This PR makes sure the manifests under `content/en/examples`
are valid in v1.28. The primary fixes are:
- Updated the go.mod/go.sum file for testing against v1.28.0 release.
- Revise test case code to ensure newly added manifests are tested;
- Adapt Pod validation options to upstream validation code change;
- Move a ValidatingWebhookConfiguration YAML back to inline because
the manifest cannot validate against the validator. The CA bundle
referenced is not a valid string (base64 encoded). That means the
YAML cannot be used/tested as is by users.
* document per namespace params
* switch examples to codenew, fixup some typos
* more formatting and codenew
* use codenew instead of code
* fixup headings
- move Understanding Kubernetes Objects to be section overview
- within the section, consistently link to the new (moved) page from the
first mention of “object”
- add a redirect
Co-authored-by: Divya Mohan <divya.mohan0209@gmail.com>
- Some examples are actually not good "examples", i.e. they are not
ready for the users to try out.
- Some examples are failing the validation in their current format.
- Some examples skipped the test case.
These issues are fixed.
Rather than mention trust bundles as a subtopic of certificate signing
requests, reshape the page so that:
- it's clear that CSRs are stable but ClusterTrustBundles are alpha
- the task for issuing a certificate to a user stands separately from
the concepts explained elsewhere in the page
- it's clear that signers are relevant to both CSRs and
ClusterTrustBundles
Document the API types as they exist today, plus a hint of the future
integrations that will be available.
Co-Authored-By: Taahir Ahmed <taahm@google.com>
* about apiGroups
Look at the source code: apiGroups is an empty set and not all are allowed; you need to use `*` to be able to. If it is an empty set, i.e. if the resource does not have apiGroups, then it will not be accessible.
Refer to:
https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/rbac/v1/evaluation_helpers.go#L85
https://github.com/kubernetes/api/blob/master/rbac/v1/types.go#L29
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
* Update rbac.md
* Update rbac.md
* Update content/en/docs/reference/access-authn-authz/rbac.md
the comma
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
* Update rbac.md
All changed
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Qiming Teng <tengqm@outlook.com>
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Qiming Teng <tengqm@outlook.com>
* Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Qiming Teng <tengqm@outlook.com>
---------
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
Co-authored-by: Qiming Teng <tengqm@outlook.com>
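The apiGroups matching described in the PR above, as an added example that is not part of the commit or of the Kubernetes documentation itself. The namespace `demo` and the role names are placeholders; the rules show the three cases a rule's `apiGroups` entry can take:

```yaml
# Added example (not from the original PR). Namespace and names are placeholders.
# apiGroups is matched entry by entry: "" matches only the core group
# (pods, configmaps, services, ...), a named group matches only that group,
# and "*" matches every group. A rule with no apiGroups entries at all
# matches no resource request.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: demo
  name: core-only-reader
rules:
# Core group only: this grants pods, not deployments (which live in "apps").
# Note that list and watch return full objects, not just names.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
# A named group: deployments are in "apps", so "" would not match here.
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: demo
  name: any-group-reader
rules:
# "*" matches the core group and every named group, CRD groups included,
# so pair it with narrow resources and verbs.
- apiGroups: ["*"]
  resources: ["pods", "deployments"]
  verbs: ["get"]
```

After binding either role, `kubectl auth can-i list deployments.apps -n demo --as=<subject>` is a quick way to confirm which group a request actually resolves to; a `""` entry will answer `no` for `deployments.apps` even though it answers `yes` for `pods`.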
Note the shortcomings of the implementation of this admission plugin
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: Qiming Teng <tengqm@outlook.com>
The `admission.k8s.io/v1` API group is not generated into the v2/v3 OpenAPI
specification as part of Kubernetes API because it is not officially "served".
However, the structs in the API group are used in other APIs that are user-facing.
This PR adds the reference API and fixes references to it.
Document EndpointSlice as the preferred and most appropriate mechanism
to record the backing endpoints of a Service.
Co-authored-by: Rob Scott <rob.scott87@gmail.com>
Co-authored-by: Shannon Kularathna <ax3shannonkularathna@gmail.com>
* Make example service account output match 1.24+ output with auto-generated tokens omitted
* Prefer `kubectl create token` as token creation mechanism
Signed-off-by: Tom Kivlin <tom.kivlin@vodafone.com>
added link to best practice doc
update from sftim comments
update from liggitt comments
Update content/en/docs/reference/access-authn-authz/rbac.md
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
update from liggitt comment
This PR updates the admission controllers page by:
- removing two plugins which have been removed since 1.18
- removing text about ancient history
- removing shortcode about plugins that graduated into GA a long time ago;
--service-account-key-file flag to the kube-apiserver is used to verify ServiceAccount tokens (and not to sign them).
--service-account-signing-key-file is the kube-apiserver flag that's used to sign ServiceAccount tokens (short-lived ones).
--service-account-private-key-file is the kube-controller-manager flag that's used to sign ServiceAccount tokens (long-lived ones).
The `get`, `list` and `watch` verbs can all be used to retrieve the full details of a resource. It is not an uncommon assumption amongst users that they return different data (e.g. that `list` only returns the names of resources, when it can return the full object).
This adds a caution block to highlight this potential gotcha.
This PR removes outdated information about `admissionregistration.v1beta1` API groups
which are no longer supported in 1.24. Additional notes are added to
avoid confusion when parsing the examples.
* Callout that impersonation needs (ClusterRole)Binding
I learned through trial and error that impersonation does not work with Role and RoleBinding - this was not obvious. It would be good if the docs call this out.
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: Qiming Teng <tengqm@outlook.com>
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: Tim Bannister <tim@scalefactory.com>
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>
* Update content/en/docs/reference/access-authn-authz/authentication.md
Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>
Co-authored-by: Qiming Teng <tengqm@outlook.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>
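The impersonation grant the PR above calls out, as an added example that is not part of the commit or of the Kubernetes documentation. The subject names, the group `sre` and the extra key `scopes` are placeholders:

```yaml
# Added example (not from the original PR). Names are placeholders.
# Impersonation is not namespace scoped: the identity being impersonated is
# checked as a cluster-scoped resource request, so the grant must be a
# ClusterRole bound with a ClusterRoleBinding. The same rules in a Role
# plus RoleBinding never match an impersonation request.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: limited-impersonator
rules:
# Only the named user and group may be impersonated; omit resourceNames
# to allow impersonating anyone, which is equivalent to cluster-admin.
- apiGroups: [""]
  resources: ["users"]
  verbs: ["impersonate"]
  resourceNames: ["jane.doe@example.com"]
- apiGroups: [""]
  resources: ["groups"]
  verbs: ["impersonate"]
  resourceNames: ["developers"]
# Extra fields are sub-resources of userextras. The key must be lowercase:
# the Impersonate-Extra-<key> header is canonicalized, so a mixed-case
# key here would never match.
- apiGroups: ["authentication.k8s.io"]
  resources: ["userextras/scopes"]
  verbs: ["impersonate"]
  resourceNames: ["view"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sre-limited-impersonator
subjects:
- kind: Group
  name: sre
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: limited-impersonator
  apiGroup: rbac.authorization.k8s.io
```

A member of `sre` can then run `kubectl get pods -n demo --as=jane.doe@example.com --as-group=developers`; the request is authorized twice, first the impersonation itself against this ClusterRole, then the `get pods` action against whatever the impersonated identity is bound to.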
This PR fixes several things in the admission-controllers page:
- The `PodSecurity` plugin is enabled by default, but it was not listed so;
- The `apiserver.config.k8s.io/v1alpha1` has been deprecated since v1.17, we are still documenting it side by side with the `apiserver.config.k8s.io/v1` API group;
- The `eventratelimit.admission.k8s.io/v1alpha1` API could use a better reference rather than the design doc; **The imagepolicy.v1alpha1 API is not documented anywhere, I'll add it later on.**
- There are statements about future, which should be removed;
- We are supposed to refer to the `LimitRange` API reference rather than pointing users to the design docs;
- We are supposed to refer to the `ResourceQuota` API reference rather than pointing users to the design docs;
- There are long lines in the page source which could have been wrapped properly.
The `kubelet-authentication-authorization` and the `kubelet-tls-bootstrapping`
pages do not belong to `reference/command-line-tools-reference` topic.
This PR moves them into `reference/access-authn-authz` subdirectory
which is a better fit.
The `static/_redirects` file is updated to point to the new location.
The logical navigation definitely works better if Pod Security admission
and PodSecurityPolicy are pages in the same section. Make It So.
Co-authored-by: Rey Lejano <rlejano@gmail.com>
- This page referenced the "CertificationSigningRequests API," but this should be "CertificateSigningRequests API" or "Certificates API."
- Added a link to the documentation for CertificateSigningRequests.
The previous commit for configuration APIs has some nits to fix:
- The client-authentication API has both v1beta1 and v1 supported.
We need to include both.
- The kube-scheduler v1alpha1 is superseded by v1alpha3 which is new.
- The links to some external type definitions should point to the 1.23
API rather than old versions.
*should* implies that an `extra` can be mixed case. But really it can't, because a mixed case `extra` will mismatch on an RBAC `ClusterRole` once the header is canonicalized.
Add example for querying SA permissions
Add missing example for querying the API authorization layer for checking the permissions of a Service Account
Add missing SA identifying prefix
Improve suggested text to align with current content
Co-authored-by: Sam Roth <2413031+sejr@users.noreply.github.com>
Improve suggested text to align with current content
Co-authored-by: Sam Roth <2413031+sejr@users.noreply.github.com>
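The permission query the PR above adds, as an added example that is not part of the commit or of the Kubernetes documentation. The namespace `demo`, the service account `ci-runner` and the action being checked are placeholders:

```yaml
# Added example (not from the original PR). Namespace, service account and
# resource names are placeholders.
# A SubjectAccessReview asks the authorization layer whether one subject may
# perform one action. A service account is identified by the prefix
# system:serviceaccount:<namespace>:<name>. Its group memberships are not
# inferred from the name here, so list them explicitly, otherwise RBAC
# bindings to the system:serviceaccounts groups are not considered.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: system:serviceaccount:demo:ci-runner
  groups:
  - system:serviceaccounts
  - system:serviceaccounts:demo
  - system:authenticated
  resourceAttributes:
    namespace: demo
    verb: create
    group: apps
    resource: deployments
```

`kubectl create -f sar.yaml -o yaml` returns the object with `status.allowed` set, plus `status.reason` naming the binding that granted access when RBAC is the authorizer. The shorter equivalent from the CLI is `kubectl auth can-i create deployments.apps -n demo --as=system:serviceaccount:demo:ci-runner`, which works through impersonation and therefore requires the caller to hold an `impersonate` grant on `serviceaccounts`; creating a SubjectAccessReview directly needs only permission to create that review object.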
* Clarified scenarios that could lead to privilege escalation
Made it clearer that it's not just creating pods which enables the privilege escalation. It's all workloads, all reconfiguration of workloads, and conceptually the creation and reconfiguration of custom resources which create workloads.
* Allowing link to priv escalation heading if required
* Update content/en/docs/reference/access-authn-authz/authorization.md
Co-authored-by: Tim Bannister <tim@scalefactory.com>
* Adding further clarifications
* Retitled escalation section
* Apply suggestions from vjftw
Co-authored-by: VJ Patel <VJftw@users.noreply.github.com>
* Clarified CRDs and reduced duplication
* Updating caution based on Geoffrey's comments
* Updating controller comment and linking out to reference docs
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: VJ Patel <VJftw@users.noreply.github.com>