Kubernetes Prow Robot
GitHub
commit
e2509cb624
|
|
@ -214,7 +214,7 @@ allow-list:
|
|||
|
||||
Additionally, the `cardinality_enforcement_unexpected_categorizations_total` meta-metric records the
|
||||
count of unexpected categorizations during cardinality enforcement, that is, whenever a label value
|
||||
is encountered that is not allowed with respect to the allow-list contraints.
|
||||
is encountered that is not allowed with respect to the allow-list constraints.
|
||||
|
||||
## {{% heading "whatsnext" %}}
|
||||
|
||||
|
|
|
|||
|
|
@ -114,7 +114,7 @@ The general workflow of a device plugin includes the following steps:
|
|||
// informed allocation decision when possible.
|
||||
rpc GetPreferredAllocation(PreferredAllocationRequest) returns (PreferredAllocationResponse) {}
|
||||
|
||||
// PreStartContainer is called, if indicated by Device Plugin during registeration phase,
|
||||
// PreStartContainer is called, if indicated by Device Plugin during registration phase,
|
||||
// before each container start. Device plugin can run device specific operations
|
||||
// such as resetting the device before making devices available to the container.
|
||||
rpc PreStartContainer(PreStartContainerRequest) returns (PreStartContainerResponse) {}
|
||||
|
|
@ -346,7 +346,7 @@ update and Kubelet needs to be restarted to reflect the correct resource capacit
|
|||
{{< /note >}}
|
||||
|
||||
```gRPC
|
||||
// AllocatableResourcesResponses contains informations about all the devices known by the kubelet
|
||||
// AllocatableResourcesResponses contains information about all the devices known by the kubelet
|
||||
message AllocatableResourcesResponse {
|
||||
repeated ContainerDevices devices = 1;
|
||||
repeated int64 cpu_ids = 2;
|
||||
|
|
|
|||
|
|
@ -64,5 +64,5 @@ Dynamic Admission Controllers that act as flexible policy engines are being deve
|
|||
## Apply policies using Kubelet configurations
|
||||
|
||||
Kubernetes allows configuring the Kubelet on each worker node. Some Kubelet configurations act as policies:
|
||||
* [Process ID limts and reservations](/docs/concepts/policy/pid-limiting/) are used to limit and reserve allocatable PIDs.
|
||||
* [Process ID limits and reservations](/docs/concepts/policy/pid-limiting/) are used to limit and reserve allocatable PIDs.
|
||||
* [Node Resource Managers](/docs/concepts/policy/node-resource-managers/) can manage compute, memory, and device resources for latency-critical and high-throughput workloads.
|
||||
|
|
|
|||
|
|
@ -390,7 +390,7 @@ availability state and recommended to improve your security posture:
|
|||
|
||||
[`NodeRestriction`](/docs/reference/access-authn-authz/admission-controllers/#noderestriction)
|
||||
: Restricts kubelet's permissions to only modify the pods API resources they own
|
||||
or the node API ressource that represent themselves. It also prevents kubelet
|
||||
or the node API resource that represent themselves. It also prevents kubelet
|
||||
from using the `node-restriction.kubernetes.io/` annotation, which can be used
|
||||
by an attacker with access to the kubelet's credentials to influence pod
|
||||
placement to the controlled node.
|
||||
|
|
|
|||
|
|
@ -210,7 +210,7 @@ perfectly full distribution of EndpointSlices. As an example, if there are 10
|
|||
new endpoints to add and 2 EndpointSlices with room for 5 more endpoints each,
|
||||
this approach will create a new EndpointSlice instead of filling up the 2
|
||||
existing EndpointSlices. In other words, a single EndpointSlice creation is
|
||||
preferrable to multiple EndpointSlice updates.
|
||||
preferable to multiple EndpointSlice updates.
|
||||
|
||||
With kube-proxy running on each Node and watching EndpointSlices, every change
|
||||
to an EndpointSlice becomes relatively expensive since it will be transmitted to
|
||||
|
|
|
|||
|
|
@ -395,7 +395,7 @@ for pod failures independently for each index. To do so, set the
|
|||
`.spec.backoffLimitPerIndex` to specify the maximal number of pod failures
|
||||
per index.
|
||||
|
||||
When the per-index backoff limit is exceeded for an index, Kuberentes considers the index as failed and adds it to the
|
||||
When the per-index backoff limit is exceeded for an index, Kubernetes considers the index as failed and adds it to the
|
||||
`.status.failedIndexes` field. The succeeded indexes, those with a successfully
|
||||
executed pods, are recorded in the `.status.completedIndexes` field, regardless of whether you set
|
||||
the `backoffLimitPerIndex` field.
|
||||
|
|
@ -940,7 +940,7 @@ the Job status, allowing the Pod to be removed by other controllers or users.
|
|||
|
||||
{{< note >}}
|
||||
See [My pod stays terminating](/docs/tasks/debug/debug-application/debug-pods/) if you
|
||||
observe that pods from a Job are stucked with the tracking finalizer.
|
||||
observe that pods from a Job are stuck with the tracking finalizer.
|
||||
{{< /note >}}
|
||||
|
||||
### Elastic Indexed Jobs
|
||||
|
|
|
|||
|
|
@ -225,7 +225,7 @@ pod1 1/1 Running 0 36s
|
|||
pod2 1/1 Running 0 36s
|
||||
```
|
||||
|
||||
In this manner, a ReplicaSet can own a non-homogenous set of Pods
|
||||
In this manner, a ReplicaSet can own a non-homogeneous set of Pods
|
||||
|
||||
## Writing a ReplicaSet manifest
|
||||
|
||||
|
|
|
|||
|
|
@ -624,7 +624,7 @@ caption and the diagram referral.
|
|||
flowchart
|
||||
A[Diagram<br><br>Inline Mermaid or<br>SVG image files]
|
||||
B[Diagram Caption<br><br>Add Figure Number. and<br>Caption Text]
|
||||
C[Diagram Referral<br><br>Referenence Figure Number<br>in text]
|
||||
C[Diagram Referral<br><br>Reference Figure Number<br>in text]
|
||||
|
||||
classDef box fill:#fff,stroke:#000,stroke-width:1px,color:#000;
|
||||
class A,B,C box
|
||||
|
|
|
|||
|
|
@ -438,7 +438,7 @@ controller in the cluster, so they have several security features:
|
|||
`<signerNameDomain>/*`.
|
||||
* Signer-linked ClusterTrustBundles **must** be named with a prefix derived from
|
||||
their `spec.signerName` field. Slashes (`/`) are replaced with colons (`:`),
|
||||
and a final colon is appended. This is followed by an arbitary name. For
|
||||
and a final colon is appended. This is followed by an arbitrary name. For
|
||||
example, the signer `example.com/mysigner` can be linked to a
|
||||
ClusterTrustBundle `example.com:mysigner:<arbitrary-name>`.
|
||||
|
||||
|
|
|
|||
|
|
@ -166,7 +166,7 @@ purged by the control plane.
|
|||
If users use an invalidated auto-generated token, the token validator will
|
||||
|
||||
1. add an audit annotation for the key-value pair
|
||||
`authentication.k8s.io/legacy-token-invalidated: <secret name>/<namepace>`,
|
||||
`authentication.k8s.io/legacy-token-invalidated: <secret name>/<namespace>`,
|
||||
1. increment the `invalid_legacy_auto_token_uses_total` metric count,
|
||||
1. update the Secret label `kubernetes.io/legacy-token-last-used` with the new
|
||||
date,
|
||||
|
|
|
|||
|
|
@ -375,7 +375,7 @@ When an API request is validated with this admission policy, the resulting audit
|
|||
```
|
||||
|
||||
In this example the annotation will only be included if the `spec.replicas` of the Deployment is more than
|
||||
50, otherwise the CEL expression evalutes to null and the annotation will not be included.
|
||||
50, otherwise the CEL expression evaluates to null and the annotation will not be included.
|
||||
|
||||
Note that audit annotation keys are prefixed by the name of the `ValidatingAdmissionWebhook` and a `/`. If
|
||||
another admission controller, such as an admission webhook, uses the exact same audit annotation key, the
|
||||
|
|
|
|||
|
|
@ -13,5 +13,5 @@ stages:
|
|||
Extend the kubelet's pod resources gRPC endpoint to
|
||||
to include resources allocated in `ResourceClaims` via `DynamicResourceAllocation` API.
|
||||
See [resource allocation reporting](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#monitoring-device-plugin-resources) for more details.
|
||||
with informations about the allocatable resources, enabling clients to properly
|
||||
with information about the allocatable resources, enabling clients to properly
|
||||
track the free compute resources on a node.
|
||||
|
|
|
|||
|
|
@ -609,7 +609,7 @@ ZeroLimitedNominalConcurrencyShares=true|false (BETA - default=false)<br/>
|
|||
<td colspan="2">--kube-reserved strings Default: <None></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of <code><resource name>=<resource quantity></code> (e.g. "<code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>&auot;) pairs that describe resources reserved for kubernetes system components. Currently <code>cpu</code>, <code>memory</code> and local <code>ephemeral-storage</code> for root file system are supported. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#kube-reserved">here</a> for more detail. (DEPRECATED: This parameter should be set via the config file specified by the kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
|
||||
<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of <code><resource name>=<resource quantity></code> (e.g. "<code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>") pairs that describe resources reserved for kubernetes system components. Currently <code>cpu</code>, <code>memory</code> and local <code>ephemeral-storage</code> for root file system are supported. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#kube-reserved">here</a> for more detail. (DEPRECATED: This parameter should be set via the config file specified by the kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
|
|
@ -1088,4 +1088,3 @@ Insecure values:
|
|||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
|
|
|||
|
|
@ -898,7 +898,7 @@ This is achieved via _SelectorSpreadPriority_.
|
|||
_SelectorSpreadPriority_ is a best effort placement. If the zones in your cluster are
|
||||
heterogeneous (for example: different numbers of nodes, different types of nodes, or different pod
|
||||
resource requirements), this placement might prevent equal spreading of your Pods across zones.
|
||||
If desired, you can use homogenous zones (same number and types of nodes) to reduce the probability
|
||||
If desired, you can use homogeneous zones (same number and types of nodes) to reduce the probability
|
||||
of unequal spreading.
|
||||
|
||||
The scheduler (through the _VolumeZonePredicate_ predicate) also will ensure that Pods,
|
||||
|
|
@ -1375,7 +1375,7 @@ Example: `batch.kubernetes.io/controller-uid: "$UID"`
|
|||
Used on: Jobs and Pods controlled by Jobs
|
||||
|
||||
This label is used as a programmatic way to get all Pods corresponding to a Job.
|
||||
The `controller-uid` is a unique identifer that gets set in the `selector` field so the Job
|
||||
The `controller-uid` is a unique identifier that gets set in the `selector` field so the Job
|
||||
controller can get all the corresponding Pods.
|
||||
|
||||
### scheduler.alpha.kubernetes.io/defaultTolerations {#scheduleralphakubernetesio-defaulttolerations}
|
||||
|
|
@ -1948,7 +1948,7 @@ Example: `service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-53fa
|
|||
|
||||
Used on: Service
|
||||
|
||||
The AWS load balancer controller uses this annotation to specify a comma seperated list
|
||||
The AWS load balancer controller uses this annotation to specify a comma separated list
|
||||
of security groups you want to attach to an AWS load balancer. Both name and ID of security
|
||||
are supported where name matches a `Name` tag, not the `groupName` attribute.
|
||||
|
||||
|
|
|
|||
|
|
@ -115,7 +115,7 @@ Example: `validation.policy.admission.k8s.io/validation_failure: '[{"message": "
|
|||
|
||||
Used by Kubernetes version v1.27 and later.
|
||||
|
||||
This annotation indicates that a admission policy validation evaluted to false
|
||||
This annotation indicates that a admission policy validation evaluated to false
|
||||
for an API request, or that the validation resulted in an error while the policy
|
||||
was configured with `failurePolicy: Fail`.
|
||||
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ POST /checkpoint/{namespace}/{pod}/{container}
|
|||
- **timeout** (*in query*): integer
|
||||
|
||||
Timeout in seconds to wait until the checkpoint creation is finished.
|
||||
If zero or no timeout is specfied the default {{<glossary_tooltip
|
||||
If zero or no timeout is specified the default {{<glossary_tooltip
|
||||
term_id="cri" text="CRI">}} timeout value will be used. Checkpoint
|
||||
creation time depends directly on the used memory of the container.
|
||||
The more memory a container uses the more time is required to create
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ Read a file containing the kubeadm configuration API and report any validation p
|
|||
|
||||
This command lets you validate a kubeadm configuration API file and report any warnings and errors.
|
||||
If there are no errors the exit status will be zero, otherwise it will be non-zero.
|
||||
Any unmarshaling problems such as unknown API fields will trigger errors. Unknown API versions and
|
||||
Any unmarshalling problems such as unknown API fields will trigger errors. Unknown API versions and
|
||||
fields with invalid values will also trigger errors. Any other errors or warnings may be reported
|
||||
depending on contents of the input file.
|
||||
|
||||
|
|
|
|||
|
|
@ -192,7 +192,7 @@ Rules](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition
|
|||
are fully type checked.
|
||||
|
||||
Some Kubernetes API fields contain partially type checked CEL expressions. A
|
||||
partially type checked expression is an experessions where some of the variables
|
||||
partially type checked expression is an expressions where some of the variables
|
||||
are statically typed but others are dynamically typed. For example, in the CEL
|
||||
expressions of
|
||||
[ValidatingAdmissionPolicies](/docs/reference/access-authn-authz/validating-admission-policy/)
|
||||
|
|
|
|||
|
|
@ -135,7 +135,7 @@ request fails.
|
|||
It is however possible to change `.metadata.managedFields` through an
|
||||
**update**, or through a **patch** operation that does not use Server-Side Apply.
|
||||
Doing so is highly discouraged, but might be a reasonable option to try if,
|
||||
for example, the `.metatadata.managedFields` get into an inconsistent state
|
||||
for example, the `.metadata.managedFields` get into an inconsistent state
|
||||
(which should not happen in normal operations).
|
||||
|
||||
The format of `managedFields` is [described](/docs/reference/kubernetes-api/common-definitions/object-meta/#System)
|
||||
|
|
|
|||
|
|
@ -445,7 +445,7 @@ a new `kubelet.conf.csr`, sign the certificate, embed it in `kubelet.conf`
|
|||
and restart the kubelet.
|
||||
|
||||
If this does not apply to your setup, you can skip processing the `kubelet.conf.csr`
|
||||
on secondary control plane and on workers nodes (all nodes tha call `kubeadm join ...`).
|
||||
on secondary control plane and on workers nodes (all nodes that call `kubeadm join ...`).
|
||||
That is because the active kube-controller-manager will be responsible
|
||||
for signing new kubelet client certificates.
|
||||
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ If the version of the plugin is missing in the CNI plugin config, the pod may
|
|||
run. However, stopping the pod generates an error similar to:
|
||||
|
||||
```
|
||||
ERRO[2022-04-26T00:43:24.518165483Z] StopPodSandbox for "b" failed
|
||||
ERROR[2022-04-26T00:43:24.518165483Z] StopPodSandbox for "b" failed
|
||||
error="failed to destroy network for sandbox \"bbc85f891eaf060c5a879e27bba9b6b06450210161dfdecfbb2732959fb6500a\": invalid version \"\": the version is empty"
|
||||
```
|
||||
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ To learn more about keyless signing, please refer to [Keyless Signatures](https:
|
|||
|
||||
Previous versions of Cosign required that you set `COSIGN_EXPERIMENTAL=1`.
|
||||
|
||||
For additional information, plase refer to the [sigstore Blog](https://blog.sigstore.dev/cosign-2-0-released/)
|
||||
For additional information, please refer to the [sigstore Blog](https://blog.sigstore.dev/cosign-2-0-released/)
|
||||
{{< /note >}}
|
||||
|
||||
## Verifying image signatures
|
||||
|
|
|
|||
|
|
@ -185,14 +185,14 @@ command line argument to `kubectl create token` (the actual duration of the issu
|
|||
token might be shorter, or could even be longer).
|
||||
|
||||
When the `ServiceAccountTokenNodeBinding` and `ServiceAccountTokenNodeBindingValidation`
|
||||
features are enabled and the `KUBECTL_NODE_BOUND_TOKENS` enviroment variable is set to `true`,
|
||||
features are enabled and the `KUBECTL_NODE_BOUND_TOKENS` environment variable is set to `true`,
|
||||
it is possible to create a service account token that is directly bound to a `Node`:
|
||||
|
||||
```shell
|
||||
KUBECTL_NODE_BOUND_TOKENS=true kubectl create token build-robot --bound-object-kind Node --bound-object-name node-001 --bound-object-uid 123...456
|
||||
```
|
||||
|
||||
The token will be valid until it expires or either the assocaited `Node` or service account are deleted.
|
||||
The token will be valid until it expires or either the associated `Node` or service account are deleted.
|
||||
|
||||
{{< note >}}
|
||||
Versions of Kubernetes before v1.22 automatically created long term credentials for
|
||||
|
|
|
|||
|
|
@ -109,15 +109,15 @@ If your pod is not behaving as you expected, it may be that there was an error i
|
|||
pod description (e.g. `mypod.yaml` file on your local machine), and that the error
|
||||
was silently ignored when you created the pod. Often a section of the pod description
|
||||
is nested incorrectly, or a key name is typed incorrectly, and so the key is ignored.
|
||||
For example, if you misspelled `command` as `commnd` then the pod will be created but
|
||||
For example, if you misspelled `command` as `command` then the pod will be created but
|
||||
will not use the command line you intended it to use.
|
||||
|
||||
The first thing to do is to delete your pod and try creating it again with the `--validate` option.
|
||||
For example, run `kubectl apply --validate -f mypod.yaml`.
|
||||
If you misspelled `command` as `commnd` then will give an error like this:
|
||||
If you misspelled `command` as `command` then will give an error like this:
|
||||
|
||||
```shell
|
||||
I0805 10:43:25.129850 46757 schema.go:126] unknown field: commnd
|
||||
I0805 10:43:25.129850 46757 schema.go:126] unknown field: command
|
||||
I0805 10:43:25.129973 46757 schema.go:129] this may be a false alarm, see https://github.com/kubernetes/kubernetes/issues/6842
|
||||
pods/mypod
|
||||
```
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ content_type: concept
|
|||
|
||||
{{< note >}}
|
||||
If using containerd as your container runtime the pause image is specified in the
|
||||
`plugins.plugins.cri.sandbox_image` field of the of config.toml configration file.
|
||||
`plugins.plugins.cri.sandbox_image` field of the of config.toml configuration file.
|
||||
{{< /note >}}
|
||||
|
||||
1. My pods show status as `ErrImgPull` or `ImagePullBackOff`
|
||||
|
|
|
|||
|
|
@ -394,7 +394,7 @@ would be sent to the API server.
|
|||
#### Controlling pruning
|
||||
|
||||
By default, all unspecified fields for a custom resource, across all versions, are pruned. It is possible though to
|
||||
opt-out of that for specifc sub-trees of fields by adding `x-kubernetes-preserve-unknown-fields: true` in the
|
||||
opt-out of that for specific sub-trees of fields by adding `x-kubernetes-preserve-unknown-fields: true` in the
|
||||
[structural OpenAPI v3 validation schema](#specifying-a-structural-schema).
|
||||
|
||||
For example:
|
||||
|
|
|
|||
|
|
@ -91,7 +91,7 @@ apiVersion: v1
|
|||
clusters:
|
||||
- cluster:
|
||||
certificate-authority-data: LRMEMMW2 # shortened for readability
|
||||
server: https://<API_SERVER_IP_ADRESS>:6443 # the "Kubernetes API" server, in other words the IP address of kubernetes-remote-server.example
|
||||
server: https://<API_SERVER_IP_ADDRESS>:6443 # the "Kubernetes API" server, in other words the IP address of kubernetes-remote-server.example
|
||||
proxy-url: socks5://localhost:1080 # the "SSH SOCKS5 proxy" in the diagram above
|
||||
name: default
|
||||
contexts:
|
||||
|
|
|
|||
Loading…
Reference in New Issue