Merge branch 'master' of https://github.com/kubernetes/kubernetes.github.io into release-1.6

* 'master' of https://github.com/kubernetes/kubernetes.github.io: s/Wildard/Wildcard/ rephrase the sentence Fix the number of processes on Kubernetes master (#2985) Pod Security Policy doc improvements (#3010) docs/admin: document OpenID Connect plugin "extra-scopes" field # Conflicts: # docs/admin/kubelet.md # docs/user-guide/pod-security-policy/index.md
2017-03-27 16:12:50 -07:00 · 2017-03-27 16:12:50 -07:00 · 403c2c1510
parent aa100411c3 40ff2f7e72
commit 403c2c1510
6 changed files with 56 additions and 39 deletions
--- a/docs/admin/authentication.md
+++ b/docs/admin/authentication.md
@ -335,13 +335,14 @@ The first option is to use the `oidc` authenticator.  This authenticator takes y

 ```bash
 kubectl config set-credentials USER_NAME \
-   --auth-provider=oidc
+   --auth-provider=oidc \
   --auth-provider-arg=idp-issuer-url=( issuer url ) \
   --auth-provider-arg=client-id=( your client id ) \
   --auth-provider-arg=client-secret=( your client secret ) \
   --auth-provider-arg=refresh-token=( your refresh token ) \
   --auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) \
-   --auth-provider-arg=id-token=( your id_token )
+   --auth-provider-arg=id-token=( your id_token ) \
+   --auth-provider-arg=extra-scopes=( comma separated list of scopes to add to "openid email profile", optional )
 ```

 As an example, running the below command after authenticating to your identity provider:
@ -354,6 +355,7 @@ kubectl config set-credentials mmosley  \
        --auth-provider-arg=client-secret=1db158f6-177d-4d9c-8a8b-d36869918ec5  \
        --auth-provider-arg=refresh-token=q1bKLFOyUiosTfawzA93TzZIDzH2TNa2SMm0zEiPKTUwME6BkEo6Sql5yUWVBSWpKUGphaWpxSVAfekBOZbBhaEW+VlFUeVRGcluyVF5JT4+haZmPsluFoFu5XkpXk5BXqHega4GAXlF+ma+vmYpFcHe5eZR+slBFpZKtQA= \
        --auth-provider-arg=idp-certificate-authority=/root/ca.pem \
+        --auth-provider-arg=extra-scopes=groups \
        --auth-provider-arg=id-token=eyJraWQiOiJDTj1vaWRjaWRwLnRyZW1vbG8ubGFuLCBPVT1EZW1vLCBPPVRybWVvbG8gU2VjdXJpdHksIEw9QXJsaW5ndG9uLCBTVD1WaXJnaW5pYSwgQz1VUy1DTj1rdWJlLWNhLTEyMDIxNDc5MjEwMzYwNzMyMTUyIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL29pZGNpZHAudHJlbW9sby5sYW46ODQ0My9hdXRoL2lkcC9PaWRjSWRQIiwiYXVkIjoia3ViZXJuZXRlcyIsImV4cCI6MTQ4MzU0OTUxMSwianRpIjoiMm96US15TXdFcHV4WDlHZUhQdy1hZyIsImlhdCI6MTQ4MzU0OTQ1MSwibmJmIjoxNDgzNTQ5MzMxLCJzdWIiOiI0YWViMzdiYS1iNjQ1LTQ4ZmQtYWIzMC0xYTAxZWU0MWUyMTgifQ.w6p4J_6qQ1HzTG9nrEOrubxIMb9K5hzcMPxc9IxPx2K4xO9l-oFiUw93daH3m5pluP6K7eOE6txBuRVfEcpJSwlelsOsW8gb8VJcnzMS9EnZpeA0tW_p-mnkFc3VcfyXuhe5R3G7aa5d8uHv70yJ9Y3-UhjiN9EhpMdfPAoEB9fYKKkJRzF7utTTIPGrSaSU6d2pcpfYKaxIwePzEkT4DfcQthoZdy9ucNvvLoi1DIC-UocFD8HLs8LYKEqSxQvOcvnThbObJ9af71EwmuE21fO5KzMW20KtAeget1gnldOosPtz1G5EwvaQ401-RPQzPGMVBld0_zMCAwZttJ4knw
 ```

@ -367,6 +369,7 @@ users:
      config:
        client-id: kubernetes
        client-secret: 1db158f6-177d-4d9c-8a8b-d36869918ec5
+        extra-scopes: groups
        id-token: eyJraWQiOiJDTj1vaWRjaWRwLnRyZW1vbG8ubGFuLCBPVT1EZW1vLCBPPVRybWVvbG8gU2VjdXJpdHksIEw9QXJsaW5ndG9uLCBTVD1WaXJnaW5pYSwgQz1VUy1DTj1rdWJlLWNhLTEyMDIxNDc5MjEwMzYwNzMyMTUyIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL29pZGNpZHAudHJlbW9sby5sYW46ODQ0My9hdXRoL2lkcC9PaWRjSWRQIiwiYXVkIjoia3ViZXJuZXRlcyIsImV4cCI6MTQ4MzU0OTUxMSwianRpIjoiMm96US15TXdFcHV4WDlHZUhQdy1hZyIsImlhdCI6MTQ4MzU0OTQ1MSwibmJmIjoxNDgzNTQ5MzMxLCJzdWIiOiI0YWViMzdiYS1iNjQ1LTQ4ZmQtYWIzMC0xYTAxZWU0MWUyMTgifQ.w6p4J_6qQ1HzTG9nrEOrubxIMb9K5hzcMPxc9IxPx2K4xO9l-oFiUw93daH3m5pluP6K7eOE6txBuRVfEcpJSwlelsOsW8gb8VJcnzMS9EnZpeA0tW_p-mnkFc3VcfyXuhe5R3G7aa5d8uHv70yJ9Y3-UhjiN9EhpMdfPAoEB9fYKKkJRzF7utTTIPGrSaSU6d2pcpfYKaxIwePzEkT4DfcQthoZdy9ucNvvLoi1DIC-UocFD8HLs8LYKEqSxQvOcvnThbObJ9af71EwmuE21fO5KzMW20KtAeget1gnldOosPtz1G5EwvaQ401-RPQzPGMVBld0_zMCAwZttJ4knw
        idp-certificate-authority: /root/ca.pem
        idp-issuer-url: https://oidcidp.tremolo.lan:8443/auth/idp/OidcIdP
--- a/docs/admin/authorization/index.md
+++ b/docs/admin/authorization/index.md
@ -94,10 +94,10 @@ properties:
    - Resource-matching properties:
      - `apiGroup`, type string; an API group.
        - Ex: `extensions`
-        - Wildard: `*` matches all API groups.
+        - Wildcard: `*` matches all API groups.
      - `namespace`, type string; a namespace.
        - Ex: `kube-system`
-        - Wildard: `*` matches all resource requests.
+        - Wildcard: `*` matches all resource requests.
      - `resource`, type string; a resource type
        - Ex: `pods`
        - Wildcard: `*` matches all resource requests.
--- a/docs/admin/kubelet.md
+++ b/docs/admin/kubelet.md
@ -16,8 +16,8 @@ various mechanisms (primarily through the apiserver) and ensures that the contai
 described in those PodSpecs are running and healthy. The kubelet doesn't manage
 containers which were not created by Kubernetes.

-Other than from an PodSpec from the apiserver, there are three ways that a container
-manifest can be provided to the Kubelet.
+Other than from a PodSpec, there are three ways that a container
+manifest can be provided to the Kubelet from the apiserver.

 File: Path passed as a flag on the command line. This file is rechecked every 20
 seconds (configurable with a flag).
--- a/docs/concepts/index.md
+++ b/docs/concepts/index.md
@ -10,7 +10,7 @@ To work with Kubernetes, you use *Kubernetes API objects* to describe your clust

 Once you've set your desired state, the *Kubernetes Control Plane* works to make the cluster's current state match the desired state. To do so, Kubernetes performs a variety of tasks automatically--such as starting or restarting containers, scaling the number of replicas of a given application, and more. The Kubernetes Control Plane consists of a collection of processes running on your cluster: 

-* The **Kubernetes Master** is a collection of four processes that run on a single node in your cluster, which is designated as the master node.
+* The **Kubernetes Master** is a collection of three processes that run on a single node in your cluster, which is designated as the master node. Those processes are: kube-apiserver, kube-controller-manager and kube-scheduler.
 * Each individual non-master node in your cluster runs two processes:
  * **kubelet**, which communicates with the Kubernetes Master.
  * **kube-proxy**, a network proxy which reflects Kubernetes networking services on each node.
--- a/docs/user-guide/pod-security-policy/index.md
+++ b/docs/user-guide/pod-security-policy/index.md
@ -4,7 +4,7 @@ assignees:
 title: Pod Security Policies
 ---

-Objects of type `podsecuritypolicy` govern the ability 
+Objects of type `PodSecurityPolicy` govern the ability
 to make requests on a pod that affect the `SecurityContext` that will be 
 applied to a pod and container.

@ -84,6 +84,7 @@ volumes field of the PSP. The allowable values of this field correspond
 to the volume sources that are defined when creating a volume:

 1. azureFile
+1. azureDisk
 1. flocker
 1. flexVolume
 1. hostPath
@ -104,9 +105,10 @@ to the volume sources that are defined when creating a volume:
 1. configMap
 1. vsphereVolume
 1. quobyte
-1. azureDisk
 1. photonPersistentDisk
+1. projected
 1. portworxVolume
+1. scaleIO
 1. \* (allow all volumes)

 The recommended minimum set of allowed volumes for new PSPs are 
@ -117,8 +119,8 @@ configMap, downwardAPI, emptyDir, persistentVolumeClaim, and secret.
 
 ## Admission

-_Admission control_ with `PodSecurityPolicy` allows for control over the creation of resources
-based on the capabilities allowed in the cluster.
+_Admission control_ with `PodSecurityPolicy` allows for control over the
+creation and modification of resources based on the capabilities allowed in the cluster.

 Admission uses the following approach to create the final security context for
 the pod:
@ -147,6 +149,28 @@ $ kubectl create -f ./psp.yaml
 podsecuritypolicy "permissive" created
 ```

+## Getting a list of Pod Security Policies
+
+To get a list of existing policies, use `kubectl get`:
+
+```shell
+$ kubectl get psp
+NAME        PRIV   CAPS  SELINUX   RUNASUSER         FSGROUP   SUPGROUP  READONLYROOTFS  VOLUMES
+permissive  false  []    RunAsAny  RunAsAny          RunAsAny  RunAsAny  false           [*]
+privileged  true   []    RunAsAny  RunAsAny          RunAsAny  RunAsAny  false           [*]
+restricted  false  []    RunAsAny  MustRunAsNonRoot  RunAsAny  RunAsAny  false           [emptyDir secret downwardAPI configMap persistentVolumeClaim]
+```
+
+## Editing a Pod Security Policy
+
+To modify policy interactively, use `kubectl edit`:
+
+```shell
+$ kubectl edit psp permissive
+```
+
+This command will open a default text editor where you will be ably to modify policy.
+
 ## Deleting a Pod Security Policy

 Once you don't need a policy anymore, simply delete it with `kubectl`:
--- a/docs/user-guide/pod-security-policy/psp.yaml
+++ b/docs/user-guide/pod-security-policy/psp.yaml
@ -1,28 +1,18 @@
-{
-  "kind": "PodSecurityPolicy",
-  "apiVersion":"extensions/v1beta1",
-  "metadata": {
-    "name": "permissive"
-  },
-  "spec": {
-      "seLinux": {
-          "rule": "RunAsAny"
-      },
-      "supplementalGroups": {
-          "rule": "RunAsAny"
-      },
-      "runAsUser": {
-          "rule": "RunAsAny"
-      },
-      "fsGroup": {
-          "rule": "RunAsAny"
-      },
-      "HostPorts": [
-          {
-          "min": 8000,
-          "max": 8080
-          }
-      ],
-      "volumes": ["*"]
-  }
-}
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: permissive
+spec:
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  hostPorts:
+  - min: 8000
+    max: 8080
+  volumes:
+  - '*'