
<p>ExternalIP: Generally the IP address of the node that is externally routable (available from outside the cluster)</p>
</li>
<li>
<p>InternalIP: Generally the IP address of the node that is routable only within the cluster</p>
</li>
</ul>
<h3 id="node-phase">Node Phase</h3>
<p>Node Phase is the current lifecycle phase of node, one of <code>Pending</code>,
<code>Running</code> and <code>Terminated</code>.</p>
<ul>
<li>
<p>Pending: New nodes are created in this state. A node stays in this state until it is configured.</p>
</li>
<li>
<p>Running: Node has been configured and the Kubernetes components are running</p>
</li>
<li>
<p>Terminated: Node has been removed from the cluster. It will not receive any scheduling requests,
and any running pods will be removed from the node.</p>
</li>
</ul>
<p>Node with <code>Running</code> phase is necessary but not sufficient requirement for
scheduling Pods. For a node to be considered a scheduling candidate, it
must have appropriate conditions, see below.</p>
<h3 id="node-condition">Node Condition</h3>
<p>Node Condition describes the conditions of <code>Running</code> nodes. Currently the only
node condition is Ready. The Status of this condition can be True, False, or
Unknown. True means the Kubelet is healthy and ready to accept pods.
False means the Kubelet is not healthy and is not accepting pods. Unknown
means the Node Controller, which manages node lifecycle and is responsible for
setting the Status of the condition, has not heard from the
node recently (currently 40 seconds).
Node condition is represented as a json object. For example,
the following conditions mean the node is in sane state:</p>
<div class="highlight">
<pre><code class="language-json">"conditions": [
{
"kind": "Ready",
"status": "True",
},
]
</code></pre>
</div>
<p>If the Status of the Ready condition
is Unknown or False for more than five minutes, then all of the Pods on the node are terminated by the Node Controller.</p>
<h3 id="node-capacity">Node Capacity</h3>
<p>Describes the resources available on the node: CPUs, memory and the maximum
number of pods that can be scheduled onto the node.</p>
<h3 id="node-info">Node Info</h3>
<p>General information about the node, for instance kernel version, Kubernetes version
(kubelet version, kube-proxy version), docker version (if used), OS name.
The information is gathered by Kubelet from the node.</p>
<h2 id="node-management">Node Management</h2>
<p>Unlike <a href="../user-guide/pods.html">Pods</a> and <a href="../user-guide/services.html">Services</a>, a Node is not inherently
created by Kubernetes: it is either taken from cloud providers like Google Compute Engine,
or from your pool of physical or virtual machines. What this means is that when
Kubernetes creates a node, it is really just creating an object that represents the node in its internal state.
After creation, Kubernetes will check whether the node is valid or not.
For example, if you try to create a node from the following content:</p>
<div class="highlight">
<pre><code class="language-json">{
"kind": "Node",
"apiVersion": "v1",
"metadata": {
"name": "10.240.79.157",
"labels": {
"name": "my-first-k8s-node"
}
}
}
</code></pre>
</div>
<p>Kubernetes will create a Node object internally (the representation), and
validate the node by health checking based on the <code>metadata.name</code> field: we
assume <code>metadata.name</code> can be resolved. If the node is valid, i.e. all necessary
services are running, it is eligible to run a Pod; otherwise, it will be
ignored for any cluster activity, until it becomes valid. Note that Kubernetes
will keep the object for the invalid node unless it is explicitly deleted by the client, and it will keep
checking to see if it becomes valid.</p>
<p>Currently, there are three components that interact with the Kubernetes node interface: Node Controller, Kubelet, and kubectl.</p>
<h3 id="node-controller">Node Controller</h3>
<p>Node controller is a component in Kubernetes master which manages Node
objects. It performs two major functions: cluster-wide node synchronization
and single node life-cycle management.</p>
<p>Node controller has a sync loop that creates/deletes Nodes from Kubernetes
based on all matching VM instances listed from the cloud provider. The sync period
can be controlled via flag <code>--node-sync-period</code>. If a new VM instance
gets created, Node Controller creates a representation for it. If an existing
instance gets deleted, Node Controller deletes the representation. Note however,
that Node Controller is unable to provision the node for you, i.e. it wont install
any binary; therefore, to
join a node to a Kubernetes cluster, you as an admin need to make sure proper services are
running in the node. In the future, we plan to automatically provision some node
services.</p>
<h3 id="self-registration-of-nodes">Self-Registration of Nodes</h3>
<p>When kubelet flag <code>--register-node</code> is true (the default), the kubelet will attempt to
register itself with the API server. This is the preferred pattern, used by most distros.</p>
<p>For self-registration, the kubelet is started with the following options:
- <code>--api-servers=</code> tells the kubelet the location of the apiserver.
- <code>--kubeconfig</code> tells kubelet where to find credentials to authenticate itself to the apiserver.
- <code>--cloud-provider=</code> tells the kubelet how to talk to a cloud provider to read metadata about itself.
- <code>--register-node</code> tells the kubelet to create its own node resource.</p>
<p>Currently, any kubelet is authorized to create/modify any node resource, but in practice it only creates/modifies
its own. (In the future, we plan to limit authorization to only allow a kubelet to modify its own Node resource.)</p>
<h4 id="manual-node-administration">Manual Node Administration</h4>
<p>A cluster administrator can create and modify Node objects.</p>
<p>If the administrator wishes to create node objects manually, set kubelet flag
<code>--register-node=false</code>.</p>
<p>The administrator can modify Node resources (regardless of the setting of <code>--register-node</code>).
Modifications include setting labels on the Node, and marking it unschedulable.</p>
<p>Labels on nodes can be used in conjunction with node selectors on pods to control scheduling,
e.g. to constrain a Pod to only be eligible to run on a subset of the nodes.</p>
<p>Making a node unscheduleable will prevent new pods from being scheduled to that
node, but will not affect any existing pods on the node. This is useful as a
preparatory step before a node reboot, etc. For example, to mark a node
unschedulable, run this command:</p>
<div class="highlight">
<pre><code class="language-sh">kubectl replace nodes 10.1.2.3 --patch='{"apiVersion": "v1", "unschedulable": true}'
</code></pre>
</div>
<p>Note that pods which are created by a daemonSet controller bypass the Kubernetes scheduler,
and do not respect the unschedulable attribute on a node. The assumption is that daemons belong on
the machine even if it is being drained of applications in preparation for a reboot.</p>
<h3 id="node-capacity-1">Node capacity</h3>
<p>The capacity of the node (number of cpus and amount of memory) is part of the node resource.
Normally, nodes register themselves and report their capacity when creating the node resource. If
you are doing <a href="#manual-node-administration">manual node administration</a>, then you need to set node
capacity when adding a node.</p>
<p>The Kubernetes scheduler ensures that there are enough resources for all the pods on a node. It
checks that the sum of the limits of containers on the node is no greater than the node capacity. It
includes all containers started by kubelet, but not containers started directly by docker, nor
processes not in containers.</p>
<p>If you want to explicitly reserve resources for non-Pod processes, you can create a placeholder
pod. Use the following template:</p>
<div class="highlight">
<pre><code class="language-yaml">apiVersion: v1
kind: Pod
metadata:
name: resource-reserver
spec:
containers:
- name: sleep-forever
image: gcr.io/google_containers/pause:0.8.0
resources:
limits:
cpu: 100m
memory: 100Mi
</code></pre>
</div>
<p>Set the <code>cpu</code> and <code>memory</code> values to the amount of resources you want to reserve.
Place the file in the manifest directory (<code>--config=DIR</code> flag of kubelet). Do this
on each kubelet where you want to reserve resources.</p>
<h2 id="api-object">API Object</h2>
<p>Node is a top-level resource in the kubernetes REST API. More details about the
API object can be found at: <a href="http://kubernetes.io/v1.1/docs/api-reference/v1/definitions.html#_v1_node">Node API
object</a>.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/node.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
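Review bot: The table of contents on the Node page links two different sections to the same anchor: both the "Node Capacity" entry under Node Status and the "Node capacity" entry under Node Management point at #node-capacity, but the second heading was rendered with id="node-capacity-1", so the second TOC entry jumps to the wrong section; the generated TOC needs the -1 suffix (or the two headings need distinct titles). Also in this hunk: the Ready condition sample under "Node Condition" is not valid JSON, because both "status": "True", and the closing }, carry trailing commas, so a reader who pastes it gets a parse error; the four kubelet options after "For self-registration, the kubelet is started with the following options:" were emitted as literal "- " text inside one <p> instead of a <ul> (no blank line before the list in the source); "it wont install any binary" has lost its apostrophe and "unscheduleable" should be "unschedulable". The sentence "any kubelet is authorized to create/modify any node resource" is a security caveat that the Manual Node Administration section right after it silently depends on (labels and the unschedulable marking set by an administrator can be overwritten by any kubelet), so it deserves a cross-reference from that section. The template problems repeat here unchanged: duplicate <h1>Node</h1>, script.js loaded before jQuery, empty href="" navigation links with lorem ipsum copy, and /foobang.html in the footer.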

Binary file not shown.


@ -0,0 +1,149 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes OpenVSwitch GRE/VxLAN networking</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes OpenVSwitch GRE/VxLAN networking</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-openvswitch-grevxlan-networking">Kubernetes OpenVSwitch GRE/VxLAN networking</h1>
<p>This document describes how OpenVSwitch is used to setup networking between pods across nodes.
The tunnel type could be GRE or VxLAN. VxLAN is preferable when large scale isolation needs to be performed within the network.</p>
<p><img src="ovs-networking.png" alt="ovs-networking" title="OVS Networking" /></p>
<p>The vagrant setup in Kubernetes does the following:</p>
<p>The docker bridge is replaced with a brctl generated linux bridge (kbr0) with a 256 address space subnet. Basically, a node gets 10.244.x.0/24 subnet and docker is configured to use that bridge instead of the default docker0 bridge.</p>
<p>Also, an OVS bridge is created(obr0) and added as a port to the kbr0 bridge. All OVS bridges across all nodes are linked with GRE tunnels. So, each node has an outgoing GRE tunnel to all other nodes. It does not need to be a complete mesh really, just meshier the better. STP (spanning tree) mode is enabled in the bridges to prevent loops.</p>
<p>Routing rules enable any 10.244.0.0/16 target to become reachable via the OVS bridge connected with the tunnels.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/ovs-networking.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
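Review bot: the body of this page carries the title twice and still contains the munger markers (`<h1>Kubernetes OpenVSwitch GRE/VxLAN networking</h1>` directly followed by `<h1 id="kubernetes-openvswitch-grevxlan-networking">...`, plus the `BEGIN/END MUNGE` comments and an analytics pixel whose `<!-- END MUNGE: GENERATED_ANALYTICS -->` comment sits inside its `<p>`), which is the opposite of the non-munged, pure-Jekyll page this commit is meant to exemplify; drop the second `<h1>`, the MUNGE comments and the `<p>`-wrapped pixel, and let the layout render the title from front matter. Two smaller points in the template: `/js/script.js` is included before `/js/jquery-2.2.0.min.js`, so anything in it that uses `$` will fail at load time (move jQuery first, or confirm `kub.toggleMenu` does not depend on it), and the footer's Community link points at `/foobang.html` while the nav-box headings have empty `href=""` placeholders and lorem ipsum copy that should not ship in published docs. In the body text, 'It does not need to be a complete mesh really, just meshier the better' is colloquial; say that the GRE tunnels need not form a full mesh, though a denser mesh gives more direct paths.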


@ -0,0 +1,326 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Resource Quotas</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Resource Quotas</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="resource-quotas">Resource Quotas</h1>
<p>When several users or teams share a cluster with a fixed number of nodes,
there is a concern that one team could use more than its fair share of resources.</p>
<p>Resource quotas are a tool for administrators to address this concern. Resource quotas
work like this:
- Different teams work in different namespaces. Currently this is voluntary, but
support for making this mandatory via ACLs is planned.
- The administrator creates a Resource Quota for each namespace.
- Users put compute resource requests on their pods. The sum of all resource requests across
all pods in the same namespace must not exceed any hard resource limit in any Resource Quota
document for the namespace. Note that we used to verify Resource Quota by taking the sum of
resource limits of the pods, but this was altered to use resource requests. Backwards compatibility
for those pods previously created is preserved because pods that only specify a resource limit have
their resource requests defaulted to match their defined limits. The user is only charged for the
resources they request in the Resource Quota versus their limits because the request is the minimum
amount of resource guaranteed by the cluster during scheduling. For more information on over commit,
see <a href="../user-guide/compute-resources.html">compute-resources</a>.
- If creating a pod would cause the namespace to exceed any of the limits specified in the
the Resource Quota for that namespace, then the request will fail with HTTP status
code <code>403 FORBIDDEN</code>.
- If quota is enabled in a namespace and the user does not specify <em>requests</em> on the pod for each
of the resources for which quota is enabled, then the POST of the pod will fail with HTTP
status code <code>403 FORBIDDEN</code>. Hint: Use the LimitRange admission controller to force default
values of <em>limits</em> (then resource <em>requests</em> would be equal to <em>limits</em> by default, see
<a href="admission-controllers.html">admission controller</a>) before the quota is checked to avoid this problem.</p>
<p>Examples of policies that could be created using namespaces and quotas are:
- In a cluster with a capacity of 32 GiB RAM, and 16 cores, let team A use 20 Gib and 10 cores,
let B use 10GiB and 4 cores, and hold 2GiB and 2 cores in reserve for future allocation.
- Limit the “testing” namespace to using 1 core and 1GiB RAM. Let the “production” namespace
use any amount.</p>
<p>In the case where the total capacity of the cluster is less than the sum of the quotas of the namespaces,
there may be contention for resources. This is handled on a first-come-first-served basis.</p>
<p>Neither contention nor changes to quota will affect already-running pods.</p>
<h2 id="enabling-resource-quota">Enabling Resource Quota</h2>
<p>Resource Quota support is enabled by default for many Kubernetes distributions. It is
enabled when the apiserver <code>--admission-control=</code> flag has <code>ResourceQuota</code> as
one of its arguments.</p>
<p>Resource Quota is enforced in a particular namespace when there is a
<code>ResourceQuota</code> object in that namespace. There should be at most one
<code>ResourceQuota</code> object in a namespace.</p>
<h2 id="compute-resource-quota">Compute Resource Quota</h2>
<p>The total sum of <a href="../user-guide/compute-resources.html">compute resources</a> requested by pods
in a namespace can be limited. The following compute resource types are supported:</p>
<table>
<thead>
<tr>
<th>ResourceName</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>cpu</td>
<td>Total cpu requests of containers</td>
</tr>
<tr>
<td>memory</td>
<td>Total memory requests of containers</td>
</tr>
</tbody>
</table>
<p>For example, <code>cpu</code> quota sums up the <code>resources.requests.cpu</code> fields of every
container of every pod in the namespace, and enforces a maximum on that sum.</p>
<h2 id="object-count-quota">Object Count Quota</h2>
<p>The number of objects of a given type can be restricted. The following types
are supported:</p>
<table>
<thead>
<tr>
<th>ResourceName</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>pods</td>
<td>Total number of pods</td>
</tr>
<tr>
<td>services</td>
<td>Total number of services</td>
</tr>
<tr>
<td>replicationcontrollers</td>
<td>Total number of replication controllers</td>
</tr>
<tr>
<td>resourcequotas</td>
<td>Total number of <a href="admission-controllers.html#resourcequota">resource quotas</a></td>
</tr>
<tr>
<td>secrets</td>
<td>Total number of secrets</td>
</tr>
<tr>
<td>persistentvolumeclaims</td>
<td>Total number of <a href="../user-guide/persistent-volumes.html#persistentvolumeclaims">persistent volume claims</a></td>
</tr>
</tbody>
</table>
<p>For example, <code>pods</code> quota counts and enforces a maximum on the number of <code>pods</code>
created in a single namespace.</p>
<p>You might want to set a pods quota on a namespace
to avoid the case where a user creates many small pods and exhausts the clusters
supply of Pod IPs.</p>
<h2 id="viewing-and-setting-quotas">Viewing and Setting Quotas</h2>
<p>Kubectl supports creating, updating, and viewing quotas:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl namespace myspace
$ cat &lt;&lt;EOF &gt; quota.json
{
"apiVersion": "v1",
"kind": "ResourceQuota",
"metadata": {
"name": "quota",
},
"spec": {
"hard": {
"memory": "1Gi",
"cpu": "20",
"pods": "10",
"services": "5",
"replicationcontrollers":"20",
"resourcequotas":"1",
},
}
}
EOF
$ kubectl create -f ./quota.json
$ kubectl get quota
NAME
quota
$ kubectl describe quota quota
Name: quota
Resource Used Hard
-------- ---- ----
cpu 0m 20
memory 0 1Gi
pods 5 10
replicationcontrollers 5 20
resourcequotas 1 1
services 3 5
</code></pre>
</div>
<h2 id="quota-and-cluster-capacity">Quota and Cluster Capacity</h2>
<p>Resource Quota objects are independent of the Cluster Capacity. They are
expressed in absolute units. So, if you add nodes to your cluster, this does <em>not</em>
automatically give each namespace the ability to consume more resources.</p>
<p>Sometimes more complex policies may be desired, such as:
- proportionally divide total cluster resources among several teams.
- allow each tenant to grow resource usage as needed, but have a generous
limit to prevent accidental resource exhaustion.
- detect demand from one namespace, add nodes, and increase quota.</p>
<p>Such policies could be implemented using ResourceQuota as a building-block, by
writing a controller which watches the quota usage and adjusts the quota
hard limits of each namespace according to other signals.</p>
<p>Note that resource quota divides up aggregate cluster resources, but it creates no
restrictions around nodes: pods from several namespaces may run on the same node.</p>
<h2 id="example">Example</h2>
<p>See a <a href="resourcequota/">detailed example for how to use resource quota</a>..</p>
<h2 id="read-more">Read More</h2>
<p>See <a href="../design/admission_control_resource_quota.html">ResourceQuota design doc</a> for more information.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/resource-quota.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
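Review bot: the `quota.json` heredoc under 'Viewing and Setting Quotas' is not valid JSON, so `kubectl create -f ./quota.json` fails as written: there are trailing commas after `"name": "quota",` and after `"resourcequotas":"1",`, each the last member of its object; remove both commas. The three `- ` bullet lists (under 'Resource quotas work like this:', 'Examples of policies that could be created ...' and 'Sometimes more complex policies may be desired') have been rendered as raw dashes inside a `<p>`, which means the markdown source lacks a blank line before each list; add one so the converter emits a `<ul>`. The same munger leftovers as the other pages in this commit are present (two `<h1>` elements for the title, the `MUNGE` comments, and the analytics pixel with a comment inside its `<p>`). `$ kubectl namespace myspace` also selects the namespace differently from the resourcequota example page in this same commit, which passes `--namespace=` explicitly on every command; keep one form across the two pages. Typos: 'Gib' should be 'GiB', '10GiB' and '2GiB' should be spaced like '32 GiB'; 'specified in the the Resource Quota' has a doubled 'the'; 'clusters supply' needs an apostrophe ('cluster's supply'); the Example section ends with a doubled period.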


@ -0,0 +1,297 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Resource Quota</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Resource Quota</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<p>Resource Quota
========================================
This example demonstrates how <a href="../../admin/admission-controllers.html#resourcequota">resource quota</a> and
<a href="../../admin/admission-controllers.html#limitranger">limitsranger</a> can be applied to a Kubernetes namespace.
See <a href="../../design/admission_control_resource_quota.html">ResourceQuota design doc</a> for more information.</p>
<p>This example assumes you have a functional Kubernetes setup.</p>
<h2 id="step-1-create-a-namespace">Step 1: Create a namespace</h2>
<p>This example will work in a custom namespace to demonstrate the concepts involved.</p>
<p>Lets create a new namespace called quota-example:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/resourcequota/namespace.yaml
namespace "quota-example" created
$ kubectl get namespaces
NAME LABELS STATUS AGE
default &lt;none&gt; Active 2m
quota-example &lt;none&gt; Active 39s
</code></pre>
</div>
<h2 id="step-2-apply-a-quota-to-the-namespace">Step 2: Apply a quota to the namespace</h2>
<p>By default, a pod will run with unbounded CPU and memory requests/limits. This means that any pod in the
system will be able to consume as much CPU and memory on the node that executes the pod.</p>
<p>Users may want to restrict how much of the cluster resources a given namespace may consume
across all of its pods in order to manage cluster usage. To do this, a user applies a quota to
a namespace. A quota lets the user set hard limits on the total amount of node resources (cpu, memory)
and API resources (pods, services, etc.) that a namespace may consume. In term of resources, Kubernetes
checks the total resource <em>requests</em>, not resource <em>limits</em> of all containers/pods in the namespace.</p>
<p>Lets create a simple quota in our namespace:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/resourcequota/quota.yaml --namespace=quota-example
resourcequota "quota" created
</code></pre>
</div>
<p>Once your quota is applied to a namespace, the system will restrict any creation of content
in the namespace until the quota usage has been calculated. This should happen quickly.</p>
<p>You can describe your current quota usage to see what resources are being consumed in your
namespace.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl describe quota quota --namespace=quota-example
Name: quota
Namespace: quota-example
Resource Used Hard
-------- ---- ----
cpu 0 20
memory 0 1Gi
persistentvolumeclaims 0 10
pods 0 10
replicationcontrollers 0 20
resourcequotas 1 1
secrets 1 10
services 0 5
</code></pre>
</div>
<h2 id="step-3-applying-default-resource-requests-and-limits">Step 3: Applying default resource requests and limits</h2>
<p>Pod authors rarely specify resource requests and limits for their pods.</p>
<p>Since we applied a quota to our project, lets see what happens when an end-user creates a pod that has unbounded
cpu and memory by creating an nginx container.</p>
<p>To demonstrate, lets create a replication controller that runs nginx:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl run nginx --image=nginx --replicas=1 --namespace=quota-example
replicationcontroller "nginx" created
</code></pre>
</div>
<p>Now lets look at the pods that were created.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get pods --namespace=quota-example
NAME READY STATUS RESTARTS AGE
</code></pre>
</div>
<p>What happened? I have no pods! Lets describe the replication controller to get a view of what is happening.</p>
<div class="highlight">
<pre><code class="language-console">kubectl describe rc nginx --namespace=quota-example
Name: nginx
Namespace: quota-example
Image(s): nginx
Selector: run=nginx
Labels: run=nginx
Replicas: 0 current / 1 desired
Pods Status: 0 Running / 0 Waiting / 0 Succeeded / 0 Failed
No volumes.
Events:
FirstSeen LastSeen Count From SubobjectPath Reason Message
42s 11s 3 {replication-controller } FailedCreate Error creating: Pod "nginx-" is forbidden: Must make a non-zero request for memory since it is tracked by quota.
</code></pre>
</div>
<p>The Kubernetes API server is rejecting the replication controllers requests to create a pod because our pods
do not specify any memory usage <em>request</em>.</p>
<p>So lets set some default values for the amount of cpu and memory a pod can consume:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/resourcequota/limits.yaml --namespace=quota-example
limitrange "limits" created
$ kubectl describe limits limits --namespace=quota-example
Name: limits
Namespace: quota-example
Type Resource Min Max Request Limit Limit/Request
---- -------- --- --- ------- ----- -------------
Container memory - - 256Mi 512Mi -
Container cpu - - 100m 200m -
</code></pre>
</div>
<p>Now any time a pod is created in this namespace, if it has not specified any resource request/limit, the default
amount of cpu and memory per container will be applied, and the request will be used as part of admission control.</p>
<p>Now that we have applied default resource <em>request</em> for our namespace, our replication controller should be able to
create its pods.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get pods --namespace=quota-example
NAME READY STATUS RESTARTS AGE
nginx-fca65 1/1 Running 0 1m
</code></pre>
</div>
<p>And if we print out our quota usage in the namespace:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl describe quota quota --namespace=quota-example
Name: quota
Namespace: quota-example
Resource Used Hard
-------- ---- ----
cpu 100m 20
memory 256Mi 1Gi
persistentvolumeclaims 0 10
pods 1 10
replicationcontrollers 1 20
resourcequotas 1 1
secrets 1 10
services 0 5
</code></pre>
</div>
<p>You can now see the pod that was created is consuming explicit amounts of resources (specified by resource <em>request</em>),
and the usage is being tracked by the Kubernetes system properly.</p>
<h2 id="summary">Summary</h2>
<p>Actions that consume node resources for cpu and memory can be subject to hard quota limits defined
by the namespace quota. The resource consumption is measured by resource <em>request</em> in pod specification.</p>
<p>Any action that consumes those resources can be tweaked, or can pick up namespace level defaults to
meet your end goal.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/resourcequota/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
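Review bot: the page title is rendered as literal text rather than a heading: `<p>Resource Quota` followed by a line of `=` signs (a setext heading that did not convert because no blank line separates it from the paragraph that follows), and it sits directly under a `<h1>Resource Quota</h1>` that already renders the title; delete the setext heading from the markdown source along with the `MUNGE` comments and the `<p>`-wrapped analytics pixel. The `kubectl describe rc nginx --namespace=quota-example` line is missing the `$` prompt that every other command on the page carries. Wording: `limitsranger` should be `LimitRanger` (the admission controller's name, matching the `#limitranger` anchor it links to); 'Lets' should be 'Let's' throughout; 'In term of resources' should be 'In terms of resources'; 'as much CPU and memory on the node that executes the pod' is missing its comparison ('as much CPU and memory as is available on the node'); 'the replication controllers requests' needs an apostrophe ('controller's'). One documentation gap worth closing in Step 3: the `FailedCreate` event (`Must make a non-zero request for memory since it is tracked by quota`) is the intended outcome, not a bug, and the page should say explicitly that a namespace with a quota on `memory` but no `LimitRange` defaults will reject every pod that omits a memory request, which is exactly the failure mode the `limits.yaml` LimitRange resolves.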


@ -0,0 +1,297 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Resource Quota</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Resource Quota</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<p>Resource Quota
========================================
This example demonstrates how <a href="../../admin/admission-controllers.html#resourcequota">resource quota</a> and
<a href="../../admin/admission-controllers.html#limitranger">limitsranger</a> can be applied to a Kubernetes namespace.
See <a href="../../design/admission_control_resource_quota.html">ResourceQuota design doc</a> for more information.</p>
<p>This example assumes you have a functional Kubernetes setup.</p>
<h2 id="step-1-create-a-namespace">Step 1: Create a namespace</h2>
<p>This example will work in a custom namespace to demonstrate the concepts involved.</p>
<p>Lets create a new namespace called quota-example:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/resourcequota/namespace.yaml
namespace "quota-example" created
$ kubectl get namespaces
NAME LABELS STATUS AGE
default &lt;none&gt; Active 2m
quota-example &lt;none&gt; Active 39s
</code></pre>
</div>
<h2 id="step-2-apply-a-quota-to-the-namespace">Step 2: Apply a quota to the namespace</h2>
<p>By default, a pod will run with unbounded CPU and memory requests/limits. This means that any pod in the
system will be able to consume as much CPU and memory on the node that executes the pod.</p>
<p>Users may want to restrict how much of the cluster resources a given namespace may consume
across all of its pods in order to manage cluster usage. To do this, a user applies a quota to
a namespace. A quota lets the user set hard limits on the total amount of node resources (cpu, memory)
and API resources (pods, services, etc.) that a namespace may consume. In term of resources, Kubernetes
checks the total resource <em>requests</em>, not resource <em>limits</em> of all containers/pods in the namespace.</p>
<p>Lets create a simple quota in our namespace:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/resourcequota/quota.yaml --namespace=quota-example
resourcequota "quota" created
</code></pre>
</div>
<p>Once your quota is applied to a namespace, the system will restrict any creation of content
in the namespace until the quota usage has been calculated. This should happen quickly.</p>
<p>You can describe your current quota usage to see what resources are being consumed in your
namespace.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl describe quota quota --namespace=quota-example
Name: quota
Namespace: quota-example
Resource Used Hard
-------- ---- ----
cpu 0 20
memory 0 1Gi
persistentvolumeclaims 0 10
pods 0 10
replicationcontrollers 0 20
resourcequotas 1 1
secrets 1 10
services 0 5
</code></pre>
</div>
<h2 id="step-3-applying-default-resource-requests-and-limits">Step 3: Applying default resource requests and limits</h2>
<p>Pod authors rarely specify resource requests and limits for their pods.</p>
<p>Since we applied a quota to our project, lets see what happens when an end-user creates a pod that has unbounded
cpu and memory by creating an nginx container.</p>
<p>To demonstrate, lets create a replication controller that runs nginx:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl run nginx --image=nginx --replicas=1 --namespace=quota-example
replicationcontroller "nginx" created
</code></pre>
</div>
<p>Now lets look at the pods that were created.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get pods --namespace=quota-example
NAME READY STATUS RESTARTS AGE
</code></pre>
</div>
<p>What happened? I have no pods! Lets describe the replication controller to get a view of what is happening.</p>
<div class="highlight">
<pre><code class="language-console">kubectl describe rc nginx --namespace=quota-example
Name: nginx
Namespace: quota-example
Image(s): nginx
Selector: run=nginx
Labels: run=nginx
Replicas: 0 current / 1 desired
Pods Status: 0 Running / 0 Waiting / 0 Succeeded / 0 Failed
No volumes.
Events:
FirstSeen LastSeen Count From SubobjectPath Reason Message
42s 11s 3 {replication-controller } FailedCreate Error creating: Pod "nginx-" is forbidden: Must make a non-zero request for memory since it is tracked by quota.
</code></pre>
</div>
<p>The Kubernetes API server is rejecting the replication controllers requests to create a pod because our pods
do not specify any memory usage <em>request</em>.</p>
<p>So lets set some default values for the amount of cpu and memory a pod can consume:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/resourcequota/limits.yaml --namespace=quota-example
limitrange "limits" created
$ kubectl describe limits limits --namespace=quota-example
Name: limits
Namespace: quota-example
Type Resource Min Max Request Limit Limit/Request
---- -------- --- --- ------- ----- -------------
Container memory - - 256Mi 512Mi -
Container cpu - - 100m 200m -
</code></pre>
</div>
<p>Now any time a pod is created in this namespace, if it has not specified any resource request/limit, the default
amount of cpu and memory per container will be applied, and the request will be used as part of admission control.</p>
<p>Now that we have applied default resource <em>request</em> for our namespace, our replication controller should be able to
create its pods.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get pods --namespace=quota-example
NAME READY STATUS RESTARTS AGE
nginx-fca65 1/1 Running 0 1m
</code></pre>
</div>
<p>And if we print out our quota usage in the namespace:</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl describe quota quota --namespace=quota-example
Name: quota
Namespace: quota-example
Resource Used Hard
-------- ---- ----
cpu 100m 20
memory 256Mi 1Gi
persistentvolumeclaims 0 10
pods 1 10
replicationcontrollers 1 20
resourcequotas 1 1
secrets 1 10
services 0 5
</code></pre>
</div>
<p>You can now see the pod that was created is consuming explicit amounts of resources (specified by resource <em>request</em>),
and the usage is being tracked by the Kubernetes system properly.</p>
<h2 id="summary">Summary</h2>
<p>Actions that consume node resources for cpu and memory can be subject to hard quota limits defined
by the namespace quota. The resource consumption is measured by resource <em>request</em> in pod specification.</p>
<p>Any action that consumes those resources can be tweaked, or can pick up namespace level defaults to
meet your end goal.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/resourcequota/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
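Review bot: in the "Step 3" walkthrough the `kubectl describe rc nginx --namespace=quota-example` console block has no `$ ` prompt, unlike every other console block in this file, so the command reads as part of its own output; add the prompt. Also in this file: the `IS_VERSIONED` and `GENERATED_ANALYTICS` MUNGE comment pairs and the analytics pixel `<img>` are still emitted, with `<!-- END MUNGE: GENERATED_ANALYTICS -->` landing inside the `<p>`, which is exactly the munged output the commit message says these pages should move away from; and the header nav boxes ship lorem-ipsum copy with empty `href=""` links while the footer Community link points at `/foobang.html`, all of which look like template placeholders that should be filled in or removed before this goes live.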

View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: LimitRange
metadata:
name: limits
spec:
limits:
- default:
cpu: 200m
memory: 512Mi
defaultRequest:
cpu: 100m
memory: 256Mi
type: Container
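Review bot: this LimitRange only sets `default` and `defaultRequest`, so it clears the "Must make a non-zero request for memory" rejection shown in the README but puts no per-container ceiling in place; a single container can still ask for the whole namespace quota (`memory: 1Gi`, `cpu: "20"` in quota.yaml). If the example is meant to illustrate least-privilege defaults, consider adding a `max:` block (for instance `max:` / `cpu: "1"` / `memory: 1Gi`) next to `default:` in the same `limits` item, and mention in the README that `min`/`max` exist alongside the defaults.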

View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: quota-example

View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: ResourceQuota
metadata:
name: quota
spec:
hard:
cpu: "20"
memory: 1Gi
persistentvolumeclaims: "10"
pods: "10"
replicationcontrollers: "20"
resourcequotas: "1"
secrets: "10"
services: "5"

View File

@ -0,0 +1,281 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Using Salt to configure Kubernetes</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Using Salt to configure Kubernetes</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="using-salt-to-configure-kubernetes">Using Salt to configure Kubernetes</h1>
<p>The Kubernetes cluster can be configured using Salt.</p>
<p>The Salt scripts are shared across multiple hosting providers, so its important to understand some background information prior to making a modification to ensure your changes do not break hosting Kubernetes across multiple environments. Depending on where you host your Kubernetes cluster, you may be using different operating systems and different networking configurations. As a result, its important to understand some background information before making Salt changes in order to minimize introducing failures for other hosting providers.</p>
<h2 id="salt-cluster-setup">Salt cluster setup</h2>
<p>The <strong>salt-master</strong> service runs on the kubernetes-master <a href="#standalone-salt-configuration-on-gce">(except on the default GCE setup)</a>.</p>
<p>The <strong>salt-minion</strong> service runs on the kubernetes-master and each kubernetes-node in the cluster.</p>
<p>Each salt-minion service is configured to interact with the <strong>salt-master</strong> service hosted on the kubernetes-master via the <strong>master.conf</strong> file <a href="#standalone-salt-configuration-on-gce">(except on GCE)</a>.</p>
<div class="highlight">
<pre><code class="language-console">[root@kubernetes-master] $ cat /etc/salt/minion.d/master.conf
master: kubernetes-master
</code></pre>
</div>
<p>The salt-master is contacted by each salt-minion and depending upon the machine information presented, the salt-master will provision the machine as either a kubernetes-master or kubernetes-node with all the required capabilities needed to run Kubernetes.</p>
<p>If you are running the Vagrant based environment, the <strong>salt-api</strong> service is running on the kubernetes-master. It is configured to enable the vagrant user to introspect the salt cluster in order to find out about machines in the Vagrant environment via a REST API.</p>
<h2 id="standalone-salt-configuration-on-gce">Standalone Salt Configuration on GCE</h2>
<p>On GCE, the master and nodes are all configured as <a href="http://docs.saltstack.com/en/latest/topics/tutorials/standalone_minion.html">standalone minions</a>. The configuration for each VM is derived from the VMs <a href="https://cloud.google.com/compute/docs/metadata">instance metadata</a> and then stored in Salt grains (<code>/etc/salt/minion.d/grains.conf</code>) and pillars (<code>/srv/salt-overlay/pillar/cluster-params.sls</code>) that local Salt uses to enforce state.</p>
<p>All remaining sections that refer to master/minion setups should be ignored for GCE. One fallout of the GCE setup is that the Salt mine doesnt exist - there is no sharing of configuration amongst nodes.</p>
<h2 id="salt-security">Salt security</h2>
<p><em>(Not applicable on default GCE setup.)</em></p>
<p>Security is not enabled on the salt-master, and the salt-master is configured to auto-accept incoming requests from minions. It is not recommended to use this security configuration in production environments without deeper study. (In some environments this isnt as bad as it might sound if the salt master port isnt externally accessible and you trust everyone on your network.)</p>
<div class="highlight">
<pre><code class="language-console">[root@kubernetes-master] $ cat /etc/salt/master.d/auto-accept.conf
open_mode: True
auto_accept: True
</code></pre>
</div>
<h2 id="salt-minion-configuration">Salt minion configuration</h2>
<p>Each minion in the salt cluster has an associated configuration that instructs the salt-master how to provision the required resources on the machine.</p>
<p>An example file is presented below using the Vagrant based environment.</p>
<div class="highlight">
<pre><code class="language-console">[root@kubernetes-master] $ cat /etc/salt/minion.d/grains.conf
grains:
etcd_servers: $MASTER_IP
cloud_provider: vagrant
roles:
- kubernetes-master
</code></pre>
</div>
<p>Each hosting environment has a slightly different grains.conf file that is used to build conditional logic where required in the Salt files.</p>
<p>The following enumerates the set of defined key/value pairs that are supported today. If you add new ones, please make sure to update this list.</p>
<table>
<thead>
<tr>
<th>Key</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>api_servers</code></td>
<td>(Optional) The IP address / host name where a kubelet can get read-only access to kube-apiserver</td>
</tr>
<tr>
<td><code>cbr-cidr</code></td>
<td>(Optional) The minion IP address range used for the docker container bridge.</td>
</tr>
<tr>
<td><code>cloud</code></td>
<td>(Optional) Which IaaS platform is used to host Kubernetes, <em>gce</em>, <em>azure</em>, <em>aws</em>, <em>vagrant</em></td>
</tr>
<tr>
<td><code>etcd_servers</code></td>
<td>(Optional) Comma-delimited list of IP addresses the kube-apiserver and kubelet use to reach etcd. Uses the IP of the first machine in the kubernetes_master role, or 127.0.0.1 on GCE.</td>
</tr>
<tr>
<td><code>hostnamef</code></td>
<td>(Optional) The full host name of the machine, i.e. uname -n</td>
</tr>
<tr>
<td><code>node_ip</code></td>
<td>(Optional) The IP address to use to address this node</td>
</tr>
<tr>
<td><code>hostname_override</code></td>
<td>(Optional) Mapped to the kubelet hostname-override</td>
</tr>
<tr>
<td><code>network_mode</code></td>
<td>(Optional) Networking model to use among nodes: <em>openvswitch</em></td>
</tr>
<tr>
<td><code>networkInterfaceName</code></td>
<td>(Optional) Networking interface to use to bind addresses, default value <em>eth0</em></td>
</tr>
<tr>
<td><code>publicAddressOverride</code></td>
<td>(Optional) The IP address the kube-apiserver should use to bind against for external read-only access</td>
</tr>
<tr>
<td><code>roles</code></td>
<td>(Required) 1. <code>kubernetes-master</code> means this machine is the master in the Kubernetes cluster. 2. <code>kubernetes-pool</code> means this machine is a kubernetes-node. Depending on the role, the Salt scripts will provision different resources on the machine.</td>
</tr>
</tbody>
</table>
<p>These keys may be leveraged by the Salt sls files to branch behavior.</p>
<p>In addition, a cluster may be running a Debian based operating system or Red Hat based operating system (Centos, Fedora, RHEL, etc.). As a result, its important to sometimes distinguish behavior based on operating system using if branches like the following.</p>
<div class="highlight">
<pre><code class="language-jinja">{% if grains['os_family'] == 'RedHat' %}
// something specific to a RedHat environment (Centos, Fedora, RHEL) where you may use yum, systemd, etc.
{% else %}
// something specific to Debian environment (apt-get, initd)
{% endif %}
</code></pre>
</div>
<h2 id="best-practices">Best Practices</h2>
<ol>
<li>When configuring default arguments for processes, its best to avoid the use of EnvironmentFiles (Systemd in Red Hat environments) or init.d files (Debian distributions) to hold default values that should be common across operating system environments. This helps keep our Salt template files easy to understand for editors who may not be familiar with the particulars of each distribution.</li>
</ol>
<h2 id="future-enhancements-networking">Future enhancements (Networking)</h2>
<p>Per pod IP configuration is provider-specific, so when making networking changes, its important to sandbox these as all providers may not use the same mechanisms (iptables, openvswitch, etc.)</p>
<p>We should define a grains.conf key that captures more specifically what network configuration environment is being used to avoid future confusion across providers.</p>
<h2 id="further-reading">Further reading</h2>
<p>The <a href="http://releases.k8s.io/release-1.1/cluster/saltbase/">cluster/saltbase</a> tree has more details on the current SaltStack configuration.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/salt.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
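Review bot: the "Salt security" section documents `open_mode: True` and `auto_accept: True` in `/etc/salt/master.d/auto-accept.conf`, which together let any host that can reach the salt-master enrol as a minion and be provisioned according to the grains it presents; the paragraph already says this is not for production, but it should also say what the hardening is (remove `open_mode`, set `auto_accept: False` and accept minion keys by hand, and keep the salt-master unreachable from outside the cluster network). Two smaller items: the Jinja example uses `//` for its placeholder comments, but Salt sls files are YAML after rendering, so those lines would come out as literal content; use Jinja `{# ... #}` or YAML `#` comments instead. And the `etcd_servers` row of the grains table refers to the "kubernetes_master role" while the role is spelled `kubernetes-master` everywhere else (the `roles` row and the `grains.conf` example); align the spelling. The file also renders the title twice, as `<h1>Using Salt to configure Kubernetes</h1>` followed by the id'd `<h1>` from the markdown body.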

View File

@ -0,0 +1,230 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Cluster Admin Guide to Service Accounts</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Cluster Admin Guide to Service Accounts</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="cluster-admin-guide-to-service-accounts">Cluster Admin Guide to Service Accounts</h1>
<p><em>This is a Cluster Administrator guide to service accounts. It assumes knowledge of
the <a href="../user-guide/service-accounts.html">User Guide to Service Accounts</a>.</em></p>
<p><em>Support for authorization and user accounts is planned but incomplete. Sometimes
incomplete features are referred to in order to better describe service accounts.</em></p>
<h2 id="user-accounts-vs-service-accounts">User accounts vs service accounts</h2>
<p>Kubernetes distinguished between the concept of a user account and a service accounts
for a number of reasons:
- User accounts are for humans. Service accounts are for processes, which
run in pods.
- User accounts are intended to be global. Names must be unique across all
namespaces of a cluster, future user resource will not be namespaced).
Service accounts are namespaced.
- Typically, a clusters User accounts might be synced from a corporate
database, where new user account creation requires special privileges and
is tied to complex business processes. Service account creation is intended
to be more lightweight, allowing cluster users to create service accounts for
specific tasks (i.e. principle of least privilege).
- Auditing considerations for humans and service accounts may differ.
- A config bundle for a complex system may include definition of various service
accounts for components of that system. Because service accounts can be created
ad-hoc and have namespaced names, such config is portable.</p>
<h2 id="service-account-automation">Service account automation</h2>
<p>Three separate components cooperate to implement the automation around service accounts:
- A Service account admission controller
- A Token controller
- A Service account controller</p>
<h3 id="service-account-admission-controller">Service Account Admission Controller</h3>
<p>The modification of pods is implemented via a plugin
called an <a href="admission-controllers.html">Admission Controller</a>. It is part of the apiserver.
It acts synchronously to modify pods as they are created or updated. When this plugin is active
(and it is by default on most distributions), then it does the following when a pod is created or modified:
1. If the pod does not have a <code>ServiceAccount</code> set, it sets the <code>ServiceAccount</code> to <code>default</code>.
2. It ensures that the <code>ServiceAccount</code> referenced by the pod exists, and otherwise rejects it.
4. If the pod does not contain any <code>ImagePullSecrets</code>, then <code>ImagePullSecrets</code> of the
<code>ServiceAccount</code> are added to the pod.
5. It adds a <code>volume</code> to the pod which contains a token for API access.
6. It adds a <code>volumeSource</code> to each container of the pod mounted at <code>/var/run/secrets/kubernetes.io/serviceaccount</code>.</p>
<h3 id="token-controller">Token Controller</h3>
<p>TokenController runs as part of controller-manager. It acts asynchronously. It:
- observes serviceAccount creation and creates a corresponding Secret to allow API access.
- observes serviceAccount deletion and deletes all corresponding ServiceAccountToken Secrets
- observes secret addition, and ensures the referenced ServiceAccount exists, and adds a token to the secret if needed
- observes secret deletion and removes a reference from the corresponding ServiceAccount if needed</p>
<h4 id="to-create-additional-api-tokens">To create additional API tokens</h4>
<p>A controller loop ensures a secret with an API token exists for each service
account. To create additional API tokens for a service account, create a secret
of type <code>ServiceAccountToken</code> with an annotation referencing the service
account, and the controller will update it with a generated token:</p>
<div class="highlight">
<pre><code class="language-json">secret.json:
{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
"name": "mysecretname",
"annotations": {
"kubernetes.io/service-account.name": "myserviceaccount"
}
},
"type": "kubernetes.io/service-account-token"
}
</code></pre>
</div>
<div class="highlight">
<pre><code class="language-sh">kubectl create -f ./secret.json
kubectl describe secret mysecretname
</code></pre>
</div>
<h4 id="to-deleteinvalidate-a-service-account-token">To delete/invalidate a service account token</h4>
<div class="highlight">
<pre><code class="language-sh">kubectl delete secret mysecretname
</code></pre>
</div>
<h3 id="service-account-controller">Service Account Controller</h3>
<p>Service Account Controller manages ServiceAccount inside namespaces, and ensures
a ServiceAccount named “default” exists in every active namespace.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/service-accounts-admin.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
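Review bot: the admission-controller step list is numbered 1, 2, 4, 5, 6, so either step 3 was dropped or the numbers need fixing; and none of the Markdown lists in this file (the `- ` bullets under "User accounts vs service accounts", "Service account automation" and "Token Controller", and the numbered admission-controller steps) were converted to `<ul>`/`<ol>`; they sit as raw `- `/`1.` text inside `<p>` elements because each list follows its introducing sentence without a blank line, which kramdown treats as paragraph continuation. Add the blank line so the lists render. Also: the prose says to create a secret "of type `ServiceAccountToken`" while the JSON uses `"type": "kubernetes.io/service-account-token"`, so the prose should quote the real type string; the `secret.json:` label sits inside the `language-json` block and makes it invalid JSON if pasted; and "Kubernetes distinguished between the concept of a user account and a service accounts" has a tense and number error, with an unmatched `)` in the "User accounts are intended to be global" bullet.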

View File

@ -0,0 +1,276 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Static pods (deprecated)</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Static pods (deprecated)</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="static-pods-deprecated">Static pods (deprecated)</h1>
<p><strong>Static pods are to be deprecated and can be removed in any future Kubernetes release!</strong></p>
<p><em>Static pod</em> are managed directly by kubelet daemon on a specific node, without API server observing it. It does not have associated any replication controller, kubelet daemon itself watches it and restarts it when it crashes. There is no health check though. Static pods are always bound to one kubelet daemon and always run on the same node with it.</p>
<p>Kubelet automatically creates so-called <em>mirror pod</em> on Kubernetes API server for each static pod, so the pods are visible there, but they cannot be controlled from the API server.</p>
<h2 id="static-pod-creation">Static pod creation</h2>
<p>Static pod can be created in two ways: either by using configuration file(s) or by HTTP.</p>
<h3 id="configuration-files">Configuration files</h3>
<p>The configuration files are just standard pod definition in json or yaml format in specific directory. Use <code>kubelet --config=&lt;the directory&gt;</code> to start kubelet daemon, which periodically scans the directory and creates/deletes static pods as yaml/json files appear/disappear there.</p>
<p>For example, this is how to start a simple web server as a static pod:</p>
<ol>
<li>Choose a node where we want to run the static pod. In this example, its <code>my-minion1</code>.</li>
</ol>
<div class="highlight">
<pre><code class="language-console">[joe@host ~] $ ssh my-minion1
</code></pre>
</div>
<ol>
<li>Choose a directory, say <code>/etc/kubelet.d</code> and place a web server pod definition there, e.g. <code>/etc/kubernetes.d/static-web.yaml</code>:</li>
</ol>
<div class="highlight">
<pre><code class="language-console">[root@my-minion1 ~] $ mkdir /etc/kubernetes.d/
[root@my-minion1 ~] $ cat &lt;&lt;EOF &gt;/etc/kubernetes.d/static-web.yaml
apiVersion: v1
kind: Pod
metadata:
name: static-web
labels:
role: myrole
spec:
containers:
- name: web
image: nginx
ports:
- name: web
containerPort: 80
protocol: tcp
EOF
</code></pre>
</div>
<ol>
<li>
<p>Configure your kubelet daemon on the node to use this directory by running it with <code>--config=/etc/kubelet.d/</code> argument. On Fedora Fedora 21 with Kubernetes 0.17 edit <code>/etc/kubernetes/kubelet</code> to include this line:</p>
<p>```</p>
<p>KUBELET_ARGS=”cluster-dns=10.254.0.10 cluster-domain=kube.local config=/etc/kubelet.d/”</p>
<p>```</p>
<p>Instructions for other distributions or Kubernetes installations may vary.</p>
</li>
<li>
<p>Restart kubelet. On Fedora 21, this is:</p>
</li>
</ol>
<div class="highlight">
<pre><code class="language-console">[root@my-minion1 ~] $ systemctl restart kubelet
</code></pre>
</div>
<h2 id="pods-created-via-http">Pods created via HTTP</h2>
<p>Kubelet periodically downloads a file specified by <code>--manifest-url=&lt;URL&gt;</code> argument and interprets it as a json/yaml file with a pod definition. It works the same as <code>--config=&lt;directory&gt;</code>, i.e. its reloaded every now and then and changes are applied to running static pods (see below).</p>
<h2 id="behavior-of-static-pods">Behavior of static pods</h2>
<p>When kubelet starts, it automatically starts all pods defined in directory specified in <code>--config=</code> or <code>--manifest-url=</code> arguments, i.e. our static-web. (It may take some time to pull nginx image, be patient…):</p>
<div class="highlight">
<pre><code class="language-console">[joe@my-minion1 ~] $ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS NAMES
f6d05272b57e nginx:latest "nginx" 8 minutes ago Up 8 minutes k8s_web.6f802af4_static-web-fk-minion1_default_67e24ed9466ba55986d120c867395f3c_378e5f3c
</code></pre>
</div>
<p>If we look at our Kubernetes API server (running on host <code>my-master</code>), we see that a new mirror-pod was created there too:</p>
<div class="highlight">
<pre><code class="language-console">[joe@host ~] $ ssh my-master
[joe@my-master ~] $ kubectl get pods
POD IP CONTAINER(S) IMAGE(S) HOST LABELS STATUS CREATED MESSAGE
static-web-my-minion1 172.17.0.3 my-minion1/192.168.100.71 role=myrole Running 11 minutes
web nginx Running 11 minutes
</code></pre>
</div>
<p>Labels from the static pod are propagated into the mirror-pod and can be used as usual for filtering.</p>
<p>Notice we cannot delete the pod with the API server (e.g. via <a href="../user-guide/kubectl/kubectl.html"><code>kubectl</code></a> command), kubelet simply wont remove it.</p>
<div class="highlight">
<pre><code class="language-console">[joe@my-master ~] $ kubectl delete pod static-web-my-minion1
pods/static-web-my-minion1
[joe@my-master ~] $ kubectl get pods
POD IP CONTAINER(S) IMAGE(S) HOST ...
static-web-my-minion1 172.17.0.3 my-minion1/192.168.100.71 ...
</code></pre>
</div>
<p>Back to our <code>my-minion1</code> host, we can try to stop the container manually and see, that kubelet automatically restarts it in a while:</p>
<div class="highlight">
<pre><code class="language-console">[joe@host ~] $ ssh my-minion1
[joe@my-minion1 ~] $ docker stop f6d05272b57e
[joe@my-minion1 ~] $ sleep 20
[joe@my-minion1 ~] $ docker ps
CONTAINER ID IMAGE COMMAND CREATED ...
5b920cbaf8b1 nginx:latest "nginx -g 'daemon of 2 seconds ago ...
</code></pre>
</div>
<h2 id="dynamic-addition-and-removal-of-static-pods">Dynamic addition and removal of static pods</h2>
<p>Running kubelet periodically scans the configured directory (<code>/etc/kubelet.d</code> in our example) for changes and adds/removes pods as files appear/disappear in this directory.</p>
<div class="highlight">
<pre><code class="language-console">[joe@my-minion1 ~] $ mv /etc/kubernetes.d/static-web.yaml /tmp
[joe@my-minion1 ~] $ sleep 20
[joe@my-minion1 ~] $ docker ps
// no nginx container is running
[joe@my-minion1 ~] $ mv /tmp/static-web.yaml /etc/kubernetes.d/
[joe@my-minion1 ~] $ sleep 20
[joe@my-minion1 ~] $ docker ps
CONTAINER ID IMAGE COMMAND CREATED ...
e7a62e3427f1 nginx:latest "nginx -g 'daemon of 27 seconds ago
</code></pre>
</div>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/static-pods.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
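Review bot: the static-pod walkthrough is inconsistent about the manifest directory, so a reader who follows it verbatim ends up with a kubelet watching an empty directory and no pod. Step 2 says to choose `/etc/kubelet.d`, but the commands run `mkdir /etc/kubernetes.d/` and write `/etc/kubernetes.d/static-web.yaml`; the kubelet is then started with `--config=/etc/kubelet.d/`, the "Dynamic addition and removal" paragraph again says `/etc/kubelet.d`, and the `mv` commands at the end again use `/etc/kubernetes.d/`. Pick one path (`/etc/kubelet.d`, the one the `--config` argument names) and use it in every place. While in this file: the KUBELET_ARGS snippet is rendered as literal ``` paragraphs inside `<p>` instead of a code block, uses curly quotes (”) that will not parse if pasted into `/etc/kubernetes/kubelet`, and its flags have lost their leading dashes (they should read `--cluster-dns=10.254.0.10 --cluster-domain=kube.local --config=/etc/kubelet.d/`); the steps are emitted as three separate `<ol>` elements, so each step is numbered 1; `protocol: tcp` should be `protocol: TCP`, the value the API validates against; and apostrophes have been dropped in conversion ("its `my-minion1`", "kubelet simply wont remove it"). Since the page's own point is that any file placed in this directory becomes a pod the API server cannot delete, one sentence stating that the directory must be writable by root only would be a useful addition.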

View File

@ -0,0 +1,278 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - The Kubernetes API</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>The Kubernetes API</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="the-kubernetes-api">The Kubernetes API</h1>
<p>Primary system and API concepts are documented in the <a href="user-guide/README.html">User guide</a>.</p>
<p>Overall API conventions are described in the <a href="devel/api-conventions.html">API conventions doc</a>.</p>
<p>Complete API details are documented via <a href="http://swagger.io/">Swagger</a>. The Kubernetes apiserver (aka “master”) exports an API that can be used to retrieve the <a href="https://github.com/swagger-api/swagger-spec/tree/master/schemas/v1.2">Swagger spec</a> for the Kubernetes API, by default at <code>/swaggerapi</code>, and a UI you can use to browse the API documentation at <code>/swagger-ui</code>. We also periodically update a <a href="http://kubernetes.io/third_party/swagger-ui/">statically generated UI</a>.</p>
<p>Remote access to the API is discussed in the <a href="admin/accessing-the-api.html">access doc</a>.</p>
<p>The Kubernetes API also serves as the foundation for the declarative configuration schema for the system. The <a href="user-guide/kubectl/kubectl.html">Kubectl</a> command-line tool can be used to create, update, delete, and get API objects.</p>
<p>Kubernetes also stores its serialized state (currently in <a href="https://coreos.com/docs/distributed-configuration/getting-started-with-etcd/">etcd</a>) in terms of the API resources.</p>
<p>Kubernetes itself is decomposed into multiple components, which interact through its API.</p>
<h2 id="api-changes">API changes</h2>
<p>In our experience, any system that is successful needs to grow and change as new use cases emerge or existing ones change. Therefore, we expect the Kubernetes API to continuously change and grow. However, we intend to not break compatibility with existing clients, for an extended period of time. In general, new API resources and new resource fields can be expected to be added frequently. Elimination of resources or fields will require following a deprecation process. The precise deprecation policy for eliminating features is TBD, but once we reach our 1.0 milestone, there will be a specific policy.</p>
<p>What constitutes a compatible change and how to change the API are detailed by the <a href="devel/api_changes.html">API change document</a>.</p>
<h2 id="api-versioning">API versioning</h2>
<p>To make it easier to eliminate fields or restructure resource representations, Kubernetes supports
multiple API versions, each at a different API path, such as <code>/api/v1</code> or
<code>/apis/extensions/v1beta1</code>.</p>
<p>We chose to version at the API level rather than at the resource or field level to ensure that the API presents a clear, consistent view of system resources and behavior, and to enable controlling access to end-of-lifed and/or experimental APIs.</p>
<p>Note that API versioning and Software versioning are only indirectly related. The <a href="design/versioning.html">API and release
versioning proposal</a> describes the relationship between API versioning and
software versioning.</p>
<p>Different API versions imply different levels of stability and support. The criteria for each level are described
in more detail in the <a href="devel/api_changes.html#alpha-beta-and-stable-versions">API Changes documentation</a>. They are summarized here:</p>
<ul>
<li>Alpha level:
<ul>
<li>The version names contain <code>alpha</code> (e.g. <code>v1alpha1</code>).</li>
<li>May be buggy. Enabling the feature may expose bugs. Disabled by default.</li>
<li>Support for feature may be dropped at any time without notice.</li>
<li>The API may change in incompatible ways in a later software release without notice.</li>
<li>Recommended for use only in short-lived testing clusters, due to increased risk of bugs and lack of long-term support.</li>
</ul>
</li>
<li>Beta level:
<ul>
<li>The version names contain <code>beta</code> (e.g. <code>v2beta3</code>).</li>
<li>Code is well tested. Enabling the feature is considered safe. Enabled by default.</li>
<li>Support for the overall feature will not be dropped, though details may change.</li>
<li>The schema and/or semantics of objects may change in incompatible ways in a subsequent beta or stable release. When this happens,
we will provide instructions for migrating to the next version. This may require deleting, editing, and re-creating
API objects. The editing process may require some thought. This may require downtime for appplications that rely on the feature.</li>
<li>Recommended for only non-business-critical uses because of potential for incompatible changes in subsequent releases. If you have
multiple clusters which can be upgraded independently, you may be able to relax this restriction.</li>
<li><strong>Please do try our beta features and give feedback on them! Once they exit beta, it may not be practical for us to make more changes.</strong></li>
</ul>
</li>
<li>Stable level:
<ul>
<li>The version name is <code>vX</code> where <code>X</code> is an integer.</li>
<li>Stable versions of features will appear in released software for many subsequent versions.</li>
</ul>
</li>
</ul>
<h2 id="api-groups">API groups</h2>
<p>To make it easier to extend the Kubernetes API, we are in the process of implementing <a href="proposals/api-group.html"><em>API
groups</em></a>. These are simply different interfaces to read and/or modify the
same underlying resources. The API group is specified in a REST path and in the <code>apiVersion</code> field
of a serialized object.</p>
<p>Currently there are two API groups in use:</p>
<ol>
<li>the “core” group, which is at REST path <code>/api/v1</code> and is not specified as part of the <code>apiVersion</code> field, e.g.
<code>apiVersion: v1</code>.</li>
<li>the “extensions” group, which is at REST path <code>/apis/extensions/$VERSION</code>, and which uses
<code>apiVersion: extensions/$VERSION</code> (e.g. currently <code>apiVersion: extensions/v1beta1</code>).</li>
</ol>
<p>In the future we expect that there will be more API groups, all at REST path <code>/apis/$API_GROUP</code> and
using <code>apiVersion: $API_GROUP/$VERSION</code>. We expect that there will be a way for (third parties to
create their own API groups](design/extending-api.md), and to avoid naming collisions.</p>
<h2 id="enabling-resources-in-the-extensions-group">Enabling resources in the extensions group</h2>
<p>Jobs, Ingress and HorizontalPodAutoscalers are enabled by default.
Other extensions resources can be enabled by setting runtime-config on
apiserver. runtime-config accepts comma separated values. For ex: to enable deployments and disable jobs, set
<code>--runtime-config=extensions/v1beta1/deployments=true,extensions/v1beta1/jobs=false</code></p>
<h2 id="v1beta1-v1beta2-and-v1beta3-are-deprecated-please-move-to-v1-asap">v1beta1, v1beta2, and v1beta3 are deprecated; please move to v1 ASAP</h2>
<p>As of June 4, 2015, the Kubernetes v1 API has been enabled by default. The v1beta1 and v1beta2 APIs were deleted on June 1, 2015. v1beta3 is planned to be deleted on July 6, 2015.</p>
<h3 id="v1-conversion-tips-from-v1beta3">v1 conversion tips (from v1beta3)</h3>
<p>Were working to convert all documentation and examples to v1. A simple <a href="admin/cluster-management.html#switching-your-config-files-to-a-new-api-version">API conversion tool</a> has been written to simplify the translation process. Use <code>kubectl create --validate</code> in order to validate your json or yaml against our Swagger spec.</p>
<p>Changes to services are the most significant difference between v1beta3 and v1.</p>
<ul>
<li>The <code>service.spec.portalIP</code> property is renamed to <code>service.spec.clusterIP</code>.</li>
<li>The <code>service.spec.createExternalLoadBalancer</code> property is removed. Specify <code>service.spec.type: "LoadBalancer"</code> to create an external load balancer instead.</li>
<li>The <code>service.spec.publicIPs</code> property is deprecated and now called <code>service.spec.deprecatedPublicIPs</code>. This property will be removed entirely when v1beta3 is removed. The vast majority of users of this field were using it to expose services on ports on the node. Those users should specify <code>service.spec.type: "NodePort"</code> instead. Read <a href="user-guide/services.html#external-services">External Services</a> for more info. If this is not sufficient for your use case, please file an issue or contact @thockin.</li>
</ul>
<p>Some other difference between v1beta3 and v1:</p>
<ul>
<li>The <code>pod.spec.containers[*].privileged</code> and <code>pod.spec.containers[*].capabilities</code> properties are now nested under the <code>pod.spec.containers[*].securityContext</code> property. See <a href="user-guide/security-context.html">Security Contexts</a>.</li>
<li>The <code>pod.spec.host</code> property is renamed to <code>pod.spec.nodeName</code>.</li>
<li>The <code>endpoints.subsets[*].addresses.IP</code> property is renamed to <code>endpoints.subsets[*].addresses.ip</code>.</li>
<li>The <code>pod.status.containerStatuses[*].state.termination</code> and <code>pod.status.containerStatuses[*].lastState.termination</code> properties are renamed to <code>pod.status.containerStatuses[*].state.terminated</code> and <code>pod.status.containerStatuses[*].lastState.terminated</code> respectively.</li>
<li>The <code>pod.status.Condition</code> property is renamed to <code>pod.status.conditions</code>.</li>
<li>The <code>status.details.id</code> property is renamed to <code>status.details.name</code>.</li>
</ul>
<h3 id="v1beta3-conversion-tips-from-v1beta12">v1beta3 conversion tips (from v1beta1/2)</h3>
<p>Some important differences between v1beta1/2 and v1beta3:</p>
<ul>
<li>The resource <code>id</code> is now called <code>name</code>.</li>
<li><code>name</code>, <code>labels</code>, <code>annotations</code>, and other metadata are now nested in a map called <code>metadata</code></li>
<li><code>desiredState</code> is now called <code>spec</code>, and <code>currentState</code> is now called <code>status</code></li>
<li><code>/minions</code> has been moved to <code>/nodes</code>, and the resource has kind <code>Node</code></li>
<li>The namespace is required (for all namespaced resources) and has moved from a URL parameter to the path: <code>/api/v1beta3/namespaces/{namespace}/{resource_collection}/{resource_name}</code>. If you were not using a namespace before, use <code>default</code> here.</li>
<li>The names of all resource collections are now lower cased - instead of <code>replicationControllers</code>, use <code>replicationcontrollers</code>.</li>
<li>To watch for changes to a resource, open an HTTP or Websocket connection to the collection query and provide the <code>?watch=true</code> query parameter along with the desired <code>resourceVersion</code> parameter to watch from.</li>
<li>The <code>labels</code> query parameter has been renamed to <code>labelSelector</code>.</li>
<li>The <code>fields</code> query parameter has been renamed to <code>fieldSelector</code>.</li>
<li>The container <code>entrypoint</code> has been renamed to <code>command</code>, and <code>command</code> has been renamed to <code>args</code>.</li>
<li>Container, volume, and node resources are expressed as nested maps (e.g., <code>resources{cpu:1}</code>) rather than as individual fields, and resource values support <a href="user-guide/compute-resources.html#specifying-resource-quantities">scaling suffixes</a> rather than fixed scales (e.g., milli-cores).</li>
<li>Restart policy is represented simply as a string (e.g., <code>"Always"</code>) rather than as a nested map (<code>always{}</code>).</li>
<li>Pull policies changed from <code>PullAlways</code>, <code>PullNever</code>, and <code>PullIfNotPresent</code> to <code>Always</code>, <code>Never</code>, and <code>IfNotPresent</code>.</li>
<li>The volume <code>source</code> is inlined into <code>volume</code> rather than nested.</li>
<li>Host volumes have been changed from <code>hostDir</code> to <code>hostPath</code> to better reflect that they can be files or directories.</li>
</ul>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/api.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
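Review bot: in the "API groups" section the link about third parties creating their own API groups is malformed: `(third parties to create their own API groups](design/extending-api.md)` opens with a parenthesis instead of a bracket, so it renders as literal text rather than a link, and it still targets a `.md` file while every other link on the page has been rewritten to `.html`. Two more items in this file: the page title is emitted twice (`<h1>The Kubernetes API</h1>` directly followed by `<h1 id="the-kubernetes-api">The Kubernetes API</h1>`), and the deprecation section still says "once we reach our 1.0 milestone" and "v1beta3 is planned to be deleted on July 6, 2015" on a page whose version dropdown reads "Version 1.1", so those sentences need updating or a note that the beta APIs are already gone. Template-level issues that appear in each new file: the header nav boxes carry lorem ipsum copy and empty `href=""` links (including "View On Github"), and the footer Community link points at `/foobang.html`.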

View File

@ -0,0 +1,152 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Design Overview</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Design Overview</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-design-overview">Kubernetes Design Overview</h1>
<p>Kubernetes is a system for managing containerized applications across multiple hosts, providing basic mechanisms for deployment, maintenance, and scaling of applications.</p>
<p>Kubernetes establishes robust declarative primitives for maintaining the desired state requested by the user. We see these primitives as the main value added by Kubernetes. Self-healing mechanisms, such as auto-restarting, re-scheduling, and replicating containers require active controllers, not just imperative orchestration.</p>
<p>Kubernetes is primarily targeted at applications composed of multiple containers, such as elastic, distributed micro-services. It is also designed to facilitate migration of non-containerized application stacks to Kubernetes. It therefore includes abstractions for grouping containers in both loosely coupled and tightly coupled formations, and provides ways for containers to find and communicate with each other in relatively familiar ways.</p>
<p>Kubernetes enables users to ask a cluster to run a set of containers. The system automatically chooses hosts to run those containers on. While Kubernetess scheduler is currently very simple, we expect it to grow in sophistication over time. Scheduling is a policy-rich, topology-aware, workload-specific function that significantly impacts availability, performance, and capacity. The scheduler needs to take into account individual and collective resource requirements, quality of service requirements, hardware/software/policy constraints, affinity and anti-affinity specifications, data locality, inter-workload interference, deadlines, and so on. Workload-specific requirements will be exposed through the API as necessary.</p>
<p>Kubernetes is intended to run on a number of cloud providers, as well as on physical hosts.</p>
<p>A single Kubernetes cluster is not intended to span multiple availability zones. Instead, we recommend building a higher-level layer to replicate complete deployments of highly available applications across multiple zones (see <a href="../admin/multi-cluster.html">the multi-cluster doc</a> and <a href="../proposals/federation.html">cluster federation proposal</a> for more details).</p>
<p>Finally, Kubernetes aspires to be an extensible, pluggable, building-block OSS platform and toolkit. Therefore, architecturally, we want Kubernetes to be built as a collection of pluggable components and layers, with the ability to use alternative schedulers, controllers, storage systems, and distribution mechanisms, and were evolving its current code in that direction. Furthermore, we want others to be able to extend Kubernetes functionality, such as with higher-level PaaS functionality or multi-cluster layers, without modification of core Kubernetes source. Therefore, its API isnt just (or even necessarily mainly) targeted at end users, but at tool and extension developers. Its APIs are intended to serve as the foundation for an open ecosystem of tools, automation systems, and higher-level API layers. Consequently, there are no “internal” inter-component APIs. All APIs are visible and available, including the APIs used by the scheduler, the node controller, the replication-controller manager, Kubelets API, etc. Theres no glass to break in order to handle more complex use cases, one can just access the lower-level APIs in a fully transparent, composable manner.</p>
<p>For more about the Kubernetes architecture, see <a href="architecture.html">architecture</a>.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
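Review bot: the heading is duplicated here as in the other files in this commit (`<h1>Kubernetes Design Overview</h1>` followed by `<h1 id="kubernetes-design-overview">Kubernetes Design Overview</h1>`), and the hero section is emitted with empty `<h1></h1>` and `<h5></h5>` elements that render as blank space. The body text has also lost its apostrophes during conversion ("Kubernetess scheduler", "were evolving", "isnt just", "Kubelets API", "Theres no glass to break"), which reads as a run of typos; since this affects every converted page, fixing the converter's handling of curly quotes is preferable to patching the pages one at a time.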

View File

@ -0,0 +1,385 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - K8s Identity and Access Management Sketch</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>K8s Identity and Access Management Sketch</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="k8s-identity-and-access-management-sketch">K8s Identity and Access Management Sketch</h1>
<p>This document suggests a direction for identity and access management in the Kubernetes system.</p>
<h2 id="background">Background</h2>
<p>High level goals are:
- Have a plan for how identity, authentication, and authorization will fit in to the API.
- Have a plan for partitioning resources within a cluster between independent organizational units.
- Ease integration with existing enterprise and hosted scenarios.</p>
<h3 id="actors">Actors</h3>
<p>Each of these can act as normal users or attackers.
- External Users: People who are accessing applications running on K8s (e.g. a web site served by webserver running in a container on K8s), but who do not have K8s API access.
- K8s Users : People who access the K8s API (e.g. create K8s API objects like Pods)
- K8s Project Admins: People who manage access for some K8s Users
- K8s Cluster Admins: People who control the machines, networks, or binaries that make up a K8s cluster.
- K8s Admin means K8s Cluster Admins and K8s Project Admins taken together.</p>
<h3 id="threats">Threats</h3>
<p>Both intentional attacks and accidental use of privilege are concerns.</p>
<p>For both cases it may be useful to think about these categories differently:
- Application Path - attack by sending network messages from the internet to the IP/port of any application running on K8s. May exploit weakness in application or misconfiguration of K8s.
- K8s API Path - attack by sending network messages to any K8s API endpoint.
- Insider Path - attack on K8s system components. Attacker may have privileged access to networks, machines or K8s software and data. Software errors in K8s system components and administrator error are some types of threat in this category.</p>
<p>This document is primarily concerned with K8s API paths, and secondarily with Internal paths. The Application path also needs to be secure, but is not the focus of this document.</p>
<h3 id="assets-to-protect">Assets to protect</h3>
<p>External User assets:
- Personal information like private messages, or images uploaded by External Users.
- web server logs.</p>
<p>K8s User assets:
- External User assets of each K8s User.
- things private to the K8s app, like:
- credentials for accessing other services (docker private repos, storage services, facebook, etc)
- SSL certificates for web servers
- proprietary data and code</p>
<p>K8s Cluster assets:
- Assets of each K8s User.
- Machine Certificates or secrets.
- The value of K8s cluster computing resources (cpu, memory, etc).</p>
<p>This document is primarily about protecting K8s User assets and K8s cluster assets from other K8s Users and K8s Project and Cluster Admins.</p>
<h3 id="usage-environments">Usage environments</h3>
<p>Cluster in Small organization:
- K8s Admins may be the same people as K8s Users.
- few K8s Admins.
- prefer ease of use to fine-grained access control/precise accounting, etc.
- Product requirement that it be easy for potential K8s Cluster Admin to try out setting up a simple cluster.</p>
<p>Cluster in Large organization:
- K8s Admins typically distinct people from K8s Users. May need to divide K8s Cluster Admin access by roles.
- K8s Users need to be protected from each other.
- Auditing of K8s User and K8s Admin actions important.
- flexible accurate usage accounting and resource controls important.
- Lots of automated access to APIs.
- Need to integrate with existing enterprise directory, authentication, accounting, auditing, and security policy infrastructure.</p>
<p>Org-run cluster:
- organization that runs K8s master components is same as the org that runs apps on K8s.
- Nodes may be on-premises VMs or physical machines; Cloud VMs; or a mix.</p>
<p>Hosted cluster:
- Offering K8s API as a service, or offering a Paas or Saas built on K8s.
- May already offer web services, and need to integrate with existing customer account concept, and existing authentication, accounting, auditing, and security policy infrastructure.
- May want to leverage K8s User accounts and accounting to manage their User accounts (not a priority to support this use case.)
- Precise and accurate accounting of resources needed. Resource controls needed for hard limits (Users given limited slice of data) and soft limits (Users can grow up to some limit and then be expanded).</p>
<p>K8s ecosystem services:
- There may be companies that want to offer their existing services (Build, CI, A/B-test, release automation, etc) for use with K8s. There should be some story for this case.</p>
<p>Pods configs should be largely portable between Org-run and hosted configurations.</p>
<h1 id="design">Design</h1>
<p>Related discussion:
- http://issue.k8s.io/442
- http://issue.k8s.io/443</p>
<p>This doc describes two security profiles:
- Simple profile: like single-user mode. Make it easy to evaluate K8s without lots of configuring accounts and policies. Protects from unauthorized users, but does not partition authorized users.
- Enterprise profile: Provide mechanisms needed for large numbers of users. Defense in depth. Should integrate with existing enterprise security infrastructure.</p>
<p>K8s distribution should include templates of config, and documentation, for simple and enterprise profiles. System should be flexible enough for knowledgeable users to create intermediate profiles, but K8s developers should only reason about those two Profiles, not a matrix.</p>
<p>Features in this doc are divided into “Initial Feature”, and “Improvements”. Initial features would be candidates for version 1.00.</p>
<h2 id="identity">Identity</h2>
<h3 id="useraccount">userAccount</h3>
<p>K8s will have a <code>userAccount</code> API object.
- <code>userAccount</code> has a UID which is immutable. This is used to associate users with objects and to record actions in audit logs.
- <code>userAccount</code> has a name which is a string and human readable and unique among userAccounts. It is used to refer to users in Policies, to ensure that the Policies are human readable. It can be changed only when there are no Policy objects or other objects which refer to that name. An email address is a suggested format for this field.
- <code>userAccount</code> is not related to the unix username of processes in Pods created by that userAccount.
- <code>userAccount</code> API objects can have labels.</p>
<p>The system may associate one or more Authentication Methods with a
<code>userAccount</code> (but they are not formally part of the userAccount object.)
In a simple deployment, the authentication method for a
user might be an authentication token which is verified by a K8s server. In a
more complex deployment, the authentication might be delegated to
another system which is trusted by the K8s API to authenticate users, but where
the authentication details are unknown to K8s.</p>
<p>Initial Features:
- there is no superuser <code>userAccount</code>
- <code>userAccount</code> objects are statically populated in the K8s API store by reading a config file. Only a K8s Cluster Admin can do this.
- <code>userAccount</code> can have a default <code>namespace</code>. If API call does not specify a <code>namespace</code>, the default <code>namespace</code> for that caller is assumed.
- <code>userAccount</code> is global. A single human with access to multiple namespaces is recommended to only have one userAccount.</p>
<p>Improvements:
- Make <code>userAccount</code> part of a separate API group from core K8s objects like <code>pod</code>. Facilitates plugging in alternate Access Management.</p>
<p>Simple Profile:
- single <code>userAccount</code>, used by all K8s Users and Project Admins. One access token shared by all.</p>
<p>Enterprise Profile:
- every human user has own <code>userAccount</code>.
- <code>userAccount</code>s have labels that indicate both membership in groups, and ability to act in certain roles.
- each service using the API has own <code>userAccount</code> too. (e.g. <code>scheduler</code>, <code>repcontroller</code>)
- automated jobs to denormalize the ldap group info into the local system list of users into the K8s userAccount file.</p>
<h3 id="unix-accounts">Unix accounts</h3>
<p>A <code>userAccount</code> is not a Unix user account. The fact that a pod is started by a <code>userAccount</code> does not mean that the processes in that pods containers run as a Unix user with a corresponding name or identity.</p>
<p>Initially:
- The unix accounts available in a container, and used by the processes running in a container are those that are provided by the combination of the base operating system and the Docker manifest.
- Kubernetes doesnt enforce any relation between <code>userAccount</code> and unix accounts.</p>
<p>Improvements:
- Kubelet allocates disjoint blocks of root-namespace uids for each container. This may provide some defense-in-depth against container escapes. (https://github.com/docker/docker/pull/4572)
- requires docker to integrate user namespace support, and deciding what getpwnam() does for these uids.
- any features that help users avoid use of privileged containers (http://issue.k8s.io/391)</p>
<h3 id="namespaces">Namespaces</h3>
<p>K8s will have a have a <code>namespace</code> API object. It is similar to a Google Compute Engine <code>project</code>. It provides a namespace for objects created by a group of people co-operating together, preventing name collisions with non-cooperating groups. It also serves as a reference point for authorization policies.</p>
<p>Namespaces are described in <a href="namespaces.html">namespaces.md</a>.</p>
<p>In the Enterprise Profile:
- a <code>userAccount</code> may have permission to access several <code>namespace</code>s.</p>
<p>In the Simple Profile:
- There is a single <code>namespace</code> used by the single user.</p>
<p>Namespaces versus userAccount vs Labels:
- <code>userAccount</code>s are intended for audit logging (both name and UID should be logged), and to define who has access to <code>namespace</code>s.
- <code>labels</code> (see <a href="../../docs/user-guide/labels.html">docs/user-guide/labels.md</a>) should be used to distinguish pods, users, and other objects that cooperate towards a common goal but are different in some way, such as version, or responsibilities.
- <code>namespace</code>s prevent name collisions between uncoordinated groups of people, and provide a place to attach common policies for co-operating groups of people.</p>
<h2 id="authentication">Authentication</h2>
<p>Goals for K8s authentication:
- Include a built-in authentication system with no configuration required to use in single-user mode, and little configuration required to add several user accounts, and no https proxy required.
- Allow for authentication to be handled by a system external to Kubernetes, to allow integration with existing to enterprise authorization systems. The Kubernetes namespace itself should avoid taking contributions of multiple authorization schemes. Instead, a trusted proxy in front of the apiserver can be used to authenticate users.
- For organizations whose security requirements only allow FIPS compliant implementations (e.g. apache) for authentication.
- So the proxy can terminate SSL, and isolate the CA-signed certificate from less trusted, higher-touch APIserver.
- For organizations that already have existing SaaS web services (e.g. storage, VMs) and want a common authentication portal.
- Avoid mixing authentication and authorization, so that authorization policies be centrally managed, and to allow changes in authentication methods without affecting authorization code.</p>
<p>Initially:
- Tokens used to authenticate a user.
- Long lived tokens identify a particular <code>userAccount</code>.
- Administrator utility generates tokens at cluster setup.
- OAuth2.0 Bearer tokens protocol, http://tools.ietf.org/html/rfc6750
- No scopes for tokens. Authorization happens in the API server
- Tokens dynamically generated by apiserver to identify pods which are making API calls.
- Tokens checked in a module of the APIserver.
- Authentication in apiserver can be disabled by flag, to allow testing without authorization enabled, and to allow use of an authenticating proxy. In this mode, a query parameter or header added by the proxy will identify the caller.</p>
<p>Improvements:
- Refresh of tokens.
- SSH keys to access inside containers.</p>
<p>To be considered for subsequent versions:
- Fuller use of OAuth (http://tools.ietf.org/html/rfc6749)
- Scoped tokens.
- Tokens that are bound to the channel between the client and the api server
- http://www.ietf.org/proceedings/90/slides/slides-90-uta-0.pdf
- http://www.browserauth.net</p>
<h2 id="authorization">Authorization</h2>
<p>K8s authorization should:
- Allow for a range of maturity levels, from single-user for those test driving the system, to integration with existing to enterprise authorization systems.
- Allow for centralized management of users and policies. In some organizations, this will mean that the definition of users and access policies needs to reside on a system other than k8s and encompass other web services (such as a storage service).
- Allow processes running in K8s Pods to take on identity, and to allow narrow scoping of permissions for those identities in order to limit damage from software faults.
- Have Authorization Policies exposed as API objects so that a single config file can create or delete Pods, Replication Controllers, Services, and the identities and policies for those Pods and Replication Controllers.
- Be separate as much as practical from Authentication, to allow Authentication methods to change over time and space, without impacting Authorization policies.</p>
<p>K8s will implement a relatively simple
<a href="http://en.wikipedia.org/wiki/Attribute_Based_Access_Control">Attribute-Based Access Control</a> model.
The model will be described in more detail in a forthcoming document. The model will
- Be less complex than XACML
- Be easily recognizable to those familiar with Amazon IAM Policies.
- Have a subset/aliases/defaults which allow it to be used in a way comfortable to those users more familiar with Role-Based Access Control.</p>
<p>Authorization policy is set by creating a set of Policy objects.</p>
<p>The API Server will be the Enforcement Point for Policy. For each API call that it receives, it will construct the Attributes needed to evaluate the policy (what user is making the call, what resource they are accessing, what they are trying to do that resource, etc) and pass those attributes to a Decision Point. The Decision Point code evaluates the Attributes against all the Policies and allows or denies the API call. The system will be modular enough that the Decision Point code can either be linked into the APIserver binary, or be another service that the apiserver calls for each Decision (with appropriate time-limited caching as needed for performance).</p>
<p>Policy objects may be applicable only to a single namespace or to all namespaces; K8s Project Admins would be able to create those as needed. Other Policy objects may be applicable to all namespaces; a K8s Cluster Admin might create those in order to authorize a new type of controller to be used by all namespaces, or to make a K8s User into a K8s Project Admin.)</p>
<h2 id="accounting">Accounting</h2>
<p>The API should have a <code>quota</code> concept (see http://issue.k8s.io/442). A quota object relates a namespace (and optionally a label selector) to a maximum quantity of resources that may be used (see <a href="resources.html">resources design doc</a>).</p>
<p>Initially:
- a <code>quota</code> object is immutable.
- for hosted K8s systems that do billing, Project is recommended level for billing accounts.
- Every object that consumes resources should have a <code>namespace</code> so that Resource usage stats are roll-up-able to <code>namespace</code>.
- K8s Cluster Admin sets quota objects by writing a config file.</p>
<p>Improvements:
- allow one namespace to charge the quota for one or more other namespaces. This would be controlled by a policy which allows changing a billing_namespace= label on an object.
- allow quota to be set by namespace owners for (namespace x label) combinations (e.g. let “webserver” namespace use 100 cores, but to prevent accidents, dont allow “webserver” namespace and “instance=test” use more than 10 cores.
- tools to help write consistent quota config files based on number of nodes, historical namespace usages, QoS needs, etc.
- way for K8s Cluster Admin to incrementally adjust Quota objects.</p>
<p>Simple profile:
- a single <code>namespace</code> with infinite resource limits.</p>
<p>Enterprise profile:
- multiple namespaces each with their own limits.</p>
<p>Issues:
- need for locking or “eventual consistency” when multiple apiserver goroutines are accessing the object store and handling pod creations.</p>
<h2 id="audit-logging">Audit Logging</h2>
<p>API actions can be logged.</p>
<p>Initial implementation:
- All API calls logged to nginx logs.</p>
<p>Improvements:
- API server does logging instead.
- Policies to drop logging for high rate trusted API calls, or by users performing audit or other sensitive functions.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/access.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
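Review bot: the bulleted lists throughout this file were never converted to `<ul>` elements. The Markdown source runs each list straight after a colon-terminated line with no blank line in between, so Jekyll emits the bullets as literal text inside the paragraph, e.g. `<p>High level goals are:` followed by `- Have a plan for how identity, authentication, and authorization will fit in to the API.`, and the same happens to every "Initially:", "Improvements:", "Simple Profile:" and "Enterprise Profile:" block. Insert a blank line before each list in the source .md (or handle it in the munger); otherwise the rendered page is a wall of dashes. Two smaller points: the authentication paragraph that says the apiserver can run with authentication disabled so that "a query parameter or header added by the proxy will identify the caller" should also say that in this mode the apiserver must be reachable only from the proxy and that the proxy must overwrite any caller-supplied copy of that header, because as written nothing in the text says what stops a client from setting the identity header itself; and the page chrome still carries template placeholders (`href=""` on the Get Started/Documentation/View On Github links, lorem ipsum nav copy, and `/foobang.html` as the footer Community link).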

View File

@ -0,0 +1,271 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Proposal - Admission Control</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Proposal - Admission Control</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-proposal---admission-control">Kubernetes Proposal - Admission Control</h1>
<p><strong>Related PR:</strong></p>
<table>
<thead>
<tr>
<th>Topic</th>
<th>Link</th>
</tr>
</thead>
<tbody>
<tr>
<td>Separate validation from RESTStorage</td>
<td>http://issue.k8s.io/2977</td>
</tr>
</tbody>
</table>
<h2 id="background">Background</h2>
<p>High level goals:</p>
<ul>
<li>Enable an easy-to-use mechanism to provide admission control to cluster</li>
<li>Enable a provider to support multiple admission control strategies or author their own</li>
<li>Ensure any rejected request can propagate errors back to the caller with why the request failed</li>
</ul>
<p>Authorization via policy is focused on answering if a user is authorized to perform an action.</p>
<p>Admission Control is focused on if the system will accept an authorized action.</p>
<p>Kubernetes may choose to dismiss an authorized action based on any number of admission control strategies.</p>
<p>This proposal documents the basic design, and describes how any number of admission control plug-ins could be injected.</p>
<p>Implementation of specific admission control strategies are handled in separate documents.</p>
<h2 id="kube-apiserver">kube-apiserver</h2>
<p>The kube-apiserver takes the following OPTIONAL arguments to enable admission control</p>
<table>
<thead>
<tr>
<th>Option</th>
<th>Behavior</th>
</tr>
</thead>
<tbody>
<tr>
<td>admission-control</td>
<td>Comma-delimited, ordered list of admission control choices to invoke prior to modifying or deleting an object.</td>
</tr>
<tr>
<td>admission-control-config-file</td>
<td>File with admission control configuration parameters to boot-strap plug-in.</td>
</tr>
</tbody>
</table>
<p>An <strong>AdmissionControl</strong> plug-in is an implementation of the following interface:</p>
<div class="highlight">
<pre><code class="language-go">package admission
// Attributes is an interface used by a plug-in to make an admission decision on a individual request.
type Attributes interface {
GetNamespace() string
GetKind() string
GetOperation() string
GetObject() runtime.Object
}
// Interface is an abstract, pluggable interface for Admission Control decisions.
type Interface interface {
// Admit makes an admission decision based on the request attributes
// An error is returned if it denies the request.
Admit(a Attributes) (err error)
}
</code></pre>
</div>
<p>A <strong>plug-in</strong> must be compiled with the binary, and is registered as an available option by providing a name, and implementation
of admission.Interface.</p>
<div class="highlight">
<pre><code class="language-go">func init() {
admission.RegisterPlugin("AlwaysDeny", func(client client.Interface, config io.Reader) (admission.Interface, error) { return NewAlwaysDeny(), nil })
}
</code></pre>
</div>
<p>Invocation of admission control is handled by the <strong>APIServer</strong> and not individual <strong>RESTStorage</strong> implementations.</p>
<p>This design assumes that <strong>Issue 297</strong> is adopted, and as a consequence, the general framework of the APIServer request/response flow will ensure the following:</p>
<ol>
<li>Incoming request</li>
<li>Authenticate user</li>
<li>Authorize user</li>
<li>
<table>
<tbody>
<tr>
<td>If operation=create</td>
<td>update</td>
<td>delete</td>
<td>connect, then admission.Admit(requestAttributes)</td>
</tr>
</tbody>
</table>
<ul>
<li>invoke each admission.Interface object in sequence</li>
</ul>
</li>
<li>Case on the operation:
<ul>
<li>
<table>
<tbody>
<tr>
<td>If operation=create</td>
<td>update, then validate(object) and persist</td>
</tr>
</tbody>
</table>
</li>
<li>If operation=delete, delete the object</li>
<li>If operation=connect, exec</li>
</ul>
</li>
</ol>
<p>If at any step, there is an error, the request is canceled.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/admission_control.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
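Review bot: step 4 of the ordered request-flow list is broken by unescaped pipe characters. The source text `If operation=create|update|delete|connect, then admission.Admit(requestAttributes)` has been rendered as a four-column `<table>` (`<td>If operation=create</td>` / `<td>update</td>` / `<td>delete</td>`), and the create|update case under step 5 is mangled the same way, so the page no longer states which operations trigger `admission.Admit`. Escape the pipes (`\|`) or put the expression in backticks in the source so each case renders as one list item. Separately, `This design assumes that <strong>Issue 297</strong> is adopted` does not match the only related issue in the table at the top of the page, http://issue.k8s.io/2977; one of the two numbers looks like a typo and they should be reconciled.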

View File

@ -0,0 +1,401 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Admission control plugin: LimitRanger</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Admission control plugin: LimitRanger</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="admission-control-plugin-limitranger">Admission control plugin: LimitRanger</h1>
<h2 id="background">Background</h2>
<p>This document proposes a system for enforcing resource requirements constraints as part of admission control.</p>
<h2 id="use-cases">Use cases</h2>
<ol>
<li>Ability to enumerate resource requirement constraints per namespace</li>
<li>Ability to enumerate min/max resource constraints for a pod</li>
<li>Ability to enumerate min/max resource constraints for a container</li>
<li>Ability to specify default resource limits for a container</li>
<li>Ability to specify default resource requests for a container</li>
<li>Ability to enforce a ratio between request and limit for a resource.</li>
</ol>
<h2 id="data-model">Data Model</h2>
<p>The <strong>LimitRange</strong> resource is scoped to a <strong>Namespace</strong>.</p>
<h3 id="type">Type</h3>
<div class="highlight">
<pre><code class="language-go">// LimitType is a type of object that is limited
type LimitType string
const (
// Limit that applies to all pods in a namespace
LimitTypePod LimitType = "Pod"
// Limit that applies to all containers in a namespace
LimitTypeContainer LimitType = "Container"
)
// LimitRangeItem defines a min/max usage limit for any resource that matches on kind.
type LimitRangeItem struct {
// Type of resource that this limit applies to.
Type LimitType `json:"type,omitempty"`
// Max usage constraints on this kind by resource name.
Max ResourceList `json:"max,omitempty"`
// Min usage constraints on this kind by resource name.
Min ResourceList `json:"min,omitempty"`
// Default resource requirement limit value by resource name if resource limit is omitted.
Default ResourceList `json:"default,omitempty"`
// DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.
DefaultRequest ResourceList `json:"defaultRequest,omitempty"`
// MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.
MaxLimitRequestRatio ResourceList `json:"maxLimitRequestRatio,omitempty"`
}
// LimitRangeSpec defines a min/max usage limit for resources that match on kind.
type LimitRangeSpec struct {
// Limits is the list of LimitRangeItem objects that are enforced.
Limits []LimitRangeItem `json:"limits"`
}
// LimitRange sets resource usage limits for each kind of resource in a Namespace.
type LimitRange struct {
TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: http://releases.k8s.io/release-1.1/docs/devel/api-conventions.md#metadata
ObjectMeta `json:"metadata,omitempty"`
// Spec defines the limits enforced.
// More info: http://releases.k8s.io/release-1.1/docs/devel/api-conventions.md#spec-and-status
Spec LimitRangeSpec `json:"spec,omitempty"`
}
// LimitRangeList is a list of LimitRange items.
type LimitRangeList struct {
TypeMeta `json:",inline"`
// Standard list metadata.
// More info: http://releases.k8s.io/release-1.1/docs/devel/api-conventions.md#types-kinds
ListMeta `json:"metadata,omitempty"`
// Items is a list of LimitRange objects.
// More info: http://releases.k8s.io/release-1.1/docs/design/admission_control_limit_range.md
Items []LimitRange `json:"items"`
}
</code></pre>
</div>
<h3 id="validation">Validation</h3>
<p>Validation of a <strong>LimitRange</strong> enforces that for a given named resource the following rules apply:</p>
<p>Min (if specified) &lt;= DefaultRequest (if specified) &lt;= Default (if specified) &lt;= Max (if specified)</p>
<h3 id="default-value-behavior">Default Value Behavior</h3>
<p>The following default value behaviors are applied to a LimitRange for a given named resource.</p>
<pre><code>
if LimitRangeItem.Default[resourceName] is undefined
if LimitRangeItem.Max[resourceName] is defined
LimitRangeItem.Default[resourceName] = LimitRangeItem.Max[resourceName]
</code></pre>
<pre><code>
if LimitRangeItem.DefaultRequest[resourceName] is undefined
if LimitRangeItem.Default[resourceName] is defined
LimitRangeItem.DefaultRequest[resourceName] = LimitRangeItem.Default[resourceName]
else if LimitRangeItem.Min[resourceName] is defined
LimitRangeItem.DefaultRequest[resourceName] = LimitRangeItem.Min[resourceName]
</code></pre>
<h2 id="admissioncontrol-plugin-limitranger">AdmissionControl plugin: LimitRanger</h2>
<p>The <strong>LimitRanger</strong> plug-in introspects all incoming pod requests and evaluates the constraints defined on a LimitRange.</p>
<p>If a constraint is not specified for an enumerated resource, it is not enforced or tracked.</p>
<p>To enable the plug-in and support for LimitRange, the kube-apiserver must be configured as follows:</p>
<div class="highlight">
<pre><code class="language-console">$ kube-apiserver --admission-control=LimitRanger
</code></pre>
</div>
<h3 id="enforcement-of-constraints">Enforcement of constraints</h3>
<p><strong>Type: Container</strong></p>
<p>Supported Resources:</p>
<ol>
<li>memory</li>
<li>cpu</li>
</ol>
<p>Supported Constraints:</p>
<p>Per container, the following must hold true</p>
<table>
<thead>
<tr>
<th>Constraint</th>
<th>Behavior</th>
</tr>
</thead>
<tbody>
<tr>
<td>Min</td>
<td>Min &lt;= Request (required) &lt;= Limit (optional)</td>
</tr>
<tr>
<td>Max</td>
<td>Limit (required) &lt;= Max</td>
</tr>
<tr>
<td>LimitRequestRatio</td>
<td>LimitRequestRatio &lt;= ( Limit (required, non-zero) / Request (required, non-zero))</td>
</tr>
</tbody>
</table>
<p>Supported Defaults:</p>
<ol>
<li>Default - if the named resource has no enumerated value, the Limit is equal to the Default</li>
<li>DefaultRequest - if the named resource has no enumerated value, the Request is equal to the DefaultRequest</li>
</ol>
<p><strong>Type: Pod</strong></p>
<p>Supported Resources:</p>
<ol>
<li>memory</li>
<li>cpu</li>
</ol>
<p>Supported Constraints:</p>
<p>Across all containers in pod, the following must hold true</p>
<table>
<thead>
<tr>
<th>Constraint</th>
<th>Behavior</th>
</tr>
</thead>
<tbody>
<tr>
<td>Min</td>
<td>Min &lt;= Request (required) &lt;= Limit (optional)</td>
</tr>
<tr>
<td>Max</td>
<td>Limit (required) &lt;= Max</td>
</tr>
<tr>
<td>LimitRequestRatio</td>
<td>LimitRequestRatio &lt;= ( Limit (required, non-zero) / Request (non-zero) )</td>
</tr>
</tbody>
</table>
<h2 id="run-time-configuration">Run-time configuration</h2>
<p>The default <code>LimitRange</code> that is applied via Salt configuration will be updated as follows:</p>
<pre><code>
apiVersion: "v1"
kind: "LimitRange"
metadata:
name: "limits"
namespace: default
spec:
limits:
- type: "Container"
defaultRequests:
cpu: "100m"
</code></pre>
<h2 id="example">Example</h2>
<p>An example LimitRange configuration:</p>
<table>
<thead>
<tr>
<th>Type</th>
<th>Resource</th>
<th>Min</th>
<th>Max</th>
<th>Default</th>
<th>DefaultRequest</th>
<th>LimitRequestRatio</th>
</tr>
</thead>
<tbody>
<tr>
<td>Container</td>
<td>cpu</td>
<td>.1</td>
<td>1</td>
<td>500m</td>
<td>250m</td>
<td>4</td>
</tr>
<tr>
<td>Container</td>
<td>memory</td>
<td>250Mi</td>
<td>1Gi</td>
<td>500Mi</td>
<td>250Mi</td>
<td> </td>
</tr>
</tbody>
</table>
<p>Assuming an incoming container that specified no incoming resource requirements,
the following would happen.</p>
<ol>
<li>The incoming container cpu would request 250m with a limit of 500m.</li>
<li>The incoming container memory would request 250Mi with a limit of 500Mi</li>
<li>If the container is later resized, its cpu would be constrained to between .1 and 1 and the ratio of limit to request could not exceed 4.</li>
</ol>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/admission_control_limit_range.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
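Review bot: the MaxLimitRequestRatio rows in both enforcement tables state the constraint backwards. The comment on `MaxLimitRequestRatio` says limit divided by request must be less than or equal to the enumerated value, and step 3 of the example agrees ("the ratio of limit to request could not exceed 4"), but the tables read `LimitRequestRatio <= ( Limit (required, non-zero) / Request (required, non-zero))`, which would permit unbounded burst; suggest `Limit (required, non-zero) / Request (required, non-zero) <= MaxLimitRequestRatio`, and use the field's real name (`MaxLimitRequestRatio`, JSON `maxLimitRequestRatio`) in the Constraint column and the example table header so the rows can be matched to the type. Two smaller things on the same page: the Salt default LimitRange uses the key `defaultRequests:` while the JSON tag is `defaultRequest`, so the key is not recognized and the intended 100m default request is never applied; and `$ kube-apiserver --admission-control=LimitRanger` replaces the whole admission chain with this one plugin (the flag is an ordered, comma-separated list), even though the ResourceQuota page in this same commit depends on LimitRanger running ahead of ResourceQuota so that DefaultRequest is filled in before a pod that enumerates no request is rejected; showing the full ordered list would avoid both pitfalls. The duplicated H1 (a plain `<h1>` followed by `<h1 id="admission-control-plugin-limitranger">`), the leftover MUNGE comment markers, and the analytics pixel (an `<a href="">` wrapping an image fetched from kubernetes-site.appspot.com on every view) also look like residue the pure-Jekyll conversion was meant to remove.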


@ -0,0 +1,432 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Admission control plugin: ResourceQuota</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Admission control plugin: ResourceQuota</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="admission-control-plugin-resourcequota">Admission control plugin: ResourceQuota</h1>
<h2 id="background">Background</h2>
<p>This document describes a system for enforcing hard resource usage limits per namespace as part of admission control.</p>
<h2 id="use-cases">Use cases</h2>
<ol>
<li>Ability to enumerate resource usage limits per namespace.</li>
<li>Ability to monitor resource usage for tracked resources.</li>
<li>Ability to reject resource usage exceeding hard quotas.</li>
</ol>
<h2 id="data-model">Data Model</h2>
<p>The <strong>ResourceQuota</strong> object is scoped to a <strong>Namespace</strong>.</p>
<div class="highlight">
<pre><code class="language-go">// The following identify resource constants for Kubernetes object types
const (
// Pods, number
ResourcePods ResourceName = "pods"
// Services, number
ResourceServices ResourceName = "services"
// ReplicationControllers, number
ResourceReplicationControllers ResourceName = "replicationcontrollers"
// ResourceQuotas, number
ResourceQuotas ResourceName = "resourcequotas"
// ResourceSecrets, number
ResourceSecrets ResourceName = "secrets"
// ResourcePersistentVolumeClaims, number
ResourcePersistentVolumeClaims ResourceName = "persistentvolumeclaims"
)
// ResourceQuotaSpec defines the desired hard limits to enforce for Quota
type ResourceQuotaSpec struct {
// Hard is the set of desired hard limits for each named resource
Hard ResourceList `json:"hard,omitempty" description:"hard is the set of desired hard limits for each named resource; see http://releases.k8s.io/release-1.1/docs/design/admission_control_resource_quota.md#admissioncontrol-plugin-resourcequota"`
}
// ResourceQuotaStatus defines the enforced hard limits and observed use
type ResourceQuotaStatus struct {
// Hard is the set of enforced hard limits for each named resource
Hard ResourceList `json:"hard,omitempty" description:"hard is the set of enforced hard limits for each named resource; see http://releases.k8s.io/release-1.1/docs/design/admission_control_resource_quota.md#admissioncontrol-plugin-resourcequota"`
// Used is the current observed total usage of the resource in the namespace
Used ResourceList `json:"used,omitempty" description:"used is the current observed total usage of the resource in the namespace"`
}
// ResourceQuota sets aggregate quota restrictions enforced per namespace
type ResourceQuota struct {
TypeMeta `json:",inline"`
ObjectMeta `json:"metadata,omitempty" description:"standard object metadata; see http://releases.k8s.io/release-1.1/docs/devel/api-conventions.md#metadata"`
// Spec defines the desired quota
Spec ResourceQuotaSpec `json:"spec,omitempty" description:"spec defines the desired quota; http://releases.k8s.io/release-1.1/docs/devel/api-conventions.md#spec-and-status"`
// Status defines the actual enforced quota and its current usage
Status ResourceQuotaStatus `json:"status,omitempty" description:"status defines the actual enforced quota and current usage; http://releases.k8s.io/release-1.1/docs/devel/api-conventions.md#spec-and-status"`
}
// ResourceQuotaList is a list of ResourceQuota items
type ResourceQuotaList struct {
TypeMeta `json:",inline"`
ListMeta `json:"metadata,omitempty" description:"standard list metadata; see http://releases.k8s.io/release-1.1/docs/devel/api-conventions.md#metadata"`
// Items is a list of ResourceQuota objects
Items []ResourceQuota `json:"items" description:"items is a list of ResourceQuota objects; see http://releases.k8s.io/release-1.1/docs/design/admission_control_resource_quota.md#admissioncontrol-plugin-resourcequota"`
}
</code></pre>
</div>
<h2 id="quota-tracked-resources">Quota Tracked Resources</h2>
<p>The following resources are supported by the quota system.</p>
<table>
<thead>
<tr>
<th>Resource</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>cpu</td>
<td>Total requested cpu usage</td>
</tr>
<tr>
<td>memory</td>
<td>Total requested memory usage</td>
</tr>
<tr>
<td>pods</td>
<td>Total number of active pods where phase is pending or active.</td>
</tr>
<tr>
<td>services</td>
<td>Total number of services</td>
</tr>
<tr>
<td>replicationcontrollers</td>
<td>Total number of replication controllers</td>
</tr>
<tr>
<td>resourcequotas</td>
<td>Total number of resource quotas</td>
</tr>
<tr>
<td>secrets</td>
<td>Total number of secrets</td>
</tr>
<tr>
<td>persistentvolumeclaims</td>
<td>Total number of persistent volume claims</td>
</tr>
</tbody>
</table>
<p>If a third-party wants to track additional resources, it must follow the resource naming conventions prescribed
by Kubernetes. This means the resource must have a fully-qualified name (i.e. mycompany.org/shinynewresource)</p>
<h2 id="resource-requirements-requests-vs-limits">Resource Requirements: Requests vs Limits</h2>
<p>If a resource supports the ability to distinguish between a request and a limit for a resource,
the quota tracking system will only cost the request value against the quota usage. If a resource
is tracked by quota, and no request value is provided, the associated entity is rejected as part of admission.</p>
<p>For an example, consider the following scenarios relative to tracking quota on CPU:</p>
<table>
<thead>
<tr>
<th>Pod</th>
<th>Container</th>
<th>Request CPU</th>
<th>Limit CPU</th>
<th>Result</th>
</tr>
</thead>
<tbody>
<tr>
<td>X</td>
<td>C1</td>
<td>100m</td>
<td>500m</td>
<td>The quota usage is incremented 100m</td>
</tr>
<tr>
<td>Y</td>
<td>C2</td>
<td>100m</td>
<td>none</td>
<td>The quota usage is incremented 100m</td>
</tr>
<tr>
<td>Y</td>
<td>C2</td>
<td>none</td>
<td>500m</td>
<td>The quota usage is incremented 500m since request will default to limit</td>
</tr>
<tr>
<td>Z</td>
<td>C3</td>
<td>none</td>
<td>none</td>
<td>The pod is rejected since it does not enumerate a request.</td>
</tr>
</tbody>
</table>
<p>The rationale for accounting for the requested amount of a resource versus the limit is the belief
that a user should only be charged for what they are scheduled against in the cluster. In addition,
attempting to track usage against actual usage, where request &lt; actual &lt; limit, is considered highly
volatile.</p>
<p>As a consequence of this decision, the user is able to spread its usage of a resource across multiple tiers
of service. Lets demonstrate this via an example with a 4 cpu quota.</p>
<p>The quota may be allocated as follows:</p>
<table>
<thead>
<tr>
<th>Pod</th>
<th>Container</th>
<th>Request CPU</th>
<th>Limit CPU</th>
<th>Tier</th>
<th>Quota Usage</th>
</tr>
</thead>
<tbody>
<tr>
<td>X</td>
<td>C1</td>
<td>1</td>
<td>4</td>
<td>Burstable</td>
<td>1</td>
</tr>
<tr>
<td>Y</td>
<td>C2</td>
<td>2</td>
<td>2</td>
<td>Guaranteed</td>
<td>2</td>
</tr>
<tr>
<td>Z</td>
<td>C3</td>
<td>1</td>
<td>3</td>
<td>Burstable</td>
<td>1</td>
</tr>
</tbody>
</table>
<p>It is possible that the pods may consume 9 cpu over a given time period depending on the nodes available cpu
that held pod X and Z, but since we scheduled X and Z relative to the request, we only track the requesting
value against their allocated quota. If one wants to restrict the ratio between the request and limit,
it is encouraged that the user define a <strong>LimitRange</strong> with <strong>LimitRequestRatio</strong> to control burst out behavior.
This would in effect, let an administrator keep the difference between request and limit more in line with
tracked usage if desired.</p>
<h2 id="status-api">Status API</h2>
<p>A REST API endpoint to update the status section of the <strong>ResourceQuota</strong> is exposed. It requires an atomic compare-and-swap
in order to keep resource usage tracking consistent.</p>
<h2 id="resource-quota-controller">Resource Quota Controller</h2>
<p>A resource quota controller monitors observed usage for tracked resources in the <strong>Namespace</strong>.</p>
<p>If there is observed difference between the current usage stats versus the current <strong>ResourceQuota.Status</strong>, the controller
posts an update of the currently observed usage metrics to the <strong>ResourceQuota</strong> via the /status endpoint.</p>
<p>The resource quota controller is the only component capable of monitoring and recording usage updates after a DELETE operation
since admission control is incapable of guaranteeing a DELETE request actually succeeded.</p>
<h2 id="admissioncontrol-plugin-resourcequota">AdmissionControl plugin: ResourceQuota</h2>
<p>The <strong>ResourceQuota</strong> plug-in introspects all incoming admission requests.</p>
<p>To enable the plug-in and support for ResourceQuota, the kube-apiserver must be configured as follows:</p>
<pre><code>
$ kube-apiserver --admission-control=ResourceQuota
</code></pre>
<p>It makes decisions by evaluating the incoming object against all defined <strong>ResourceQuota.Status.Hard</strong> resource limits in the request
namespace. If acceptance of the resource would cause the total usage of a named resource to exceed its hard limit, the request is denied.</p>
<p>If the incoming request does not cause the total usage to exceed any of the enumerated hard resource limits, the plug-in will post a
<strong>ResourceQuota.Status</strong> document to the server to atomically update the observed usage based on the previously read
<strong>ResourceQuota.ResourceVersion</strong>. This keeps incremental usage atomically consistent, but does introduce a bottleneck (intentionally)
into the system.</p>
<p>To optimize system performance, it is encouraged that all resource quotas are tracked on the same <strong>ResourceQuota</strong> document in a <strong>Namespace</strong>. As a result, its encouraged to impose a cap on the total number of individual quotas that are tracked in the <strong>Namespace</strong>
to 1 in the <strong>ResourceQuota</strong> document.</p>
<h2 id="kubectl">kubectl</h2>
<p>kubectl is modified to support the <strong>ResourceQuota</strong> resource.</p>
<p><code>kubectl describe</code> provides a human-readable output of quota.</p>
<p>For example,</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl create -f docs/admin/resourcequota/namespace.yaml
namespace "quota-example" created
$ kubectl create -f docs/admin/resourcequota/quota.yaml --namespace=quota-example
resourcequota "quota" created
$ kubectl describe quota quota --namespace=quota-example
Name: quota
Namespace: quota-example
Resource Used Hard
-------- ---- ----
cpu 0 20
memory 0 1Gi
persistentvolumeclaims 0 10
pods 0 10
replicationcontrollers 0 20
resourcequotas 1 1
secrets 1 10
services 0 5
</code></pre>
</div>
<h2 id="more-information">More information</h2>
<p>See <a href="../admin/resource-quota.html">resource quota document</a> and the <a href="../admin/resourcequota/">example of Resource Quota</a> for more information.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/admission_control_resource_quota.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
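Review bot: the Status API section exposes a REST endpoint to update `ResourceQuota.Status` but says nothing about who may call it, and `Status.Used` and `Status.Hard` are exactly the values the admission plugin compares, so any principal that can write the status subresource of a quota can lower `used` or raise `hard` and walk past the quota; the design should state that status writes are restricted to the quota controller and the apiserver's admission plugin, with ordinary namespace users limited to reading it. The CPU accounting table is also inconsistent: pod Y / container C2 appears twice with different values (100m/none and none/500m); the second row was presumably meant to be a different pod or container, otherwise the rows cannot be summed. And `$ kube-apiserver --admission-control=ResourceQuota` enables this plugin alone; since the flag is an ordered, comma-separated list and the table says a pod with no request is rejected, the example should list LimitRanger ahead of ResourceQuota so container defaults are applied before quota is checked. Minor: "its encouraged" and "Lets demonstrate" are missing apostrophes, and the sentence about capping "the total number of individual quotas ... to 1" could simply say that the `resourcequotas` hard limit should be set to 1, which is what the kubectl output already shows.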

Binary file not shown.

Binary file not shown.


File diff suppressed because it is too large



@ -0,0 +1,180 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes architecture</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes architecture</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-architecture">Kubernetes architecture</h1>
<p>A running Kubernetes cluster contains node agents (<code>kubelet</code>) and master components (APIs, scheduler, etc), on top of a distributed storage solution. This diagram shows our desired eventual state, though were still working on a few things, like making <code>kubelet</code> itself (all our components, really) run within containers, and making the scheduler 100% pluggable.</p>
<p><img src="architecture.png?raw=true" alt="Architecture Diagram" title="Architecture overview" /></p>
<h2 id="the-kubernetes-node">The Kubernetes Node</h2>
<p>When looking at the architecture of the system, well break it down to services that run on the worker node and services that compose the cluster-level control plane.</p>
<p>The Kubernetes node has the services necessary to run application containers and be managed from the master systems.</p>
<p>Each node runs Docker, of course. Docker takes care of the details of downloading images and running containers.</p>
<h3 id="kubelet"><code>kubelet</code></h3>
<p>The <code>kubelet</code> manages <a href="../user-guide/pods.html">pods</a> and their containers, their images, their volumes, etc.</p>
<h3 id="kube-proxy"><code>kube-proxy</code></h3>
<p>Each node also runs a simple network proxy and load balancer (see the <a href="https://github.com/kubernetes/kubernetes/wiki/Services-FAQ">services FAQ</a> for more details). This reflects <code>services</code> (see <a href="../user-guide/services.html">the services doc</a> for more details) as defined in the Kubernetes API on each node and can do simple TCP and UDP stream forwarding (round robin) across a set of backends.</p>
<p>Service endpoints are currently found via <a href="../admin/dns.html">DNS</a> or through environment variables (both <a href="https://docs.docker.com/userguide/dockerlinks/">Docker-links-compatible</a> and Kubernetes <code>{FOO}_SERVICE_HOST</code> and <code>{FOO}_SERVICE_PORT</code> variables are supported). These variables resolve to ports managed by the service proxy.</p>
<h2 id="the-kubernetes-control-plane">The Kubernetes Control Plane</h2>
<p>The Kubernetes control plane is split into a set of components. Currently they all run on a single <em>master</em> node, but that is expected to change soon in order to support high-availability clusters. These components work together to provide a unified view of the cluster.</p>
<h3 id="etcd"><code>etcd</code></h3>
<p>All persistent master state is stored in an instance of <code>etcd</code>. This provides a great way to store configuration data reliably. With <code>watch</code> support, coordinating components can be notified very quickly of changes.</p>
<h3 id="kubernetes-api-server">Kubernetes API Server</h3>
<p>The apiserver serves up the <a href="../api.html">Kubernetes API</a>. It is intended to be a CRUD-y server, with most/all business logic implemented in separate components or in plug-ins. It mainly processes REST operations, validates them, and updates the corresponding objects in <code>etcd</code> (and eventually other stores).</p>
<h3 id="scheduler">Scheduler</h3>
<p>The scheduler binds unscheduled pods to nodes via the <code>/binding</code> API. The scheduler is pluggable, and we expect to support multiple cluster schedulers and even user-provided schedulers in the future.</p>
<h3 id="kubernetes-controller-manager-server">Kubernetes Controller Manager Server</h3>
<p>All other cluster-level functions are currently performed by the Controller Manager. For instance, <code>Endpoints</code> objects are created and updated by the endpoints controller, and nodes are discovered, managed, and monitored by the node controller. These could eventually be split into separate components to make them independently pluggable.</p>
<p>The <a href="../user-guide/replication-controller.html"><code>replicationcontroller</code></a> is a mechanism that is layered on top of the simple <a href="../user-guide/pods.html"><code>pod</code></a> API. We eventually plan to port it to a generic plug-in mechanism, once one is implemented.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/architecture.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
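Review bot: several contractions have lost their apostrophe in the conversion ("though were still working", "well break it down"), which changes the meaning of the sentences; restore "we're" and "we'll", and since the source probably used typographic apostrophes that the conversion dropped, the same loss should be checked across every page in this commit. The architecture image is referenced as `architecture.png?raw=true`, a GitHub-raw query string that means nothing on the Jekyll site and should be stripped with the other GitHub-specific paths. The shared header carried by this and every other page still contains lorem ipsum nav-box copy and empty links (`<h3><a href="">Get Started</a></h3>`, `<a href="" class="button">View On Github</a>`), and the footer points Community at `/foobang.html`; an `href=""` reloads the current page, and these placeholders ship to production as-is unless the layout is fixed once in the template.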


@ -0,0 +1,12 @@
FROM debian:jessie
RUN apt-get update
RUN apt-get -qy install python-seqdiag make curl
WORKDIR /diagrams
RUN curl -sLo DroidSansMono.ttf https://googlefontdirectory.googlecode.com/hg/apache/droidsansmono/DroidSansMono.ttf
ADD . /diagrams
CMD bash -c 'make >/dev/stderr && tar cf - *.png'
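Review bot: the font download `RUN curl -sLo DroidSansMono.ttf https://googlefontdirectory.googlecode.com/hg/apache/droidsansmono/DroidSansMono.ttf` has no `-f` and no integrity check, so a redirect to an error page is silently saved as the `.ttf` and the failure only surfaces later inside `seqdiag`; add `-f` and verify a known checksum after the fetch (e.g. `sha256sum -c`), or vendor the font next to the `.seqdiag` sources since the build context is copied in anyway. Two smaller points: `RUN apt-get update` on its own layer is cached independently of the following `apt-get -qy install`, so later rebuilds can install from a stale package index (combine them into one `RUN`), and `ADD . /diagrams` should be `COPY` because no archive extraction or URL fetching is wanted here.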

View File

@ -0,0 +1,29 @@
FONT := DroidSansMono.ttf
PNGS := $(patsubst %.seqdiag,%.png,$(wildcard *.seqdiag))
.PHONY: all
all: $(PNGS)
.PHONY: watch
watch:
fswatch *.seqdiag | xargs -n 1 sh -c "make || true"
$(FONT):
curl -sLo $@ https://googlefontdirectory.googlecode.com/hg/apache/droidsansmono/$(FONT)
%.png: %.seqdiag $(FONT)
seqdiag --no-transparency -a -f '$(FONT)' $<
# Build the stuff via a docker image
.PHONY: docker
docker:
docker build -t clustering-seqdiag .
docker run --rm clustering-seqdiag | tar xvf -
docker-clean:
docker rmi clustering-seqdiag || true
docker images -q --filter "dangling=true" | xargs docker rmi
fix-clock-skew:
boot2docker ssh sudo date -u -D "%Y%m%d%H%M.%S" --set "$(shell date -u +%Y%m%d%H%M.%S)"
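Review bot: `docker-clean` and `fix-clock-skew` are missing from `.PHONY` (the `all`, `watch` and `docker` targets declare it), so a file of that name in the directory would silently skip them; and `docker images -q --filter "dangling=true" | xargs docker rmi` removes every dangling image on the host, not just the `clustering-seqdiag` layers, which is a surprising side effect for a project-level clean target and should either be dropped or scoped with a label filter. The `$(FONT)` rule repeats the unverified `curl -sLo` fetch from the Dockerfile; the same `-f` plus checksum fix applies there. Also note that `watch` runs `make || true`, which hides build failures from `fswatch` (fine for a dev loop, but worth a comment), and that the recipe lines appear here without their leading tabs, so anyone copying the file from this view will get a missing separator error.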

View File

@ -0,0 +1,163 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Building with Docker</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Building with Docker</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<p>This directory contains diagrams for the clustering design doc.</p>
<p>This depends on the <code>seqdiag</code> <a href="http://blockdiag.com/en/seqdiag/index.html">utility</a>. Assuming you have a non-borked python install, this should be installable with</p>
<div class="highlight">
<pre><code class="language-sh">pip install seqdiag
</code></pre>
</div>
<p>Just call <code>make</code> to regenerate the diagrams.</p>
<h2 id="building-with-docker">Building with Docker</h2>
<p>If you are on a Mac or your pip install is messed up, you can easily build with docker.</p>
<div class="highlight">
<pre><code class="language-sh">make docker
</code></pre>
</div>
<p>The first run will be slow but things should be fast after that.</p>
<p>To clean up the docker containers that are created (and other cruft that is left around) you can run <code>make docker-clean</code>.</p>
<p>If you are using boot2docker and get warnings about clock skew (or if things arent building for some reason) then you can fix that up with <code>make fix-clock-skew</code>.</p>
<h2 id="automatically-rebuild-on-file-changes">Automatically rebuild on file changes</h2>
<p>If you have the fswatch utility installed, you can have it monitor the file system and automatically rebuild when files have changed. Just do a <code>make watch</code>.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/clustering/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
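Review bot: the page title and injected heading are taken from a section name rather than the document: `<title>Kubernetes - Building with Docker</title>` and `<h1>Building with Docker</h1>` sit above README text whose subject is the clustering diagrams, and the same string recurs as `<h2 id="building-with-docker">Building with Docker</h2>`, so the page has two headings with identical text. Set the title from front matter (the clustering design diagrams) and drop the injected `<h1>`. The apostrophe is missing in `things arent building`, which looks like a right single quote lost in conversion and is worth checking in the source encoding, and the `<!-- BEGIN MUNGE ... -->` and analytics-pixel leftovers noted on the architecture page apply here as well.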

Binary file not shown (image, 71 KiB).

View File

@ -0,0 +1,24 @@
seqdiag {
activation = none;
user[label = "Admin User"];
bootstrap[label = "Bootstrap API\nEndpoint"];
master;
kubelet[stacked];
user -> bootstrap [label="createCluster", return="cluster ID"];
user <-- bootstrap [label="returns\n- bootstrap-cluster-uri"];
user ->> master [label="start\n- bootstrap-cluster-uri"];
master => bootstrap [label="setMaster\n- master-location\n- master-ca"];
user ->> kubelet [label="start\n- bootstrap-cluster-uri"];
kubelet => bootstrap [label="get-master", return="returns\n- master-location\n- master-ca"];
kubelet ->> master [label="signCert\n- unsigned-kubelet-cert", return="retuns\n- kubelet-cert"];
user => master [label="getSignRequests"];
user => master [label="approveSignRequests"];
kubelet <<-- master [label="returns\n- kubelet-cert"];
kubelet => master [label="register\n- kubelet-location"]
}
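Review bot: typo `retuns` in the return label on `kubelet ->> master [label="signCert\n- unsigned-kubelet-cert", return="retuns\n- kubelet-cert"];`, and that edge both carries a `return=` attribute and is followed, after the admin's `approveSignRequests`, by an explicit `kubelet <<-- master [label="returns\n- kubelet-cert"];`, so the diagram draws the kubelet certificate coming back twice, once before approval. Drop the `return=` on the async edge so the signed cert appears only after approval, which is the point of the flow. The last statement, `kubelet => master [label="register\n- kubelet-location"]`, also lacks the trailing `;` the other statements have. One design point worth a label: both master and kubelet take `master-ca` from the bootstrap endpoint over `bootstrap-cluster-uri`, so that endpoint is the trust root for the whole flow and the diagram does not show how the kubelet authenticates it.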

View File

@ -0,0 +1,163 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Building with Docker</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Building with Docker</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<p>This directory contains diagrams for the clustering design doc.</p>
<p>This depends on the <code>seqdiag</code> <a href="http://blockdiag.com/en/seqdiag/index.html">utility</a>. Assuming you have a non-borked python install, this should be installable with</p>
<div class="highlight">
<pre><code class="language-sh">pip install seqdiag
</code></pre>
</div>
<p>Just call <code>make</code> to regenerate the diagrams.</p>
<h2 id="building-with-docker">Building with Docker</h2>
<p>If you are on a Mac or your pip install is messed up, you can easily build with docker.</p>
<div class="highlight">
<pre><code class="language-sh">make docker
</code></pre>
</div>
<p>The first run will be slow but things should be fast after that.</p>
<p>To clean up the docker containers that are created (and other cruft that is left around) you can run <code>make docker-clean</code>.</p>
<p>If you are using boot2docker and get warnings about clock skew (or if things arent building for some reason) then you can fix that up with <code>make fix-clock-skew</code>.</p>
<h2 id="automatically-rebuild-on-file-changes">Automatically rebuild on file changes</h2>
<p>If you have the fswatch utility installed, you can have it monitor the file system and automatically rebuild when files have changed. Just do a <code>make watch</code>.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/clustering/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
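Review bot: this file is the same page as the earlier `Building with Docker` file in this commit (same `<title>`, same body, same analytics path `.../docs/design/clustering/README.md?pixel`), so the generated HTML has been committed to two locations. The review points from the first copy apply unchanged, and the duplication is exactly what moving to a Jekyll layout with the README as the single source would remove.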

Binary file not shown (image, 36 KiB).

View File

@ -0,0 +1,16 @@
seqdiag {
activation = none;
admin[label = "Manual Admin"];
ca[label = "Manual CA"]
master;
kubelet[stacked];
admin => ca [label="create\n- master-cert"];
admin ->> master [label="start\n- ca-root\n- master-cert"];
admin => ca [label="create\n- kubelet-cert"];
admin ->> kubelet [label="start\n- ca-root\n- kubelet-cert\n- master-location"];
kubelet => master [label="register\n- kubelet-location"];
}
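Review bot: `ca[label = "Manual CA"]` is missing the trailing `;` that the neighbouring node declarations have; seqdiag may tolerate it, but keep the statements consistent. This diagram also makes the trust relationship explicit where the bootstrap one does not: the admin hands `ca-root` to both master and kubelet out of band at start time (`admin ->> master [label="start\n- ca-root\n- master-cert"];` and the matching kubelet edge), so the kubelet verifies `master-location` against a CA it was given directly. That distinction is worth a sentence in the README that accompanies the diagrams, since it is the property the bootstrap API flow has to reproduce.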

View File

@ -0,0 +1,292 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Container Command Execution & Port Forwarding in Kubernetes</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Container Command Execution & Port Forwarding in Kubernetes</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="container-command-execution--port-forwarding-in-kubernetes">Container Command Execution &amp; Port Forwarding in Kubernetes</h1>
<h2 id="abstract">Abstract</h2>
<p>This describes an approach for providing support for:</p>
<ul>
<li>executing commands in containers, with stdin/stdout/stderr streams attached</li>
<li>port forwarding to containers</li>
</ul>
<h2 id="background">Background</h2>
<p>There are several related issues/PRs:</p>
<ul>
<li><a href="http://issue.k8s.io/1521">Support attach</a></li>
<li><a href="http://issue.k8s.io/1513">Real container ssh</a></li>
<li><a href="http://issue.k8s.io/1863">Provide easy debug network access to services</a></li>
<li><a href="https://github.com/openshift/origin/pull/576">OpenShift container command execution proposal</a></li>
</ul>
<h2 id="motivation">Motivation</h2>
<p>Users and administrators are accustomed to being able to access their systems
via SSH to run remote commands, get shell access, and do port forwarding.</p>
<p>Supporting SSH to containers in Kubernetes is a difficult task. You must
specify a “user” and a hostname to make an SSH connection, and <code>sshd</code> requires
real users (resolvable by NSS and PAM). Because a container belongs to a pod,
and the pod belongs to a namespace, you need to specify namespace/pod/container
to uniquely identify the target container. Unfortunately, a
namespace/pod/container is not a real user as far as SSH is concerned. Also,
most Linux systems limit user names to 32 characters, which is unlikely to be
large enough to contain namespace/pod/container. We could devise some scheme to
map each namespace/pod/container to a 32-character user name, adding entries to
<code>/etc/passwd</code> (or LDAP, etc.) and keeping those entries fully in sync all the
time. Alternatively, we could write custom NSS and PAM modules that allow the
host to resolve a namespace/pod/container to a user without needing to keep
files or LDAP in sync.</p>
<p>As an alternative to SSH, we are using a multiplexed streaming protocol that
runs on top of HTTP. There are no requirements about users being real users,
nor is there any limitation on user name length, as the protocol is under our
control. The only downside is that standard tooling that expects to use SSH
wont be able to work with this mechanism, unless adapters can be written.</p>
<h2 id="constraints-and-assumptions">Constraints and Assumptions</h2>
<ul>
<li>SSH support is not currently in scope</li>
<li>CGroup confinement is ultimately desired, but implementing that support is not currently in scope</li>
<li>SELinux confinement is ultimately desired, but implementing that support is not currently in scope</li>
</ul>
<h2 id="use-cases">Use Cases</h2>
<ul>
<li>As a user of a Kubernetes cluster, I want to run arbitrary commands in a container, attaching my local stdin/stdout/stderr to the container</li>
<li>As a user of a Kubernetes cluster, I want to be able to connect to local ports on my computer and have them forwarded to ports in the container</li>
</ul>
<h2 id="process-flow">Process Flow</h2>
<h3 id="remote-command-execution-flow">Remote Command Execution Flow</h3>
<ol>
<li>The client connects to the Kubernetes Master to initiate a remote command execution
request</li>
<li>The Master proxies the request to the Kubelet where the container lives</li>
<li>The Kubelet executes nsenter + the requested command and streams stdin/stdout/stderr back and forth between the client and the container</li>
</ol>
<h3 id="port-forwarding-flow">Port Forwarding Flow</h3>
<ol>
<li>The client connects to the Kubernetes Master to initiate a remote command execution
request</li>
<li>The Master proxies the request to the Kubelet where the container lives</li>
<li>The client listens on each specified local port, awaiting local connections</li>
<li>The client connects to one of the local listening ports</li>
<li>The client notifies the Kubelet of the new connection</li>
<li>The Kubelet executes nsenter + socat and streams data back and forth between the client and the port in the container</li>
</ol>
<h2 id="design-considerations">Design Considerations</h2>
<h3 id="streaming-protocol">Streaming Protocol</h3>
<p>The current multiplexed streaming protocol used is SPDY. This is not the
long-term desire, however. As soon as there is viable support for HTTP/2 in Go,
we will switch to that.</p>
<h3 id="master-as-first-level-proxy">Master as First Level Proxy</h3>
<p>Clients should not be allowed to communicate directly with the Kubelet for
security reasons. Therefore, the Master is currently the only suggested entry
point to be used for remote command execution and port forwarding. This is not
necessarily desirable, as it means that all remote command execution and port
forwarding traffic must travel through the Master, potentially impacting other
API requests.</p>
<p>In the future, it might make more sense to retrieve an authorization token from
the Master, and then use that token to initiate a remote command execution or
port forwarding request with a load balanced proxy service dedicated to this
functionality. This would keep the streaming traffic out of the Master.</p>
<h3 id="kubelet-as-backend-proxy">Kubelet as Backend Proxy</h3>
<p>The kubelet is currently responsible for handling remote command execution and
port forwarding requests. Just like with the Master described above, this means
that all remote command execution and port forwarding streaming traffic must
travel through the Kubelet, which could result in a degraded ability to service
other requests.</p>
<p>In the future, it might make more sense to use a separate service on the node.</p>
<p>Alternatively, we could possibly inject a process into the container that only
listens for a single request, expose that processs listening port on the node,
and then issue a redirect to the client such that it would connect to the first
level proxy, which would then proxy directly to the injected processs exposed
port. This would minimize the amount of proxying that takes place.</p>
<h3 id="scalability">Scalability</h3>
<p>There are at least 2 different ways to execute a command in a container:
<code>docker exec</code> and <code>nsenter</code>. While <code>docker exec</code> might seem like an easier and
more obvious choice, it has some drawbacks.</p>
<h4 id="docker-exec"><code>docker exec</code></h4>
<p>We could expose <code>docker exec</code> (i.e. have Docker listen on an exposed TCP port
on the node), but this would require proxying from the edge and securing the
Docker API. <code>docker exec</code> calls go through the Docker daemon, meaning that all
stdin/stdout/stderr traffic is proxied through the Daemon, adding an extra hop.
Additionally, you cant isolate 1 malicious <code>docker exec</code> call from normal
usage, meaning an attacker could initiate a denial of service or other attack
and take down the Docker daemon, or the node itself.</p>
<p>We expect remote command execution and port forwarding requests to be long
running and/or high bandwidth operations, and routing all the streaming data
through the Docker daemon feels like a bottleneck we can avoid.</p>
<h4 id="nsenter"><code>nsenter</code></h4>
<p>The implementation currently uses <code>nsenter</code> to run commands in containers,
joining the appropriate container namespaces. <code>nsenter</code> runs directly on the
node and is not proxied through any single daemon process.</p>
<h3 id="security">Security</h3>
<p>Authentication and authorization hasnt specifically been tested yet with this
functionality. We need to make sure that users are not allowed to execute
remote commands or do port forwarding to containers they arent allowed to
access.</p>
<p>Additional work is required to ensure that multiple command execution or port forwarding connections from different clients are not able to see each others data. This can most likely be achieved via SELinux labeling and unique process contexts.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/command_execution_port_forwarding.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
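Review bot: step 1 of the Port Forwarding Flow is a copy of the exec list, `<li>The client connects to the Kubernetes Master to initiate a remote command execution request</li>`, and should read port forwarding request. Markup points: `<title>Kubernetes - Container Command Execution & Port Forwarding in Kubernetes</title>` and the injected `<h1>` at the top of `docsContent` contain an unescaped ampersand, while the markdown-generated `<h1 id="container-command-execution--port-forwarding-in-kubernetes">` escapes it, so the page carries two H1s with the same text; drop the injected one. Apostrophes are missing in `wont`, `cant`, `hasnt`, `arent` and `processs`, which points to a right single quote dropped during conversion. On content: the Security section records that authentication and authorization for exec and port-forward are untested, and the Master-as-first-level-proxy section gives the reason clients must not reach the Kubelet directly; together those are the main risk of this feature, so the doc should list the checks expected before it ships, namely that the Master authorizes the caller for the specific namespace/pod/container before proxying, and that the Kubelet accepts these requests only from the Master.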

View File

@ -0,0 +1,282 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - DaemonSet in Kubernetes</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>DaemonSet in Kubernetes</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="daemonset-in-kubernetes">DaemonSet in Kubernetes</h1>
<p><strong>Author</strong>: Ananya Kumar (@AnanyaKumar)</p>
<p><strong>Status</strong>: Implemented.</p>
<p>This document presents the design of the Kubernetes DaemonSet, describes use cases, and gives an overview of the code.</p>
<h2 id="motivation">Motivation</h2>
<p>Many users have requested for a way to run a daemon on every node in a Kubernetes cluster, or on a certain set of nodes in a cluster. This is essential for use cases such as building a sharded datastore, or running a logger on every node. In comes the DaemonSet, a way to conveniently create and manage daemon-like workloads in Kubernetes.</p>
<h2 id="use-cases">Use Cases</h2>
<p>The DaemonSet can be used for user-specified system services, cluster-level applications with strong node ties, and Kubernetes node services. Below are example use cases in each category.</p>
<h3 id="user-specified-system-services">User-Specified System Services:</h3>
<p>Logging: Some users want a way to collect statistics about nodes in a cluster and send those logs to an external database. For example, system administrators might want to know if their machines are performing as expected, if they need to add more machines to the cluster, or if they should switch cloud providers. The DaemonSet can be used to run a data collection service (for example fluentd) on every node and send the data to a service like ElasticSearch for analysis.</p>
<h3 id="cluster-level-applications">Cluster-Level Applications</h3>
<p>Datastore: Users might want to implement a sharded datastore in their cluster. A few nodes in the cluster, labeled app=datastore, might be responsible for storing data shards, and pods running on these nodes might serve data. This architecture requires a way to bind pods to specific nodes, so it cannot be achieved using a Replication Controller. A DaemonSet is a convenient way to implement such a datastore.</p>
<p>For other uses, see the related <a href="https://issues.k8s.io/1518">feature request</a></p>
<h2 id="functionality">Functionality</h2>
<p>The DaemonSet supports standard API features:
- create
- The spec for DaemonSets has a pod template field.
- Using the pods nodeSelector field, DaemonSets can be restricted to operate over nodes that have a certain label. For example, suppose that in a cluster some nodes are labeled app=database. You can use a DaemonSet to launch a datastore pod on exactly those nodes labeled app=database.
- Using the pods nodeName field, DaemonSets can be restricted to operate on a specified node.
- The PodTemplateSpec used by the DaemonSet is the same as the PodTemplateSpec used by the Replication Controller.
- The initial implementation will not guarnatee that DaemonSet pods are created on nodes before other pods.
- The initial implementation of DaemonSet does not guarantee that DaemonSet pods show up on nodes (for example because of resource limitations of the node), but makes a best effort to launch DaemonSet pods (like Replication Controllers do with pods). Subsequent revisions might ensure that DaemonSet pods show up on nodes, preempting other pods if necessary.
- The DaemonSet controller adds an annotation “kubernetes.io/created-by: &lt;json API object reference&gt;
- YAML example:</p>
<div class="highlight">
<pre><code class="language-yaml">apiVersion: v1
kind: DaemonSet
metadata:
labels:
app: datastore
name: datastore
spec:
template:
metadata:
labels:
app: datastore-shard
spec:
nodeSelector:
app: datastore-node
containers:
name: datastore-shard
image: kubernetes/sharded
ports:
- containerPort: 9042
name: main
</code></pre>
</div>
<ul>
<li>commands that get info
<ul>
<li>get (e.g. kubectl get daemonsets)</li>
<li>describe</li>
</ul>
</li>
<li>Modifiers
<ul>
<li>delete (if cascade=true, then first the client turns down all the pods controlled by the DaemonSet (by setting the nodeSelector to a uuid pair that is unlikely to be set on any node); then it deletes the DaemonSet; then it deletes the pods)</li>
<li>label</li>
<li>annotate</li>
<li>update operations like patch and replace (only allowed to selector and to nodeSelector and nodeName of pod template)</li>
<li>DaemonSets have labels, so you could, for example, list all DaemonSets with certain labels (the same way you would for a Replication Controller).</li>
</ul>
</li>
<li>In general, for all the supported features like get, describe, update, etc, the DaemonSet works in a similar way to the Replication Controller. However, note that the DaemonSet and the Replication Controller are different constructs.</li>
</ul>
<h3 id="persisting-pods">Persisting Pods</h3>
<ul>
<li>Ordinary liveness probes specified in the pod template work to keep pods created by a DaemonSet running.</li>
<li>If a daemon pod is killed or stopped, the DaemonSet will create a new replica of the daemon pod on the node.</li>
</ul>
<h3 id="cluster-mutations">Cluster Mutations</h3>
<ul>
<li>When a new node is added to the cluster, the DaemonSet controller starts daemon pods on the node for DaemonSets whose pod template nodeSelectors match the nodes labels.</li>
<li>Suppose the user launches a DaemonSet that runs a logging daemon on all nodes labeled “logger=fluentd”. If the user then adds the “logger=fluentd” label to a node (that did not initially have the label), the logging daemon will launch on the node. Additionally, if a user removes the label from a node, the logging daemon on that node will be killed.</li>
</ul>
<h2 id="alternatives-considered">Alternatives Considered</h2>
<p>We considered several alternatives, that were deemed inferior to the approach of creating a new DaemonSet abstraction.</p>
<p>One alternative is to include the daemon in the machine image. In this case it would run outside of Kubernetes proper, and thus not be monitored, health checked, usable as a service endpoint, easily upgradable, etc.</p>
<p>A related alternative is to package daemons as static pods. This would address most of the problems described above, but they would still not be easily upgradable, and more generally could not be managed through the API server interface.</p>
<p>A third alternative is to generalize the Replication Controller. We would do something like: if you set the <code>replicas</code> field of the ReplicationConrollerSpec to -1, then it means “run exactly one replica on every node matching the nodeSelector in the pod template.” The ReplicationController would pretend <code>replicas</code> had been set to some large number larger than the largest number of nodes ever expected in the cluster and would use some anti-affinity mechanism to ensure that no more than one Pod from the ReplicationController runs on any given node. There are two downsides to this approach. First, there would always be a large number of Pending pods in the scheduler (these will be scheduled onto new machines when they are added to the cluster). The second downside is more philosophical: DaemonSet and the Replication Controller are very different concepts. We believe that having small, targeted controllers for distinct purposes makes Kubernetes easier to understand and use, compared to having larger multi-functional controllers (see <a href="http://issues.k8s.io/3058">“Convert ReplicationController to a plugin”</a> for some discussion of this topic).</p>
<h2 id="design">Design</h2>
<h4 id="client">Client</h4>
<ul>
<li>Add support for DaemonSet commands to kubectl and the client. Client code was added to client/unversioned. The main files in Kubectl that were modified are kubectl/describe.go and kubectl/stop.go, since for other calls like Get, Create, and Update, the client simply forwards the request to the backend via the REST API.</li>
</ul>
<h4 id="apiserver">Apiserver</h4>
<ul>
<li>Accept, parse, validate client commands</li>
<li>REST API calls are handled in registry/daemon
<ul>
<li>In particular, the api server will add the object to etcd</li>
<li>DaemonManager listens for updates to etcd (using Framework.informer)</li>
</ul>
</li>
<li>API objects for DaemonSet were created in expapi/v1/types.go and expapi/v1/register.go</li>
<li>Validation code is in expapi/validation</li>
</ul>
<h4 id="daemon-manager">Daemon Manager</h4>
<ul>
<li>Creates new DaemonSets when requested. Launches the corresponding daemon pod on all nodes with labels matching the new DaemonSets selector.</li>
<li>Listens for addition of new nodes to the cluster, by setting up a framework.NewInformer that watches for the creation of Node API objects. When a new node is added, the daemon manager will loop through each DaemonSet. If the label of the node matches the selector of the DaemonSet, then the daemon manager will create the corresponding daemon pod in the new node.</li>
<li>The daemon manager creates a pod on a node by sending a command to the API server, requesting for a pod to be bound to the node (the node will be specified via its hostname)</li>
</ul>
<h4 id="kubelet">Kubelet</h4>
<ul>
<li>Does not need to be modified, but health checking will occur for the daemon pods and revive the pods if they are killed (we set the pod restartPolicy to Always). We reject DaemonSet objects with pod templates that dont have restartPolicy set to Always.</li>
</ul>
<h2 id="open-issues">Open Issues</h2>
<ul>
<li>Should work similarly to <a href="http://issues.k8s.io/1743">Deployment</a>.</li>
</ul>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/daemon.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
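Review bot: the Functionality list in this file is rendered as a single `<p>` with literal `- ` markers (the paragraph starting `The DaemonSet supports standard API features:` and running through the `YAML example:` item) instead of a `<ul>`, so either wrap those items in `<ul>`/`<li>` here or, in the markdown this was generated from, separate the intro line from the list with a blank line; the Persisting Pods and Cluster Mutations lists further down convert correctly and show the intended form. Two smaller fixes in the same region: the annotation item opens a quotation mark that is never closed (`“kubernetes.io/created-by: <json API object reference>`), and in the YAML example `containers:` is a list in a pod spec, so the first entry should read `- name: datastore-shard` with `image:` and `ports:` indented beneath it rather than as a bare mapping. Finally, since the commit message presents this file as the model for a non-munged, pure-Jekyll page, the IS_VERSIONED and GENERATED_ANALYTICS munge blocks (including the analytics pixel whose `<img>` sits inside an empty `<a href="">`) should be removed, and the typos `guarnatee` and `ReplicationConrollerSpec` cleaned up while the source is being touched.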

View File

@ -0,0 +1,225 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Event Compression</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Event Compression</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-event-compression">Kubernetes Event Compression</h1>
<p>This document captures the design of event compression.</p>
<h2 id="background">Background</h2>
<p>Kubernetes components can get into a state where they generate tons of events which are identical except for the timestamp. For example, when pulling a non-existing image, Kubelet will repeatedly generate <code>image_not_existing</code> and <code>container_is_waiting</code> events until upstream components correct the image. When this happens, the spam from the repeated events makes the entire event mechanism useless. It also appears to cause memory pressure in etcd (see <a href="http://issue.k8s.io/3853">#3853</a>).</p>
<h2 id="proposal">Proposal</h2>
<p>Each binary that generates events (for example, <code>kubelet</code>) should keep track of previously generated events so that it can collapse recurring events into a single event instead of creating a new instance for each new event.</p>
<p>Event compression should be best effort (not guaranteed). Meaning, in the worst case, <code>n</code> identical (minus timestamp) events may still result in <code>n</code> event entries.</p>
<h2 id="design">Design</h2>
<p>Instead of a single Timestamp, each event object <a href="http://releases.k8s.io/release-1.1/pkg/api/types.go#L1111">contains</a> the following fields:
* <code>FirstTimestamp unversioned.Time</code>
* The date/time of the first occurrence of the event.
* <code>LastTimestamp unversioned.Time</code>
* The date/time of the most recent occurrence of the event.
* On first occurrence, this is equal to the FirstTimestamp.
* <code>Count int</code>
* The number of occurrences of this event between FirstTimestamp and LastTimestamp
* On first occurrence, this is 1.</p>
<p>Each binary that generates events:
* Maintains a historical record of previously generated events:
* Implemented with <a href="https://github.com/golang/groupcache/blob/master/lru/lru.go">“Least Recently Used Cache”</a> in <a href="https://releases.k8s.io/release-1.1/pkg/client/record/events_cache.go"><code>pkg/client/record/events_cache.go</code></a>.
* The key in the cache is generated from the event object minus timestamps/count/transient fields, specifically the following events fields are used to construct a unique key for an event:
* <code>event.Source.Component</code>
* <code>event.Source.Host</code>
* <code>event.InvolvedObject.Kind</code>
* <code>event.InvolvedObject.Namespace</code>
* <code>event.InvolvedObject.Name</code>
* <code>event.InvolvedObject.UID</code>
* <code>event.InvolvedObject.APIVersion</code>
* <code>event.Reason</code>
* <code>event.Message</code>
* The LRU cache is capped at 4096 events. That means if a component (e.g. kubelet) runs for a long period of time and generates tons of unique events, the previously generated events cache will not grow unchecked in memory. Instead, after 4096 unique events are generated, the oldest events are evicted from the cache.
* When an event is generated, the previously generated events cache is checked (see <a href="http://releases.k8s.io/release-1.1/pkg/client/unversioned/record/event.go"><code>pkg/client/unversioned/record/event.go</code></a>).
* If the key for the new event matches the key for a previously generated event (meaning all of the above fields match between the new event and some previously generated event), then the event is considered to be a duplicate and the existing event entry is updated in etcd:
* The new PUT (update) event API is called to update the existing event entry in etcd with the new last seen timestamp and count.
* The event is also updated in the previously generated events cache with an incremented count, updated last seen timestamp, name, and new resource version (all required to issue a future event update).
* If the key for the new event does not match the key for any previously generated event (meaning none of the above fields match between the new event and any previously generated events), then the event is considered to be new/unique and a new event entry is created in etcd:
* The usual POST/create event API is called to create a new event entry in etcd.
* An entry for the event is also added to the previously generated events cache.</p>
<h2 id="issuesrisks">Issues/Risks</h2>
<ul>
<li>Compression is not guaranteed, because each component keeps track of event history in memory
<ul>
<li>An application restart causes event history to be cleared, meaning event history is not preserved across application restarts and compression will not occur across component restarts.</li>
<li>Because an LRU cache is used to keep track of previously generated events, if too many unique events are generated, old events will be evicted from the cache, so events will only be compressed until they age out of the events cache, at which point any new instance of the event will cause a new entry to be created in etcd.</li>
</ul>
</li>
</ul>
<h2 id="example">Example</h2>
<p>Sample kubectl output</p>
<div class="highlight">
<pre><code class="language-console">FIRSTSEEN LASTSEEN COUNT NAME KIND SUBOBJECT REASON SOURCE MESSAGE
Thu, 12 Feb 2015 01:13:02 +0000 Thu, 12 Feb 2015 01:13:02 +0000 1 kubernetes-minion-4.c.saad-dev-vms.internal Minion starting {kubelet kubernetes-minion-4.c.saad-dev-vms.internal} Starting kubelet.
Thu, 12 Feb 2015 01:13:09 +0000 Thu, 12 Feb 2015 01:13:09 +0000 1 kubernetes-minion-1.c.saad-dev-vms.internal Minion starting {kubelet kubernetes-minion-1.c.saad-dev-vms.internal} Starting kubelet.
Thu, 12 Feb 2015 01:13:09 +0000 Thu, 12 Feb 2015 01:13:09 +0000 1 kubernetes-minion-3.c.saad-dev-vms.internal Minion starting {kubelet kubernetes-minion-3.c.saad-dev-vms.internal} Starting kubelet.
Thu, 12 Feb 2015 01:13:09 +0000 Thu, 12 Feb 2015 01:13:09 +0000 1 kubernetes-minion-2.c.saad-dev-vms.internal Minion starting {kubelet kubernetes-minion-2.c.saad-dev-vms.internal} Starting kubelet.
Thu, 12 Feb 2015 01:13:05 +0000 Thu, 12 Feb 2015 01:13:12 +0000 4 monitoring-influx-grafana-controller-0133o Pod failedScheduling {scheduler } Error scheduling: no nodes available to schedule pods
Thu, 12 Feb 2015 01:13:05 +0000 Thu, 12 Feb 2015 01:13:12 +0000 4 elasticsearch-logging-controller-fplln Pod failedScheduling {scheduler } Error scheduling: no nodes available to schedule pods
Thu, 12 Feb 2015 01:13:05 +0000 Thu, 12 Feb 2015 01:13:12 +0000 4 kibana-logging-controller-gziey Pod failedScheduling {scheduler } Error scheduling: no nodes available to schedule pods
Thu, 12 Feb 2015 01:13:05 +0000 Thu, 12 Feb 2015 01:13:12 +0000 4 skydns-ls6k1 Pod failedScheduling {scheduler } Error scheduling: no nodes available to schedule pods
Thu, 12 Feb 2015 01:13:05 +0000 Thu, 12 Feb 2015 01:13:12 +0000 4 monitoring-heapster-controller-oh43e Pod failedScheduling {scheduler } Error scheduling: no nodes available to schedule pods
Thu, 12 Feb 2015 01:13:20 +0000 Thu, 12 Feb 2015 01:13:20 +0000 1 kibana-logging-controller-gziey BoundPod implicitly required container POD pulled {kubelet kubernetes-minion-4.c.saad-dev-vms.internal} Successfully pulled image "kubernetes/pause:latest"
Thu, 12 Feb 2015 01:13:20 +0000 Thu, 12 Feb 2015 01:13:20 +0000 1 kibana-logging-controller-gziey Pod scheduled {scheduler } Successfully assigned kibana-logging-controller-gziey to kubernetes-minion-4.c.saad-dev-vms.internal
</code></pre>
</div>
<p>This demonstrates what would have been 20 separate entries (indicating scheduling failure) collapsed/compressed down to 5 entries.</p>
<h2 id="related-pull-requestsissues">Related Pull Requests/Issues</h2>
<ul>
<li>Issue <a href="http://issue.k8s.io/4073">#4073</a>: Compress duplicate events</li>
<li>PR <a href="http://issue.k8s.io/4157">#4157</a>: Add “Update Event” to Kubernetes API</li>
<li>PR <a href="http://issue.k8s.io/4206">#4206</a>: Modify Event struct to allow compressing multiple recurring events in to a single event</li>
<li>PR <a href="http://issue.k8s.io/4306">#4306</a>: Compress recurring events in to a single event to optimize etcd storage</li>
<li>PR <a href="http://pr.k8s.io/4444">#4444</a>: Switch events history to use LRU cache instead of map</li>
</ul>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/event_compression.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
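Review bot: this file ends up with two top-level headings for the same title, `<h1>Kubernetes Event Compression</h1>` immediately followed by `<h1 id="kubernetes-event-compression">Kubernetes Event Compression</h1>` with only the empty UNVERSIONED_WARNING munge comments between them; keep the one carrying the `id`, since in-page anchors depend on it, and drop the other. The Design section has the same list problem as the DaemonSet file: the field list after `contains the following fields:` and the longer `Each binary that generates events:` list are rendered as `<p>` blocks with literal `*` markers and their nesting flattened, so the two-level structure (key fields, the 4096-entry LRU cap, the update-versus-create path) is unreadable until they become nested `<ul>` elements. Smaller points: the IS_VERSIONED and GENERATED_ANALYTICS munge blocks and the analytics pixel contradict the commit's stated goal of a non-munged page, the header nav still carries lorem ipsum copy and empty `href=""` anchors, the footer links Community to `/foobang.html`, and the Related Pull Requests list links PRs #4157, #4206 and #4306 through `issue.k8s.io` while #4444 uses `pr.k8s.io`.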

View File

@ -0,0 +1,687 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Variable expansion in pod command, args, and env</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Variable expansion in pod command, args, and env</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="variable-expansion-in-pod-command-args-and-env">Variable expansion in pod command, args, and env</h1>
<h2 id="abstract">Abstract</h2>
<p>A proposal for the expansion of environment variables using a simple <code>$(var)</code> syntax.</p>
<h2 id="motivation">Motivation</h2>
<p>It is extremely common for users to need to compose environment variables or pass arguments to
their commands using the values of environment variables. Kubernetes should provide a facility for
the 80% cases in order to decrease coupling and the use of workarounds.</p>
<h2 id="goals">Goals</h2>
<ol>
<li>Define the syntax format</li>
<li>Define the scoping and ordering of substitutions</li>
<li>Define the behavior for unmatched variables</li>
<li>Define the behavior for unexpected/malformed input</li>
</ol>
<h2 id="constraints-and-assumptions">Constraints and Assumptions</h2>
<ul>
<li>This design should describe the simplest possible syntax to accomplish the use-cases</li>
<li>Expansion syntax will not support more complicated shell-like behaviors such as default values
(viz: <code>$(VARIABLE_NAME:"default")</code>), inline substitution, etc.</li>
</ul>
<h2 id="use-cases">Use Cases</h2>
<ol>
<li>As a user, I want to compose new environment variables for a container using a substitution
syntax to reference other variables in the containers environment and service environment
variables</li>
<li>As a user, I want to substitute environment variables into a containers command</li>
<li>As a user, I want to do the above without requiring the containers image to have a shell</li>
<li>As a user, I want to be able to specify a default value for a service variable which may
not exist</li>
<li>As a user, I want to see an event associated with the pod if an expansion fails (ie, references
variable names that cannot be expanded)</li>
</ol>
<h3 id="use-case-composition-of-environment-variables">Use Case: Composition of environment variables</h3>
<p>Currently, containers are injected with docker-style environment variables for the services in
their pods namespace. There are several variables for each service, but users routinely need
to compose URLs based on these variables because there is not a variable for the exact format
they need. Users should be able to build new environment variables with the exact format they need.
Eventually, it should also be possible to turn off the automatic injection of the docker-style
variables into pods and let the users consume the exact information they need via the downward API
and composition.</p>
<h4 id="expanding-expanded-variables">Expanding expanded variables</h4>
<p>It should be possible to reference an variable which is itself the result of an expansion, if the
referenced variable is declared in the containers environment prior to the one referencing it.
Put another way a containers environment is expanded in order, and expanded variables are
available to subsequent expansions.</p>
<h3 id="use-case-variable-expansion-in-command">Use Case: Variable expansion in command</h3>
<p>Users frequently need to pass the values of environment variables to a containers command.
Currently, Kubernetes does not perform any expansion of variables. The workaround is to invoke a
shell in the containers command and have the shell perform the substitution, or to write a wrapper
script that sets up the environment and runs the command. This has a number of drawbacks:</p>
<ol>
<li>Solutions that require a shell are unfriendly to images that do not contain a shell</li>
<li>Wrapper scripts make it harder to use images as base images</li>
<li>Wrapper scripts increase coupling to Kubernetes</li>
</ol>
<p>Users should be able to do the 80% case of variable expansion in command without writing a wrapper
script or adding a shell invocation to their containers commands.</p>
<h3 id="use-case-images-without-shells">Use Case: Images without shells</h3>
<p>The current workaround for variable expansion in a containers command requires the containers
image to have a shell. This is unfriendly to images that do not contain a shell (<code>scratch</code> images,
for example). Users should be able to perform the other use-cases in this design without regard to
the content of their images.</p>
<h3 id="use-case-see-an-event-for-incomplete-expansions">Use Case: See an event for incomplete expansions</h3>
<p>It is possible that a container with incorrect variable values or command line may continue to run
for a long period of time, and that the end-user would have no visual or obvious warning of the
incorrect configuration. If the kubelet creates an event when an expansion references a variable
that cannot be expanded, it will help users quickly detect problems with expansions.</p>
<h2 id="design-considerations">Design Considerations</h2>
<h3 id="what-features-should-be-supported">What features should be supported?</h3>
<p>In order to limit complexity, we want to provide the right amount of functionality so that the 80%
cases can be realized and nothing more. We felt that the essentials boiled down to:</p>
<ol>
<li>Ability to perform direct expansion of variables in a string</li>
<li>Ability to specify default values via a prioritized mapping function but without support for
defaults as a syntax-level feature</li>
</ol>
<h3 id="what-should-the-syntax-be">What should the syntax be?</h3>
<p>The exact syntax for variable expansion has a large impact on how users perceive and relate to the
feature. We considered implementing a very restrictive subset of the shell <code>${var}</code> syntax. This
syntax is an attractive option on some level, because many people are familiar with it. However,
this syntax also has a large number of lesser known features such as the ability to provide
default values for unset variables, perform inline substitution, etc.</p>
<p>In the interest of preventing conflation of the expansion feature in Kubernetes with the shell
feature, we chose a different syntax similar to the one in Makefiles, <code>$(var)</code>. We also chose not
to support the bar <code>$var</code> format, since it is not required to implement the required use-cases.</p>
<p>Nested references, ie, variable expansion within variable names, are not supported.</p>
<h4 id="how-should-unmatched-references-be-treated">How should unmatched references be treated?</h4>
<p>Ideally, it should be extremely clear when a variable reference couldnt be expanded. We decided
the best experience for unmatched variable references would be to have the entire reference, syntax
included, show up in the output. As an example, if the reference <code>$(VARIABLE_NAME)</code> cannot be
expanded, then <code>$(VARIABLE_NAME)</code> should be present in the output.</p>
<h4 id="escaping-the-operator">Escaping the operator</h4>
<p>Although the <code>$(var)</code> syntax does overlap with the <code>$(command)</code> form of command substitution
supported by many shells, because unexpanded variables are present verbatim in the output, we
expect this will not present a problem to many users. If there is a collision between a variable
name and command substitution syntax, the syntax can be escaped with the form <code>$$(VARIABLE_NAME)</code>,
which will evaluate to <code>$(VARIABLE_NAME)</code> whether <code>VARIABLE_NAME</code> can be expanded or not.</p>
<h2 id="design">Design</h2>
<p>This design encompasses the variable expansion syntax and specification and the changes needed to
incorporate the expansion feature into the container's environment and command.</p>
<h3 id="syntax-and-expansion-mechanics">Syntax and expansion mechanics</h3>
<p>This section describes the expansion syntax, evaluation of variable values, and how unexpected or
malformed inputs are handled.</p>
<h4 id="syntax">Syntax</h4>
<p>The inputs to the expansion feature are:</p>
<ol>
<li>A UTF-8 string (the input string) which may contain variable references</li>
<li>A function (the mapping function) that maps the name of a variable to the variable's value, of
type <code>func(string) string</code></li>
</ol>
<p>Variable references in the input string are indicated exclusively with the syntax
<code>$(&lt;variable-name&gt;)</code>. The syntax tokens are:</p>
<ul>
<li><code>$</code>: the operator</li>
<li><code>(</code>: the reference opener</li>
<li><code>)</code>: the reference closer</li>
</ul>
<p>The operator has no meaning unless accompanied by the reference opener and closer tokens. The
operator can be escaped using <code>$$</code>. One literal <code>$</code> will be emitted for each <code>$$</code> in the input.</p>
<p>The reference opener and closer characters have no meaning when not part of a variable reference.
If a variable reference is malformed, e.g. <code>$(VARIABLE_NAME</code> without a closing token, the
operator and reference opener are treated as ordinary characters without special
meaning.</p>
<h4 id="scope-and-ordering-of-substitutions">Scope and ordering of substitutions</h4>
<p>The scope in which variable references are expanded is defined by the mapping function. Within the
mapping function, any arbitrary strategy may be used to determine the value of a variable name.
The most basic implementation of a mapping function is to use a <code>map[string]string</code> to look up the
value of a variable.</p>
<p>In order to support default values for variables like service variables presented by the kubelet,
which may not be bound because the service that provides them does not yet exist, there should be a
mapping function that uses a list of <code>map[string]string</code> like:</p>
<div class="highlight">
<pre><code class="language-go">package main

import "fmt"

// MakeMappingFunc returns a mapping function that consults each map in order,
// so earlier maps take precedence and later maps act as defaults.
func MakeMappingFunc(maps ...map[string]string) func(string) string {
	return func(input string) string {
		for _, context := range maps {
			val, ok := context[input]
			if ok {
				return val
			}
		}
		return ""
	}
}

func main() {
	containerEnv := map[string]string{
		"FOO":           "BAR",
		"ZOO":           "ZAB",
		"SERVICE2_HOST": "some-host",
	}
	serviceEnv := map[string]string{
		"SERVICE_HOST": "another-host",
		"SERVICE_PORT": "8083",
	}
	// single-map variation
	mapping := MakeMappingFunc(containerEnv)
	// containerEnv supplies defaults for variables not found in serviceEnv
	mappingWithDefaults := MakeMappingFunc(serviceEnv, containerEnv)
	fmt.Println(mapping("FOO"), mappingWithDefaults("SERVICE_HOST"), mappingWithDefaults("SERVICE2_HOST"))
}
</code></pre>
</div>
<h3 id="implementation-changes">Implementation changes</h3>
<p>The necessary changes to implement this functionality are:</p>
<ol>
<li>Add a new interface, <code>ObjectEventRecorder</code>, which is like the <code>EventRecorder</code> interface, but
scoped to a single object, and a function that returns an <code>ObjectEventRecorder</code> given an
<code>ObjectReference</code> and an <code>EventRecorder</code></li>
<li>Introduce <code>third_party/golang/expansion</code> package that provides:
<ol>
<li>An <code>Expand(string, func(string) string) string</code> function</li>
<li>A <code>MappingFuncFor(ObjectEventRecorder, ...map[string]string) func(string) string</code> function</li>
</ol>
</li>
<li>Make the kubelet expand environment correctly</li>
<li>Make the kubelet expand command correctly</li>
</ol>
<h4 id="event-recording">Event Recording</h4>
<p>In order to provide an event when an expansion references undefined variables, the mapping function
must be able to create an event. In order to facilitate this, we should create a new interface in
the <code>api/client/record</code> package which is similar to <code>EventRecorder</code>, but scoped to a single object:</p>
<div class="highlight">
<pre><code class="language-go">// ObjectEventRecorder knows how to record events about a single object.
type ObjectEventRecorder interface {
// Event constructs an event from the given information and puts it in the queue for sending.
// 'reason' is the reason this event is generated. 'reason' should be short and unique; it will
// be used to automate handling of events, so imagine people writing switch statements to
// handle them. You want to make that easy.
// 'message' is intended to be human readable.
//
// The resulting event will be created in the same namespace as the reference object.
Event(reason, message string)
// Eventf is just like Event, but with Sprintf for the message field.
Eventf(reason, messageFmt string, args ...interface{})
// PastEventf is just like Eventf, but with an option to specify the event's 'timestamp' field.
PastEventf(timestamp unversioned.Time, reason, messageFmt string, args ...interface{})
}
</code></pre>
</div>
<p>There should also be a function that can construct an <code>ObjectEventRecorder</code> from a <code>runtime.Object</code>
and an <code>EventRecorder</code>:</p>
<div class="highlight">
<pre><code class="language-go">type objectRecorderImpl struct {
	object   runtime.Object
	recorder EventRecorder
}

// Event, Eventf and PastEventf forward to the underlying EventRecorder with
// the wrapped object supplied as the event's reference, so all three methods
// of ObjectEventRecorder are satisfied.
func (r *objectRecorderImpl) Event(reason, message string) {
	r.recorder.Event(r.object, reason, message)
}

func (r *objectRecorderImpl) Eventf(reason, messageFmt string, args ...interface{}) {
	r.recorder.Eventf(r.object, reason, messageFmt, args...)
}

func (r *objectRecorderImpl) PastEventf(timestamp unversioned.Time, reason, messageFmt string, args ...interface{}) {
	r.recorder.PastEventf(r.object, timestamp, reason, messageFmt, args...)
}

// ObjectEventRecorderFor scopes an EventRecorder to a single object.
func ObjectEventRecorderFor(object runtime.Object, recorder EventRecorder) ObjectEventRecorder {
	return &amp;objectRecorderImpl{object, recorder}
}
</code></pre>
</div>
<h4 id="expansion-package">Expansion package</h4>
<p>The expansion package should provide two methods:</p>
<div class="highlight">
<pre><code class="language-go">// MappingFuncFor returns a mapping function for use with Expand that
// implements the expansion semantics defined in the expansion spec; it
// returns the input string wrapped in the expansion syntax if no mapping
// for the input is found. If no expansion is found for a key, an event
// is raised on the given recorder.
func MappingFuncFor(recorder record.ObjectEventRecorder, context ...map[string]string) func(string) string {
// ...
}
// Expand replaces variable references in the input string according to
// the expansion spec using the given mapping function to resolve the
// values of variables.
func Expand(input string, mapping func(string) string) string {
// ...
}
</code></pre>
</div>
<h4 id="kubelet-changes">Kubelet changes</h4>
<p>The Kubelet should be made to correctly expand variable references in a container's environment,
command, and args. Changes will need to be made to:</p>
<ol>
<li>The <code>makeEnvironmentVariables</code> function in the kubelet; this is used by
<code>GenerateRunContainerOptions</code>, which is used by both the docker and rkt container runtimes</li>
<li>The docker manager <code>setEntrypointAndCommand</code> func has to be changed to perform variable
expansion</li>
<li>The rkt runtime should be made to support expansion in command and args when support for it is
implemented</li>
</ol>
<h3 id="examples">Examples</h3>
<h4 id="inputs-and-outputs">Inputs and outputs</h4>
<p>These examples are in the context of the mapping:</p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>VAR_A</code></td>
<td><code>"A"</code></td>
</tr>
<tr>
<td><code>VAR_B</code></td>
<td><code>"B"</code></td>
</tr>
<tr>
<td><code>VAR_C</code></td>
<td><code>"C"</code></td>
</tr>
<tr>
<td><code>VAR_REF</code></td>
<td><code>$(VAR_A)</code></td>
</tr>
<tr>
<td><code>VAR_EMPTY</code></td>
<td><code>""</code></td>
</tr>
</tbody>
</table>
<p>No other variables are defined.</p>
<table>
<thead>
<tr>
<th>Input</th>
<th>Result</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>"$(VAR_A)"</code></td>
<td><code>"A"</code></td>
</tr>
<tr>
<td><code>"___$(VAR_B)___"</code></td>
<td><code>"___B___"</code></td>
</tr>
<tr>
<td><code>"___$(VAR_C)"</code></td>
<td><code>"___C"</code></td>
</tr>
<tr>
<td><code>"$(VAR_A)-$(VAR_A)"</code></td>
<td><code>"A-A"</code></td>
</tr>
<tr>
<td><code>"$(VAR_A)-1"</code></td>
<td><code>"A-1"</code></td>
</tr>
<tr>
<td><code>"$(VAR_A)_$(VAR_B)_$(VAR_C)"</code></td>
<td><code>"A_B_C"</code></td>
</tr>
<tr>
<td><code>"$$(VAR_B)_$(VAR_A)"</code></td>
<td><code>"$(VAR_B)_A"</code></td>
</tr>
<tr>
<td><code>"$$(VAR_A)_$$(VAR_B)"</code></td>
<td><code>"$(VAR_A)_$(VAR_B)"</code></td>
</tr>
<tr>
<td><code>"f000-$$VAR_A"</code></td>
<td><code>"f000-$VAR_A"</code></td>
</tr>
<tr>
<td><code>"foo\\$(VAR_C)bar"</code></td>
<td><code>"foo\Cbar"</code></td>
</tr>
<tr>
<td><code>"foo\\\\$(VAR_C)bar"</code></td>
<td><code>"foo\\Cbar"</code></td>
</tr>
<tr>
<td><code>"foo\\\\\\\\$(VAR_A)bar"</code></td>
<td><code>"foo\\\\Abar"</code></td>
</tr>
<tr>
<td><code>"$(VAR_A$(VAR_B))"</code></td>
<td><code>"$(VAR_A$(VAR_B))"</code></td>
</tr>
<tr>
<td><code>"$(VAR_A$(VAR_B)"</code></td>
<td><code>"$(VAR_A$(VAR_B)"</code></td>
</tr>
<tr>
<td><code>"$(VAR_REF)"</code></td>
<td><code>"$(VAR_A)"</code></td>
</tr>
<tr>
<td><code>"%%$(VAR_REF)--$(VAR_REF)%%"</code></td>
<td><code>"%%$(VAR_A)--$(VAR_A)%%"</code></td>
</tr>
<tr>
<td><code>"foo$(VAR_EMPTY)bar"</code></td>
<td><code>"foobar"</code></td>
</tr>
<tr>
<td><code>"foo$(VAR_Awhoops!"</code></td>
<td><code>"foo$(VAR_Awhoops!"</code></td>
</tr>
<tr>
<td><code>"f00__(VAR_A)__"</code></td>
<td><code>"f00__(VAR_A)__"</code></td>
</tr>
<tr>
<td><code>"$?_boo_$!"</code></td>
<td><code>"$?_boo_$!"</code></td>
</tr>
<tr>
<td><code>"$VAR_A"</code></td>
<td><code>"$VAR_A"</code></td>
</tr>
<tr>
<td><code>"$(VAR_DNE)"</code></td>
<td><code>"$(VAR_DNE)"</code></td>
</tr>
<tr>
<td><code>"$$$$$$(BIG_MONEY)"</code></td>
<td><code>"$$$(BIG_MONEY)"</code></td>
</tr>
<tr>
<td><code>"$$$$$$(VAR_A)"</code></td>
<td><code>"$$$(VAR_A)"</code></td>
</tr>
<tr>
<td><code>"$$$$$$$(GOOD_ODDS)"</code></td>
<td><code>"$$$$(GOOD_ODDS)"</code></td>
</tr>
<tr>
<td><code>"$$$$$$$(VAR_A)"</code></td>
<td><code>"$$$A"</code></td>
</tr>
<tr>
<td><code>"$VAR_A)"</code></td>
<td><code>"$VAR_A)"</code></td>
</tr>
<tr>
<td><code>"${VAR_A}"</code></td>
<td><code>"${VAR_A}"</code></td>
</tr>
<tr>
<td><code>"$(VAR_B)_______$(A"</code></td>
<td><code>"B_______$(A"</code></td>
</tr>
<tr>
<td><code>"$(VAR_C)_______$("</code></td>
<td><code>"C_______$("</code></td>
</tr>
<tr>
<td><code>"$(VAR_A)foobarzab$"</code></td>
<td><code>"Afoobarzab$"</code></td>
</tr>
<tr>
<td><code>"foo-\\$(VAR_A"</code></td>
<td><code>"foo-\$(VAR_A"</code></td>
</tr>
<tr>
<td><code>"--$($($($($--"</code></td>
<td><code>"--$($($($($--"</code></td>
</tr>
<tr>
<td><code>"$($($($($--foo$("</code></td>
<td><code>"$($($($($--foo$("</code></td>
</tr>
<tr>
<td><code>"foo0--$($($($("</code></td>
<td><code>"foo0--$($($($("</code></td>
</tr>
<tr>
<td><code>"$(foo$$var)"</code></td>
<td><code>"$(foo$$var)"</code></td>
</tr>
</tbody>
</table>
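<p>The following is an added, self-contained Go example (not the <code>third_party/golang/expansion</code> package itself) that implements <code>Expand</code> and a <code>MappingFuncFor</code> following the rules of the "Syntax" section, the list-of-maps defaulting of the "Scope and ordering of substitutions" section, and the event-on-unresolved-reference requirement of the "Expansion package" section; its results are checked against the rows of the table above. The <code>Recorder</code> interface and <code>memoryRecorder</code> are assumptions standing in for <code>ObjectEventRecorder</code>, and the reason string <code>UnresolvedVariable</code> is a constructed placeholder.</p>

```go
package main

import (
	"bytes"
	"fmt"
)

// Tokens of the $(var) syntax from the "Syntax" section.
const (
	operator        = '$'
	referenceOpener = '('
	referenceCloser = ')'
)

// syntaxWrap re-wraps an unresolved name so the entire reference, syntax
// included, shows up verbatim in the output.
func syntaxWrap(name string) string {
	return "$(" + name + ")"
}

// Recorder stands in for the design's ObjectEventRecorder (an assumption of
// this example); only Event is needed to report unresolved references.
type Recorder interface {
	Event(reason, message string)
}

// memoryRecorder collects events so a caller can inspect them afterwards.
type memoryRecorder struct{ events []string }

func (m *memoryRecorder) Event(reason, message string) {
	m.events = append(m.events, reason+": "+message)
}

// MappingFuncFor consults the maps in order, so earlier maps win and later
// ones supply defaults (container env first, service env as the fallback).
// A name found in no map is returned wrapped in the syntax and an event is
// recorded, as the "Expansion package" section requires.
func MappingFuncFor(recorder Recorder, context ...map[string]string) func(string) string {
	return func(name string) string {
		for _, vars := range context {
			if val, ok := vars[name]; ok {
				return val
			}
		}
		if recorder != nil {
			recorder.Event("UnresolvedVariable", fmt.Sprintf("variable %q is not defined", name))
		}
		return syntaxWrap(name)
	}
}

// tryReadReference inspects the bytes that follow an operator. It returns
// the variable name (or the literal bytes to emit), whether a well-formed
// reference was read, and how many bytes past the operator were consumed.
func tryReadReference(rest string) (string, bool, int) {
	switch rest[0] {
	case operator:
		return "$", false, 1 // "$$" escapes the operator: one literal "$"
	case referenceOpener:
		for i := 1; i < len(rest); i++ {
			if rest[i] == referenceCloser {
				return rest[1:i], true, i + 1
			}
		}
		return "$(", false, 1 // no closer: "$(" are ordinary characters
	default:
		return "$" + rest[:1], false, 1 // lone "$": copy it and the next byte
	}
}

// Expand replaces every well-formed $(name) in input via mapping, applying
// the escape and malformed-reference rules of the "Syntax" section.
func Expand(input string, mapping func(string) string) string {
	var buf bytes.Buffer
	checkpoint := 0 // start of the input not yet copied into buf
	for cursor := 0; cursor < len(input); cursor++ {
		if input[cursor] == operator && cursor+1 < len(input) {
			buf.WriteString(input[checkpoint:cursor])
			read, isRef, advance := tryReadReference(input[cursor+1:])
			if isRef {
				buf.WriteString(mapping(read))
			} else {
				buf.WriteString(read)
			}
			cursor += advance
			checkpoint = cursor + 1
		}
	}
	// A trailing "$" or any other unread tail is copied through untouched.
	return buf.String() + input[checkpoint:]
}

func main() {
	rec := &memoryRecorder{}
	// constructed sample maps: the first wins, the second supplies defaults
	mapping := MappingFuncFor(rec, map[string]string{"VAR_A": "A"}, map[string]string{"VAR_A": "x", "VAR_B": "B"})
	fmt.Println(Expand("$$$$$$$(VAR_A)-$(VAR_B)-$(VAR_DNE)", mapping), rec.events)
}
```

<p>Two points the table makes are visible in the code: the mapping function never re-expands the value it returns, which is why <code>$(VAR_REF)</code> yields the literal <code>$(VAR_A)</code>, and the <code>$$</code> escape is consumed by <code>Expand</code> before a name reaches the mapping, so a name such as <code>foo$$var</code> inside a reference is looked up exactly as written and, being undefined, comes back unchanged.</p>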
<h4 id="in-a-pod-building-a-url">In a pod: building a URL</h4>
<p>Notice the <code>$(var)</code> syntax.</p>
<div class="highlight">
<pre><code class="language-yaml">apiVersion: v1
kind: Pod
metadata:
name: expansion-pod
spec:
containers:
- name: test-container
image: gcr.io/google_containers/busybox
command: [ "/bin/sh", "-c", "env" ]
env:
- name: PUBLIC_URL
value: "http://$(GITSERVER_SERVICE_HOST):$(GITSERVER_SERVICE_PORT)"
restartPolicy: Never
</code></pre>
</div>
<h4 id="in-a-pod-building-a-url-using-downward-api">In a pod: building a URL using downward API</h4>
<div class="highlight">
<pre><code class="language-yaml">apiVersion: v1
kind: Pod
metadata:
name: expansion-pod
spec:
containers:
- name: test-container
image: gcr.io/google_containers/busybox
command: [ "/bin/sh", "-c", "env" ]
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: "metadata.namespace"
- name: PUBLIC_URL
value: "http://gitserver.$(POD_NAMESPACE):$(SERVICE_PORT)"
restartPolicy: Never
</code></pre>
</div>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>

<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<title>Kubernetes - Adding custom resources to the Kubernetes API server</title>
</head>
<body>
<section id="encyclopedia">
<div id="docsContent">
<h1 id="adding-custom-resources-to-the-kubernetes-api-server">Adding custom resources to the Kubernetes API server</h1>
<p>This document describes the design for implementing the storage of custom API types in the Kubernetes API Server.</p>
<h2 id="resource-model">Resource Model</h2>
<h3 id="the-thirdpartyresource">The ThirdPartyResource</h3>
<p>The <code>ThirdPartyResource</code> resource describes the multiple versions of a custom resource that the user wants to add
to the Kubernetes API. <code>ThirdPartyResource</code> is a non-namespaced resource; attempting to place it in a namespace
will return an error.</p>
<p>Each <code>ThirdPartyResource</code> resource has the following:</p>
<ul>
<li>Standard Kubernetes object metadata.</li>
<li>ResourceKind - The kind of the resources described by this third party resource.</li>
<li>Description - A free text description of the resource.</li>
<li>APIGroup - An API group that this resource should be placed into.</li>
<li>Versions - One or more <code>Version</code> objects.</li>
</ul>
<h3 id="the-version-object">The <code>Version</code> Object</h3>
<p>The <code>Version</code> object describes a single concrete version of a custom resource. The <code>Version</code> object currently
only specifies:</p>
<ul>
<li>The <code>Name</code> of the version.</li>
<li>The <code>APIGroup</code> this version should belong to.</li>
</ul>
<h2 id="expectations-about-third-party-objects">Expectations about third party objects</h2>
<p>Every object that is added to a third-party Kubernetes object store is expected to contain Kubernetes
compatible <a href="../devel/api-conventions.html#metadata">object metadata</a>. This requirement enables the
Kubernetes API server to provide the following features:</p>
<ul>
<li>Filtering lists of objects via LabelQueries</li>
<li><code>resourceVersion</code>-based optimistic concurrency via compare-and-swap</li>
<li>Versioned storage</li>
<li>Event recording</li>
<li>Integration with basic <code>kubectl</code> command line tooling.</li>
<li>Watch for resource changes.</li>
</ul>
<p>The <code>Kind</code> for an instance of a third-party object (e.g. CronTab) below is expected to be
programmatically convertible to the name of the resource using
the following conversion. Kinds are expected to be of the form <code>&lt;CamelCaseKind&gt;</code>, the
<code>APIVersion</code> for the object is expected to be <code>&lt;domain-name&gt;/&lt;api-group&gt;/&lt;api-version&gt;</code>.</p>
<p>For example <code>example.com/stable/v1</code></p>
<p><code>domain-name</code> is expected to be a fully qualified domain name.</p>
<p>CamelCaseKind is the specific type name.</p>
<p>To convert this into the <code>metadata.name</code> for the <code>ThirdPartyResource</code> resource instance,
the <code>&lt;domain-name&gt;</code> is copied verbatim and the <code>CamelCaseKind</code> is
converted to lower case with a <code>-</code> inserted before each capital letter; the first character is assumed to be
capitalized and does not get a leading <code>-</code>. In pseudo code:</p>
<div class="highlight">
<pre><code class="language-go">func kindToResourceName(kindName string) string {
	var result []byte
	for ix := range kindName {
		c := kindName[ix]
		if c &gt;= 'A' &amp;&amp; c &lt;= 'Z' {
			if ix &gt; 0 { // first character is assumed capitalized: no leading '-'
				result = append(result, '-')
			}
			c += 'a' - 'A' // toLowerCase
		}
		result = append(result, c)
	}
	return string(result)
}
</code></pre>
</div>
<p>As a concrete example, the resource named <code>camel-case-kind.example.com</code> defines resources of Kind <code>CamelCaseKind</code>, in
the APIGroup with the prefix <code>example.com/...</code>.</p>
<p>The reason for this is to enable rapid lookup of a <code>ThirdPartyResource</code> object given the kind information.
This is also the reason why <code>ThirdPartyResource</code> is not namespaced.</p>
<h2 id="usage">Usage</h2>
<p>When a user creates a new <code>ThirdPartyResource</code>, the Kubernetes API Server reacts by creating a new, namespaced
RESTful resource path. For now, non-namespaced objects are not supported. As with existing built-in objects,
deleting a namespace deletes all third party resources in that namespace.</p>
<p>For example, if a user creates:</p>
<div class="highlight">
<pre><code class="language-yaml">metadata:
name: cron-tab.example.com
apiVersion: extensions/v1beta1
kind: ThirdPartyResource
description: "A specification of a Pod to run on a cron style schedule"
versions:
- name: stable/v1
- name: experimental/v2
</code></pre>
</div>
<p>Then the API server will program in two new RESTful resource paths:</p>
<ul>
<li><code>/thirdparty/example.com/stable/v1/namespaces/&lt;namespace&gt;/crontabs/...</code></li>
<li><code>/thirdparty/example.com/experimental/v2/namespaces/&lt;namespace&gt;/crontabs/...</code></li>
</ul>
<p>Now that this schema has been created, a user can <code>POST</code>:</p>
<div class="highlight">
<pre><code class="language-json">{
"metadata": {
"name": "my-new-cron-object"
},
"apiVersion": "example.com/stable/v1",
"kind": "CronTab",
"cronSpec": "* * * * /5",
"image": "my-awesome-chron-image"
}
</code></pre>
</div>
<p>to: <code>/third-party/example.com/stable/v1/namespaces/default/crontabs/my-new-cron-object</code></p>
<p>and the corresponding data will be stored into etcd by the APIServer, so that when the user issues:</p>
<pre><code>
GET /third-party/example.com/stable/v1/namespaces/default/crontabs/my-new-cron-object
</code></pre>
<p>they will get back the same data, but with additional Kubernetes metadata
(e.g. <code>resourceVersion</code>, <code>createdTimestamp</code>) filled in.</p>
<p>Likewise, to list all resources, a user can issue:</p>
<pre><code>
GET /third-party/example.com/stable/v1/namespaces/default/crontabs
</code></pre>
<p>and get back:</p>
<div class="highlight">
<pre><code class="language-json">{
"apiVersion": "example.com/stable/v1",
"kind": "CronTabList",
"items": [
{
"metadata": {
"name": "my-new-cron-object"
},
"apiVersion": "example.com/stable/v1",
"kind": "CronTab",
"cronSpec": "* * * * /5",
"image": "my-awesome-chron-image"
}
]
}
</code></pre>
</div>
<p>Because all objects are expected to contain standard Kubernetes metadata fields, these
list operations can also use <code>Label</code> queries to filter requests down to specific subsets.</p>
<p>Likewise, clients can use watch endpoints to watch for changes to stored objects.</p>
<h2 id="storage">Storage</h2>
<p>In order to store custom user data in a versioned fashion inside of etcd, we need to also introduce a
<code>Codec</code>-compatible object for persistent storage in etcd. This object is <code>ThirdPartyResourceData</code> and it contains:</p>
<ul>
<li>Standard API Metadata</li>
<li><code>Data</code>: The raw JSON data for this custom object.</li>
</ul>
<h3 id="storage-key-specification">Storage key specification</h3>
<p>Each custom object stored by the API server needs a custom key in storage; the key is described below:</p>
<h4 id="definitions">Definitions</h4>
<ul>
<li><code>resource-namespace</code>: the namespace of the particular resource that is being stored</li>
<li><code>resource-name</code>: the name of the particular resource being stored</li>
<li><code>third-party-resource-namespace</code>: the namespace of the <code>ThirdPartyResource</code> resource that represents the type for the specific instance being stored.</li>
<li><code>third-party-resource-name</code>: the name of the <code>ThirdPartyResource</code> resource that represents the type for the specific instance being stored.</li>
</ul>
<h4 id="key">Key</h4>
<p>Given the definitions above, the key for a specific third-party object is:</p>
<pre><code>
${standard-k8s-prefix}/third-party-resources/${third-party-resource-namespace}/${third-party-resource-name}/${resource-namespace}/${resource-name}
</code></pre>
<p>Thus, listing a third-party resource can be achieved by listing the directory:</p>
<pre><code>
${standard-k8s-prefix}/third-party-resources/${third-party-resource-namespace}/${third-party-resource-name}/${resource-namespace}/
</code></pre>
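<p>As an added illustration (example code, not part of the Kubernetes code base), the following Go program ties together the naming rules of the "Expectations about third party objects" section, the REST paths of the "Usage" section and the key layout of this "Key" section: it validates an <code>apiVersion</code>/<code>Kind</code> pair, derives the <code>ThirdPartyResource</code> <code>metadata.name</code> with the dash conversion, and builds the per-object REST path and storage key. The type and function names are this example's own; the plural form (lower-cased kind plus <code>s</code>) is an assumption taken from the page's <code>CronTab</code> to <code>crontabs</code> example, the path uses the <code>/thirdparty/</code> spelling from the Usage section (the page also writes <code>/third-party/</code>), and <code>${standard-k8s-prefix}</code> and <code>${third-party-resource-namespace}</code> are passed through as parameters.</p>

```go
package main

import (
	"fmt"
	"strings"
)

// ThirdPartyKind identifies one concrete version of a custom resource as the
// design describes it: Kind "CronTab" under apiVersion "example.com/stable/v1".
// (Example type, not a Kubernetes API type.)
type ThirdPartyKind struct {
	Domain  string // fully qualified domain name, e.g. example.com
	Group   string // api-group, e.g. stable
	Version string // api-version, e.g. v1
	Kind    string // CamelCaseKind, e.g. CronTab
}

// ParseThirdPartyKind validates and splits "<domain-name>/<api-group>/<api-version>"
// plus a CamelCase kind. Rejecting unqualified domains and lower-case kinds
// here keeps ill-formed names out of REST paths and storage keys.
func ParseThirdPartyKind(apiVersion, kind string) (ThirdPartyKind, error) {
	parts := strings.Split(apiVersion, "/")
	if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
		return ThirdPartyKind{}, fmt.Errorf("apiVersion %q is not <domain-name>/<api-group>/<api-version>", apiVersion)
	}
	if !strings.Contains(parts[0], ".") {
		return ThirdPartyKind{}, fmt.Errorf("domain %q is not a fully qualified domain name", parts[0])
	}
	if kind == "" || kind[0] < 'A' || kind[0] > 'Z' {
		return ThirdPartyKind{}, fmt.Errorf("kind %q must be CamelCase and start with a capital letter", kind)
	}
	return ThirdPartyKind{Domain: parts[0], Group: parts[1], Version: parts[2], Kind: kind}, nil
}

// DashedKind applies the page's conversion: each capital letter starts a new
// lower-case segment separated by '-', and the (assumed capitalized) first
// character gets no leading dash: "CamelCaseKind" -> "camel-case-kind".
func DashedKind(kind string) string {
	var b strings.Builder
	for i := 0; i < len(kind); i++ {
		c := kind[i]
		if c >= 'A' && c <= 'Z' {
			if i > 0 {
				b.WriteByte('-')
			}
			c += 'a' - 'A'
		}
		b.WriteByte(c)
	}
	return b.String()
}

// ResourceName is the ThirdPartyResource metadata.name the API server looks up
// for this kind: "<dashed-kind>.<domain-name>", e.g. "cron-tab.example.com".
func (k ThirdPartyKind) ResourceName() string {
	return DashedKind(k.Kind) + "." + k.Domain
}

// RESTPath builds the namespaced path the Usage section shows the API server
// programming for one version; name may be empty for the collection path.
// The plural is the lower-cased kind plus "s" (assumption from CronTab -> crontabs).
func (k ThirdPartyKind) RESTPath(namespace, name string) string {
	p := fmt.Sprintf("/thirdparty/%s/%s/%s/namespaces/%s/%ss",
		k.Domain, k.Group, k.Version, namespace, strings.ToLower(k.Kind))
	if name != "" {
		p += "/" + name
	}
	return p
}

// StorageKey follows the Key section's layout for one stored object; prefix is
// ${standard-k8s-prefix} and tprNamespace is ${third-party-resource-namespace},
// both passed through unchanged.
func (k ThirdPartyKind) StorageKey(prefix, tprNamespace, namespace, name string) string {
	return fmt.Sprintf("%s/third-party-resources/%s/%s/%s/%s",
		prefix, tprNamespace, k.ResourceName(), namespace, name)
}

func main() {
	k, err := ParseThirdPartyKind("example.com/stable/v1", "CronTab")
	if err != nil {
		panic(err)
	}
	fmt.Println(k.ResourceName())
	fmt.Println(k.RESTPath("default", "my-new-cron-object"))
	// "/registry" is a constructed placeholder for ${standard-k8s-prefix}
	fmt.Println(k.StorageKey("/registry", "default", "default", "my-new-cron-object"))
}
```

<p>Validating before any path or key is built matters because both strings become path and storage-key segments: a kind spelled <code>cronTab</code> would otherwise produce the same <code>cron-tab.example.com</code> name as <code>CronTab</code> and make the lookup from kind to <code>ThirdPartyResource</code> ambiguous, and an unqualified domain would collide across tenants that share the prefix.</p>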
</div>
</section>
</body>
</html>

<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<title>Kubernetes - Horizontal Pod Autoscaling</title>
</head>
<body>
<section id="encyclopedia">
<div id="docsContent">
<h1 id="horizontal-pod-autoscaling">Horizontal Pod Autoscaling</h1>
<h2 id="preface">Preface</h2>
<p>This document briefly describes the design of the horizontal autoscaler for pods.
The autoscaler (implemented as a Kubernetes API resource and controller) is responsible for dynamically controlling
the number of replicas of some collection (e.g. the pods of a ReplicationController) to meet some objective(s),
for example a target per-pod CPU utilization.</p>
<p>This design supersedes <a href="http://releases.k8s.io/release-1.1/docs/proposals/autoscaling.md">autoscaling.md</a>.</p>
<h2 id="overview">Overview</h2>
<p>The resource usage of a serving application usually varies over time: sometimes the demand for the application rises,
and sometimes it drops.
In Kubernetes version 1.0, a user can only manually set the number of serving pods.
Our aim is to provide a mechanism for the automatic adjustment of the number of pods based on CPU utilization statistics
(a future version will allow autoscaling based on other resources/metrics).</p>
<h2 id="scale-subresource">Scale Subresource</h2>
<p>In Kubernetes version 1.1, we are introducing the Scale subresource and implementing horizontal autoscaling of pods based on it.
The Scale subresource is supported for replication controllers and deployments.
It is a virtual resource (it does not correspond to an object stored in etcd).
It is only present in the API as an interface that a controller (in this case the HorizontalPodAutoscaler) can use to dynamically scale
the number of replicas controlled by some other API object (currently ReplicationController and Deployment) and to learn the current number of replicas.
Scale is a subresource of the API object that it serves as the interface for.
The Scale subresource is useful because whenever we introduce another type we want to autoscale, we just need to implement the Scale subresource for it.
The wider discussion regarding Scale took place in <a href="https://github.com/kubernetes/kubernetes/issues/1629">#1629</a>.</p>
<p>The Scale subresource is exposed in the API for a replication controller or deployment under the following paths:</p>
<p><code>apis/extensions/v1beta1/replicationcontrollers/myrc/scale</code></p>
<p><code>apis/extensions/v1beta1/deployments/mydeployment/scale</code></p>
<p>It has the following structure:</p>
<div class="highlight">
<pre><code class="language-go">// represents a scaling request for a resource.
type Scale struct {
unversioned.TypeMeta
api.ObjectMeta
// defines the behavior of the scale.
Spec ScaleSpec
// current status of the scale.
Status ScaleStatus
}
// describes the attributes of a scale subresource
type ScaleSpec struct {
// desired number of instances for the scaled object.
Replicas int `json:"replicas,omitempty"`
}
// represents the current status of a scale subresource.
type ScaleStatus struct {
// actual number of observed instances of the scaled object.
Replicas int `json:"replicas"`
// label query over pods that should match the replicas count.
Selector map[string]string `json:"selector,omitempty"`
}
</code></pre>
</div>
<p>Writing to <code>ScaleSpec.Replicas</code> resizes the replication controller/deployment associated with
the given Scale subresource.
<code>ScaleStatus.Replicas</code> reports how many pods are currently running in the replication controller/deployment,
and <code>ScaleStatus.Selector</code> returns selector for the pods.</p>
<h2 id="horizontalpodautoscaler-object">HorizontalPodAutoscaler Object</h2>
<p>In Kubernetes version 1.1, we are introducing HorizontalPodAutoscaler object. It is accessible under:</p>
<p><code>apis/extensions/v1beta1/horizontalpodautoscalers/myautoscaler</code></p>
<p>It has the following structure:</p>
<div class="highlight">
<pre><code class="language-go">// configuration of a horizontal pod autoscaler.
type HorizontalPodAutoscaler struct {
unversioned.TypeMeta
api.ObjectMeta
// behavior of autoscaler.
Spec HorizontalPodAutoscalerSpec
// current information about the autoscaler.
Status HorizontalPodAutoscalerStatus
}
// specification of a horizontal pod autoscaler.
type HorizontalPodAutoscalerSpec struct {
// reference to Scale subresource; horizontal pod autoscaler will learn the current resource
// consumption from its status,and will set the desired number of pods by modifying its spec.
ScaleRef SubresourceReference
// lower limit for the number of pods that can be set by the autoscaler, default 1.
MinReplicas *int
// upper limit for the number of pods that can be set by the autoscaler.
// It cannot be smaller than MinReplicas.
MaxReplicas int
// target average CPU utilization (represented as a percentage of requested CPU) over all the pods;
// if not specified it defaults to the target CPU utilization at 80% of the requested resources.
CPUUtilization *CPUTargetUtilization
}
type CPUTargetUtilization struct {
// fraction of the requested CPU that should be utilized/used,
// e.g. 70 means that 70% of the requested CPU should be in use.
TargetPercentage int
}
// current status of a horizontal pod autoscaler
type HorizontalPodAutoscalerStatus struct {
// most recent generation observed by this autoscaler.
ObservedGeneration *int64
// last time the HorizontalPodAutoscaler scaled the number of pods;
// used by the autoscaler to control how often the number of pods is changed.
LastScaleTime *unversioned.Time
// current number of replicas of pods managed by this autoscaler.
CurrentReplicas int
// desired number of replicas of pods managed by this autoscaler.
DesiredReplicas int
// current average CPU utilization over all pods, represented as a percentage of requested CPU,
// e.g. 70 means that an average pod is using now 70% of its requested CPU.
CurrentCPUUtilizationPercentage *int
}
</code></pre>
</div>
<p><code>ScaleRef</code> is a reference to the Scale subresource.
<code>MinReplicas</code>, <code>MaxReplicas</code> and <code>CPUUtilization</code> define autoscaler configuration.
We are also introducing HorizontalPodAutoscalerList object to enable listing all autoscalers in a namespace:</p>
<div class="highlight">
<pre><code class="language-go">// list of horizontal pod autoscaler objects.
type HorizontalPodAutoscalerList struct {
unversioned.TypeMeta
unversioned.ListMeta
// list of horizontal pod autoscaler objects.
Items []HorizontalPodAutoscaler
}
</code></pre>
</div>
<h2 id="autoscaling-algorithm">Autoscaling Algorithm</h2>
<p>The autoscaler is implemented as a control loop. It periodically queries pods described by <code>Status.PodSelector</code> of Scale subresource, and collects their CPU utilization.
Then, it compares the arithmetic mean of the pods CPU utilization with the target defined in <code>Spec.CPUUtilization</code>,
and adjust the replicas of the Scale if needed to match the target
(preserving condition: MinReplicas &lt;= Replicas &lt;= MaxReplicas).</p>
<p>The period of the autoscaler is controlled by <code>--horizontal-pod-autoscaler-sync-period</code> flag of controller manager.
The default value is 30 seconds.</p>
<p>CPU utilization is the recent CPU usage of a pod (average across the last 1 minute) divided by the CPU requested by the pod.
In Kubernetes version 1.1, CPU usage is taken directly from Heapster.
In future, there will be API on master for this purpose
(see <a href="https://github.com/kubernetes/kubernetes/issues/11951">#11951</a>).</p>
<p>The target number of pods is calculated from the following formula:</p>
<pre><code>
TargetNumOfPods = ceil(sum(CurrentPodsCPUUtilization) / Target)
</code></pre>
<p>Starting and stopping pods may introduce noise to the metric (for instance, starting may temporarily increase CPU).
So, after each action, the autoscaler should wait some time for reliable data.
Scale-up can only happen if there was no rescaling within the last 3 minutes.
Scale-down will wait for 5 minutes from the last rescaling.
Moreover any scaling will only be made if: <code>avg(CurrentPodsConsumption) / Target</code> drops below 0.9 or increases above 1.1 (10% tolerance).
Such approach has two benefits:</p>
<ul>
<li>
<p>Autoscaler works in a conservative way.
If new user load appears, it is important for us to rapidly increase the number of pods,
so that user requests will not be rejected.
Lowering the number of pods is not that urgent.</p>
</li>
<li>
<p>Autoscaler avoids thrashing, i.e.: prevents rapid execution of conflicting decision if the load is not stable.</p>
</li>
</ul>
<h2 id="relative-vs-absolute-metrics">Relative vs. absolute metrics</h2>
<p>We chose values of the target metric to be relative (e.g. 90% of requested CPU resource) rather than absolute (e.g. 0.6 core) for the following reason.
If we choose absolute metric, user will need to guarantee that the target is lower than the request.
Otherwise, overloaded pods may not be able to consume more than the autoscalers absolute target utilization,
thereby preventing the autoscaler from seeing high enough utilization to trigger it to scale up.
This may be especially troublesome when user changes requested resources for a pod
because they would need to also change the autoscaler utilization threshold.
Therefore, we decided to choose relative metric.
For user, it is enough to set it to a value smaller than 100%, and further changes of requested resources will not invalidate it.</p>
<h2 id="support-in-kubectl">Support in kubectl</h2>
<p>To make manipulation of HorizontalPodAutoscaler object simpler, we added support for
creating/updating/deleting/listing of HorizontalPodAutoscaler to kubectl.
In addition, in future, we are planning to add kubectl support for the following use-cases:
* When creating a replication controller or deployment with <code>kubectl create [-f]</code>, there should be
a possibility to specify an additional autoscaler object.
(This should work out-of-the-box when creation of autoscaler is supported by kubectl as we may include
multiple objects in the same config file).
* <em>[future]</em> When running an image with <code>kubectl run</code>, there should be an additional option to create
an autoscaler for it.
* <em>[future]</em> We will add a new command <code>kubectl autoscale</code> that will allow for easy creation of an autoscaler object
for already existing replication controller/deployment.</p>
<h2 id="next-steps">Next steps</h2>
<p>We list here some features that are not supported in Kubernetes version 1.1.
However, we want to keep them in mind, as they will most probably be needed in future.
Our design is in general compatible with them.
* <em>[future]</em> <strong>Autoscale pods based on metrics different than CPU</strong> (e.g. memory, network traffic, qps).
This includes scaling based on a custom/application metric.
* <em>[future]</em> <strong>Autoscale pods base on an aggregate metric.</strong>
Autoscaler, instead of computing average for a target metric across pods, will use a single, external, metric (e.g. qps metric from load balancer).
The metric will be aggregated while the target will remain per-pod
(e.g. when observing 100 qps on load balancer while the target is 20 qps per pod, autoscaler will set the number of replicas to 5).
* <em>[future]</em> <strong>Autoscale pods based on multiple metrics.</strong>
If the target numbers of pods for different metrics are different, choose the largest target number of pods.
* <em>[future]</em> <strong>Scale the number of pods starting from 0.</strong>
All pods can be turned-off, and then turned-on when there is a demand for them.
When a request to service with no pods arrives, kube-proxy will generate an event for autoscaler
to create a new pod.
Discussed in <a href="https://github.com/kubernetes/kubernetes/issues/3247">#3247</a>.
* <em>[future]</em> <strong>When scaling down, make more educated decision which pods to kill.</strong>
E.g.: if two or more pods from the same replication controller are on the same node, kill one of them.
Discussed in <a href="https://github.com/kubernetes/kubernetes/issues/4301">#4301</a>.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/horizontal-pod-autoscaler.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
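Review bot: the Autoscaling Algorithm prose refers to `Status.PodSelector` of the Scale subresource, but the `ScaleStatus` struct shown earlier in this file names that field `Selector map[string]string \`json:"selector,omitempty"\``; the text and the type should agree on one name. The same section's tolerance sentence uses `avg(CurrentPodsConsumption) / Target` while the formula block uses `sum(CurrentPodsCPUUtilization)` and the spec field is `CPUUtilization`, so a reader is left guessing whether consumption and utilization are the same quantity; pick one term. The formula block also opens with a blank line inside `<pre><code>`, which renders as an empty first row. In the Support in kubectl and Next steps sections the Markdown bullets were not converted: the literal `* ` markers sit inside a single `<p>`, so each list renders as one run-on paragraph; the source needs a blank line before the list, or the HTML should carry `<ul>`/`<li>` as the Autoscaling Algorithm section already does. Template-level, the nav boxes link to `href=""` and carry lorem ipsum copy, the footer Community link points at `/foobang.html`, and the analytics anchor `<a href="">` wraps an `<img>` fetched from kubernetes-site.appspot.com with the source path in the query string, so every page view reports to that host; that is fine if intended, but it should be a deliberate choice for the pure-Jekyll pages rather than munge residue carried forward.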

View File

@ -0,0 +1,271 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Identifiers and Names in Kubernetes</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Identifiers and Names in Kubernetes</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="identifiers-and-names-in-kubernetes">Identifiers and Names in Kubernetes</h1>
<p>A summarization of the goals and recommendations for identifiers in Kubernetes. Described in <a href="http://issue.k8s.io/199">GitHub issue #199</a>.</p>
<h2 id="definitions">Definitions</h2>
<dl>
<dt>UID</dt>
<dd>A non-empty, opaque, system-generated value guaranteed to be unique in time and space; intended to distinguish between historical occurrences of similar entities.</dd>
<dt>Name</dt>
<dd>A non-empty string guaranteed to be unique within a given scope at a particular time; used in resource URLs; provided by clients at creation time and encouraged to be human friendly; intended to facilitate creation idempotence and space-uniqueness of singleton objects, distinguish distinct entities, and reference particular entities across operations.</dd>
<dt><a href="http://www.ietf.org/rfc/rfc1035.txt">rfc1035</a>/<a href="http://www.ietf.org/rfc/rfc1123.txt">rfc1123</a> label (DNS_LABEL)</dt>
<dd>An alphanumeric (a-z, and 0-9) string, with a maximum length of 63 characters, with the - character allowed anywhere except the first or last character, suitable for use as a hostname or segment in a domain name</dd>
<dt><a href="http://www.ietf.org/rfc/rfc1035.txt">rfc1035</a>/<a href="http://www.ietf.org/rfc/rfc1123.txt">rfc1123</a> subdomain (DNS_SUBDOMAIN)</dt>
<dd>One or more lowercase rfc1035/rfc1123 labels separated by . with a maximum length of 253 characters</dd>
<dt><a href="http://www.ietf.org/rfc/rfc4122.txt">rfc4122</a> universally unique identifier (UUID)</dt>
<dd>A 128 bit generated value that is extremely unlikely to collide across time and space and requires no central coordination</dd>
<dt><a href="https://tools.ietf.org/rfc/rfc6335.txt">rfc6335</a> port name (IANA_SVC_NAME)</dt>
<dd>An alphanumeric (a-z, and 0-9) string, with a maximum length of 15 characters, with the - character allowed anywhere except the first or the last character or adjacent to another - character, it must contain at least a (a-z) character</dd>
</dl>
<h2 id="objectives-for-names-and-uids">Objectives for names and UIDs</h2>
<ol>
<li>
<p>Uniquely identify (via a UID) an object across space and time</p>
</li>
<li>
<p>Uniquely name (via a name) an object across space</p>
</li>
<li>
<p>Provide human-friendly names in API operations and/or configuration files</p>
</li>
<li>
<p>Allow idempotent creation of API resources (#148) and enforcement of space-uniqueness of singleton objects</p>
</li>
<li>
<p>Allow DNS names to be automatically generated for some objects</p>
</li>
</ol>
<h2 id="general-design">General design</h2>
<ol>
<li>When an object is created via an API, a Name string (a DNS_SUBDOMAIN) must be specified. Name must be non-empty and unique within the apiserver. This enables idempotent and space-unique creation operations. Parts of the system (e.g. replication controller) may join strings (e.g. a base name and a random suffix) to create a unique Name. For situations where generating a name is impractical, some or all objects may support a param to auto-generate a name. Generating random names will defeat idempotency.
<ul>
<li>Examples: “guestbook.user”, “backend-x4eb1”</li>
</ul>
</li>
<li>When an object is created via an API, a Namespace string (a DNS_SUBDOMAIN? format TBD via #1114) may be specified. Depending on the API receiver, namespaces might be validated (e.g. apiserver might ensure that the namespace actually exists). If a namespace is not specified, one will be assigned by the API receiver. This assignment policy might vary across API receivers (e.g. apiserver might have a default, kubelet might generate something semi-random).
<ul>
<li>Example: “api.k8s.example.com”</li>
</ul>
</li>
<li>Upon acceptance of an object via an API, the object is assigned a UID (a UUID). UID must be non-empty and unique across space and time.
<ul>
<li>Example: “01234567-89ab-cdef-0123-456789abcdef”</li>
</ul>
</li>
</ol>
<h2 id="case-study-scheduling-a-pod">Case study: Scheduling a pod</h2>
<p>Pods can be placed onto a particular node in a number of ways. This case
study demonstrates how the above design can be applied to satisfy the
objectives.</p>
<h3 id="a-pod-scheduled-by-a-user-through-the-apiserver">A pod scheduled by a user through the apiserver</h3>
<ol>
<li>
<p>A user submits a pod with Namespace=”” and Name=”guestbook” to the apiserver.</p>
</li>
<li>The apiserver validates the input.
<ol>
<li>A default Namespace is assigned.</li>
<li>The pod name must be space-unique within the Namespace.</li>
<li>Each container within the pod has a name which must be space-unique within the pod.</li>
</ol>
</li>
<li>The pod is accepted.
<ol>
<li>A new UID is assigned.</li>
</ol>
</li>
<li>The pod is bound to a node.
<ol>
<li>The kubelet on the node is passed the pods UID, Namespace, and Name.</li>
</ol>
</li>
<li>
<p>Kubelet validates the input.</p>
</li>
<li>Kubelet runs the pod.
<ol>
<li>Each container is started up with enough metadata to distinguish the pod from whence it came.</li>
<li>Each attempt to run a container is assigned a UID (a string) that is unique across time.
<ul>
<li>This may correspond to Dockers container ID.</li>
</ul>
</li>
</ol>
</li>
</ol>
<h3 id="a-pod-placed-by-a-config-file-on-the-node">A pod placed by a config file on the node</h3>
<ol>
<li>
<p>A config file is stored on the node, containing a pod with UID=””, Namespace=””, and Name=”cadvisor”.</p>
</li>
<li>Kubelet validates the input.
<ol>
<li>Since UID is not provided, kubelet generates one.</li>
<li>Since Namespace is not provided, kubelet generates one.
<ol>
<li>The generated namespace should be deterministic and cluster-unique for the source, such as a hash of the hostname and file path.
<ul>
<li>E.g. Namespace=”file-f4231812554558a718a01ca942782d81”</li>
</ul>
</li>
</ol>
</li>
</ol>
</li>
<li>Kubelet runs the pod.
<ol>
<li>Each container is started up with enough metadata to distinguish the pod from whence it came.</li>
<li>Each attempt to run a container is assigned a UID (a string) that is unique across time.
<ol>
<li>This may correspond to Dockers container ID.</li>
</ol>
</li>
</ol>
</li>
</ol>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/identifiers.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
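Review bot: curly apostrophes were dropped during conversion of this file while the curly double quotes survived: `The kubelet on the node is passed the pods UID, Namespace, and Name.` and `This may correspond to Dockers container ID.` read as `pods`/`Dockers` where the source clearly had `pod's`/`Docker's`; check the input encoding the munger reads before generating more pages this way. The title is emitted twice, once as `<h1>Identifiers and Names in Kubernetes</h1>` from the template and again as `<h1 id="identifiers-and-names-in-kubernetes">` from the converted Markdown; a page should carry a single H1, so the template should drop its copy or the converter should demote the body heading. The `rfc6335` definition ends in a comma splice ("adjacent to another - character, it must contain at least a (a-z) character") that reads better as a separate sentence. The nav shares the empty `href=""` links and lorem ipsum text already noted for the horizontal-pod-autoscaler file.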

View File

@ -0,0 +1,152 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Kubernetes Design Overview</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Kubernetes Design Overview</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="kubernetes-design-overview">Kubernetes Design Overview</h1>
<p>Kubernetes is a system for managing containerized applications across multiple hosts, providing basic mechanisms for deployment, maintenance, and scaling of applications.</p>
<p>Kubernetes establishes robust declarative primitives for maintaining the desired state requested by the user. We see these primitives as the main value added by Kubernetes. Self-healing mechanisms, such as auto-restarting, re-scheduling, and replicating containers require active controllers, not just imperative orchestration.</p>
<p>Kubernetes is primarily targeted at applications composed of multiple containers, such as elastic, distributed micro-services. It is also designed to facilitate migration of non-containerized application stacks to Kubernetes. It therefore includes abstractions for grouping containers in both loosely coupled and tightly coupled formations, and provides ways for containers to find and communicate with each other in relatively familiar ways.</p>
<p>Kubernetes enables users to ask a cluster to run a set of containers. The system automatically chooses hosts to run those containers on. While Kubernetess scheduler is currently very simple, we expect it to grow in sophistication over time. Scheduling is a policy-rich, topology-aware, workload-specific function that significantly impacts availability, performance, and capacity. The scheduler needs to take into account individual and collective resource requirements, quality of service requirements, hardware/software/policy constraints, affinity and anti-affinity specifications, data locality, inter-workload interference, deadlines, and so on. Workload-specific requirements will be exposed through the API as necessary.</p>
<p>Kubernetes is intended to run on a number of cloud providers, as well as on physical hosts.</p>
<p>A single Kubernetes cluster is not intended to span multiple availability zones. Instead, we recommend building a higher-level layer to replicate complete deployments of highly available applications across multiple zones (see <a href="../admin/multi-cluster.html">the multi-cluster doc</a> and <a href="../proposals/federation.html">cluster federation proposal</a> for more details).</p>
<p>Finally, Kubernetes aspires to be an extensible, pluggable, building-block OSS platform and toolkit. Therefore, architecturally, we want Kubernetes to be built as a collection of pluggable components and layers, with the ability to use alternative schedulers, controllers, storage systems, and distribution mechanisms, and were evolving its current code in that direction. Furthermore, we want others to be able to extend Kubernetes functionality, such as with higher-level PaaS functionality or multi-cluster layers, without modification of core Kubernetes source. Therefore, its API isnt just (or even necessarily mainly) targeted at end users, but at tool and extension developers. Its APIs are intended to serve as the foundation for an open ecosystem of tools, automation systems, and higher-level API layers. Consequently, there are no “internal” inter-component APIs. All APIs are visible and available, including the APIs used by the scheduler, the node controller, the replication-controller manager, Kubelets API, etc. Theres no glass to break in order to handle more complex use cases, one can just access the lower-level APIs in a fully transparent, composable manner.</p>
<p>For more about the Kubernetes architecture, see <a href="architecture.html">architecture</a>.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/README.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
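Review bot: the same apostrophe loss runs through this file: `While Kubernetess scheduler is currently very simple`, `were evolving its current code in that direction`, `its API isnt just`, `Kubelets API`, and `Theres no glass to break` all need the apostrophe restored at the source before conversion, since they change meaning once rendered. The relative links `../admin/multi-cluster.html`, `../proposals/federation.html` and `architecture.html` resolve against this page's URL, and the analytics pixel path shows the source lived at `docs/design/README.md`, so confirm those `.html` targets actually exist at the corresponding paths in the new tree rather than trusting the `.md` to `.html` rewrite. The duplicated H1 (`<h1>Kubernetes Design Overview</h1>` followed by `<h1 id="kubernetes-design-overview">`) and the empty `href=""` links in the nav boxes and the "View On Github" button are the same template issues as in the other files in this commit and should be fixed once in the layout rather than per page.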

View File

@ -0,0 +1,575 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Namespaces</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Namespaces</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="namespaces">Namespaces</h1>
<h2 id="abstract">Abstract</h2>
<p>A Namespace is a mechanism to partition resources created by users into
a logically named group.</p>
<h2 id="motivation">Motivation</h2>
<p>A single cluster should be able to satisfy the needs of multiple user communities.</p>
<p>Each user community wants to be able to work in isolation from other communities.</p>
<p>Each user community has its own:</p>
<ol>
<li>resources (pods, services, replication controllers, etc.)</li>
<li>policies (who can or cannot perform actions in their community)</li>
<li>constraints (this community is allowed this much quota, etc.)</li>
</ol>
<p>A cluster operator may create a Namespace for each unique user community.</p>
<p>The Namespace provides a unique scope for:</p>
<ol>
<li>named resources (to avoid basic naming collisions)</li>
<li>delegated management authority to trusted users</li>
<li>ability to limit community resource consumption</li>
</ol>
<h2 id="use-cases">Use cases</h2>
<ol>
<li>As a cluster operator, I want to support multiple user communities on a single cluster.</li>
<li>As a cluster operator, I want to delegate authority to partitions of the cluster to trusted users
in those communities.</li>
<li>As a cluster operator, I want to limit the amount of resources each community can consume in order
to limit the impact to other communities using the cluster.</li>
<li>As a cluster user, I want to interact with resources that are pertinent to my user community in
isolation of what other user communities are doing on the cluster.</li>
</ol>
<h2 id="design">Design</h2>
<h3 id="data-model">Data Model</h3>
<p>A <em>Namespace</em> defines a logically named group for multiple <em>Kind</em>s of resources.</p>
<div class="highlight">
<pre><code class="language-go">type Namespace struct {
TypeMeta `json:",inline"`
ObjectMeta `json:"metadata,omitempty"`
Spec NamespaceSpec `json:"spec,omitempty"`
Status NamespaceStatus `json:"status,omitempty"`
}
</code></pre>
</div>
<p>A <em>Namespace</em> name is a DNS compatible label.</p>
<p>A <em>Namespace</em> must exist prior to associating content with it.</p>
<p>A <em>Namespace</em> must not be deleted if there is content associated with it.</p>
<p>To associate a resource with a <em>Namespace</em> the following conditions must be satisfied:</p>
<ol>
<li>The resources <em>Kind</em> must be registered as having <em>RESTScopeNamespace</em> with the server</li>
<li>The resources <em>TypeMeta.Namespace</em> field must have a value that references an existing <em>Namespace</em></li>
</ol>
<p>The <em>Name</em> of a resource associated with a <em>Namespace</em> is unique to that <em>Kind</em> in that <em>Namespace</em>.</p>
<p>It is intended to be used in resource URLs; provided by clients at creation time, and encouraged to be
human friendly; intended to facilitate idempotent creation, space-uniqueness of singleton objects,
distinguish distinct entities, and reference particular entities across operations.</p>
<h3 id="authorization">Authorization</h3>
<p>A <em>Namespace</em> provides an authorization scope for accessing content associated with the <em>Namespace</em>.</p>
<p>See <a href="../admin/authorization.html">Authorization plugins</a></p>
<h3 id="limit-resource-consumption">Limit Resource Consumption</h3>
<p>A <em>Namespace</em> provides a scope to limit resource consumption.</p>
<p>A <em>LimitRange</em> defines min/max constraints on the amount of resources a single entity can consume in
a <em>Namespace</em>.</p>
<p>See <a href="admission_control_limit_range.html">Admission control: Limit Range</a></p>
<p>A <em>ResourceQuota</em> tracks aggregate usage of resources in the <em>Namespace</em> and allows cluster operators
to define <em>Hard</em> resource usage limits that a <em>Namespace</em> may consume.</p>
<p>See <a href="admission_control_resource_quota.html">Admission control: Resource Quota</a></p>
<h3 id="finalizers">Finalizers</h3>
<p>Upon creation of a <em>Namespace</em>, the creator may provide a list of <em>Finalizer</em> objects.</p>
<div class="highlight">
<pre><code class="language-go">type FinalizerName string
// These are internal finalizers to Kubernetes, must be qualified name unless defined here
const (
FinalizerKubernetes FinalizerName = "kubernetes"
)
// NamespaceSpec describes the attributes on a Namespace
type NamespaceSpec struct {
// Finalizers is an opaque list of values that must be empty to permanently remove object from storage
Finalizers []FinalizerName
}
</code></pre>
</div>
<p>A <em>FinalizerName</em> is a qualified name.</p>
<p>The API Server enforces that a <em>Namespace</em> can only be deleted from storage if and only if
its <em>Namespace.Spec.Finalizers</em> is empty.</p>
<p>A <em>finalize</em> operation is the only mechanism to modify the <em>Namespace.Spec.Finalizers</em> field post creation.</p>
<p>Each <em>Namespace</em> created has <em>kubernetes</em> as an item in its list of initial <em>Namespace.Spec.Finalizers</em>
set by default.</p>
<h3 id="phases">Phases</h3>
<p>A <em>Namespace</em> may exist in the following phases.</p>
<div class="highlight">
<pre><code class="language-go">type NamespacePhase string
const(
NamespaceActive NamespacePhase = "Active"
NamespaceTerminating NamespaceTerminating = "Terminating"
)
type NamespaceStatus struct {
...
Phase NamespacePhase
}
</code></pre>
</div>
<p>A <em>Namespace</em> is in the <strong>Active</strong> phase if it does not have a <em>ObjectMeta.DeletionTimestamp</em>.</p>
<p>A <em>Namespace</em> is in the <strong>Terminating</strong> phase if it has a <em>ObjectMeta.DeletionTimestamp</em>.</p>
<p><strong>Active</strong></p>
<p>Upon creation, a <em>Namespace</em> goes in the <em>Active</em> phase. This means that content may be associated with
a namespace, and all normal interactions with the namespace are allowed to occur in the cluster.</p>
<p>If a DELETE request occurs for a <em>Namespace</em>, the <em>Namespace.ObjectMeta.DeletionTimestamp</em> is set
to the current server time. A <em>namespace controller</em> observes the change, and sets the <em>Namespace.Status.Phase</em>
to <em>Terminating</em>.</p>
<p><strong>Terminating</strong></p>
<p>A <em>namespace controller</em> watches for <em>Namespace</em> objects that have a <em>Namespace.ObjectMeta.DeletionTimestamp</em>
value set in order to know when to initiate graceful termination of the <em>Namespace</em> associated content that
are known to the cluster.</p>
<p>The <em>namespace controller</em> enumerates each known resource type in that namespace and deletes it one by one.</p>
<p>Admission control blocks creation of new resources in that namespace in order to prevent a race-condition
where the controller could believe all of a given resource type had been deleted from the namespace,
when in fact some other rogue client agent had created new objects. Using admission control in this
scenario allows each of registry implementations for the individual objects to not need to take into account Namespace life-cycle.</p>
<p>Once all objects known to the <em>namespace controller</em> have been deleted, the <em>namespace controller</em>
executes a <em>finalize</em> operation on the namespace that removes the <em>kubernetes</em> value from
the <em>Namespace.Spec.Finalizers</em> list.</p>
<p>If the <em>namespace controller</em> sees a <em>Namespace</em> whose <em>ObjectMeta.DeletionTimestamp</em> is set, and
whose <em>Namespace.Spec.Finalizers</em> list is empty, it will signal the server to permanently remove
the <em>Namespace</em> from storage by sending a final DELETE action to the API server.</p>
<h3 id="rest-api">REST API</h3>
<p>To interact with the Namespace API:</p>
<table>
<thead>
<tr>
<th>Action</th>
<th>HTTP Verb</th>
<th>Path</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>CREATE</td>
<td>POST</td>
<td>/api/{version}/namespaces</td>
<td>Create a namespace</td>
</tr>
<tr>
<td>LIST</td>
<td>GET</td>
<td>/api/{version}/namespaces</td>
<td>List all namespaces</td>
</tr>
<tr>
<td>UPDATE</td>
<td>PUT</td>
<td>/api/{version}/namespaces/{namespace}</td>
<td>Update namespace {namespace}</td>
</tr>
<tr>
<td>DELETE</td>
<td>DELETE</td>
<td>/api/{version}/namespaces/{namespace}</td>
<td>Delete namespace {namespace}</td>
</tr>
<tr>
<td>FINALIZE</td>
<td>POST</td>
<td>/api/{version}/namespaces/{namespace}/finalize</td>
<td>Finalize namespace {namespace}</td>
</tr>
<tr>
<td>WATCH</td>
<td>GET</td>
<td>/api/{version}/watch/namespaces</td>
<td>Watch all namespaces</td>
</tr>
</tbody>
</table>
<p>This specification reserves the name <em>finalize</em> as a sub-resource to namespace.</p>
<p>As a consequence, it is invalid to have a <em>resourceType</em> managed by a namespace whose kind is <em>finalize</em>.</p>
<p>To interact with content associated with a Namespace:</p>
<table>
<thead>
<tr>
<th>Action</th>
<th>HTTP Verb</th>
<th>Path</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>CREATE</td>
<td>POST</td>
<td>/api/{version}/namespaces/{namespace}/{resourceType}/</td>
<td>Create instance of {resourceType} in namespace {namespace}</td>
</tr>
<tr>
<td>GET</td>
<td>GET</td>
<td>/api/{version}/namespaces/{namespace}/{resourceType}/{name}</td>
<td>Get instance of {resourceType} in namespace {namespace} with {name}</td>
</tr>
<tr>
<td>UPDATE</td>
<td>PUT</td>
<td>/api/{version}/namespaces/{namespace}/{resourceType}/{name}</td>
<td>Update instance of {resourceType} in namespace {namespace} with {name}</td>
</tr>
<tr>
<td>DELETE</td>
<td>DELETE</td>
<td>/api/{version}/namespaces/{namespace}/{resourceType}/{name}</td>
<td>Delete instance of {resourceType} in namespace {namespace} with {name}</td>
</tr>
<tr>
<td>LIST</td>
<td>GET</td>
<td>/api/{version}/namespaces/{namespace}/{resourceType}</td>
<td>List instances of {resourceType} in namespace {namespace}</td>
</tr>
<tr>
<td>WATCH</td>
<td>GET</td>
<td>/api/{version}/watch/namespaces/{namespace}/{resourceType}</td>
<td>Watch for changes to a {resourceType} in namespace {namespace}</td>
</tr>
<tr>
<td>WATCH</td>
<td>GET</td>
<td>/api/{version}/watch/{resourceType}</td>
<td>Watch for changes to a {resourceType} across all namespaces</td>
</tr>
<tr>
<td>LIST</td>
<td>GET</td>
<td>/api/{version}/list/{resourceType}</td>
<td>List instances of {resourceType} across all namespaces</td>
</tr>
</tbody>
</table>
<p>The API server verifies the <em>Namespace</em> on resource creation matches the <em>{namespace}</em> on the path.</p>
<p>The API server will associate a resource with a <em>Namespace</em> if not populated by the end-user based on the <em>Namespace</em> context
of the incoming request. If the <em>Namespace</em> of the resource being created, or updated does not match the <em>Namespace</em> on the request,
then the API server will reject the request.</p>
<h3 id="storage">Storage</h3>
<p>A namespace provides a unique identifier space and therefore must be in the storage path of a resource.</p>
<p>In etcd, we want to continue to still support efficient WATCH across namespaces.</p>
<p>Resources that persist content in etcd will have storage paths as follows:</p>
<p>/{k8s_storage_prefix}/{resourceType}/{resource.Namespace}/{resource.Name}</p>
<p>This enables consumers to WATCH /registry/{resourceType} for changes across namespace of a particular {resourceType}.</p>
<h3 id="kubelet">Kubelet</h3>
<p>The kubelet will register pods it sources from a file or http source with a namespace associated with the
<em>cluster-id</em></p>
<h3 id="example-openshift-origin-managing-a-kubernetes-namespace">Example: OpenShift Origin managing a Kubernetes Namespace</h3>
<p>In this example, we demonstrate how the design allows for agents built on-top of
Kubernetes that manage their own set of resource types associated with a <em>Namespace</em>
to take part in Namespace termination.</p>
<p>OpenShift creates a Namespace in Kubernetes</p>
<div class="highlight">
<pre><code class="language-json">{
"apiVersion":"v1",
"kind": "Namespace",
"metadata": {
"name": "development",
"labels": {
"name": "development"
}
},
"spec": {
"finalizers": ["openshift.com/origin", "kubernetes"]
},
"status": {
"phase": "Active"
}
}
</code></pre>
</div>
<p>OpenShift then goes and creates a set of resources (pods, services, etc) associated
with the “development” namespace. It also creates its own set of resources in its
own storage associated with the “development” namespace unknown to Kubernetes.</p>
<p>User deletes the Namespace in Kubernetes, and Namespace now has following state:</p>
<div class="highlight">
<pre><code class="language-json">{
"apiVersion":"v1",
"kind": "Namespace",
"metadata": {
"name": "development",
"deletionTimestamp": "..."
"labels": {
"name": "development"
}
},
"spec": {
"finalizers": ["openshift.com/origin", "kubernetes"]
},
"status": {
"phase": "Terminating"
}
}
</code></pre>
</div>
<p>The Kubernetes <em>namespace controller</em> observes the namespace has a <em>deletionTimestamp</em>
and begins to terminate all of the content in the namespace that it knows about. Upon
success, it executes a <em>finalize</em> action that modifies the <em>Namespace</em> by
removing <em>kubernetes</em> from the list of finalizers:</p>
<div class="highlight">
<pre><code class="language-json">{
"apiVersion":"v1",
"kind": "Namespace",
"metadata": {
"name": "development",
"deletionTimestamp": "..."
"labels": {
"name": "development"
}
},
"spec": {
"finalizers": ["openshift.com/origin"]
},
"status": {
"phase": "Terminating"
}
}
</code></pre>
</div>
<p>OpenShift Origin has its own <em>namespace controller</em> that is observing cluster state, and
it observes the same namespace had a <em>deletionTimestamp</em> assigned to it. It too will go
and purge resources from its own storage that it manages associated with that namespace.
Upon completion, it executes a <em>finalize</em> action and removes the reference to “openshift.com/origin”
from the list of finalizers.</p>
<p>This results in the following state:</p>
<div class="highlight">
<pre><code class="language-json">{
"apiVersion":"v1",
"kind": "Namespace",
"metadata": {
"name": "development",
"deletionTimestamp": "..."
"labels": {
"name": "development"
}
},
"spec": {
"finalizers": []
},
"status": {
"phase": "Terminating"
}
}
</code></pre>
</div>
<p>At this point, the Kubernetes <em>namespace controller</em> in its sync loop will see that the namespace
has a deletion timestamp and that its list of finalizers is empty. As a result, it knows all
content associated from that namespace has been purged. It performs a final DELETE action
to remove that Namespace from the storage.</p>
<p>At this point, all content associated with that Namespace, and the Namespace itself are gone.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/namespaces.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
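Review bot: the Go snippet in the Phases section declares the Terminating constant with the wrong type: `NamespaceTerminating NamespaceTerminating = "Terminating"` should read `NamespaceTerminating NamespacePhase = "Terminating"`, matching `NamespaceActive NamespacePhase = "Active"` on the line above it. The three JSON examples under the OpenShift walkthrough are also not valid JSON: `"deletionTimestamp": "..."` is followed directly by `"labels": {` with no comma between them in each of the three states. Two smaller points: the body renders the title twice (`<h1>Namespaces</h1>` immediately followed by `<h1 id="namespaces">Namespaces</h1>`), and the `<!-- BEGIN MUNGE: ... -->` markers plus the `?pixel` analytics image are still present, which does not match the commit's stated goal of showing a non-munged page; dropping the duplicate heading and the munge block here would make this file the example the commit message promises.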

View File

@ -0,0 +1,314 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Networking</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Networking</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="networking">Networking</h1>
<p>There are 4 distinct networking problems to solve:</p>
<ol>
<li>Highly-coupled container-to-container communications</li>
<li>Pod-to-Pod communications</li>
<li>Pod-to-Service communications</li>
<li>External-to-internal communications</li>
</ol>
<h2 id="model-and-motivation">Model and motivation</h2>
<p>Kubernetes deviates from the default Docker networking model (though as of
Docker 1.8 their network plugins are getting closer). The goal is for each pod
to have an IP in a flat shared networking namespace that has full communication
with other physical computers and containers across the network. IP-per-pod
creates a clean, backward-compatible model where pods can be treated much like
VMs or physical hosts from the perspectives of port allocation, networking,
naming, service discovery, load balancing, application configuration, and
migration.</p>
<p>Dynamic port allocation, on the other hand, requires supporting both static
ports (e.g., for externally accessible services) and dynamically allocated
ports, requires partitioning centrally allocated and locally acquired dynamic
ports, complicates scheduling (since ports are a scarce resource), is
inconvenient for users, complicates application configuration, is plagued by
port conflicts and reuse and exhaustion, requires non-standard approaches to
naming (e.g. consul or etcd rather than DNS), requires proxies and/or
redirection for programs using standard naming/addressing mechanisms (e.g. web
browsers), requires watching and cache invalidation for address/port changes
for instances in addition to watching group membership changes, and obstructs
container/pod migration (e.g. using CRIU). NAT introduces additional complexity
by fragmenting the addressing space, which breaks self-registration mechanisms,
among other problems.</p>
<h2 id="container-to-container">Container to container</h2>
<p>All containers within a pod behave as if they are on the same host with regard
to networking. They can all reach each others ports on localhost. This offers
simplicity (static ports know a priori), security (ports bound to localhost
are visible within the pod but never outside it), and performance. This also
reduces friction for applications moving from the world of uncontainerized apps
on physical or virtual hosts. People running application stacks together on
the same host have already figured out how to make ports not conflict and have
arranged for clients to find them.</p>
<p>The approach does reduce isolation between containers within a pod —
ports could conflict, and there can be no container-private ports, but these
seem to be relatively minor issues with plausible future workarounds. Besides,
the premise of pods is that containers within a pod share some resources
(volumes, cpu, ram, etc.) and therefore expect and tolerate reduced isolation.
Additionally, the user can control what containers belong to the same pod
whereas, in general, they dont control what pods land together on a host.</p>
<h2 id="pod-to-pod">Pod to pod</h2>
<p>Because every pod gets a “real” (not machine-private) IP address, pods can
communicate without proxies or translations. The pod can use well-known port
numbers and can avoid the use of higher-level service discovery systems like
DNS-SD, Consul, or Etcd.</p>
<p>When any container calls ioctl(SIOCGIFADDR) (get the address of an interface),
it sees the same IP that any peer container would see them coming from —
each pod has its own IP address that other pods can know. By making IP addresses
and ports the same both inside and outside the pods, we create a NAT-less, flat
address space. Running “ip addr show” should work as expected. This would enable
all existing naming/discovery mechanisms to work out of the box, including
self-registration mechanisms and applications that distribute IP addresses. We
should be optimizing for inter-pod network communication. Within a pod,
containers are more likely to use communication through volumes (e.g., tmpfs) or
IPC.</p>
<p>This is different from the standard Docker model. In that mode, each container
gets an IP in the 172-dot space and would only see that 172-dot address from
SIOCGIFADDR. If these containers connect to another container the peer would see
the connect coming from a different IP than the container itself knows. In short
— you can never self-register anything from a container, because a
container can not be reached on its private IP.</p>
<p>An alternative we considered was an additional layer of addressing: pod-centric
IP per container. Each container would have its own local IP address, visible
only within that pod. This would perhaps make it easier for containerized
applications to move from physical/virtual hosts to pods, but would be more
complex to implement (e.g., requiring a bridge per pod, split-horizon/VP DNS)
and to reason about, due to the additional layer of address translation, and
would break self-registration and IP distribution mechanisms.</p>
<p>Like Docker, ports can still be published to the host nodes interface(s), but
the need for this is radically diminished.</p>
<h2 id="implementation">Implementation</h2>
<p>For the Google Compute Engine cluster configuration scripts, we use <a href="https://developers.google.com/compute/docs/networking#routing">advanced
routing rules</a>
and ip-forwarding-enabled VMs so that each VM has an extra 256 IP addresses that
get routed to it. This is in addition to the main IP address assigned to the
VM that is NAT-ed for Internet access. The container bridge (called <code>cbr0</code> to
differentiate it from <code>docker0</code>) is set up outside of Docker proper.</p>
<p>Example of GCEs advanced routing rules:</p>
<div class="highlight">
<pre><code class="language-sh">gcloud compute routes add "${MINION_NAMES[$i]}" \
--project "${PROJECT}" \
--destination-range "${MINION_IP_RANGES[$i]}" \
--network "${NETWORK}" \
--next-hop-instance "${MINION_NAMES[$i]}" \
--next-hop-instance-zone "${ZONE}" &amp;
</code></pre>
</div>
<p>GCE itself does not know anything about these IPs, though. This means that when
a pod tries to egress beyond GCEs project the packets must be SNATed
(masqueraded) to the VMs IP, which GCE recognizes and allows.</p>
<h3 id="other-implementations">Other implementations</h3>
<p>With the primary aim of providing IP-per-pod-model, other implementations exist
to serve the purpose outside of GCE.
- <a href="../admin/ovs-networking.html">OpenVSwitch with GRE/VxLAN</a>
- <a href="https://github.com/coreos/flannel#flannel">Flannel</a>
- <a href="http://blog.oddbit.com/2014/08/11/four-ways-to-connect-a-docker/">L2 networks</a>
(“With Linux Bridge devices” section)
- <a href="https://github.com/zettio/weave">Weave</a> is yet another way to build an
overlay network, primarily aiming at Docker integration.
- <a href="https://github.com/Metaswitch/calico">Calico</a> uses BGP to enable real
container IPs.</p>
<h2 id="pod-to-service">Pod to service</h2>
<p>The <a href="../user-guide/services.html">service</a> abstraction provides a way to group pods under a
common access policy (e.g. load-balanced). The implementation of this creates a
virtual IP which clients can access and which is transparently proxied to the
pods in a Service. Each node runs a kube-proxy process which programs
<code>iptables</code> rules to trap access to service IPs and redirect them to the correct
backends. This provides a highly-available load-balancing solution with low
performance overhead by balancing client traffic from a node on that same node.</p>
<h2 id="external-to-internal">External to internal</h2>
<p>So far the discussion has been about how to access a pod or service from within
the cluster. Accessing a pod from outside the cluster is a bit more tricky. We
want to offer highly-available, high-performance load balancing to target
Kubernetes Services. Most public cloud providers are simply not flexible enough
yet.</p>
<p>The way this is generally implemented is to set up external load balancers (e.g.
GCEs ForwardingRules or AWSs ELB) which target all nodes in a cluster. When
traffic arrives at a node it is recognized as being part of a particular Service
and routed to an appropriate backend Pod. This does mean that some traffic will
get double-bounced on the network. Once cloud providers have better offerings
we can take advantage of those.</p>
<h2 id="challenges-and-future-work">Challenges and future work</h2>
<h3 id="docker-api">Docker API</h3>
<p>Right now, docker inspect doesnt show the networking configuration of the
containers, since they derive it from another container. That information should
be exposed somehow.</p>
<h3 id="external-ip-assignment">External IP assignment</h3>
<p>We want to be able to assign IP addresses externally from Docker
<a href="https://github.com/dotcloud/docker/issues/6743">#6743</a> so that we dont need
to statically allocate fixed-size IP ranges to each node, so that IP addresses
can be made stable across pod infra container restarts
(<a href="https://github.com/dotcloud/docker/issues/2801">#2801</a>), and to facilitate
pod migration. Right now, if the pod infra container dies, all the user
containers must be stopped and restarted because the netns of the pod infra
container will change on restart, and any subsequent user container restart
will join that new netns, thereby not being able to see its peers.
Additionally, a change in IP address would encounter DNS caching/TTL problems.
External IP assignment would also simplify DNS support (see below).</p>
<h3 id="ipv6">IPv6</h3>
<p>IPv6 would be a nice option, also, but we cant depend on it yet. Docker support is in progress: <a href="https://github.com/dotcloud/docker/issues/2974">Docker issue #2974</a>, <a href="https://github.com/dotcloud/docker/issues/6923">Docker issue #6923</a>, <a href="https://github.com/dotcloud/docker/issues/6975">Docker issue #6975</a>. Additionally, direct ipv6 assignment to instances doesnt appear to be supported by major cloud providers (e.g., AWS EC2, GCE) yet. Wed happily take pull requests from people running Kubernetes on bare metal, though. :-)</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/networking.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
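Review bot: the "Other implementations" section is emitted as one `<p>` containing literal `- ` bullets (`to serve the purpose outside of GCE.` followed by `- <a href="../admin/ovs-networking.html">OpenVSwitch with GRE/VxLAN</a>`), so the Markdown list was not recognized, most likely because the source has no blank line between the sentence and the list. Either fix the source Markdown or render it as a `<ul>` so it matches the `<ol>` used for the four networking problems at the top of the page. Also note the `../admin/ovs-networking.html` and `../user-guide/services.html` links are relative to the old docs tree; once this file lives under the versioned `/v1.1/` paths used in the vendor strip, those relative targets need checking.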

View File

@ -0,0 +1,418 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Persistent Storage</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Persistent Storage</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="persistent-storage">Persistent Storage</h1>
<p>This document proposes a model for managing persistent, cluster-scoped storage for applications requiring long lived data.</p>
<h3 id="tldr">tl;dr</h3>
<p>Two new API kinds:</p>
<p>A <code>PersistentVolume</code> (PV) is a storage resource provisioned by an administrator. It is analogous to a node. See <a href="../user-guide/persistent-volumes/">Persistent Volume Guide</a> for how to use it.</p>
<p>A <code>PersistentVolumeClaim</code> (PVC) is a users request for a persistent volume to use in a pod. It is analogous to a pod.</p>
<p>One new system component:</p>
<p><code>PersistentVolumeClaimBinder</code> is a singleton running in master that watches all PersistentVolumeClaims in the system and binds them to the closest matching available PersistentVolume. The volume manager watches the API for newly created volumes to manage.</p>
<p>One new volume:</p>
<p><code>PersistentVolumeClaimVolumeSource</code> references the users PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A <code>PersistentVolumeClaimVolumeSource</code> is, essentially, a wrapper around another type of volume that is owned by someone else (the system).</p>
<p>Kubernetes makes no guarantees at runtime that the underlying storage exists or is available. High availability is left to the storage provider.</p>
<h3 id="goals">Goals</h3>
<ul>
<li>Allow administrators to describe available storage</li>
<li>Allow pod authors to discover and request persistent volumes to use with pods</li>
<li>Enforce security through access control lists and securing storage to the same namespace as the pod volume</li>
<li>Enforce quotas through admission control</li>
<li>Enforce scheduler rules by resource counting</li>
<li>Ensure developers can rely on storage being available without being closely bound to a particular disk, server, network, or storage device.</li>
</ul>
<h4 id="describe-available-storage">Describe available storage</h4>
<p>Cluster administrators use the API to manage <em>PersistentVolumes</em>. A custom store <code>NewPersistentVolumeOrderedIndex</code> will index volumes by access modes and sort by storage capacity. The <code>PersistentVolumeClaimBinder</code> watches for new claims for storage and binds them to an available volume by matching the volumes characteristics (AccessModes and storage size) to the users request.</p>
<p>PVs are system objects and, thus, have no namespace.</p>
<p>Many means of dynamic provisioning will be eventually be implemented for various storage types.</p>
<h5 id="persistentvolume-api">PersistentVolume API</h5>
<table>
<thead>
<tr>
<th>Action</th>
<th>HTTP Verb</th>
<th>Path</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>CREATE</td>
<td>POST</td>
<td>/api/{version}/persistentvolumes/</td>
<td>Create instance of PersistentVolume</td>
</tr>
<tr>
<td>GET</td>
<td>GET</td>
<td>/api/{version}persistentvolumes/{name}</td>
<td>Get instance of PersistentVolume with {name}</td>
</tr>
<tr>
<td>UPDATE</td>
<td>PUT</td>
<td>/api/{version}/persistentvolumes/{name}</td>
<td>Update instance of PersistentVolume with {name}</td>
</tr>
<tr>
<td>DELETE</td>
<td>DELETE</td>
<td>/api/{version}/persistentvolumes/{name}</td>
<td>Delete instance of PersistentVolume with {name}</td>
</tr>
<tr>
<td>LIST</td>
<td>GET</td>
<td>/api/{version}/persistentvolumes</td>
<td>List instances of PersistentVolume</td>
</tr>
<tr>
<td>WATCH</td>
<td>GET</td>
<td>/api/{version}/watch/persistentvolumes</td>
<td>Watch for changes to a PersistentVolume</td>
</tr>
</tbody>
</table>
<h4 id="request-storage">Request Storage</h4>
<p>Kubernetes users request persistent storage for their pod by creating a <code>PersistentVolumeClaim</code>. Their request for storage is described by their requirements for resources and mount capabilities.</p>
<p>Requests for volumes are bound to available volumes by the volume manager, if a suitable match is found. Requests for resources can go unfulfilled.</p>
<p>Users attach their claim to their pod using a new <code>PersistentVolumeClaimVolumeSource</code> volume source.</p>
<h5 id="persistentvolumeclaim-api">PersistentVolumeClaim API</h5>
<table>
<thead>
<tr>
<th>Action</th>
<th>HTTP Verb</th>
<th>Path</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>CREATE</td>
<td>POST</td>
<td>/api/{version}/namespaces/{ns}/persistentvolumeclaims/</td>
<td>Create instance of PersistentVolumeClaim in namespace {ns}</td>
</tr>
<tr>
<td>GET</td>
<td>GET</td>
<td>/api/{version}/namespaces/{ns}/persistentvolumeclaims/{name}</td>
<td>Get instance of PersistentVolumeClaim in namespace {ns} with {name}</td>
</tr>
<tr>
<td>UPDATE</td>
<td>PUT</td>
<td>/api/{version}/namespaces/{ns}/persistentvolumeclaims/{name}</td>
<td>Update instance of PersistentVolumeClaim in namespace {ns} with {name}</td>
</tr>
<tr>
<td>DELETE</td>
<td>DELETE</td>
<td>/api/{version}/namespaces/{ns}/persistentvolumeclaims/{name}</td>
<td>Delete instance of PersistentVolumeClaim in namespace {ns} with {name}</td>
</tr>
<tr>
<td>LIST</td>
<td>GET</td>
<td>/api/{version}/namespaces/{ns}/persistentvolumeclaims</td>
<td>List instances of PersistentVolumeClaim in namespace {ns}</td>
</tr>
<tr>
<td>WATCH</td>
<td>GET</td>
<td>/api/{version}/watch/namespaces/{ns}/persistentvolumeclaims</td>
<td>Watch for changes to PersistentVolumeClaim in namespace {ns}</td>
</tr>
</tbody>
</table>
<h4 id="scheduling-constraints">Scheduling constraints</h4>
<p>Scheduling constraints are to be handled similar to pod resource constraints. Pods will need to be annotated or decorated with the number of resources it requires on a node. Similarly, a node will need to list how many it has used or available.</p>
<p>TBD</p>
<h4 id="events">Events</h4>
<p>The implementation of persistent storage will not require events to communicate to the user the state of their claim. The CLI for bound claims contains a reference to the backing persistent volume. This is always present in the API and CLI, making an event to communicate the same unnecessary.</p>
<p>Events that communicate the state of a mounted volume are left to the volume plugins.</p>
<h3 id="example">Example</h3>
<h4 id="admin-provisions-storage">Admin provisions storage</h4>
<p>An administrator provisions storage by posting PVs to the API. Various way to automate this task can be scripted. Dynamic provisioning is a future feature that can maintain levels of PVs.</p>
<div class="highlight">
<pre><code class="language-yaml">POST:
kind: PersistentVolume
apiVersion: v1
metadata:
name: pv0001
spec:
capacity:
storage: 10
persistentDisk:
pdName: "abc123"
fsType: "ext4"
</code></pre>
</div>
<div class="highlight">
<pre><code class="language-console">$ kubectl get pv
NAME LABELS CAPACITY ACCESSMODES STATUS CLAIM REASON
pv0001 map[] 10737418240 RWO Pending
</code></pre>
</div>
<h4 id="users-request-storage">Users request storage</h4>
<p>A user requests storage by posting a PVC to the API. Their request contains the AccessModes they wish their volume to have and the minimum size needed.</p>
<p>The user must be within a namespace to create PVCs.</p>
<div class="highlight">
<pre><code class="language-yaml">POST:
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: myclaim-1
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 3
</code></pre>
</div>
<div class="highlight">
<pre><code class="language-console">$ kubectl get pvc
NAME LABELS STATUS VOLUME
myclaim-1 map[] pending
</code></pre>
</div>
<h4 id="matching-and-binding">Matching and binding</h4>
<p>The <code>PersistentVolumeClaimBinder</code> attempts to find an available volume that most closely matches the users request. If one exists, they are bound by putting a reference on the PV to the PVC. Requests can go unfulfilled if a suitable match is not found.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl get pv
NAME LABELS CAPACITY ACCESSMODES STATUS CLAIM REASON
pv0001 map[] 10737418240 RWO Bound myclaim-1 / f4b3d283-c0ef-11e4-8be4-80e6500a981e
kubectl get pvc
NAME LABELS STATUS VOLUME
myclaim-1 map[] Bound b16e91d6-c0ef-11e4-8be4-80e6500a981e
</code></pre>
</div>
<h4 id="claim-usage">Claim usage</h4>
<p>The claim holder can use their claim as a volume. The <code>PersistentVolumeClaimVolumeSource</code> knows to fetch the PV backing the claim and mount its volume for a pod.</p>
<p>The claim holder owns the claim and its data for as long as the claim exists. The pod using the claim can be deleted, but the claim remains in the users namespace. It can be used again and again by many pods.</p>
<div class="highlight">
<pre><code class="language-yaml">POST:
kind: Pod
apiVersion: v1
metadata:
name: mypod
spec:
containers:
- image: nginx
name: myfrontend
volumeMounts:
- mountPath: "/var/www/html"
name: mypd
volumes:
- name: mypd
source:
persistentVolumeClaim:
accessMode: ReadWriteOnce
claimRef:
name: myclaim-1
</code></pre>
</div>
<h4 id="releasing-a-claim-and-recycling-a-volume">Releasing a claim and Recycling a volume</h4>
<p>When a claim holder is finished with their data, they can delete their claim.</p>
<div class="highlight">
<pre><code class="language-console">$ kubectl delete pvc myclaim-1
</code></pre>
</div>
<p>The <code>PersistentVolumeClaimBinder</code> will reconcile this by removing the claim reference from the PV and change the PVs status to Released.</p>
<p>Admins can script the recycling of released volumes. Future dynamic provisioners will understand how a volume should be recycled.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/persistent-storage.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
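Review bot: The PersistentVolume API table has a path typo: the GET row reads `/api/{version}persistentvolumes/{name}` and is missing the slash after `{version}` that every other row in the table has. Two more content points to fix before publishing: the PV example posts `storage: 10` while the `kubectl get pv` output directly below shows `CAPACITY 10737418240`, so either the YAML should say `10Gi` (or the byte count) or the output should match the request; and the pod example's volume stanza (`source:` / `persistentVolumeClaim:` / `accessMode:` / `claimRef:`) is labelled `apiVersion: v1`, so it should be checked against the linked Persistent Volume Guide before this page goes live. The conversion also dropped the possessive apostrophes throughout (`users request`, `users PVC`, `volumes characteristics`, `users namespace`, `PVs status`). Structurally, the title is rendered twice as an `<h1>` (`<h1>Persistent Storage</h1>` followed by `<h1 id="persistent-storage">Persistent Storage</h1>`), the hero section ships empty `<h1></h1>` and `<h5></h5>` elements, and the whole header/nav/footer block, lorem-ipsum nav-box text and empty `href=""` links included, is pasted verbatim into the file rather than coming from a Jekyll layout, which is exactly the duplication the commit message says the pure-Jekyll form is meant to remove. While that block is being moved into a layout, the inline `onclick="kub.toggleMenu()"` handlers on `#cellophane` and `#hamburger` are worth binding from `/js/script.js` instead, since inline handlers would force `'unsafe-inline'` into any Content-Security-Policy the site later adopts.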

View File

@ -0,0 +1,203 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Design Principles</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Design Principles</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="design-principles">Design Principles</h1>
<p>Principles to follow when extending Kubernetes.</p>
<h2 id="api">API</h2>
<p>See also the <a href="../devel/api-conventions.html">API conventions</a>.</p>
<ul>
<li>All APIs should be declarative.</li>
<li>API objects should be complementary and composable, not opaque wrappers.</li>
<li>The control plane should be transparent there are no hidden internal APIs.</li>
<li>The cost of API operations should be proportional to the number of objects intentionally operated upon. Therefore, common filtered lookups must be indexed. Beware of patterns of multiple API calls that would incur quadratic behavior.</li>
<li>Object status must be 100% reconstructable by observation. Any history kept must be just an optimization and not required for correct operation.</li>
<li>Cluster-wide invariants are difficult to enforce correctly. Try not to add them. If you must have them, dont enforce them atomically in master components, that is contention-prone and doesnt provide a recovery path in the case of a bug allowing the invariant to be violated. Instead, provide a series of checks to reduce the probability of a violation, and make every component involved able to recover from an invariant violation.</li>
<li>Low-level APIs should be designed for control by higher-level systems. Higher-level APIs should be intent-oriented (think SLOs) rather than implementation-oriented (think control knobs).</li>
</ul>
<h2 id="control-logic">Control logic</h2>
<ul>
<li>Functionality must be <em>level-based</em>, meaning the system must operate correctly given the desired state and the current/observed state, regardless of how many intermediate state updates may have been missed. Edge-triggered behavior must be just an optimization.</li>
<li>Assume an open world: continually verify assumptions and gracefully adapt to external events and/or actors. Example: we allow users to kill pods under control of a replication controller; it just replaces them.</li>
<li>Do not define comprehensive state machines for objects with behaviors associated with state transitions and/or “assumed” states that cannot be ascertained by observation.</li>
<li>Dont assume a components decisions will not be overridden or rejected, nor for the component to always understand why. For example, etcd may reject writes. Kubelet may reject pods. The scheduler may not be able to schedule pods. Retry, but back off and/or make alternative decisions.</li>
<li>Components should be self-healing. For example, if you must keep some state (e.g., cache) the content needs to be periodically refreshed, so that if an item does get erroneously stored or a deletion event is missed etc, it will be soon fixed, ideally on timescales that are shorter than what will attract attention from humans.</li>
<li>Component behavior should degrade gracefully. Prioritize actions so that the most important activities can continue to function even when overloaded and/or in states of partial failure.</li>
</ul>
<h2 id="architecture">Architecture</h2>
<ul>
<li>Only the apiserver should communicate with etcd/store, and not other components (scheduler, kubelet, etc.).</li>
<li>Compromising a single node shouldnt compromise the cluster.</li>
<li>Components should continue to do what they were last told in the absence of new instructions (e.g., due to network partition or component outage).</li>
<li>All components should keep all relevant state in memory all the time. The apiserver should write through to etcd/store, other components should write through to the apiserver, and they should watch for updates made by other clients.</li>
<li>Watch is preferred over polling.</li>
</ul>
<h2 id="extensibility">Extensibility</h2>
<p>TODO: pluggability</p>
<h2 id="bootstrapping">Bootstrapping</h2>
<ul>
<li><a href="http://issue.k8s.io/246">Self-hosting</a> of all components is a goal.</li>
<li>Minimize the number of dependencies, particularly those required for steady-state operation.</li>
<li>Stratify the dependencies that remain via principled layering.</li>
<li>Break any circular dependencies by converting hard dependencies to soft dependencies.
<ul>
<li>Also accept that data from other components from another source, such as local files, which can then be manually populated at bootstrap time and then continuously updated once those other components are available.</li>
<li>State should be rediscoverable and/or reconstructable.</li>
<li>Make it easy to run temporary, bootstrap instances of all components in order to create the runtime state needed to run the components in the steady state; use a lock (master election for distributed components, file lock for local components like Kubelet) to coordinate handoff. We call this technique “pivoting”.</li>
<li>Have a solution to restart dead components. For distributed components, replication works well. For local components such as Kubelet, a process manager or even a simple shell loop works.</li>
</ul>
</li>
</ul>
<h2 id="availability">Availability</h2>
<p>TODO</p>
<h2 id="general-principles">General principles</h2>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Unix_philosophy#Eric_Raymond.E2.80.99s_17_Unix_Rules">Eric Raymonds 17 UNIX rules</a></li>
</ul>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/principles.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
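Review bot: The markdown-to-HTML conversion lost the typographic apostrophes and a dash in this file's body text: `dont enforce them atomically`, `doesnt provide a recovery path`, `Dont assume a components decisions`, `shouldnt compromise the cluster`, `Eric Raymonds 17 UNIX rules`, and `The control plane should be transparent there are no hidden internal APIs`, which needs its dash (or a colon) restored to read correctly. The curly double quotes on `“assumed”` and `“pivoting”` survived, so this looks like a character-handling problem in the converter rather than in the source markdown; check the converter's output encoding against the page's `<meta charset="utf-8">` declaration before regenerating the other 400-odd pages. One head-section point as well: `<script src="/js/script.js">` is included before `/js/jquery-2.2.0.min.js`, so if `script.js` references `$` or `jQuery` at load time it will fail; load jQuery first, or defer `script.js`.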

View File

@ -0,0 +1,424 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - The Kubernetes resource model</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>The Kubernetes resource model</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<p><strong>Note: this is a design doc, which describes features that have not been completely implemented.
User documentation of the current state is <a href="../user-guide/compute-resources.html">here</a>. The tracking issue for
implementation of this model is
<a href="http://issue.k8s.io/168">#168</a>. Currently, both limits and requests of memory and
cpu on containers (not pods) are supported. “memory” is in bytes and “cpu” is in
milli-cores.</strong></p>
<h1 id="the-kubernetes-resource-model">The Kubernetes resource model</h1>
<p>To do good pod placement, Kubernetes needs to know how big pods are, as well as the sizes of the nodes onto which they are being placed. The definition of “how big” is given by the Kubernetes resource model — the subject of this document.</p>
<p>The resource model aims to be:
* simple, for common cases;
* extensible, to accommodate future growth;
* regular, with few special cases; and
* precise, to avoid misunderstandings and promote pod portability.</p>
<h2 id="the-resource-model">The resource model</h2>
<p>A Kubernetes <em>resource</em> is something that can be requested by, allocated to, or consumed by a pod or container. Examples include memory (RAM), CPU, disk-time, and network bandwidth.</p>
<p>Once resources on a node have been allocated to one pod, they should not be allocated to another until that pod is removed or exits. This means that Kubernetes schedulers should ensure that the sum of the resources allocated (requested and granted) to its pods never exceeds the usable capacity of the node. Testing whether a pod will fit on a node is called <em>feasibility checking</em>.</p>
<p>Note that the resource model currently prohibits over-committing resources; we will want to relax that restriction later.</p>
<h3 id="resource-types">Resource types</h3>
<p>All resources have a <em>type</em> that is identified by their <em>typename</em> (a string, e.g., “memory”). Several resource types are predefined by Kubernetes (a full list is below), although only two will be supported at first: CPU and memory. Users and system administrators can define their own resource types if they wish (e.g., Hadoop slots).</p>
<p>A fully-qualified resource typename is constructed from a DNS-style <em>subdomain</em>, followed by a slash <code>/</code>, followed by a name.
* The subdomain must conform to <a href="http://www.ietf.org/rfc/rfc1123.txt">RFC 1123</a> (e.g., <code>kubernetes.io</code>, <code>example.com</code>).
* The name must be not more than 63 characters, consisting of upper- or lower-case alphanumeric characters, with the <code>-</code>, <code>_</code>, and <code>.</code> characters allowed anywhere except the first or last character.
* As a shorthand, any resource typename that does not start with a subdomain and a slash will automatically be prefixed with the built-in Kubernetes <em>namespace</em>, <code>kubernetes.io/</code> in order to fully-qualify it. This namespace is reserved for code in the open source Kubernetes repository; as a result, all user typenames MUST be fully qualified, and cannot be created in this namespace.</p>
<p>Some example typenames include <code>memory</code> (which will be fully-qualified as <code>kubernetes.io/memory</code>), and <code>example.com/Shiny_New-Resource.Type</code>.</p>
<p>For future reference, note that some resources, such as CPU and network bandwidth, are <em>compressible</em>, which means that their usage can potentially be throttled in a relatively benign manner. All other resources are <em>incompressible</em>, which means that any attempt to throttle them is likely to cause grief. This distinction will be important if a Kubernetes implementation supports over-committing of resources.</p>
<h3 id="resource-quantities">Resource quantities</h3>
<p>Initially, all Kubernetes resource types are <em>quantitative</em>, and have an associated <em>unit</em> for quantities of the associated resource (e.g., bytes for memory, bytes per seconds for bandwidth, instances for software licences). The units will always be a resource types natural base units (e.g., bytes, not MB), to avoid confusion between binary and decimal multipliers and the underlying unit multiplier (e.g., is memory measured in MiB, MB, or GB?).</p>
<p>Resource quantities can be added and subtracted: for example, a node has a fixed quantity of each resource type that can be allocated to pods/containers; once such an allocation has been made, the allocated resources cannot be made available to other pods/containers without over-committing the resources.</p>
<p>To make life easier for people, quantities can be represented externally as unadorned integers, or as fixed-point integers with one of these SI suffices (E, P, T, G, M, K, m) or their power-of-two equivalents (Ei, Pi, Ti, Gi, Mi, Ki). For example, the following represent roughly the same value: 128974848, “129e6”, “129M” , “123Mi”. Small quantities can be represented directly as decimals (e.g., 0.3), or using milli-units (e.g., “300m”).
* “Externally” means in user interfaces, reports, graphs, and in JSON or YAML resource specifications that might be generated or read by people.
* Case is significant: “m” and “M” are not the same, so “k” is not a valid SI suffix. There are no power-of-two equivalents for SI suffixes that represent multipliers less than 1.
* These conventions only apply to resource quantities, not arbitrary values.</p>
<p>Internally (i.e., everywhere else), Kubernetes will represent resource quantities as integers so it can avoid problems with rounding errors, and will not use strings to represent numeric values. To achieve this, quantities that naturally have fractional parts (e.g., CPU seconds/second) will be scaled to integral numbers of milli-units (e.g., milli-CPUs) as soon as they are read in. Internal APIs, data structures, and protobufs will use these scaled integer units. Raw measurement data such as usage may still need to be tracked and calculated using floating point values, but internally they should be rescaled to avoid some values being in milli-units and some not.
* Note that reading in a resource quantity and writing it out again may change the way its values are represented, and truncate precision (e.g., 1.0001 may become 1.000), so comparison and difference operations (e.g., by an updater) must be done on the internal representations.
* Avoiding milli-units in external representations has advantages for people who will use Kubernetes, but runs the risk of developers forgetting to rescale or accidentally using floating-point representations. That seems like the right choice. We will try to reduce the risk by providing libraries that automatically do the quantization for JSON/YAML inputs.</p>
<h3 id="resource-specifications">Resource specifications</h3>
<p>Both users and a number of system components, such as schedulers, (horizontal) auto-scalers, (vertical) auto-sizers, load balancers, and worker-pool managers need to reason about resource requirements of workloads, resource capacities of nodes, and resource usage. Kubernetes divides specifications of <em>desired state</em>, aka the Spec, and representations of <em>current state</em>, aka the Status. Resource requirements and total node capacity fall into the specification category, while resource usage, characterizations derived from usage (e.g., maximum usage, histograms), and other resource demand signals (e.g., CPU load) clearly fall into the status category and are discussed in the Appendix for now.</p>
<p>Resource requirements for a container or pod should have the following form:</p>
<div class="highlight">
<pre><code class="language-yaml">resourceRequirementSpec: [
request: [ cpu: 2.5, memory: "40Mi" ],
limit: [ cpu: 4.0, memory: "99Mi" ],
]
</code></pre>
</div>
<p>Where:
* <em>request</em> [optional]: the amount of resources being requested, or that were requested and have been allocated. Scheduler algorithms will use these quantities to test feasibility (whether a pod will fit onto a node). If a container (or pod) tries to use more resources than its <em>request</em>, any associated SLOs are voided — e.g., the program it is running may be throttled (compressible resource types), or the attempt may be denied. If <em>request</em> is omitted for a container, it defaults to <em>limit</em> if that is explicitly specified, otherwise to an implementation-defined value; this will always be 0 for a user-defined resource type. If <em>request</em> is omitted for a pod, it defaults to the sum of the (explicit or implicit) <em>request</em> values for the containers it encloses.</p>
<ul>
<li><em>limit</em> [optional]: an upper bound or cap on the maximum amount of resources that will be made available to a container or pod; if a container or pod uses more resources than its <em>limit</em>, it may be terminated. The <em>limit</em> defaults to “unbounded”; in practice, this probably means the capacity of an enclosing container, pod, or node, but may result in non-deterministic behavior, especially for memory.</li>
</ul>
<p>Total capacity for a node should have a similar structure:</p>
<div class="highlight">
<pre><code class="language-yaml">resourceCapacitySpec: [
total: [ cpu: 12, memory: "128Gi" ]
]
</code></pre>
</div>
<p>Where:
* <em>total</em>: the total allocatable resources of a node. Initially, the resources at a given scope will bound the resources of the sum of inner scopes.</p>
<h4 id="notes">Notes</h4>
<ul>
<li>
<p>It is an error to specify the same resource type more than once in each list.</p>
</li>
<li>
<p>It is an error for the <em>request</em> or <em>limit</em> values for a pod to be less than the sum of the (explicit or defaulted) values for the containers it encloses. (We may relax this later.)</p>
</li>
<li>
<p>If multiple pods are running on the same node and attempting to use more resources than they have requested, the result is implementation-defined. For example: unallocated or unused resources might be spread equally across claimants, or the assignment might be weighted by the size of the original request, or as a function of limits, or priority, or the phase of the moon, perhaps modulated by the direction of the tide. Thus, although its not mandatory to provide a <em>request</em>, its probably a good idea. (Note that the <em>request</em> could be filled in by an automated system that is observing actual usage and/or historical data.)</p>
</li>
<li>
<p>Internally, the Kubernetes master can decide the defaulting behavior and the kubelet implementation may expected an absolute specification. For example, if the master decided that “the default is unbounded” it would pass 2^64 to the kubelet.</p>
</li>
</ul>
<h2 id="kubernetes-defined-resource-types">Kubernetes-defined resource types</h2>
<p>The following resource types are predefined (“reserved”) by Kubernetes in the <code>kubernetes.io</code> namespace, and so cannot be used for user-defined resources. Note that the syntax of all resource types in the resource spec is deliberately similar, but some resource types (e.g., CPU) may receive significantly more support than simply tracking quantities in the schedulers and/or the Kubelet.</p>
<h3 id="processor-cycles">Processor cycles</h3>
<ul>
<li>Name: <code>cpu</code> (or <code>kubernetes.io/cpu</code>)</li>
<li>Units: Kubernetes Compute Unit seconds/second (i.e., CPU cores normalized to a canonical “Kubernetes CPU”)</li>
<li>Internal representation: milli-KCUs</li>
<li>Compressible? yes</li>
<li>Qualities: this is a placeholder for the kind of thing that may be supported in the future — see <a href="http://issue.k8s.io/147">#147</a>
<ul>
<li>[future] <code>schedulingLatency</code>: as per lmctfy</li>
<li>[future] <code>cpuConversionFactor</code>: property of a node: the speed of a CPU core on the nodes processor divided by the speed of the canonical Kubernetes CPU (a floating point value; default = 1.0).</li>
</ul>
</li>
</ul>
<p>To reduce performance portability problems for pods, and to avoid worse-case provisioning behavior, the units of CPU will be normalized to a canonical “Kubernetes Compute Unit” (KCU, pronounced ˈko͝oko͞o), which will roughly be equivalent to a single CPU hyperthreaded core for some recent x86 processor. The normalization may be implementation-defined, although some reasonable defaults will be provided in the open-source Kubernetes code.</p>
<p>Note that requesting 2 KCU wont guarantee that precisely 2 physical cores will be allocated — control of aspects like this will be handled by resource <em>qualities</em> (a future feature).</p>
<h3 id="memory">Memory</h3>
<ul>
<li>Name: <code>memory</code> (or <code>kubernetes.io/memory</code>)</li>
<li>Units: bytes</li>
<li>Compressible? no (at least initially)</li>
</ul>
<p>The precise meaning of what “memory” means is implementation dependent, but the basic idea is to rely on the underlying <code>memcg</code> mechanisms, support, and definitions.</p>
<p>Note that most people will want to use power-of-two suffixes (Mi, Gi) for memory quantities
rather than decimal ones: “64MiB” rather than “64MB”.</p>
<h2 id="resource-metadata">Resource metadata</h2>
<p>A resource type may have an associated read-only ResourceType structure, that contains metadata about the type. For example:</p>
<div class="highlight">
<pre><code class="language-yaml">resourceTypes: [
"kubernetes.io/memory": [
isCompressible: false, ...
]
"kubernetes.io/cpu": [
isCompressible: true,
internalScaleExponent: 3, ...
]
"kubernetes.io/disk-space": [ ... ]
]
</code></pre>
</div>
<p>Kubernetes will provide ResourceType metadata for its predefined types. If no resource metadata can be found for a resource type, Kubernetes will assume that it is a quantified, incompressible resource that is not specified in milli-units, and has no default value.</p>
<p>The defined properties are as follows:</p>
<table>
<thead>
<tr>
<th>field name</th>
<th>type</th>
<th>contents</th>
</tr>
</thead>
<tbody>
<tr>
<td>name</td>
<td>string, required</td>
<td>the typename, as a fully-qualified string (e.g., <code>kubernetes.io/cpu</code>)</td>
</tr>
<tr>
<td>internalScaleExponent</td>
<td>int, default=0</td>
<td>external values are multiplied by 10 to this power for internal storage (e.g., 3 for milli-units)</td>
</tr>
<tr>
<td>units</td>
<td>string, required</td>
<td>format: <code>unit* [per unit+]</code> (e.g., <code>second</code>, <code>byte per second</code>). An empty unit field means “dimensionless”.</td>
</tr>
<tr>
<td>isCompressible</td>
<td>bool, default=false</td>
<td>true if the resource type is compressible</td>
</tr>
<tr>
<td>defaultRequest</td>
<td>string, default=none</td>
<td>in the same format as a user-supplied value</td>
</tr>
<tr>
<td><em>[future]</em> quantization</td>
<td>number, default=1</td>
<td>smallest granularity of allocation: requests may be rounded up to a multiple of this unit; implementation-defined unit (e.g., the page size for RAM).</td>
</tr>
</tbody>
</table>
<h1 id="appendix-future-extensions">Appendix: future extensions</h1>
<p>The following are planned future extensions to the resource model, included here to encourage comments.</p>
<h2 id="usage-data">Usage data</h2>
<p>Because resource usage and related metrics change continuously, need to be tracked over time (i.e., historically), can be characterized in a variety of ways, and are fairly voluminous, we will not include usage in core API objects, such as <a href="../user-guide/pods.html">Pods</a> and Nodes, but will provide separate APIs for accessing and managing that data. See the Appendix for possible representations of usage data, but the representation well use is TBD.</p>
<p>Singleton values for observed and predicted future usage will rapidly prove inadequate, so we will support the following structure for extended usage information:</p>
<div class="highlight">
<pre><code class="language-yaml">resourceStatus: [
usage: [ cpu: &lt;CPU-info&gt;, memory: &lt;memory-info&gt; ],
maxusage: [ cpu: &lt;CPU-info&gt;, memory: &lt;memory-info&gt; ],
predicted: [ cpu: &lt;CPU-info&gt;, memory: &lt;memory-info&gt; ],
]
</code></pre>
</div>
<p>where a <code>&lt;CPU-info&gt;</code> or <code>&lt;memory-info&gt;</code> structure looks like this:</p>
<div class="highlight">
<pre><code class="language-yaml">{
mean: &lt;value&gt; # arithmetic mean
max: &lt;value&gt; # minimum value
min: &lt;value&gt; # maximum value
count: &lt;value&gt; # number of data points
percentiles: [ # map from %iles to values
"10": &lt;10th-percentile-value&gt;,
"50": &lt;median-value&gt;,
"99": &lt;99th-percentile-value&gt;,
"99.9": &lt;99.9th-percentile-value&gt;,
...
]
}
</code></pre>
</div>
<p>All parts of this structure are optional, although we strongly encourage including quantities for 50, 90, 95, 99, 99.5, and 99.9 percentiles. <em>[In practice, it will be important to include additional info such as the length of the time window over which the averages are calculated, the confidence level, and information-quality metrics such as the number of dropped or discarded data points.]</em>
and predicted</p>
<h2 id="future-resource-types">Future resource types</h2>
<h3 id="future-network-bandwidth"><em>[future] Network bandwidth</em></h3>
<ul>
<li>Name: “network-bandwidth” (or <code>kubernetes.io/network-bandwidth</code>)</li>
<li>Units: bytes per second</li>
<li>Compressible? yes</li>
</ul>
<h3 id="future-network-operations"><em>[future] Network operations</em></h3>
<ul>
<li>Name: “network-iops” (or <code>kubernetes.io/network-iops</code>)</li>
<li>Units: operations (messages) per second</li>
<li>Compressible? yes</li>
</ul>
<h3 id="future-storage-space"><em>[future] Storage space</em></h3>
<ul>
<li>Name: “storage-space” (or <code>kubernetes.io/storage-space</code>)</li>
<li>Units: bytes</li>
<li>Compressible? no</li>
</ul>
<p>The amount of secondary storage space available to a container. The main target is local disk drives and SSDs, although this could also be used to qualify remotely-mounted volumes. Specifying whether a resource is a raw disk, an SSD, a disk array, or a file system fronting any of these, is left for future work.</p>
<h3 id="future-storage-time"><em>[future] Storage time</em></h3>
<ul>
<li>Name: storage-time (or <code>kubernetes.io/storage-time</code>)</li>
<li>Units: seconds per second of disk time</li>
<li>Internal representation: milli-units</li>
<li>Compressible? yes</li>
</ul>
<p>This is the amount of time a container spends accessing disk, including actuator and transfer time. A standard disk drive provides 1.0 diskTime seconds per second.</p>
<h3 id="future-storage-operations"><em>[future] Storage operations</em></h3>
<ul>
<li>Name: “storage-iops” (or <code>kubernetes.io/storage-iops</code>)</li>
<li>Units: operations per second</li>
<li>Compressible? yes</li>
</ul>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/resources.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
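Review bot: several markdown lists in this file did not survive conversion; the three bullets after "To make life easier for people..." and the two after "Internally (i.e., everywhere else)..." sit as raw `*` lines inside the enclosing `<p>`, and in the "Where:" blocks the first item is emitted as `* <em>request</em> [optional]: ...` inside the paragraph while its sibling `<em>limit</em>` item correctly lands in a `<ul>`. The source needs a blank line before each list (and consistent indentation of the items) so the converter emits `<ul><li>` for every item, otherwise the rendered page shows literal asterisks. Smaller fixes in the same file: the comments in the usage-structure example are swapped (`max: &lt;value&gt; # minimum value` should say maximum and `min:` minimum), the stray fragment `and predicted` after the percentile paragraph should be removed or completed, "the kubelet implementation may expected an absolute specification" should read "may expect", and the trailing `<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->` block with its tracking pixel wrapped in an empty `<a href="">` is exactly the munged residue this change is meant to eliminate. The shared footer also still links Community to `/foobang.html` and the nav boxes carry lorem-ipsum copy; those placeholders should not ship in a published page.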

View File

@ -0,0 +1,771 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Abstract</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Abstract</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h2 id="abstract">Abstract</h2>
<p>A proposal for the distribution of <a href="../user-guide/secrets.html">secrets</a> (passwords, keys, etc) to the Kubelet and to
containers inside Kubernetes using a custom <a href="../user-guide/volumes.html#secrets">volume</a> type. See the <a href="../user-guide/secrets/">secrets example</a> for more information.</p>
<h2 id="motivation">Motivation</h2>
<p>Secrets are needed in containers to access internal resources like the Kubernetes master or
external resources such as git repositories, databases, etc. Users may also want behaviors in the
kubelet that depend on secret data (credentials for image pull from a docker registry) associated
with pods.</p>
<p>Goals of this design:</p>
<ol>
<li>Describe a secret resource</li>
<li>Define the various challenges attendant to managing secrets on the node</li>
<li>Define a mechanism for consuming secrets in containers without modification</li>
</ol>
<h2 id="constraints-and-assumptions">Constraints and Assumptions</h2>
<ul>
<li>This design does not prescribe a method for storing secrets; storage of secrets should be
pluggable to accommodate different use-cases</li>
<li>Encryption of secret data and node security are orthogonal concerns</li>
<li>It is assumed that node and master are secure and that compromising their security could also
compromise secrets:
<ul>
<li>If a node is compromised, the only secrets that could potentially be exposed should be the
secrets belonging to containers scheduled onto it</li>
<li>If the master is compromised, all secrets in the cluster may be exposed</li>
</ul>
</li>
<li>Secret rotation is an orthogonal concern, but it should be facilitated by this proposal</li>
<li>A user who can consume a secret in a container can know the value of the secret; secrets must
be provisioned judiciously</li>
</ul>
<h2 id="use-cases">Use Cases</h2>
<ol>
<li>As a user, I want to store secret artifacts for my applications and consume them securely in
containers, so that I can keep the configuration for my applications separate from the images
that use them:
<ol>
<li>As a cluster operator, I want to allow a pod to access the Kubernetes master using a custom
<code>.kubeconfig</code> file, so that I can securely reach the master</li>
<li>As a cluster operator, I want to allow a pod to access a Docker registry using credentials
from a <code>.dockercfg</code> file, so that containers can push images</li>
<li>As a cluster operator, I want to allow a pod to access a git repository using SSH keys,
so that I can push to and fetch from the repository</li>
</ol>
</li>
<li>As a user, I want to allow containers to consume supplemental information about services such
as username and password which should be kept secret, so that I can share secrets about a
service amongst the containers in my application securely</li>
<li>As a user, I want to associate a pod with a <code>ServiceAccount</code> that consumes a secret and have
the kubelet implement some reserved behaviors based on the types of secrets the service account
consumes:
<ol>
<li>Use credentials for a docker registry to pull the pods docker image</li>
<li>Present Kubernetes auth token to the pod or transparently decorate traffic between the pod
and master service</li>
</ol>
</li>
<li>As a user, I want to be able to indicate that a secret expires and for that secrets value to
be rotated once it expires, so that the system can help me follow good practices</li>
</ol>
<h3 id="use-case-configuration-artifacts">Use-Case: Configuration artifacts</h3>
<p>Many configuration files contain secrets intermixed with other configuration information. For
example, a users application may contain a properties file than contains database credentials,
SaaS API tokens, etc. Users should be able to consume configuration artifacts in their containers
and be able to control the path on the containers filesystems where the artifact will be
presented.</p>
<h3 id="use-case-metadata-about-services">Use-Case: Metadata about services</h3>
<p>Most pieces of information about how to use a service are secrets. For example, a service that
provides a MySQL database needs to provide the username, password, and database name to consumers
so that they can authenticate and use the correct database. Containers in pods consuming the MySQL
service would also consume the secrets associated with the MySQL service.</p>
<h3 id="use-case-secrets-associated-with-service-accounts">Use-Case: Secrets associated with service accounts</h3>
<p><a href="service_accounts.html">Service Accounts</a> are proposed as a
mechanism to decouple capabilities and security contexts from individual human users. A
<code>ServiceAccount</code> contains references to some number of secrets. A <code>Pod</code> can specify that it is
associated with a <code>ServiceAccount</code>. Secrets should have a <code>Type</code> field to allow the Kubelet and
other system components to take action based on the secrets type.</p>
<h4 id="example-service-account-consumes-auth-token-secret">Example: service account consumes auth token secret</h4>
<p>As an example, the service account proposal discusses service accounts consuming secrets which
contain Kubernetes auth tokens. When a Kubelet starts a pod associated with a service account
which consumes this type of secret, the Kubelet may take a number of actions:</p>
<ol>
<li>Expose the secret in a <code>.kubernetes_auth</code> file in a well-known location in the containers
file system</li>
<li>Configure that nodes <code>kube-proxy</code> to decorate HTTP requests from that pod to the
<code>kubernetes-master</code> service with the auth token, e. g. by adding a header to the request
(see the <a href="http://issue.k8s.io/2209">LOAS Daemon</a> proposal)</li>
</ol>
<h4 id="example-service-account-consumes-docker-registry-credentials">Example: service account consumes docker registry credentials</h4>
<p>Another example use case is where a pod is associated with a secret containing docker registry
credentials. The Kubelet could use these credentials for the docker pull to retrieve the image.</p>
<h3 id="use-case-secret-expiry-and-rotation">Use-Case: Secret expiry and rotation</h3>
<p>Rotation is considered a good practice for many types of secret data. It should be possible to
express that a secret has an expiry date; this would make it possible to implement a system
component that could regenerate expired secrets. As an example, consider a component that rotates
expired secrets. The rotator could periodically regenerate the values for expired secrets of
common types and update their expiry dates.</p>
<h2 id="deferral-consuming-secrets-as-environment-variables">Deferral: Consuming secrets as environment variables</h2>
<p>Some images will expect to receive configuration items as environment variables instead of files.
We should consider what the best way to allow this is; there are a few different options:</p>
<ol>
<li>
<p>Force the user to adapt files into environment variables. Users can store secrets that need to
be presented as environment variables in a format that is easy to consume from a shell:</p>
<pre><code>$ cat /etc/secrets/my-secret.txt
export MY_SECRET_ENV=MY_SECRET_VALUE
</code></pre>
<p>The user could <code>source</code> the file at <code>/etc/secrets/my-secret</code> prior to executing the command for
the image either inline in the command or in an init script,</p>
</li>
<li>
<p>Give secrets an attribute that allows users to express the intent that the platform should
generate the above syntax in the file used to present a secret. The user could consume these
files in the same manner as the above option.</p>
</li>
<li>
<p>Give secrets attributes that allow the user to express that the secret should be presented to
the container as an environment variable. The containers environment would contain the
desired values and the software in the container could use them without accommodation the
command or setup script.</p>
</li>
</ol>
<p>For our initial work, we will treat all secrets as files to narrow the problem space. There will
be a future proposal that handles exposing secrets as environment variables.</p>
<h2 id="flow-analysis-of-secret-data-with-respect-to-the-api-server">Flow analysis of secret data with respect to the API server</h2>
<p>There are two fundamentally different use-cases for access to secrets:</p>
<ol>
<li>CRUD operations on secrets by their owners</li>
<li>Read-only access to the secrets needed for a particular node by the kubelet</li>
</ol>
<h3 id="use-case-crud-operations-by-owners">Use-Case: CRUD operations by owners</h3>
<p>In use cases for CRUD operations, the user experience for secrets should be no different than for
other API resources.</p>
<h4 id="data-store-backing-the-rest-api">Data store backing the REST API</h4>
<p>The data store backing the REST API should be pluggable because different cluster operators will
have different preferences for the central store of secret data. Some possibilities for storage:</p>
<ol>
<li>An etcd collection alongside the storage for other API resources</li>
<li>A collocated <a href="http://en.wikipedia.org/wiki/Hardware_security_module">HSM</a></li>
<li>A secrets server like <a href="https://www.vaultproject.io/">Vault</a> or <a href="https://square.github.io/keywhiz/">Keywhiz</a></li>
<li>An external datastore such as an external etcd, RDBMS, etc.</li>
</ol>
<h4 id="size-limit-for-secrets">Size limit for secrets</h4>
<p>There should be a size limit for secrets in order to:</p>
<ol>
<li>Prevent DOS attacks against the API server</li>
<li>Allow kubelet implementations that prevent secret data from touching the nodes filesystem</li>
</ol>
<p>The size limit should satisfy the following conditions:</p>
<ol>
<li>Large enough to store common artifact types (encryption keypairs, certificates, small
configuration files)</li>
<li>Small enough to avoid large impact on node resource consumption (storage, RAM for tmpfs, etc)</li>
</ol>
<p>To begin discussion, we propose an initial value for this size limit of <strong>1MB</strong>.</p>
<h4 id="other-limitations-on-secrets">Other limitations on secrets</h4>
<p>Defining a policy for limitations on how a secret may be referenced by another API resource and how
constraints should be applied throughout the cluster is tricky due to the number of variables
involved:</p>
<ol>
<li>Should there be a maximum number of secrets a pod can reference via a volume?</li>
<li>Should there be a maximum number of secrets a service account can reference?</li>
<li>Should there be a total maximum number of secrets a pod can reference via its own spec and its
associated service account?</li>
<li>Should there be a total size limit on the amount of secret data consumed by a pod?</li>
<li>How will cluster operators want to be able to configure these limits?</li>
<li>How will these limits impact API server validations?</li>
<li>How will these limits affect scheduling?</li>
</ol>
<p>For now, we will not implement validations around these limits. Cluster operators will decide how
much node storage is allocated to secrets. It will be the operators responsibility to ensure that
the allocated storage is sufficient for the workload scheduled onto a node.</p>
<p>For now, kubelets will only attach secrets to api-sourced pods, and not file- or http-sourced
ones. Doing so would:
- confuse the secrets admission controller in the case of mirror pods.
- create an apiserver-liveness dependency avoiding this dependency is a main reason to use non-api-source pods.</p>
<h3 id="use-case-kubelet-read-of-secrets-for-node">Use-Case: Kubelet read of secrets for node</h3>
<p>The use-case where the kubelet reads secrets has several additional requirements:</p>
<ol>
<li>Kubelets should only be able to receive secret data which is required by pods scheduled onto
the kubelets node</li>
<li>Kubelets should have read-only access to secret data</li>
<li>Secret data should not be transmitted over the wire insecurely</li>
<li>Kubelets must ensure pods do not have access to each others secrets</li>
</ol>
<h4 id="read-of-secret-data-by-the-kubelet">Read of secret data by the Kubelet</h4>
<p>The Kubelet should only be allowed to read secrets which are consumed by pods scheduled onto that
Kubelets node and their associated service accounts. Authorization of the Kubelet to read this
data would be delegated to an authorization plugin and associated policy rule.</p>
<h4 id="secret-data-on-the-node-data-at-rest">Secret data on the node: data at rest</h4>
<p>Consideration must be given to whether secret data should be allowed to be at rest on the node:</p>
<ol>
<li>If secret data is not allowed to be at rest, the size of secret data becomes another draw on
the nodes RAM - should it affect scheduling?</li>
<li>If secret data is allowed to be at rest, should it be encrypted?
<ol>
<li>If so, how should be this be done?</li>
<li>If not, what threats exist? What types of secret are appropriate to store this way?</li>
</ol>
</li>
</ol>
<p>For the sake of limiting complexity, we propose that initially secret data should not be allowed
to be at rest on a node; secret data should be stored on a node-level tmpfs filesystem. This
filesystem can be subdivided into directories for use by the kubelet and by the volume plugin.</p>
<h4 id="secret-data-on-the-node-resource-consumption">Secret data on the node: resource consumption</h4>
<p>The Kubelet will be responsible for creating the per-node tmpfs file system for secret storage.
It is hard to make a prescriptive declaration about how much storage is appropriate to reserve for
secrets because different installations will vary widely in available resources, desired pod to
node density, overcommit policy, and other operation dimensions. That being the case, we propose
for simplicity that the amount of secret storage be controlled by a new parameter to the kubelet
with a default value of <strong>64MB</strong>. It is the cluster operators responsibility to handle choosing
the right storage size for their installation and configuring their Kubelets correctly.</p>
<p>Configuring each Kubelet is not the ideal story for operator experience; it is more intuitive that
the cluster-wide storage size be readable from a central configuration store like the one proposed
in <a href="http://issue.k8s.io/1553">#1553</a>. When such a store
exists, the Kubelet could be modified to read this configuration item from the store.</p>
<p>When the Kubelet is modified to advertise node resources (as proposed in
<a href="http://issue.k8s.io/4441">#4441</a>), the capacity calculation
for available memory should factor in the potential size of the node-level tmpfs in order to avoid
memory overcommit on the node.</p>
<h4 id="secret-data-on-the-node-isolation">Secret data on the node: isolation</h4>
<p>Every pod will have a <a href="security_context.html">security context</a>.
Secret data on the node should be isolated according to the security context of the container. The
Kubelet volume plugin API will be changed so that a volume plugin receives the security context of
a volume along with the volume spec. This will allow volume plugins to implement setting the
security context of volumes they manage.</p>
<h2 id="community-work">Community work</h2>
<p>Several proposals / upstream patches are notable as background for this proposal:</p>
<ol>
<li><a href="https://github.com/docker/docker/issues/10310">Docker vault proposal</a></li>
<li><a href="https://github.com/docker/docker/issues/9277">Specification for image/container standardization based on volumes</a></li>
<li><a href="service_accounts.html">Kubernetes service account proposal</a></li>
<li><a href="https://github.com/docker/docker/pull/6075">Secrets proposal for docker (1)</a></li>
<li><a href="https://github.com/docker/docker/pull/6697">Secrets proposal for docker (2)</a></li>
</ol>
<h2 id="proposed-design">Proposed Design</h2>
<p>We propose a new <code>Secret</code> resource which is mounted into containers with a new volume type. Secret
volumes will be handled by a volume plugin that does the actual work of fetching the secret and
storing it. Secrets contain multiple pieces of data that are presented as different files within
the secret volume (example: SSH key pair).</p>
<p>In order to remove the burden from the end user in specifying every file that a secret consists of,
it should be possible to mount all files provided by a secret with a single <code>VolumeMount</code> entry
in the container specification.</p>
<h3 id="secret-api-resource">Secret API Resource</h3>
<p>A new resource for secrets will be added to the API:</p>
<div class="highlight">
<pre><code class="language-go">type Secret struct {
TypeMeta
ObjectMeta
// Data contains the secret data. Each key must be a valid DNS_SUBDOMAIN.
// The serialized form of the secret data is a base64 encoded string,
// representing the arbitrary (possibly non-string) data value here.
Data map[string][]byte `json:"data,omitempty"`
// Used to facilitate programmatic handling of secret data.
Type SecretType `json:"type,omitempty"`
}
type SecretType string
const (
SecretTypeOpaque SecretType = "Opaque" // Opaque (arbitrary data; default)
SecretTypeServiceAccountToken SecretType = "kubernetes.io/service-account-token" // Kubernetes auth token
SecretTypeDockercfg SecretType = "kubernetes.io/dockercfg" // Docker registry auth
// FUTURE: other type values
)
const MaxSecretSize = 1 * 1024 * 1024
</code></pre>
</div>
<p>A Secret can declare a type in order to provide type information to system components that work
with secrets. The default type is <code>opaque</code>, which represents arbitrary user-owned data.</p>
<p>Secrets are validated against <code>MaxSecretSize</code>. The keys in the <code>Data</code> field must be valid DNS
subdomains.</p>
<p>A new REST API and registry interface will be added to accompany the <code>Secret</code> resource. The
default implementation of the registry will store <code>Secret</code> information in etcd. Future registry
implementations could store the <code>TypeMeta</code> and <code>ObjectMeta</code> fields in etcd and store the secret
data in another data store entirely, or store the whole object in another data store.</p>
<h4 id="other-validations-related-to-secrets">Other validations related to secrets</h4>
<p>Initially there will be no validations for the number of secrets a pod references, or the number of
secrets that can be associated with a service account. These may be added in the future as the
finer points of secrets and resource allocation are fleshed out.</p>
<h3 id="secret-volume-source">Secret Volume Source</h3>
<p>A new <code>SecretSource</code> type of volume source will be added to the <code>VolumeSource</code> struct in the
API:</p>
<div class="highlight">
<pre><code class="language-go">type VolumeSource struct {
// Other fields omitted
// SecretSource represents a secret that should be presented in a volume
SecretSource *SecretSource `json:"secret"`
}
type SecretSource struct {
Target ObjectReference
}
</code></pre>
</div>
<p>Secret volume sources are validated to ensure that the specified object reference actually points
to an object of type <code>Secret</code>.</p>
<p>In the future, the <code>SecretSource</code> will be extended to allow:</p>
<ol>
<li>Fine-grained control over which pieces of secret data are exposed in the volume</li>
<li>The paths and filenames for how secret data are exposed</li>
</ol>
<h3 id="secret-volume-plugin">Secret Volume Plugin</h3>
<p>A new Kubelet volume plugin will be added to handle volumes with a secret source. This plugin will
require access to the API server to retrieve secret data and therefore the volume <code>Host</code> interface
will have to change to expose a client interface:</p>
<div class="highlight">
<pre><code class="language-go">type Host interface {
// Other methods omitted
// GetKubeClient returns a client interface
GetKubeClient() client.Interface
}
</code></pre>
</div>
<p>The secret volume plugin will be responsible for:</p>
<ol>
<li>Returning a <code>volume.Builder</code> implementation from <code>NewBuilder</code> that:
<ol>
<li>Retrieves the secret data for the volume from the API server</li>
<li>Places the secret data onto the containers filesystem</li>
<li>Sets the correct security attributes for the volume based on the pods <code>SecurityContext</code></li>
</ol>
</li>
<li>Returning a <code>volume.Cleaner</code> implementation from <code>NewClear</code> that cleans the volume from the
containers filesystem</li>
</ol>
<h3 id="kubelet-node-level-secret-storage">Kubelet: Node-level secret storage</h3>
<p>The Kubelet must be modified to accept a new parameter for the secret storage size and to create
a tmpfs file system of that size to store secret data. Rough accounting of specific changes:</p>
<ol>
<li>The Kubelet should have a new field added called <code>secretStorageSize</code>; units are megabytes</li>
<li><code>NewMainKubelet</code> should accept a value for secret storage size</li>
<li>The Kubelet server should have a new flag added for secret storage size</li>
<li>The Kubelets <code>setupDataDirs</code> method should be changed to create the secret storage</li>
</ol>
<h3 id="kubelet-new-behaviors-for-secrets-associated-with-service-accounts">Kubelet: New behaviors for secrets associated with service accounts</h3>
<p>For use-cases where the Kubelets behavior is affected by the secrets associated with a pods
<code>ServiceAccount</code>, the Kubelet will need to be changed. For example, if secrets of type
<code>docker-reg-auth</code> affect how the pods images are pulled, the Kubelet will need to be changed
to accommodate this. Subsequent proposals can address this on a type-by-type basis.</p>
<h2 id="examples">Examples</h2>
<p>For clarity, lets examine some detailed examples of some common use-cases in terms of the
suggested changes. All of these examples are assumed to be created in a namespace called
<code>example</code>.</p>
<h3 id="use-case-pod-with-ssh-keys">Use-Case: Pod with ssh keys</h3>
<p>To create a pod that uses an ssh key stored as a secret, we first need to create a secret:</p>
<div class="highlight">
<pre><code class="language-json">{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
"name": "ssh-key-secret"
},
"data": {
"id-rsa": "dmFsdWUtMg0KDQo=",
"id-rsa.pub": "dmFsdWUtMQ0K"
}
}
</code></pre>
</div>
<p><strong>Note:</strong> The serialized JSON and YAML values of secret data are encoded as
base64 strings. Newlines are not valid within these strings and must be
omitted.</p>
<p>Now we can create a pod which references the secret with the ssh key and consumes it in a volume:</p>
<div class="highlight">
<pre><code class="language-json">{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "secret-test-pod",
"labels": {
"name": "secret-test"
}
},
"spec": {
"volumes": [
{
"name": "secret-volume",
"secret": {
"secretName": "ssh-key-secret"
}
}
],
"containers": [
{
"name": "ssh-test-container",
"image": "mySshImage",
"volumeMounts": [
{
"name": "secret-volume",
"readOnly": true,
"mountPath": "/etc/secret-volume"
}
]
}
]
}
}
</code></pre>
</div>
<p>When the containers command runs, the pieces of the key will be available in:</p>
<pre><code>/etc/secret-volume/id-rsa.pub
/etc/secret-volume/id-rsa
</code></pre>
<p>The container is then free to use the secret data to establish an ssh connection.</p>
<h3 id="use-case-pods-with-pod--test-credentials">Use-Case: Pods with pod / test credentials</h3>
<p>This example illustrates a pod which consumes a secret containing prod
credentials and another pod which consumes a secret with test environment
credentials.</p>
<p>The secrets:</p>
<div class="highlight">
<pre><code class="language-json">{
"apiVersion": "v1",
"kind": "List",
"items":
[{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
"name": "prod-db-secret"
},
"data": {
"password": "dmFsdWUtMg0KDQo=",
"username": "dmFsdWUtMQ0K"
}
},
{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
"name": "test-db-secret"
},
"data": {
"password": "dmFsdWUtMg0KDQo=",
"username": "dmFsdWUtMQ0K"
}
}]
}
</code></pre>
</div>
<p>The pods:</p>
<div class="highlight">
<pre><code class="language-json">{
"apiVersion": "v1",
"kind": "List",
"items":
[{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "prod-db-client-pod",
"labels": {
"name": "prod-db-client"
}
},
"spec": {
"volumes": [
{
"name": "secret-volume",
"secret": {
"secretName": "prod-db-secret"
}
}
],
"containers": [
{
"name": "db-client-container",
"image": "myClientImage",
"volumeMounts": [
{
"name": "secret-volume",
"readOnly": true,
"mountPath": "/etc/secret-volume"
}
]
}
]
}
},
{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "test-db-client-pod",
"labels": {
"name": "test-db-client"
}
},
"spec": {
"volumes": [
{
"name": "secret-volume",
"secret": {
"secretName": "test-db-secret"
}
}
],
"containers": [
{
"name": "db-client-container",
"image": "myClientImage",
"volumeMounts": [
{
"name": "secret-volume",
"readOnly": true,
"mountPath": "/etc/secret-volume"
}
]
}
]
}
}]
}
</code></pre>
</div>
<p>The specs for the two pods differ only in the value of the object referred to by the secret volume
source. Both containers will have the following files present on their filesystems:</p>
<pre><code>/etc/secret-volume/username
/etc/secret-volume/password
</code></pre>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/secrets.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
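Review bot: the rendered secrets page still emits the munge markers and the analytics pixel (`<!-- BEGIN MUNGE: IS_VERSIONED -->` through `<!-- END MUNGE: GENERATED_ANALYTICS -->`, with `<a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/secrets.md?pixel" ...>`), and the closing `</p>` of that block lands after the END MUNGE comment so the paragraph wraps an HTML comment; for a "non-munged/pure-Jekyll" page the conversion should strip these rather than carry them into the output. The footer in the same hunk ships placeholder navigation (`<a href="/foobang.html">Community</a>`, the "I wish this page" field with placeholder text "made better textfield suggestions") and links to `/getting-started.html` and `/docs.html` where the header uses `/get-started` and `/docs`. On the document content: the proposed `SecretSource` struct declares only `Target ObjectReference`, but both pod examples reference the secret as `"secret": {"secretName": "ssh-key-secret"}`, so the API text and the examples disagree; the prose gives the default type as `opaque` while the constant is `"Opaque"`; the kubelet section names a `docker-reg-auth` secret type that matches none of the declared constants (`SecretTypeDockercfg = "kubernetes.io/dockercfg"`); and `NewClear` in the volume plugin list reads as a typo next to `NewBuilder`/`volume.Builder` and `volume.Cleaner`. Worth fixing at the markdown source so the rendered page does not preserve them.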

View File

@ -0,0 +1,283 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Security in Kubernetes</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Security in Kubernetes</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="security-in-kubernetes">Security in Kubernetes</h1>
<p>Kubernetes should define a reasonable set of security best practices that allows processes to be isolated from each other, from the cluster infrastructure, and which preserves important boundaries between those who manage the cluster, and those who use the cluster.</p>
<p>While Kubernetes today is not primarily a multi-tenant system, the long term evolution of Kubernetes will increasingly rely on proper boundaries between users and administrators. The code running on the cluster must be appropriately isolated and secured to prevent malicious parties from affecting the entire cluster.</p>
<h2 id="high-level-goals">High Level Goals</h2>
<ol>
<li>Ensure a clear isolation between the container and the underlying host it runs on</li>
<li>Limit the ability of the container to negatively impact the infrastructure or other containers</li>
<li><a href="http://en.wikipedia.org/wiki/Principle_of_least_privilege">Principle of Least Privilege</a> - ensure components are only authorized to perform the actions they need, and limit the scope of a compromise by limiting the capabilities of individual components</li>
<li>Reduce the number of systems that have to be hardened and secured by defining clear boundaries between components</li>
<li>Allow users of the system to be cleanly separated from administrators</li>
<li>Allow administrative functions to be delegated to users where necessary</li>
<li>Allow applications to be run on the cluster that have “secret” data (keys, certs, passwords) which is properly abstracted from “public” data.</li>
</ol>
<h2 id="use-cases">Use cases</h2>
<h3 id="roles">Roles</h3>
<p>We define “user” as a unique identity accessing the Kubernetes API server, which may be a human or an automated process. Human users fall into the following categories:</p>
<ol>
<li>k8s admin - administers a Kubernetes cluster and has access to the underlying components of the system</li>
<li>k8s project administrator - administrates the security of a small subset of the cluster</li>
<li>k8s developer - launches pods on a Kubernetes cluster and consumes cluster resources</li>
</ol>
<p>Automated process users fall into the following categories:</p>
<ol>
<li>k8s container user - a user that processes running inside a container (on the cluster) can use to access other cluster resources independent of the human users attached to a project</li>
<li>k8s infrastructure user - the user that Kubernetes infrastructure components use to perform cluster functions with clearly defined roles</li>
</ol>
<h3 id="description-of-roles">Description of roles</h3>
<ul>
<li>Developers:
<ul>
<li>write pod specs.</li>
<li>making some of their own images, and using some “community” docker images</li>
<li>know which pods need to talk to which other pods</li>
<li>decide which pods should share files with other pods, and which should not.</li>
<li>reason about application level security, such as containing the effects of a local-file-read exploit in a webserver pod.</li>
<li>do not often reason about operating system or organizational security.</li>
<li>are not necessarily comfortable reasoning about the security properties of a system at the level of detail of Linux Capabilities, SELinux, AppArmor, etc.</li>
</ul>
</li>
<li>Project Admins:
<ul>
<li>allocate identity and roles within a namespace</li>
<li>reason about organizational security within a namespace
<ul>
<li>dont give a developer permissions that are not needed for role.</li>
<li>protect files on shared storage from unnecessary cross-team access</li>
</ul>
</li>
<li>are less focused about application security</li>
</ul>
</li>
<li>Administrators:
<ul>
<li>are less focused on application security. Focused on operating system security.</li>
<li>protect the node from bad actors in containers, and properly-configured innocent containers from bad actors in other containers.</li>
<li>comfortable reasoning about the security properties of a system at the level of detail of Linux Capabilities, SELinux, AppArmor, etc.</li>
<li>decides who can use which Linux Capabilities, run privileged containers, use hostPath, etc.
<ul>
<li>e.g. a team that manages Ceph or a mysql server might be trusted to have raw access to storage devices in some organizations, but teams that develop the applications at higher layers would not.</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="proposed-design">Proposed Design</h2>
<p>A pod runs in a <em>security context</em> under a <em>service account</em> that is defined by an administrator or project administrator, and the <em>secrets</em> a pod has access to is limited by that <em>service account</em>.</p>
<ol>
<li>The API should authenticate and authorize user actions <a href="access.html">authn and authz</a></li>
<li>All infrastructure components (kubelets, kube-proxies, controllers, scheduler) should have an infrastructure user that they can authenticate with and be authorized to perform only the functions they require against the API.</li>
<li>Most infrastructure components should use the API as a way of exchanging data and changing the system, and only the API should have access to the underlying data store (etcd)</li>
<li>When containers run on the cluster and need to talk to other containers or the API server, they should be identified and authorized clearly as an autonomous process via a <a href="service_accounts.html">service account</a>
<ol>
<li>If the user who started a long-lived process is removed from access to the cluster, the process should be able to continue without interruption</li>
<li>If the user who started processes are removed from the cluster, administrators may wish to terminate their processes in bulk</li>
<li>When containers run with a service account, the user that created / triggered the service account behavior must be associated with the containers action</li>
</ol>
</li>
<li>When container processes run on the cluster, they should run in a <a href="security_context.html">security context</a> that isolates those processes via Linux user security, user namespaces, and permissions.
<ol>
<li>Administrators should be able to configure the cluster to automatically confine all container processes as a non-root, randomly assigned UID</li>
<li>Administrators should be able to ensure that container processes within the same namespace are all assigned the same unix user UID</li>
<li>Administrators should be able to limit which developers and project administrators have access to higher privilege actions</li>
<li>Project administrators should be able to run pods within a namespace under different security contexts, and developers must be able to specify which of the available security contexts they may use</li>
<li>Developers should be able to run their own images or images from the community and expect those images to run correctly</li>
<li>Developers may need to ensure their images work within higher security requirements specified by administrators</li>
<li>When available, Linux kernel user namespaces can be used to ensure 5.2 and 5.4 are met.</li>
<li>When application developers want to share filesystem data via distributed filesystems, the Unix user ids on those filesystems must be consistent across different container processes</li>
</ol>
</li>
<li>Developers should be able to define <a href="secrets.html">secrets</a> that are automatically added to the containers when pods are run
<ol>
<li>Secrets are files injected into the container whose values should not be displayed within a pod. Examples:
<ol>
<li>An SSH private key for git cloning remote data</li>
<li>A client certificate for accessing a remote system</li>
<li>A private key and certificate for a web server</li>
<li>A .kubeconfig file with embedded cert / token data for accessing the Kubernetes master</li>
<li>A .dockercfg file for pulling images from a protected registry</li>
</ol>
</li>
<li>Developers should be able to define the pod spec so that a secret lands in a specific location</li>
<li>Project administrators should be able to limit developers within a namespace from viewing or modifying secrets (anyone who can launch an arbitrary pod can view secrets)</li>
<li>Secrets are generally not copied from one namespace to another when a developers application definitions are copied</li>
</ol>
</li>
</ol>
<h3 id="related-design-discussion">Related design discussion</h3>
<ul>
<li><a href="access.html">Authorization and authentication</a></li>
<li><a href="http://pr.k8s.io/2030">Secret distribution via files</a></li>
<li><a href="https://github.com/docker/docker/pull/6697">Docker secrets</a></li>
<li><a href="https://github.com/docker/docker/issues/10310">Docker vault</a></li>
<li><a href="service_accounts.html">Service Accounts:</a></li>
<li><a href="http://pr.k8s.io/4126">Secret volumes</a></li>
</ul>
<h2 id="specific-design-points">Specific Design Points</h2>
<h3 id="todo-authorization-authentication">TODO: authorization, authentication</h3>
<h3 id="isolate-the-data-store-from-the-nodes-and-supporting-infrastructure">Isolate the data store from the nodes and supporting infrastructure</h3>
<p>Access to the central data store (etcd) in Kubernetes allows an attacker to run arbitrary containers on hosts, to gain access to any protected information stored in either volumes or in pods (such as access tokens or shared secrets provided as environment variables), to intercept and redirect traffic from running services by inserting middlemen, or to simply delete the entire history of the custer.</p>
<p>As a general principle, access to the central data store should be restricted to the components that need full control over the system and which can apply appropriate authorization and authentication of change requests. In the future, etcd may offer granular access control, but that granularity will require an administrator to understand the schema of the data to properly apply security. An administrator must be able to properly secure Kubernetes at a policy level, rather than at an implementation level, and schema changes over time should not risk unintended security leaks.</p>
<p>Both the Kubelet and Kube Proxy need information related to their specific roles - for the Kubelet, the set of pods it should be running, and for the Proxy, the set of services and endpoints to load balance. The Kubelet also needs to provide information about running pods and historical termination data. The access pattern for both Kubelet and Proxy to load their configuration is an efficient “wait for changes” request over HTTP. It should be possible to limit the Kubelet and Proxy to only access the information they need to perform their roles and no more.</p>
<p>The controller manager for Replication Controllers and other future controllers act on behalf of a user via delegation to perform automated maintenance on Kubernetes resources. Their ability to access or modify resource state should be strictly limited to their intended duties and they should be prevented from accessing information not pertinent to their role. For example, a replication controller needs only to create a copy of a known pod configuration, to determine the running state of an existing pod, or to delete an existing pod that it created - it does not need to know the contents or current state of a pod, nor have access to any data in the pods attached volumes.</p>
<p>The Kubernetes pod scheduler is responsible for reading data from the pod to fit it onto a node in the cluster. At a minimum, it needs access to view the ID of a pod (to craft the binding), its current state, any resource information necessary to identify placement, and other data relevant to concerns like anti-affinity, zone or region preference, or custom logic. It does not need the ability to modify pods or see other resources, only to create bindings. It should not need the ability to delete bindings unless the scheduler takes control of relocating components on failed hosts (which could be implemented by a separate component that can delete bindings but not create them). The scheduler may need read access to user or project-container information to determine preferential location (underspecified at this time).</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/security.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
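Review bot: the header and footer are copied verbatim into this file with unfinished placeholder content: the nav boxes link to `href=""` and carry lorem ipsum (`<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>`), the "View On Github" button has an empty href, and the hero section emits empty `<h1></h1>` and `<h5></h5>`. Since the same block appears in every rendered page in this commit, it belongs in a Jekyll layout or include so one fix propagates, and the placeholders should be filled or dropped before publishing. Smaller points in the same hunk: the page has two top-level headings (`<h1>Security in Kubernetes</h1>` from the template and `<h1 id="security-in-kubernetes">Security in Kubernetes</h1>` from the document); the header social link uses class `Twitter` while the footer uses `twitter`, and class selectors are case-sensitive in standards mode, so the header icon will not pick up the footer's styling; the `<h3>TODO: authorization, authentication</h3>` section ships empty; "custer" in the data-store paragraph should be "cluster"; and the IS_VERSIONED/GENERATED_ANALYTICS munge markers plus the `security.md?pixel` analytics image survive at the end of the content, which is the opposite of what the commit message describes.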

View File

@ -0,0 +1,314 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Security Contexts</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Security Contexts</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="security-contexts">Security Contexts</h1>
<h2 id="abstract">Abstract</h2>
<p>A security context is a set of constraints that are applied to a container in order to achieve the following goals (from <a href="security.html">security design</a>):</p>
<ol>
<li>Ensure a clear isolation between container and the underlying host it runs on</li>
<li>Limit the ability of the container to negatively impact the infrastructure or other containers</li>
</ol>
<h2 id="background">Background</h2>
<p>The problem of securing containers in Kubernetes has come up <a href="http://issue.k8s.io/398">before</a> and the potential problems with container security are <a href="http://opensource.com/business/14/7/docker-security-selinux">well known</a>. Although it is not possible to completely isolate Docker containers from their hosts, new features like <a href="https://github.com/docker/libcontainer/pull/304">user namespaces</a> make it possible to greatly reduce the attack surface.</p>
<h2 id="motivation">Motivation</h2>
<h3 id="container-isolation">Container isolation</h3>
<p>In order to improve container isolation from host and other containers running on the host, containers should only be
granted the access they need to perform their work. To this end it should be possible to take advantage of Docker
features such as the ability to <a href="https://docs.docker.com/reference/run/#runtime-privilege-linux-capabilities-and-lxc-configuration">add or remove capabilities</a> and <a href="https://docs.docker.com/reference/run/#security-configuration">assign MCS labels</a>
to the container process.</p>
<p>Support for user namespaces has recently been <a href="https://github.com/docker/libcontainer/pull/304">merged</a> into Dockers libcontainer project and should soon surface in Docker itself. It will make it possible to assign a range of unprivileged uids and gids from the host to each container, improving the isolation between host and container and between containers.</p>
<h3 id="external-integration-with-shared-storage">External integration with shared storage</h3>
<p>In order to support external integration with shared storage, processes running in a Kubernetes cluster
should be able to be uniquely identified by their Unix UID, such that a chain of ownership can be established.
Processes in pods will need to have consistent UID/GID/SELinux category labels in order to access shared disks.</p>
<h2 id="constraints-and-assumptions">Constraints and Assumptions</h2>
<ul>
<li>It is out of the scope of this document to prescribe a specific set
of constraints to isolate containers from their host. Different use cases need different
settings.</li>
<li>The concept of a security context should not be tied to a particular security mechanism or platform
(ie. SELinux, AppArmor)</li>
<li>Applying a different security context to a scope (namespace or pod) requires a solution such as the one proposed for
<a href="service_accounts.html">service accounts</a>.</li>
</ul>
<h2 id="use-cases">Use Cases</h2>
<p>In order of increasing complexity, following are example use cases that would
be addressed with security contexts:</p>
<ol>
<li>Kubernetes is used to run a single cloud application. In order to protect
nodes from containers:
<ul>
<li>All containers run as a single non-root user</li>
<li>Privileged containers are disabled</li>
<li>All containers run with a particular MCS label</li>
<li>Kernel capabilities like CHOWN and MKNOD are removed from containers</li>
</ul>
</li>
<li>Just like case #1, except that I have more than one application running on
the Kubernetes cluster.
<ul>
<li>Each application is run in its own namespace to avoid name collisions</li>
<li>For each application a different uid and MCS label is used</li>
</ul>
</li>
<li>Kubernetes is used as the base for a PAAS with
multiple projects, each project represented by a namespace.
<ul>
<li>Each namespace is associated with a range of uids/gids on the node that
are mapped to uids/gids on containers using linux user namespaces.</li>
<li>Certain pods in each namespace have special privileges to perform system
actions such as talking back to the server for deployment, run docker
builds, etc.</li>
<li>External NFS storage is assigned to each namespace and permissions set
using the range of uids/gids assigned to that namespace.</li>
</ul>
</li>
</ol>
<h2 id="proposed-design">Proposed Design</h2>
<h3 id="overview">Overview</h3>
<p>A <em>security context</em> consists of a set of constraints that determine how a container
is secured before getting created and run. A security context resides on the container and represents the runtime parameters that will
be used to create and run the container via container APIs. A <em>security context provider</em> is passed to the Kubelet so it can have a chance
to mutate Docker API calls in order to apply the security context.</p>
<p>It is recommended that this design be implemented in two phases:</p>
<ol>
<li>Implement the security context provider extension point in the Kubelet
so that a default security context can be applied on container run and creation.</li>
<li>Implement a security context structure that is part of a service account. The
default context provider can then be used to apply a security context based
on the service account associated with the pod.</li>
</ol>
<h3 id="security-context-provider">Security Context Provider</h3>
<p>The Kubelet will have an interface that points to a <code>SecurityContextProvider</code>. The <code>SecurityContextProvider</code> is invoked before creating and running a given container:</p>
<div class="highlight">
<pre><code class="language-go">type SecurityContextProvider interface {
// ModifyContainerConfig is called before the Docker createContainer call.
// The security context provider can make changes to the Config with which
// the container is created.
// An error is returned if it's not possible to secure the container as
// requested with a security context.
ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config)
// ModifyHostConfig is called before the Docker runContainer call.
// The security context provider can make changes to the HostConfig, affecting
// security options, whether the container is privileged, volume binds, etc.
// An error is returned if it's not possible to secure the container as requested
// with a security context.
ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig)
}
</code></pre>
</div>
<p>If the value of the SecurityContextProvider field on the Kubelet is nil, the kubelet will create and run the container as it does today.</p>
<h3 id="security-context">Security Context</h3>
<p>A security context resides on the container and represents the runtime parameters that will
be used to create and run the container via container APIs. Following is an example of an initial implementation:</p>
<div class="highlight">
<pre><code class="language-go">type Container struct {
... other fields omitted ...
// Optional: SecurityContext defines the security options the pod should be run with
SecurityContext *SecurityContext
}
// SecurityContext holds security configuration that will be applied to a container. SecurityContext
// contains duplication of some existing fields from the Container resource. These duplicate fields
// will be populated based on the Container configuration if they are not set. Defining them on
// both the Container AND the SecurityContext will result in an error.
type SecurityContext struct {
// Capabilities are the capabilities to add/drop when running the container
Capabilities *Capabilities
// Run the container in privileged mode
Privileged *bool
// SELinuxOptions are the labels to be applied to the container
// and volumes
SELinuxOptions *SELinuxOptions
// RunAsUser is the UID to run the entrypoint of the container process.
RunAsUser *int64
}
// SELinuxOptions are the labels to be applied to the container.
type SELinuxOptions struct {
// SELinux user label
User string
// SELinux role label
Role string
// SELinux type label
Type string
// SELinux level label.
Level string
}
</code></pre>
</div>
<h3 id="admission">Admission</h3>
<p>It is up to an admission plugin to determine if the security context is acceptable or not. At the
time of writing, the admission control plugin for security contexts will only allow a context that
has defined capabilities or privileged. Contexts that attempt to define a UID or SELinux options
will be denied by default. In the future the admission plugin will base this decision upon
configurable policies that reside within the <a href="http://pr.k8s.io/2297">service account</a>.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/security_context.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
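Review bot: the `SecurityContextProvider` interface in this file documents an error return that its signatures do not declare. Both method comments say "An error is returned if it's not possible to secure the container as requested with a security context", yet `ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config)` and `ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig)` return nothing, so the kubelet has no way to refuse to create or run a container whose requested context cannot be enforced; add `error` to both signatures and state that a non-nil error aborts the create/run. Separately, the rendered page carries the title twice (`<h1>Security Contexts</h1>` immediately followed by `<h1 id="security-contexts">Security Contexts</h1>`), the nav boxes still contain lorem ipsum placeholder text with empty `href=""` links, the footer Community link points at `/foobang.html`, and the analytics pixel is wrapped in `<a href="">`; these should be cleaned up in the Jekyll layout rather than carried into every page.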

View File

@ -0,0 +1,303 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Service Accounts</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Service Accounts</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h1 id="service-accounts">Service Accounts</h1>
<h2 id="motivation">Motivation</h2>
<p>Processes in Pods may need to call the Kubernetes API. For example:
- scheduler
- replication controller
- node controller
- a map-reduce type framework which has a controller that then tries to make a dynamically determined number of workers and watch them
- continuous build and push system
- monitoring system</p>
<p>They also may interact with services other than the Kubernetes API, such as:
- an image repository, such as docker both when the images are pulled to start the containers, and for writing
images in the case of pods that generate images.
- accessing other cloud services, such as blob storage, in the context of a large, integrated, cloud offering (hosted
or private).
- accessing files in an NFS volume attached to the pod</p>
<h2 id="design-overview">Design Overview</h2>
<p>A service account binds together several things:
- a <em>name</em>, understood by users, and perhaps by peripheral systems, for an identity
- a <em>principal</em> that can be authenticated and <a href="../admin/authorization.html">authorized</a>
- a <a href="security_context.html">security context</a>, which defines the Linux Capabilities, User IDs, Groups IDs, and other
capabilities and controls on interaction with the file system and OS.
- a set of <a href="secrets.html">secrets</a>, which a container may use to
access various networked resources.</p>
<h2 id="design-discussion">Design Discussion</h2>
<p>A new object Kind is added:</p>
<div class="highlight">
<pre><code class="language-go">type ServiceAccount struct {
TypeMeta `json:",inline" yaml:",inline"`
ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
username string
securityContext ObjectReference // (reference to a securityContext object)
secrets []ObjectReference // (references to secret objects
}
</code></pre>
</div>
<p>The name ServiceAccount is chosen because it is widely used already (e.g. by Kerberos and LDAP)
to refer to this type of account. Note that it has no relation to Kubernetes Service objects.</p>
<p>The ServiceAccount object does not include any information that could not be defined separately:
- username can be defined however users are defined.
- securityContext and secrets are only referenced and are created using the REST API.</p>
<p>The purpose of the serviceAccount object is twofold:
- to bind usernames to securityContexts and secrets, so that the username can be used to refer succinctly
in contexts where explicitly naming securityContexts and secrets would be inconvenient
- to provide an interface to simplify allocation of new securityContexts and secrets.
These features are explained later.</p>
<h3 id="names">Names</h3>
<p>From the standpoint of the Kubernetes API, a <code>user</code> is any principal which can authenticate to Kubernetes API.
This includes a human running <code>kubectl</code> on her desktop and a container in a Pod on a Node making API calls.</p>
<p>There is already a notion of a username in Kubernetes, which is populated into a request context after authentication.
However, there is no API object representing a user. While this may evolve, it is expected that in mature installations,
the canonical storage of user identifiers will be handled by a system external to Kubernetes.</p>
<p>Kubernetes does not dictate how to divide up the space of user identifier strings. User names can be
simple Unix-style short usernames, (e.g. <code>alice</code>), or may be qualified to allow for federated identity (
<code>alice@example.com</code> vs <code>alice@example.org</code>.) Naming convention may distinguish service accounts from user
accounts (e.g. <code>alice@example.com</code> vs <code>build-service-account-a3b7f0@foo-namespace.service-accounts.example.com</code>),
but Kubernetes does not require this.</p>
<p>Kubernetes also does not require that there be a distinction between human and Pod users. It will be possible
to setup a cluster where Alice the human talks to the Kubernetes API as username <code>alice</code> and starts pods that
also talk to the API as user <code>alice</code> and write files to NFS as user <code>alice</code>. But, this is not recommended.</p>
<p>Instead, it is recommended that Pods and Humans have distinct identities, and reference implementations will
make this distinction.</p>
<p>The distinction is useful for a number of reasons:
- the requirements for humans and automated processes are different:
- Humans need a wide range of capabilities to do their daily activities. Automated processes often have more narrowly-defined activities.
- Humans may better tolerate the exceptional conditions created by expiration of a token. Remembering to handle
this in a program is more annoying. So, either long-lasting credentials or automated rotation of credentials is
needed.
- A Human typically keeps credentials on a machine that is not part of the cluster and so not subject to automatic
management. A VM with a role/service-account can have its credentials automatically managed.
- the identity of a Pod cannot in general be mapped to a single human.
- If policy allows, it may be created by one human, and then updated by another, and another, until its behavior cannot be attributed to a single human.</p>
<p><strong>TODO</strong>: consider getting rid of separate serviceAccount object and just rolling its parts into the SecurityContext or
Pod Object.</p>
<p>The <code>secrets</code> field is a list of references to /secret objects that an process started as that service account should
have access to be able to assert that role.</p>
<p>The secrets are not inline with the serviceAccount object. This way, most or all users can have permission to <code>GET /serviceAccounts</code> so they can remind themselves
what serviceAccounts are available for use.</p>
<p>Nothing will prevent creation of a serviceAccount with two secrets of type <code>SecretTypeKubernetesAuth</code>, or secrets of two
different types. Kubelet and client libraries will have some behavior, TBD, to handle the case of multiple secrets of a
given type (pick first or provide all and try each in order, etc).</p>
<p>When a serviceAccount and a matching secret exist, then a <code>User.Info</code> for the serviceAccount and a <code>BearerToken</code> from the secret
are added to the map of tokens used by the authentication process in the apiserver, and similarly for other types. (We
might have some types that do not do anything on apiserver but just get pushed to the kubelet.)</p>
<h3 id="pods">Pods</h3>
<p>The <code>PodSpec</code> is extended to have a <code>Pods.Spec.ServiceAccountUsername</code> field. If this is unset, then a
default value is chosen. If it is set, then the corresponding value of <code>Pods.Spec.SecurityContext</code> is set by the
Service Account Finalizer (see below).</p>
<p>TBD: how policy limits which users can make pods with which service accounts.</p>
<h3 id="authorization">Authorization</h3>
<p>Kubernetes API Authorization Policies refer to users. Pods created with a <code>Pods.Spec.ServiceAccountUsername</code> typically
get a <code>Secret</code> which allows them to authenticate to the Kubernetes APIserver as a particular user. So any
policy that is desired can be applied to them.</p>
<p>A higher level workflow is needed to coordinate creation of serviceAccounts, secrets and relevant policy objects.
Users are free to extend Kubernetes to put this business logic wherever is convenient for them, though the
Service Account Finalizer is one place where this can happen (see below).</p>
<h3 id="kubelet">Kubelet</h3>
<p>The kubelet will treat as “not ready to run” (needing a finalizer to act on it) any Pod which has an empty
SecurityContext.</p>
<p>The kubelet will set a default, restrictive, security context for any pods created from non-Apiserver config
sources (http, file).</p>
<p>Kubelet watches apiserver for secrets which are needed by pods bound to it.</p>
<p><strong>TODO</strong>: how to only let kubelet see secrets it needs to know.</p>
<h3 id="the-service-account-finalizer">The service account finalizer</h3>
<p>There are several ways to use Pods with SecurityContexts and Secrets.</p>
<p>One way is to explicitly specify the securityContext and all secrets of a Pod when the pod is initially created,
like this:</p>
<p><strong>TODO</strong>: example of pod with explicit refs.</p>
<p>Another way is with the <em>Service Account Finalizer</em>, a plugin process which is optional, and which handles
business logic around service accounts.</p>
<p>The Service Account Finalizer watches Pods, Namespaces, and ServiceAccount definitions.</p>
<p>First, if it finds pods which have a <code>Pod.Spec.ServiceAccountUsername</code> but no <code>Pod.Spec.SecurityContext</code> set,
then it copies in the referenced securityContext and secrets references for the corresponding <code>serviceAccount</code>.</p>
<p>Second, if ServiceAccount definitions change, it may take some actions.
<strong>TODO</strong>: decide what actions it takes when a serviceAccount definition changes. Does it stop pods, or just
allow someone to list ones that are out of spec? In general, people may want to customize this?</p>
<p>Third, if a new namespace is created, it may create a new serviceAccount for that namespace. This may include
a new username (e.g. <code>NAMESPACE-default-service-account@serviceaccounts.$CLUSTERID.kubernetes.io</code>), a new
securityContext, a newly generated secret to authenticate that serviceAccount to the Kubernetes API, and default
policies for that service account.
<strong>TODO</strong>: more concrete example. What are typical default permissions for default service account (e.g. readonly access
to services in the same namespace and read-write access to events in that namespace?)</p>
<p>Finally, it may provide an interface to automate creation of new serviceAccounts. In that case, the user may want
to GET serviceAccounts to see what has been created.</p>
<!-- BEGIN MUNGE: IS_VERSIONED -->
<!-- TAG IS_VERSIONED -->
<!-- END MUNGE: IS_VERSIONED -->
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
<p><a href=""><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/service_accounts.md?pixel" alt="Analytics" /></a>
<!-- END MUNGE: GENERATED_ANALYTICS --></p>
</div>
</section>
<footer>
<main class="light-text">
<nav>
<a href="/getting-started.html">Getting Started</a>
<a href="/docs.html">Documentation</a>
<a href="http://blog.kubernetes.io/">Blog</a>
<a href="/foobang.html">Community</a>
</nav>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
<label for="wishField">I wish this page <input type="text" id="wishField" name="wishField" placeholder="made better textfield suggestions"></label>
</div>
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>
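Review bot: several markdown lists in this file did not convert and render as paragraphs with literal `- ` prefixes, for example `<p>Processes in Pods may need to call the Kubernetes API. For example:` followed by `- scheduler` and `- replication controller` on the next lines; the same happens in Design Overview, in "The ServiceAccount object does not include any information...", and in the reasons list under Names. The markdown source needs a blank line before each list (or the HTML needs `<ul>`) before this becomes a pure-Jekyll page. In the `ServiceAccount` struct, `username`, `securityContext` and `secrets` are unexported and carry no json/yaml tags, unlike `TypeMeta` and `ObjectMeta`, so as written they would never be serialized through the API; also the comment `// (references to secret objects` is missing its closing parenthesis. Finally, the Kubelet section says the kubelet "watches apiserver for secrets which are needed by pods bound to it" while the following TODO ("how to only let kubelet see secrets it needs to know") leaves that restriction unenforced; that open item should be marked clearly as a known gap in the design rather than left as an inline TODO.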

View File

@ -0,0 +1,268 @@
<!Doctype html>
<html id="docs">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/styles.css"/>
<script src="/js/script.js"></script>
<script src="/js/jquery-2.2.0.min.js"></script>
<script src="/js/non-mini.js"></script>
<title>Kubernetes - Simple rolling update</title>
</head>
<body>
<div id="cellophane" onclick="kub.toggleMenu()"></div>
<header>
<a href="/" class="logo"></a>
<div class="nav-buttons" data-auto-burger="primary">
<a href="/docs" class="button" id="viewDocs">View Documentation</a>
<a href="/get-started" class="button" id="tryKubernetes">Try Kubernetes</a>
<button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
</div>
<nav id="mainNav">
<main data-auto-burger="primary">
<div class="nav-box">
<h3><a href="">Get Started</a></h3>
<p>Built for a multi-cloud world, public, private or hybrid. Seamlessly roll out new features.</p>
</div>
<div class="nav-box">
<h3><a href="">Documentation</a></h3>
<p>Pellentesque in ipsum id orci porta dapibus. Nulla porttitor accumsan tincidunt. </p>
</div>
<div class="nav-box">
<h3><a href="">Community</a></h3>
<p>Vestibulum ac diam sit amet quam vehicula elementum sed sit amet dui. </p>
</div>
<div class="nav-box">
<h3><a href="">Blog</a></h3>
<p>Curabitur arcu erat, accumsan id imperdiet et, porttitor at sem. Quisque velit nisi, pretium ut lacinia in. </p>
</div>
</main>
<main data-auto-burger="primary">
<div class="left">
<h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
<a href="" class="button">View On Github</a>
</div>
<div class="right">
<h5 class="github-invite">Explore the community</h5>
<div class="social">
<a href="https://twitter.com/kubernetesio" class="Twitter"><span>twitter</span></a>
<a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
<a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
<a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>stackoverflow</span></a>
<a href="https://groups.google.com/forum/#!forum/google-containers" class="mailing-list"><span>Mailing List</span></a>
</div>
</div>
<div class="clear" style="clear: both"></div>
</main>
</nav>
</header>
<!-- HERO -->
<section id="hero" class="light-text">
<h1></h1>
<h5></h5>
<div id="vendorStrip" class="light-text">
<ul>
<li><a href="/v1.1/guides">GUIDES</a></li>
<li><a href="/v1.1/reference">REFERENCE</a></li>
<li><a href="/v1.1/samples">SAMPLES</a></li>
<li><a href="/v1.1/support">SUPPORT</a></li>
</ul>
<div class="dropdown">
<div class="readout"></div>
<a href="/v1.1">Version 1.1</a>
<a href="/v1.0">Version 1.0</a>
</div>
<input type="text" id="search" placeholder="Search the docs">
</div>
</section>
<section id="encyclopedia">
<div id="docsToc">
<div class="pi-accordion">
</div> <!-- /pi-accordion -->
</div> <!-- /docsToc -->
<div id="docsContent">
<h1>Simple rolling update</h1>
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
<h2 id="simple-rolling-update">Simple rolling update</h2>
<p>This is a lightweight design document for simple <a href="../user-guide/kubectl/kubectl_rolling-update.html">rolling update</a> in <code>kubectl</code>.</p>
<p>Complete execution flow can be found <a href="#execution-details">here</a>. See the <a href="../user-guide/update-demo/">example of rolling update</a> for more information.</p>
<h3 id="lightweight-rollout">Lightweight rollout</h3>
<p>Assume that we have a current replication controller named <code>foo</code> and it is running image <code>image:v1</code></p>
<p><code>kubectl rolling-update foo [foo-v2] --image=myimage:v2</code></p>
<p>If the user doesnt specify a name for the next replication controller, then the next replication controller is renamed to
the name of the original replication controller.</p>
<p>Obviously there is a race here, where if you kill the client between delete foo, and creating the new version of foo you might be surprised about what is there, but I think thats ok.
See <a href="#recovery">Recovery</a> below</p>
<p>If the user does specify a name for the next replication controller, then the next replication controller is retained with its existing name,
and the old foo replication controller is deleted. For the purposes of the rollout, we add a unique-ifying label <code>kubernetes.io/deployment</code> to both the <code>foo</code> and <code>foo-next</code> replication controllers.
The value of that label is the hash of the complete JSON representation of the<code>foo-next</code> or<code>foo</code> replication controller. The name of this label can be overridden by the user with the <code>--deployment-label-key</code> flag.</p>
<h4 id="recovery">Recovery</h4>
<p>If a rollout fails or is terminated in the middle, it is important that the user be able to resume the roll out.
To facilitate recovery in the case of a crash of the updating process itself, we add the following annotations to each replication controller in the <code>kubernetes.io/</code> annotation namespace:
* <code>desired-replicas</code> The desired number of replicas for this replication controller (either N or zero)
* <code>update-partner</code> A pointer to the replication controller resource that is the other half of this update (syntax <code>&lt;name&gt;</code> the namespace is assumed to be identical to the namespace of this replication controller.)</p>
<p>Recovery is achieved by issuing the same command again:</p>
<div class="highlight">
<pre><code class="language-sh">kubectl rolling-update foo [foo-v2] --image=myimage:v2
</code></pre>
</div>
<p>Whenever the rolling update command executes, the kubectl client looks for replication controllers called <code>foo</code> and <code>foo-next</code>, if they exist, an attempt is
made to roll <code>foo</code> to <code>foo-next</code>. If <code>foo-next</code> does not exist, then it is created, and the rollout is a new rollout. If <code>foo</code> doesnt exist, then
it is assumed that the rollout is nearly completed, and <code>foo-next</code> is renamed to <code>foo</code>. Details of the execution flow are given below.</p>
<h3 id="aborting-a-rollout">Aborting a rollout</h3>
<p>Abort is assumed to want to reverse a rollout in progress.</p>
<p><code>kubectl rolling-update foo [foo-v2] --rollback</code></p>
<p>This is really just semantic sugar for:</p>
<p><code>kubectl rolling-update foo-v2 foo</code></p>
<p>With the added detail that it moves the <code>desired-replicas</code> annotation from <code>foo-v2</code> to <code>foo</code></p>
<h3 id="execution-details">Execution Details</h3>
<p>For the purposes of this example, assume that we are rolling from <code>foo</code> to <code>foo-next</code> where the only change is an image update from <code>v1</code> to <code>v2</code></p>
<p>If the user doesnt specify a <code>foo-next</code> name, then it is either discovered from the <code>update-partner</code> annotation on <code>foo</code>. If that annotation doesnt exist,
then <code>foo-next</code> is synthesized using the pattern <code>&lt;controller-name&gt;-&lt;hash-of-next-controller-JSON&gt;</code></p>
<h4 id="initialization">Initialization</h4>
<ul>
<li>If <code>foo</code> and <code>foo-next</code> do not exist:
<ul>
<li>Exit, and indicate an error to the user, that the specified controller doesn't exist.</li>
</ul>
</li>
<li>If <code>foo</code> exists, but <code>foo-next</code> does not:
<ul>
<li>Create <code>foo-next</code>, populate it with the <code>v2</code> image, and set <code>desired-replicas</code> to <code>foo.Spec.Replicas</code></li>
<li>Goto Rollout</li>
</ul>
</li>
<li>If <code>foo-next</code> exists, but <code>foo</code> does not:
<ul>
<li>Assume that we are in the rename phase.</li>
<li>Goto Rename</li>
</ul>
</li>
<li>If both <code>foo</code> and <code>foo-next</code> exist:
<ul>
<li>Assume that we are in a partial rollout</li>
<li>If <code>foo-next</code> is missing the <code>desired-replicas</code> annotation
<ul>
<li>Populate the <code>desired-replicas</code> annotation on <code>foo-next</code> using the current size of <code>foo</code></li>
</ul>
</li>
<li>Goto Rollout</li>
</ul>
</li>
</ul>
<h4 id="rollout">Rollout</h4>
<ul>
<li>While size of <code>foo-next</code> &lt; <code>desired-replicas</code> annotation on <code>foo-next</code>
<ul>
<li>increase size of <code>foo-next</code></li>
<li>if size of <code>foo</code> &gt; 0, decrease size of <code>foo</code></li>
</ul>
</li>
<li>Goto Rename</li>
</ul>
<h4 id="rename">Rename</h4>
<ul>
<li>delete <code>foo</code></li>
<li>create <code>foo</code> that is identical to <code>foo-next</code></li>
<li>delete <code>foo-next</code></li>
</ul>
<h4 id="abort">Abort</h4>
<ul>
<li>If <code>foo-next</code> doesn't exist
<ul>
<li>Exit and indicate to the user that they may want to simply do a new rollout with the old version</li>
</ul>
</li>
<li>If <code>foo</code> doesn't exist
<ul>
<li>Exit and indicate not found to the user</li>
</ul>
</li>
<li>Otherwise, <code>foo-next</code> and <code>foo</code> both exist
<ul>
<li>Set <code>desired-replicas</code> annotation on <code>foo</code> to match the annotation on <code>foo-next</code></li>
<li>Goto Rollout with <code>foo</code> and <code>foo-next</code> trading places.</li>
</ul>
</li>
</ul>
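<p>The Initialization, Rollout and Rename phases above, together with the recover-by-re-running-the-same-command behaviour described earlier, as an added in-memory simulation in Go (example code, not kubectl's own implementation). <code>RC</code>, <code>Cluster</code> and the map standing in for the API server are constructed for this example; the <code>desired-replicas</code> annotation is modelled as an integer field where 0 means the annotation is absent. The Abort flow is not modelled.</p>

```go
package main

import "fmt"

// RC is a constructed stand-in for a replication controller: only the fields
// the rolling-update flow reads or writes.
type RC struct {
	Image    string
	Replicas int
	Desired  int // desired-replicas annotation; 0 means "annotation absent"
}

// Cluster is a hypothetical stand-in for the API server: name -> controller.
type Cluster map[string]*RC

// RollingUpdate runs Initialization, Rollout and Rename. It inspects the
// current state first, so re-running it after an interruption resumes.
func RollingUpdate(c Cluster, name, nextName, image string) error {
	foo, nxt := c[name], c[nextName]
	switch {
	case foo == nil && nxt == nil:
		return fmt.Errorf("replication controller %q does not exist", name)
	case foo != nil && nxt == nil: // fresh rollout: create foo-next
		nxt = &RC{Image: image, Desired: foo.Replicas}
		c[nextName] = nxt
	case foo == nil && nxt != nil: // only the rename phase is left
		rename(c, name, nextName)
		return nil
	default: // partial rollout: make sure the target size is recorded
		if nxt.Desired == 0 {
			nxt.Desired = foo.Replicas
		}
	}
	// Rollout: grow foo-next one replica at a time, shrinking foo as we go.
	for nxt.Replicas < nxt.Desired {
		nxt.Replicas++
		if foo.Replicas > 0 {
			foo.Replicas--
		}
	}
	rename(c, name, nextName)
	return nil
}

// rename deletes foo, recreates it as a copy of foo-next, then deletes foo-next.
func rename(c Cluster, name, nextName string) {
	nxt := c[nextName]
	delete(c, name)
	c[name] = &RC{Image: nxt.Image, Replicas: nxt.Replicas, Desired: nxt.Desired}
	delete(c, nextName)
}
```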
</div>
</section>
<footer>
<main class="light-text">
<div class="center">&copy; 2016 Kubernetes</div>
</main>
</footer>
</body>
</html>