From 75b274a915aaed623b82e104fc073ba46a106882 Mon Sep 17 00:00:00 2001 From: Mike Spreitzer Date: Mon, 14 Jun 2021 14:29:08 -0400 Subject: [PATCH 01/25] Doc the apiserver_flowcontrol_request_concurrency_in_use metric --- .../en/docs/concepts/cluster-administration/flow-control.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/en/docs/concepts/cluster-administration/flow-control.md b/content/en/docs/concepts/cluster-administration/flow-control.md index 71eb8106e5..5977992015 100644 --- a/content/en/docs/concepts/cluster-administration/flow-control.md +++ b/content/en/docs/concepts/cluster-administration/flow-control.md @@ -405,6 +405,10 @@ poorly-behaved workloads that may be harming system health. queue) requests, broken down by the labels `priority_level` and `flow_schema`. +* `apiserver_flowcontrol_request_concurrency_in_use` is a gauge vector + holding the instantaneous number of occupied seats, broken down by + the labels `priority_level` and `flow_schema`. + * `apiserver_flowcontrol_priority_level_request_count_samples` is a histogram vector of observations of the then-current number of requests broken down by the labels `phase` (which takes on the From 3501c3b9c44d5cd2cf936766a101fe66361a80a5 Mon Sep 17 00:00:00 2001 From: Tobias Nehrlich Date: Thu, 22 Apr 2021 12:39:03 +0200 Subject: [PATCH 02/25] Improve resource section of init containers --- content/en/docs/concepts/workloads/pods/init-containers.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/en/docs/concepts/workloads/pods/init-containers.md b/content/en/docs/concepts/workloads/pods/init-containers.md index 1c67e357e5..f0c02925c6 100644 --- a/content/en/docs/concepts/workloads/pods/init-containers.md +++ b/content/en/docs/concepts/workloads/pods/init-containers.md @@ -291,7 +291,8 @@ Given the ordering and execution for init containers, the following rules for resource usage apply: * The highest of any particular resource request or limit defined on all init - containers is the *effective init request/limit* + containers is the *effective init request/limit*. If any resource has no + resource limit specified this is considered as the highest limit. * The Pod's *effective request/limit* for a resource is the higher of: * the sum of all app containers request/limit for a resource * the effective init request/limit for a resource From 1df00698d48807eeab91528894a568dcee7745c1 Mon Sep 17 00:00:00 2001 From: vaibhav Date: Thu, 17 Jun 2021 18:36:05 +0530 Subject: [PATCH 03/25] Update addon resizer in cluster-large.md --- content/en/docs/setup/best-practices/cluster-large.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/en/docs/setup/best-practices/cluster-large.md b/content/en/docs/setup/best-practices/cluster-large.md index 88f6c711dc..0f7fb0552e 100644 --- a/content/en/docs/setup/best-practices/cluster-large.md +++ b/content/en/docs/setup/best-practices/cluster-large.md @@ -124,3 +124,6 @@ components, including cluster-critical addons. The [cluster autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#readme) integrates with a number of cloud providers to help you run the right number of nodes for the level of resource demand in your cluster. + +The [addon resizer](https://github.com/kubernetes/autoscaler/tree/master/addon-resizer#readme) +helps you in resizing the addons automatically as your cluster's scale changes. \ No newline at end of file From a09d4ec1cfa04b59999a9364906f0d00c5fc671d Mon Sep 17 00:00:00 2001 From: vaibhav Date: Thu, 24 Jun 2021 20:33:33 +0530 Subject: [PATCH 04/25] Update in /docs/concepts/workloads/controllers/daemonset.md --- content/en/docs/concepts/workloads/controllers/daemonset.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/docs/concepts/workloads/controllers/daemonset.md b/content/en/docs/concepts/workloads/controllers/daemonset.md index 5a98dcf7cb..b9841bc404 100644 --- a/content/en/docs/concepts/workloads/controllers/daemonset.md +++ b/content/en/docs/concepts/workloads/controllers/daemonset.md @@ -219,6 +219,8 @@ storage servers). Use a Deployment for stateless services, like frontends, where scaling up and down the number of replicas and rolling out updates are more important than controlling exactly which host the Pod runs on. Use a DaemonSet when it is important that a copy of a Pod always run on -all or certain hosts, and when it needs to start before other Pods. +all or certain hosts, if the DaemonSet provides node-level functionality that allows other Pods to run correctly on that particular node. + +For example, [network plugins](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) often include a component that runs as a DaemonSet. The DaemonSet component makes sure that the node where it's running has working cluster networking. From 860fd15404fa14299c071387701dcbd4de1a5d69 Mon Sep 17 00:00:00 2001 From: Qiming Teng Date: Fri, 25 Jun 2021 12:17:01 +0800 Subject: [PATCH 05/25] Add feature-gates to home page card --- .../reference/command-line-tools-reference/feature-gates.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 99e3094c18..472ca563c4 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -2,6 +2,9 @@ title: Feature Gates weight: 10 content_type: concept +card: + name: reference + weight: 60 --- From 63405a399a320f412109c4b9e269a3f725433ba3 Mon Sep 17 00:00:00 2001 From: John Gardiner Myers Date: Sat, 3 Jul 2021 13:50:42 -0700 Subject: [PATCH 06/25] Use consistent terminology for the Kubernetes general CA --- .../docs/tasks/extend-kubernetes/configure-aggregation-layer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/tasks/extend-kubernetes/configure-aggregation-layer.md b/content/en/docs/tasks/extend-kubernetes/configure-aggregation-layer.md index 739a69d45a..3b65d6abc6 100644 --- a/content/en/docs/tasks/extend-kubernetes/configure-aggregation-layer.md +++ b/content/en/docs/tasks/extend-kubernetes/configure-aggregation-layer.md @@ -17,7 +17,7 @@ Configuring the [aggregation layer](/docs/concepts/extend-kubernetes/api-extensi {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}} {{< note >}} -There are a few setup requirements for getting the aggregation layer working in your environment to support mutual TLS auth between the proxy and extension apiservers. Kubernetes and the kube-apiserver have multiple CAs, so make sure that the proxy is signed by the aggregation layer CA and not by something else, like the master CA. +There are a few setup requirements for getting the aggregation layer working in your environment to support mutual TLS auth between the proxy and extension apiservers. Kubernetes and the kube-apiserver have multiple CAs, so make sure that the proxy is signed by the aggregation layer CA and not by something else, like the Kubernetes general CA. {{< /note >}} {{< caution >}} From f0bc1f3ef79e876d72d8eaefcda505b3aa076f27 Mon Sep 17 00:00:00 2001 From: Nitesh Seram Date: Sun, 4 Jul 2021 10:40:12 +0530 Subject: [PATCH 07/25] fix link issue --- content/en/docs/concepts/workloads/pods/pod-lifecycle.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md index 778bee6c02..990ac86dbe 100644 --- a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md +++ b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md @@ -369,7 +369,7 @@ An example flow: as terminating (a graceful shutdown duration has been set), the kubelet begins the local Pod shutdown process. 1. If one of the Pod's containers has defined a `preStop` - [hook](/docs/concepts/containers/container-lifecycle-hooks/#hook-details), the kubelet + [hook](/docs/concepts/containers/container-lifecycle-hooks), the kubelet runs that hook inside of the container. If the `preStop` hook is still running after the grace period expires, the kubelet requests a small, one-off grace period extension of 2 seconds. From 077f0ca38f2f2b5915fbb6ff4f4be328a3f0bec8 Mon Sep 17 00:00:00 2001 From: Ritikaa96 Date: Mon, 5 Jul 2021 16:47:30 +0530 Subject: [PATCH 08/25] correcting redis address in stateless-application guestbook document Signed-off-by: Ritikaa96 --- content/en/docs/tutorials/stateless-application/guestbook.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/tutorials/stateless-application/guestbook.md b/content/en/docs/tutorials/stateless-application/guestbook.md index b8c92d66a5..c31bcbc49e 100644 --- a/content/en/docs/tutorials/stateless-application/guestbook.md +++ b/content/en/docs/tutorials/stateless-application/guestbook.md @@ -19,7 +19,7 @@ ready)_, multi-tier web application using Kubernetes and [Docker](https://www.docker.com/). This example consists of the following components: -* A single-instance [Redis](https://www.redis.com/) to store guestbook entries +* A single-instance [Redis](https://www.redis.io/) to store guestbook entries * Multiple web frontend instances ## {{% heading "objectives" %}} From 59fd242de499185c0eac40af430e83ae3fe703e1 Mon Sep 17 00:00:00 2001 From: Rishabh Bohra Date: Mon, 5 Jul 2021 18:22:31 +0530 Subject: [PATCH 09/25] docs: Make word 'Client' inline with other references. Signed-off-by: Rishabh Bohra --- content/en/docs/reference/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/reference/_index.md b/content/en/docs/reference/_index.md index 376fb69ba4..f97029028f 100644 --- a/content/en/docs/reference/_index.md +++ b/content/en/docs/reference/_index.md @@ -39,7 +39,7 @@ client libraries: - [Kubernetes Java client library](https://github.com/kubernetes-client/java) - [Kubernetes JavaScript client library](https://github.com/kubernetes-client/javascript) - [Kubernetes C# client library](https://github.com/kubernetes-client/csharp) -- [Kubernetes Haskell Client library](https://github.com/kubernetes-client/haskell) +- [Kubernetes Haskell client library](https://github.com/kubernetes-client/haskell) ## CLI From df71479a6e94dc1626a1cb23d7600856516b8b55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lucas=20Serv=C3=A9n=20Mar=C3=ADn?= Date: Wed, 7 Jul 2021 00:49:43 +0200 Subject: [PATCH 10/25] using-api/health-checks.md: use consistent casing This commit updates two instances so that the casing of `HTTP` and `API` is consistent throughout the document. --- content/en/docs/reference/using-api/health-checks.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/reference/using-api/health-checks.md b/content/en/docs/reference/using-api/health-checks.md index 2c315505db..93729846a4 100644 --- a/content/en/docs/reference/using-api/health-checks.md +++ b/content/en/docs/reference/using-api/health-checks.md @@ -25,7 +25,7 @@ The more verbose options shown below are intended to be used by human operators The following examples will show how you can interact with the health API endpoints. For all endpoints you can use the `verbose` parameter to print out the checks and their status. -This can be useful for a human operator to debug the current status of the Api server, it is not intended to be consumed by a machine: +This can be useful for a human operator to debug the current status of the API server, it is not intended to be consumed by a machine: ```shell curl -k https://localhost:6443/livez?verbose @@ -93,7 +93,7 @@ The output show that the `etcd` check is excluded: {{< feature-state state="alpha" >}} -Each individual health check exposes an http endpoint and could can be checked individually. +Each individual health check exposes an HTTP endpoint and could can be checked individually. The schema for the individual health checks is `/livez/` where `livez` and `readyz` and be used to indicate if you want to check the liveness or the readiness of the API server. The `` path can be discovered using the `verbose` flag from above and take the path between `[+]` and `ok`. These individual health checks should not be consumed by machines but can be helpful for a human operator to debug a system: From 1542bedae46d16cbc5ebf5c1bec128b7c339012b Mon Sep 17 00:00:00 2001 From: chenxuc Date: Wed, 7 Jul 2021 16:48:35 +0800 Subject: [PATCH 11/25] improve example for kubelet config file --- .../en/docs/tasks/administer-cluster/kubelet-config-file.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/content/en/docs/tasks/administer-cluster/kubelet-config-file.md b/content/en/docs/tasks/administer-cluster/kubelet-config-file.md index b49c84220a..fc3aff46e4 100644 --- a/content/en/docs/tasks/administer-cluster/kubelet-config-file.md +++ b/content/en/docs/tasks/administer-cluster/kubelet-config-file.md @@ -30,11 +30,15 @@ Here is an example of what this file might look like: ``` apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration +address: "192.168.0.8", +port: 20250, +serializeImagePulls: false, evictionHard: memory.available: "200Mi" ``` -In the example, the Kubelet is configured to evict Pods when available memory drops below 200Mi. +In the example, the Kubelet is configured to serve on IP address 192.168.0.8 and port 20250, pull images in parallel, +and evict Pods when available memory drops below 200Mi. All other Kubelet configuration values are left at their built-in defaults, unless overridden by flags. Command line flags which target the same value as a config file will override that value. From eb902b9ba854a742bffd75a1d933ab2d01c6bbe0 Mon Sep 17 00:00:00 2001 From: S Nitesh Singh Date: Sun, 11 Jul 2021 11:01:07 +0530 Subject: [PATCH 12/25] fixing tool lists --- content/en/docs/reference/tools/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/reference/tools/_index.md b/content/en/docs/reference/tools/_index.md index 7194ab83bd..5bc155c9e1 100644 --- a/content/en/docs/reference/tools/_index.md +++ b/content/en/docs/reference/tools/_index.md @@ -8,7 +8,7 @@ no_list: true --- -Kubernetes contains several built-in tools to help you work with the Kubernetes system. +Kubernetes contains several built-in tools and external tools that are commonly used or relevant that may as well be seen as required for Kubernetes to function. From c80e5640da8b06ae47bd5f4d23997bae1006856d Mon Sep 17 00:00:00 2001 From: rahdeck Date: Thu, 22 Jul 2021 10:43:37 +1000 Subject: [PATCH 13/25] Lowercase one of the memory suffixes Upper case 'K' suffix for memory results in an invalid request. --- .../docs/concepts/configuration/manage-resources-containers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/configuration/manage-resources-containers.md b/content/en/docs/concepts/configuration/manage-resources-containers.md index ee4669641c..db29621809 100644 --- a/content/en/docs/concepts/configuration/manage-resources-containers.md +++ b/content/en/docs/concepts/configuration/manage-resources-containers.md @@ -115,7 +115,7 @@ CPU is always requested as an absolute quantity, never as a relative quantity; Limits and requests for `memory` are measured in bytes. You can express memory as a plain integer or as a fixed-point number using one of these suffixes: -E, P, T, G, M, K. You can also use the power-of-two equivalents: Ei, Pi, Ti, Gi, +E, P, T, G, M, k. You can also use the power-of-two equivalents: Ei, Pi, Ti, Gi, Mi, Ki. For example, the following represent roughly the same value: ```shell From 7a8389ccc21f0071d70f3940a7522bdbb1b31dc5 Mon Sep 17 00:00:00 2001 From: Tim Bannister Date: Sun, 25 Apr 2021 11:42:01 +0100 Subject: [PATCH 14/25] Revise wording for Secret concept --- .../en/docs/concepts/configuration/secret.md | 55 +++++++++++-------- 1 file changed, 32 insertions(+), 23 deletions(-) diff --git a/content/en/docs/concepts/configuration/secret.md b/content/en/docs/concepts/configuration/secret.md index 45792179b8..a0ad94da89 100644 --- a/content/en/docs/concepts/configuration/secret.md +++ b/content/en/docs/concepts/configuration/secret.md @@ -12,26 +12,33 @@ weight: 30 -Kubernetes Secrets let you store and manage sensitive information, such -as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret -is safer and more flexible than putting it verbatim in a -{{< glossary_tooltip term_id="pod" >}} definition or in a -{{< glossary_tooltip text="container image" term_id="image" >}}. -See [Secrets design document](https://git.k8s.io/community/contributors/design-proposals/auth/secrets.md) for more information. - A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a -Pod specification or in an image. Users can create Secrets and the system -also creates some Secrets. +{{< glossary_tooltip term_id="pod" >}} specification or in a +{{< glossary_tooltip text="container image" term_id="image" >}}. Using a +Secret means that you don't need to include confidential data in your +application code. + +Because Secrets can be created independently of the Pods that use them, there +is less risk of the Secret (and its data) being exposed during the workflow of +creating, viewing, and editing Pods. Kubernetes, and applications that run in +your cluster, can also take additional precautions with Secrets, such as +avoiding writing confidential data to nonvolatile storage. + +Secrets are similar to {{< glossary_tooltip text="ConfigMaps" term_id="configmap" >}} +but are specifically intended to hold confidential data. {{< caution >}} -Kubernetes Secrets are, by default, stored as unencrypted base64-encoded -strings. By default they can be retrieved - as plain text - by anyone with API -access, or anyone with access to Kubernetes' underlying data store, etcd. In -order to safely use Secrets, it is recommended you (at a minimum): +Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd. +Additionally, anyone who is authorized to create a Pod in a namespace can use that access to read any Secret in that namespace; this includes indirect access such as the ability to create a Deployment. + +In order to safely use Secrets, take at least the following steps: 1. [Enable Encryption at Rest](/docs/tasks/administer-cluster/encrypt-data/) for Secrets. -2. [Enable or configure RBAC rules](/docs/reference/access-authn-authz/authorization/) that restrict reading and writing the Secret. Be aware that secrets can be obtained implicitly by anyone with the permission to create a Pod. +2. Enable or configure [RBAC rules](/docs/reference/access-authn-authz/authorization/) that + restrict reading data in Secrets (including via indirect means). +3. Where appropriate, also use mechanisms such as RBAC to limit which principals are allowed to create new Secrets or replace existing ones. + {{< /caution >}} @@ -47,6 +54,10 @@ A Secret can be used with a Pod in three ways: - As [container environment variable](#using-secrets-as-environment-variables). - By the [kubelet when pulling images](#using-imagepullsecrets) for the Pod. +The Kubernetes control plane also uses Secrets; for example, +[bootstrap token Secrets](#bootstrap-token-secrets) are a mechanism to +help automate node registration. + The name of a Secret object must be a valid [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names). You can specify the `data` and/or the `stringData` field when creating a @@ -407,9 +418,9 @@ stringData: There are several options to create a Secret: -- [create Secrets using `kubectl` command](/docs/tasks/configmap-secret/managing-secret-using-kubectl/) -- [create Secrets from config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/) -- [create Secrets using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) +- [create Secret using `kubectl` command](/docs/tasks/configmap-secret/managing-secret-using-kubectl/) +- [create Secret from config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/) +- [create Secret using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) ## Editing a Secret @@ -1164,7 +1175,7 @@ limit access using [authorization policies]( Secrets often hold values that span a spectrum of importance, many of which can cause escalations within Kubernetes (e.g. service account tokens) and to external systems. Even if an individual app can reason about the power of the -secrets it expects to interact with, other apps within the same namespace can +Secrets it expects to interact with, other apps within the same namespace can render those assumptions invalid. For these reasons `watch` and `list` requests for secrets within a namespace are @@ -1236,10 +1247,8 @@ for secret data, so that the secrets are not stored in the clear into {{< glossa if the API server policy does not allow that user to read the Secret, the user could run a Pod which exposes the secret. - ## {{% heading "whatsnext" %}} -- Learn how to [manage Secrets using `kubectl`](/docs/tasks/configmap-secret/managing-secret-using-kubectl/) -- Learn how to [manage Secrets using config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/) -- Learn how to [manage Secrets using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) - +- Learn how to [manage Secret using `kubectl`](/docs/tasks/configmap-secret/managing-secret-using-kubectl/) +- Learn how to [manage Secret using config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/) +- Learn how to [manage Secret using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) From 45698e8c40e9c5923513540c59b56f655011f012 Mon Sep 17 00:00:00 2001 From: yuswift Date: Mon, 26 Jul 2021 20:48:02 +0800 Subject: [PATCH 15/25] fix typo in content/en/docs/contribute/generate-ref-docs/quickstart.md Signed-off-by: yuswift --- .../contribute/generate-ref-docs/quickstart.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/content/en/docs/contribute/generate-ref-docs/quickstart.md b/content/en/docs/contribute/generate-ref-docs/quickstart.md index c9b15a2360..51bff81cf8 100644 --- a/content/en/docs/contribute/generate-ref-docs/quickstart.md +++ b/content/en/docs/contribute/generate-ref-docs/quickstart.md @@ -6,7 +6,7 @@ weight: 40 -This page shows how to use the `update-imported-docs` script to generate +This page shows how to use the `update-imported-docs.py` script to generate the Kubernetes reference documentation. The script automates the build setup and generates the reference documentation for a release. @@ -39,7 +39,7 @@ see the [contributing upstream guide](/docs/contribute/generate-ref-docs/contrib ## Overview of update-imported-docs -The `update-imported-docs` script is located in the `/update-imported-docs/` +The `update-imported-docs.py` script is located in the `/update-imported-docs/` directory. The script builds the following references: @@ -48,7 +48,7 @@ The script builds the following references: * The `kubectl` command reference * The Kubernetes API reference -The `update-imported-docs` script generates the Kubernetes reference documentation +The `update-imported-docs.py` script generates the Kubernetes reference documentation from the Kubernetes source code. The script creates a temporary directory under `/tmp` on your machine and clones the required repositories: `kubernetes/kubernetes` and `kubernetes-sigs/reference-docs` into this directory. @@ -69,7 +69,7 @@ The `generate-command` field defines a series of build instructions from `kubernetes-sigs/reference-docs/Makefile`. The `K8S_RELEASE` variable determines the version of the release. -The `update-imported-docs` script performs the following steps: +The `update-imported-docs.py` script performs the following steps: 1. Clones the related repositories specified in a configuration file. For the purpose of generating reference docs, the repository that is cloned by @@ -152,17 +152,17 @@ For example: ## Running the update-imported-docs tool -You can run the `update-imported-docs` tool as follows: +You can run the `update-imported-docs.py` tool as follows: ```shell cd /update-imported-docs -./update-imported-docs +./update-imported-docs.py ``` For example: ```shell -./update-imported-docs reference.yml 1.17 +./update-imported-docs.py reference.yml 1.17 ``` @@ -254,4 +254,3 @@ running the build targets, see the following guides: * [Generating Reference Documentation for kubectl Commands](/docs/contribute/generate-ref-docs/kubectl/) * [Generating Reference Documentation for the Kubernetes API](/docs/contribute/generate-ref-docs/kubernetes-api/) - From de9db22f9efb500e4ba4205e6618f64d7fa13598 Mon Sep 17 00:00:00 2001 From: Shubham Kuchhal Date: Tue, 27 Jul 2021 13:21:52 +0530 Subject: [PATCH 16/25] Correct default values for memory and cpu. --- content/en/docs/tutorials/stateful-application/cassandra.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/tutorials/stateful-application/cassandra.md b/content/en/docs/tutorials/stateful-application/cassandra.md index 91ed9efdaf..ffbf65286b 100644 --- a/content/en/docs/tutorials/stateful-application/cassandra.md +++ b/content/en/docs/tutorials/stateful-application/cassandra.md @@ -50,7 +50,7 @@ To complete this tutorial, you should already have a basic familiarity with ### Additional Minikube setup instructions {{< caution >}} -[Minikube](https://minikube.sigs.k8s.io/docs/) defaults to 1024MiB of memory and 1 CPU. +[Minikube](https://minikube.sigs.k8s.io/docs/) defaults to 2048MB of memory and 2 CPU. Running Minikube with the default resource configuration results in insufficient resource errors during this tutorial. To avoid these errors, start Minikube with the following settings: From eedecdc6855dfe673c3a3306e02a32a25d6d000a Mon Sep 17 00:00:00 2001 From: Cheng Wang Date: Tue, 27 Jul 2021 21:59:11 +0800 Subject: [PATCH 17/25] Update CSR Signers description --- .../certificate-signing-requests.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md b/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md index 6d4c97df10..f27a447737 100644 --- a/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md +++ b/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md @@ -67,12 +67,11 @@ Custom signerNames can also be specified. All signers should provide information This includes: 1. **Trust distribution**: how trust (CA bundles) are distributed. -1. **Permitted subjects**: any restrictions on and behavior when a disallowed subject is requested. -1. **Permitted x509 extensions**: including IP subjectAltNames, DNS subjectAltNames, Email subjectAltNames, URI subjectAltNames etc, and behavior when a disallowed extension is requested. -1. **Permitted key usages / extended key usages**: any restrictions on and behavior when usages different than the signer-determined usages are specified in the CSR. -1. **Expiration/certificate lifetime**: whether it is fixed by the signer, configurable by the admin, determined by the CSR object etc - and the behavior when an expiration is different than the signer-determined expiration that is specified in the CSR. -1. **CA bit allowed/disallowed**: and behavior if a CSR contains a request a for a CA certificate when the signer does not permit it. +1. **Permitted subjects**: any restrictions on and the behavior when a disallowed subject is requested. +1. **Permitted x509 extensions**: including IP subjectAltNames, DNS subjectAltNames, Email subjectAltNames, URI subjectAltNames etc, and the behavior when a disallowed extension is requested. +1. **Permitted key usages / extended key usages**: any restrictions on and the behavior when usages different than the signer-determined usages are specified in the CSR. +1. **Expiration/certificate lifetime**: whether it is fixed by the signer, configurable by the admin, determined by the CSR object etc, and the behavior when an expiration is different than the signer-determined expiration that is specified in the CSR. +1. **CA bit allowed/disallowed**: the behavior if a CSR contains a request for a CA certificate when the signer does not permit it. Commonly, the `status.certificate` field contains a single PEM-encoded X.509 certificate once the CSR is approved and the certificate is issued. Some From 475da9d22ae26f63f66753629a428b885dc2df6a Mon Sep 17 00:00:00 2001 From: Arhell Date: Wed, 28 Jul 2021 00:25:43 +0300 Subject: [PATCH 18/25] [it] update link to Flannel --- content/it/docs/concepts/cluster-administration/addons.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/it/docs/concepts/cluster-administration/addons.md b/content/it/docs/concepts/cluster-administration/addons.md index 3a91ff7b93..144abd006b 100644 --- a/content/it/docs/concepts/cluster-administration/addons.md +++ b/content/it/docs/concepts/cluster-administration/addons.md @@ -26,7 +26,7 @@ I componenti aggiuntivi in ogni sezione sono ordinati alfabeticamente - l'ordine * [Cilium](https://github.com/cilium/cilium) è un plug-in di criteri di rete e di rete L3 in grado di applicare in modo trasparente le politiche HTTP / API / L7. Sono supportate entrambe le modalità di routing e overlay / incapsulamento. * [CNI-Genie](https://github.com/Huawei-PaaS/CNI-Genie) consente a Kubernetes di connettersi senza problemi a una scelta di plugin CNI, come Calico, Canal, Flannel, Romana o Weave. * [Contiv](http://contiv.github.io) offre networking configurabile (L3 nativo con BGP, overlay con vxlan, L2 classico e Cisco-SDN / ACI) per vari casi d'uso e un ricco framework di policy. Il progetto Contiv è completamente [open source](http://github.com/contiv). Il [programma di installazione](http://github.com/contiv/install) fornisce sia opzioni di installazione basate su kubeadm che non su Kubeadm. -* [Flanella](https://github.com/coreos/flannel/blob/master/Documentation/kubernetes.md) è un provider di reti sovrapposte che può essere utilizzato con Kubernetes. +* [Flanella](https://github.com/flannel-io/flannel#deploying-flannel-manually) è un provider di reti sovrapposte che può essere utilizzato con Kubernetes. * [Knitter](https://github.com/ZTE/Knitter/) è una soluzione di rete che supporta più reti in Kubernetes. * [Multus](https://github.com/Intel-Corp/multus-cni) è un multi-plugin per il supporto di più reti in Kubernetes per supportare tutti i plugin CNI (es. Calico, Cilium, Contiv, Flannel), oltre a SRIOV, DPDK, OVS-DPDK e carichi di lavoro basati su VPP in Kubernetes. * [NSX-T](https://docs.vmware.com/en/VMware-NSX-T/2.0/nsxt_20_ncp_kubernetes.pdf) Container Plug-in (NCP) fornisce l'integrazione tra VMware NSX-T e orchestratori di contenitori come Kubernetes, oltre all'integrazione tra NSX-T e piattaforme CaaS / PaaS basate su container come Pivotal Container Service (PKS) e OpenShift. From 2fe20a8ac4473dab8eb8e8403477f69c26044ae7 Mon Sep 17 00:00:00 2001 From: Junaid Ali Date: Tue, 27 Jul 2021 23:34:13 +0100 Subject: [PATCH 19/25] Fix link to decoding a secret --- content/en/docs/tasks/administer-cluster/encrypt-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/tasks/administer-cluster/encrypt-data.md b/content/en/docs/tasks/administer-cluster/encrypt-data.md index 8499855bb0..66427133b2 100644 --- a/content/en/docs/tasks/administer-cluster/encrypt-data.md +++ b/content/en/docs/tasks/administer-cluster/encrypt-data.md @@ -157,7 +157,7 @@ program to retrieve the contents of your secret. kubectl describe secret secret1 -n default ``` - should match `mykey: bXlkYXRh`, mydata is encoded, check [decoding a secret](/docs/concepts/configuration/secret#decoding-a-secret) to + should match `mykey: bXlkYXRh`, mydata is encoded, check [decoding a secret](/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret) to completely decode the secret. From c5c8dd48b398573010547998e68c5feef951b21a Mon Sep 17 00:00:00 2001 From: Cheng Wang Date: Wed, 28 Jul 2021 10:11:36 +0800 Subject: [PATCH 20/25] Apply suggestions from code review Co-authored-by: Jordan Liggitt --- .../access-authn-authz/certificate-signing-requests.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md b/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md index f27a447737..e5e51ac205 100644 --- a/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md +++ b/content/en/docs/reference/access-authn-authz/certificate-signing-requests.md @@ -67,10 +67,10 @@ Custom signerNames can also be specified. All signers should provide information This includes: 1. **Trust distribution**: how trust (CA bundles) are distributed. -1. **Permitted subjects**: any restrictions on and the behavior when a disallowed subject is requested. +1. **Permitted subjects**: any restrictions on requested subjects, and the behavior when a disallowed subject is requested. 1. **Permitted x509 extensions**: including IP subjectAltNames, DNS subjectAltNames, Email subjectAltNames, URI subjectAltNames etc, and the behavior when a disallowed extension is requested. -1. **Permitted key usages / extended key usages**: any restrictions on and the behavior when usages different than the signer-determined usages are specified in the CSR. -1. **Expiration/certificate lifetime**: whether it is fixed by the signer, configurable by the admin, determined by the CSR object etc, and the behavior when an expiration is different than the signer-determined expiration that is specified in the CSR. +1. **Permitted key usages / extended key usages**: any restrictions on requested usages, and the behavior when usages different than the signer-determined usages are specified in the CSR. +1. **Expiration/certificate lifetime**: whether it is fixed by the signer, configurable by the admin, determined by the CSR object etc, and the behavior when an expiration different than the signer-determined expiration is specified in the CSR. 1. **CA bit allowed/disallowed**: the behavior if a CSR contains a request for a CA certificate when the signer does not permit it. Commonly, the `status.certificate` field contains a single PEM-encoded X.509 From 651a0c2183a3bd546c9eb6323e2c7669567237ed Mon Sep 17 00:00:00 2001 From: Qiming Teng Date: Wed, 28 Jul 2021 11:30:35 +0800 Subject: [PATCH 21/25] Amend the annotation concept --- .../concepts/overview/working-with-objects/annotations.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/content/en/docs/concepts/overview/working-with-objects/annotations.md b/content/en/docs/concepts/overview/working-with-objects/annotations.md index fe31841612..f09820bc32 100644 --- a/content/en/docs/concepts/overview/working-with-objects/annotations.md +++ b/content/en/docs/concepts/overview/working-with-objects/annotations.md @@ -30,6 +30,11 @@ Annotations, like labels, are key/value maps: } ``` +{{}} +The keys and the values in the map must be strings. In other words, you cannot use +numeric, boolean, list or other types for either the keys or the values. +{{}} + Here are some examples of information that could be recorded in annotations: * Fields managed by a declarative configuration layer. Attaching these fields From 6fc10eaaa8811a6d266eb945441d23073327e40a Mon Sep 17 00:00:00 2001 From: Mengjiao Liu Date: Wed, 28 Jul 2021 15:45:11 +0800 Subject: [PATCH 22/25] [zh] memory suffixes: "k" is lowercase --- .../docs/concepts/configuration/manage-resources-containers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/zh/docs/concepts/configuration/manage-resources-containers.md b/content/zh/docs/concepts/configuration/manage-resources-containers.md index e019c5180a..ddb89be10e 100644 --- a/content/zh/docs/concepts/configuration/manage-resources-containers.md +++ b/content/zh/docs/concepts/configuration/manage-resources-containers.md @@ -227,7 +227,7 @@ Mi, Ki. For example, the following represent roughly the same value: ## 内存的含义 {#meaning-of-memory} 内存的约束和请求以字节为单位。你可以使用以下后缀之一以一般整数或定点数字形式来表示内存: -E、P、T、G、M、K。你也可以使用对应的 2 的幂数:Ei、Pi、Ti、Gi、Mi、Ki。 +E、P、T、G、M、k。你也可以使用对应的 2 的幂数:Ei、Pi、Ti、Gi、Mi、Ki。 例如,以下表达式所代表的是大致相同的值: ``` From 83be6d319381b9fe454fb844c380e3a21d79fac8 Mon Sep 17 00:00:00 2001 From: Nitesh Seram Date: Wed, 28 Jul 2021 20:23:04 +0530 Subject: [PATCH 23/25] updating the outdated word --- .../kubelet-tls-bootstrapping.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md b/content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md index 1b1142913f..ab795ab9b2 100644 --- a/content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md +++ b/content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md @@ -10,7 +10,7 @@ content_type: concept -In a Kubernetes cluster, the components on the worker nodes - kubelet and kube-proxy - need to communicate with Kubernetes master components, specifically kube-apiserver. +In a Kubernetes cluster, the components on the worker nodes - kubelet and kube-proxy - need to communicate with Kubernetes control plane components, specifically kube-apiserver. In order to ensure that communication is kept private, not interfered with, and ensure that each component of the cluster is talking to another trusted component, we strongly recommend using client TLS certificates on nodes. @@ -44,7 +44,7 @@ Note that the above process depends upon: All of the following are responsibilities of whoever sets up and manages the cluster: 1. Creating the CA key and certificate -2. Distributing the CA certificate to the master nodes, where kube-apiserver is running +2. Distributing the CA certificate to the control plane nodes, where kube-apiserver is running 3. Creating a key and certificate for each kubelet; strongly recommended to have a unique one, with a unique CN, for each kubelet 4. Signing the kubelet certificate using the CA key 5. Distributing the kubelet key and signed certificate to the specific node on which the kubelet is running @@ -90,9 +90,9 @@ In addition, you need your Kubernetes Certificate Authority (CA). ## Certificate Authority As without bootstrapping, you will need a Certificate Authority (CA) key and certificate. As without bootstrapping, these will be used -to sign the kubelet certificate. As before, it is your responsibility to distribute them to master nodes. +to sign the kubelet certificate. As before, it is your responsibility to distribute them to control plane nodes. -For the purposes of this document, we will assume these have been distributed to master nodes at `/var/lib/kubernetes/ca.pem` (certificate) and `/var/lib/kubernetes/ca-key.pem` (key). +For the purposes of this document, we will assume these have been distributed to control plane nodes at `/var/lib/kubernetes/ca.pem` (certificate) and `/var/lib/kubernetes/ca-key.pem` (key). We will refer to these as "Kubernetes CA certificate and key". All Kubernetes components that use these certificates - kubelet, kube-apiserver, kube-controller-manager - assume the key and certificate to be PEM-encoded. @@ -234,7 +234,7 @@ In order for the controller-manager to sign certificates, it needs the following ### Access to key and certificate -As described earlier, you need to create a Kubernetes CA key and certificate, and distribute it to the master nodes. +As described earlier, you need to create a Kubernetes CA key and certificate, and distribute it to the control plane nodes. These will be used by the controller-manager to sign the kubelet certificates. Since these signed certificates will, in turn, be used by the kubelet to authenticate as a regular kubelet to kube-apiserver, it is important that the CA @@ -319,7 +319,7 @@ collection. ## kubelet configuration -Finally, with the master nodes properly set up and all of the necessary authentication and authorization in place, we can configure the kubelet. +Finally, with the control plane nodes properly set up and all of the necessary authentication and authorization in place, we can configure the kubelet. The kubelet requires the following configuration to bootstrap: From 04a907ccc7c640714ea960ad19ef908123dbd43a Mon Sep 17 00:00:00 2001 From: Arhell Date: Thu, 29 Jul 2021 00:31:43 +0300 Subject: [PATCH 24/25] [it] fix addon name --- content/it/docs/concepts/cluster-administration/addons.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/it/docs/concepts/cluster-administration/addons.md b/content/it/docs/concepts/cluster-administration/addons.md index 144abd006b..7d22ac1382 100644 --- a/content/it/docs/concepts/cluster-administration/addons.md +++ b/content/it/docs/concepts/cluster-administration/addons.md @@ -26,7 +26,7 @@ I componenti aggiuntivi in ogni sezione sono ordinati alfabeticamente - l'ordine * [Cilium](https://github.com/cilium/cilium) è un plug-in di criteri di rete e di rete L3 in grado di applicare in modo trasparente le politiche HTTP / API / L7. Sono supportate entrambe le modalità di routing e overlay / incapsulamento. * [CNI-Genie](https://github.com/Huawei-PaaS/CNI-Genie) consente a Kubernetes di connettersi senza problemi a una scelta di plugin CNI, come Calico, Canal, Flannel, Romana o Weave. * [Contiv](http://contiv.github.io) offre networking configurabile (L3 nativo con BGP, overlay con vxlan, L2 classico e Cisco-SDN / ACI) per vari casi d'uso e un ricco framework di policy. Il progetto Contiv è completamente [open source](http://github.com/contiv). Il [programma di installazione](http://github.com/contiv/install) fornisce sia opzioni di installazione basate su kubeadm che non su Kubeadm. -* [Flanella](https://github.com/flannel-io/flannel#deploying-flannel-manually) è un provider di reti sovrapposte che può essere utilizzato con Kubernetes. +* [Flanell](https://github.com/flannel-io/flannel#deploying-flannel-manually) è un provider di reti sovrapposte che può essere utilizzato con Kubernetes. * [Knitter](https://github.com/ZTE/Knitter/) è una soluzione di rete che supporta più reti in Kubernetes. * [Multus](https://github.com/Intel-Corp/multus-cni) è un multi-plugin per il supporto di più reti in Kubernetes per supportare tutti i plugin CNI (es. Calico, Cilium, Contiv, Flannel), oltre a SRIOV, DPDK, OVS-DPDK e carichi di lavoro basati su VPP in Kubernetes. * [NSX-T](https://docs.vmware.com/en/VMware-NSX-T/2.0/nsxt_20_ncp_kubernetes.pdf) Container Plug-in (NCP) fornisce l'integrazione tra VMware NSX-T e orchestratori di contenitori come Kubernetes, oltre all'integrazione tra NSX-T e piattaforme CaaS / PaaS basate su container come Pivotal Container Service (PKS) e OpenShift. From 601c5b2b9bb155fb0ada22991818ce11ca3a6c66 Mon Sep 17 00:00:00 2001 From: chjtwork <32709877+chjtwork@users.noreply.github.com> Date: Thu, 29 Jul 2021 15:05:03 +0800 Subject: [PATCH 25/25] fix debug-running-pod url --- .../docs/tasks/debug-application-cluster/debug-application.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/zh/docs/tasks/debug-application-cluster/debug-application.md b/content/zh/docs/tasks/debug-application-cluster/debug-application.md index d2e95ab2b4..2e71c22af0 100644 --- a/content/zh/docs/tasks/debug-application-cluster/debug-application.md +++ b/content/zh/docs/tasks/debug-application-cluster/debug-application.md @@ -124,7 +124,7 @@ Once your pod has been scheduled, the methods described in [Debug Running Pods]( #### Pod 处于 Crashing 或别的不健康状态 一旦 Pod 被调度,就可以采用 -[调试运行中的 Pod](/zh/docs/concepts/configuration/manage-resources-containers/) +[调试运行中的 Pod](/zh/docs/tasks/debug-application-cluster/debug-running-pod/) 中的方法来进一步调试。