diff --git a/config.toml b/config.toml
index 932d91867056e..9a4e71fbeff86 100644
--- a/config.toml
+++ b/config.toml
@@ -63,10 +63,10 @@ time_format_blog = "Monday, January 02, 2006"
description = "Production-Grade Container Orchestration"
showedit = true
-latest = "v1.11"
+latest = "v1.12"
-fullversion = "v1.11.0"
-version = "v1.11"
+fullversion = "v1.12.0"
+version = "v1.12"
githubbranch = "master"
docsbranch = "master"
deprecated = false
@@ -76,10 +76,10 @@ githubWebsiteRepo = "github.com/kubernetes/website"
githubWebsiteRaw = "raw.githubusercontent.com/kubernetes/website"
[[params.versions]]
-fullversion = "v1.11.0"
-version = "v1.11"
-githubbranch = "v1.11.0"
-docsbranch = "release-1.11"
+fullversion = "v1.12.0"
+version = "v1.12"
+githubbranch = "v1.12.0"
+docsbranch = "release-1.12"
url = "https://kubernetes.io"
[params.pushAssets]
@@ -93,6 +93,13 @@ js = [
"script"
]
+[[params.versions]]
+fullversion = "v1.11.3"
+version = "v1.11"
+githubbranch = "v1.11.3"
+docsbranch = "release-1.11"
+url = "https://v1-11.docs.kubernetes.io"
+
[[params.versions]]
fullversion = "v1.10.3"
version = "v1.10"
@@ -114,12 +121,6 @@ githubbranch = "v1.8.4"
docsbranch = "release-1.8"
url = "https://v1-8.docs.kubernetes.io"
-[[params.versions]]
-fullversion = "v1.7.6"
-version = "v1.7"
-githubbranch = "v1.7.6"
-docsbranch = "release-1.7"
-url = "https://v1-7.docs.kubernetes.io"
# Language definitions.
diff --git a/content/en/docs/concepts/architecture/nodes.md b/content/en/docs/concepts/architecture/nodes.md
index f5868cc2bf99a..222a21c0203c2 100644
--- a/content/en/docs/concepts/architecture/nodes.md
+++ b/content/en/docs/concepts/architecture/nodes.md
@@ -76,11 +76,9 @@ the `Terminating` or `Unknown` state. In cases where Kubernetes cannot deduce fr
permanently left a cluster, the cluster administrator may need to delete the node object by hand. Deleting the node object from
Kubernetes causes all the Pod objects running on the node to be deleted from the apiserver, and frees up their names.
-Version 1.8 introduced an alpha feature that automatically creates
+In version 1.12, `TaintNodesByCondition` feature is promoted to beta,so node lifecycle controller automatically creates
[taints](/docs/concepts/configuration/taint-and-toleration/) that represent conditions.
-To enable this behavior, pass an additional feature gate flag `--feature-gates=...,TaintNodesByCondition=true`
-to the API server, controller manager, and scheduler.
-When `TaintNodesByCondition` is enabled, the scheduler ignores conditions when considering a Node; instead
+Similarly the scheduler ignores conditions when considering a Node; instead
it looks at the Node's taints and a Pod's tolerations.
Now users can choose between the old scheduling model and a new, more flexible scheduling model.
diff --git a/content/en/docs/concepts/cluster-administration/cloud-providers.md b/content/en/docs/concepts/cluster-administration/cloud-providers.md
index 6bc4729e6a42d..f87b567ca341f 100644
--- a/content/en/docs/concepts/cluster-administration/cloud-providers.md
+++ b/content/en/docs/concepts/cluster-administration/cloud-providers.md
@@ -9,7 +9,47 @@ This page explains how to manage Kubernetes running on a specific
cloud provider.
{{% /capture %}}
+{{< toc >}}
+
{{% capture body %}}
+### kubeadm
+[kubeadm](/docs/reference/setup-tools/kubeadm/kubeadm/) is a popular option for creating kubernetes clusters.
+kubeadm has configuration options to specify configuration information for cloud providers. For example a typical
+in-tree cloud provider can be configured using kubeadm as shown below:
+
+```yaml
+apiVersion: kubeadm.k8s.io/v1alpha3
+kind: InitConfiguration
+nodeRegistration:
+ kubeletExtraArgs:
+ cloud-provider: "openstack"
+ cloud-config: "/etc/kubernetes/cloud.conf"
+---
+kind: ClusterConfiguration
+apiVersion: kubeadm.k8s.io/v1alpha3
+kubernetesVersion: v1.12.0
+apiServerExtraArgs:
+ cloud-provider: "openstack"
+ cloud-config: "/etc/kubernetes/cloud.conf"
+apiServerExtraVolumes:
+- name: cloud
+ hostPath: "/etc/kubernetes/cloud.conf"
+ mountPath: "/etc/kubernetes/cloud.conf"
+controllerManagerExtraArgs:
+ cloud-provider: "openstack"
+ cloud-config: "/etc/kubernetes/cloud.conf"
+controllerManagerExtraVolumes:
+- name: cloud
+ hostPath: "/etc/kubernetes/cloud.conf"
+ mountPath: "/etc/kubernetes/cloud.conf"
+```
+
+The in-tree cloud providers typically need both `--cloud-provider` and `--cloud-config` specified in the command lines
+for the [kube-apiserver](/docs/admin/kube-apiserver/), [kube-controller-manager](/docs/admin/kube-controller-manager/) and the
+[kubelet](/docs/admin/kubelet/). The contents of the file specified in `--cloud-config` for each provider is documented below as well.
+
+For all external cloud providers, please follow the instructions on the individual repositories.
+
## AWS
This section describes all the possible configurations which can
be used when running Kubernetes on Amazon Web Services.
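Review bot: The new kubeadm section never says how the file passed to `--cloud-config` should be protected, although the example hostPath-mounts `/etc/kubernetes/cloud.conf` into both the kube-apiserver and the kube-controller-manager. For in-tree providers that file presumably holds the cloud API credentials (the diff does not show its contents, so confirm per provider). A sentence after the YAML example would cover it, for instance `Because cloud.conf usually contains cloud credentials, keep it owned by root and not world-readable on every node where it is placed.` Separately, `### kubeadm` is a third-level heading placed directly before the second-level `## AWS`, so `## kubeadm` would keep the page outline consistent.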
diff --git a/content/en/docs/concepts/cluster-administration/proxies.md b/content/en/docs/concepts/cluster-administration/proxies.md
index 419e422da79a7..8e03334d12b8e 100644
--- a/content/en/docs/concepts/cluster-administration/proxies.md
+++ b/content/en/docs/concepts/cluster-administration/proxies.md
@@ -36,7 +36,7 @@ There are several different proxies you may encounter when using Kubernetes:
1. The [kube proxy](/docs/concepts/services-networking/service/#ips-and-vips):
- runs on each node
- - proxies UDP and TCP
+ - proxies UDP, TCP and SCTP
- does not understand HTTP
- provides load balancing
- is just used to reach services
@@ -51,7 +51,8 @@ There are several different proxies you may encounter when using Kubernetes:
- are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer)
- are created automatically when the Kubernetes service has type `LoadBalancer`
- - use UDP/TCP only
+ - usually supports UDP/TCP only
+ - SCTP support is up to the load balancer implementation of the cloud provider
- implementation varies by cloud provider.
Kubernetes users will typically not need to worry about anything other than the first two types. The cluster admin
diff --git a/content/en/docs/concepts/configuration/pod-priority-preemption.md b/content/en/docs/concepts/configuration/pod-priority-preemption.md
index 689dfbe754826..f94f42f84d2ec 100644
--- a/content/en/docs/concepts/configuration/pod-priority-preemption.md
+++ b/content/en/docs/concepts/configuration/pod-priority-preemption.md
@@ -42,7 +42,7 @@ other pods to be evicted/not get scheduled. To resolve this issue,
[ResourceQuota](https://kubernetes.io/docs/concepts/policy/resource-quotas/) is
augmented to support Pod priority. An admin can create ResourceQuota for users
at specific priority levels, preventing them from creating pods at high
-priorities. However, this feature is in alpha as of Kubernetes 1.11.
+priorities. This feature is in beta since Kubernetes 1.12.
{{< /warning >}}
{{% /capture %}}
diff --git a/content/en/docs/concepts/configuration/scheduler-perf-tuning.md b/content/en/docs/concepts/configuration/scheduler-perf-tuning.md
new file mode 100644
index 0000000000000..f0dcfa47edd6d
--- /dev/null
+++ b/content/en/docs/concepts/configuration/scheduler-perf-tuning.md
@@ -0,0 +1,112 @@
+---
+reviewers:
+- bsalamat
+title: Scheduler Performance Tuning
+content_template: templates/concept
+weight: 70
+---
+
+{{% capture overview %}}
+
+{{< feature-state for_k8s_version="1.12" >}}
+
+Kube-scheduler is the Kubernetes default scheduler. It is responsible for
+placement of Pods on Nodes in a cluster. Nodes in a cluster that meet the
+scheduling requirements of a Pod are called "feasible" Nodes for the Pod. The
+scheduler finds feasible Nodes for a Pod and then runs a set of functions to
+score the feasible Nodes and picks a Node with the highest score among the
+feasible ones to run the Pod. The scheduler then notifies the API server about this
+decision in a process called "Binding".
+
+{{% /capture %}}
+
+{{% capture body %}}
+
+## Percentage of Nodes to Score
+
+Before Kubernetes 1.12, Kube-scheduler used to check the feasibility of all the
+nodes in a cluster and then scored the feasible ones. Kubernetes 1.12 has a new
+feature that allows the scheduler to stop looking for more feasible nodes once
+it finds a certain number of them. This improves the scheduler's performance in
+large clusters. The number is specified as a percentage of the cluster size and
+is controlled by a configuration option called `percentageOfNodesToScore`. The
+range should be between 1 and 100. Other values are considered as 100%. The
+default value of this option is 50%. A cluster administrator can change this value by providing a
+different value in the scheduler configuration. However, it may not be necessary to change this value.
+
+```yaml
+apiVersion: componentconfig/v1alpha1
+kind: KubeSchedulerConfiguration
+algorithmSource:
+ provider: DefaultProvider
+
+...
+
+percentageOfNodesToScore: 50
+```
+
+{{< note >}} **Note**: In clusters with zero or less than 50 feasible nodes, the
+scheduler still checks all the nodes, simply because there are not enough
+feasible nodes to stop the scheduler's search early. {{< /note >}}
+
+**To disable this feature**, you can set `percentageOfNodesToScore` to 100.
+
+### Tuning percentageOfNodesToScore
+
+`percentageOfNodesToScore` must be a value between 1 and 100
+with the default value of 50. There is also a hardcoded minimum value of 50
+nodes which is applied internally. The scheduler tries to find at
+least 50 nodes regardless of the value of `percentageOfNodesToScore`. This means
+that changing this option to lower values in clusters with several hundred nodes
+will not have much impact on the number of feasible nodes that the scheduler
+tries to find. This is intentional as this option is unlikely to improve
+performance noticeably in smaller clusters. In large clusters with over a 1000
+nodes setting this value to lower numbers may show a noticeable performance
+improvement.
+
+An important note to consider when setting this value is that when a smaller
+number of nodes in a cluster are checked for feasibility, some nodes are not
+sent to be scored for a given Pod. As a result, a Node which could possibly
+score a higher value for running the given Pod might not even be passed to the
+scoring phase. This would result in a less than ideal placement of the Pod. For
+this reason, the value should not be set to very low percentages. A general rule
+of thumb is to never set the value to anything lower than 30. Lower values
+should be used only when the scheduler's throughput is critical for your
+application and the score of nodes is not important. In other words, you prefer
+to run the Pod on any Node as long as it is feasible.
+
+It is not recommended to lower this value from its default if your cluster has
+only several hundred Nodes. It is unlikely to improve the scheduler's
+performance significantly.
+
+### How the scheduler iterates over Nodes
+
+This section is intended for those who want to understand the internal details
+of this feature.
+
+In order to give all the Nodes in a cluster a fair chance of being considered
+for running Pods, the scheduler iterates over the nodes in a round robin
+fashion. You can imagine that Nodes are in an array. The scheduler starts from
+the start of the array and checks feasibility of the nodes until it finds enough
+Nodes as specified by `percentageOfNodesToScore`. For the next Pod, the
+scheduler continues from the point in the Node array that it stopped at when checking
+feasibility of Nodes for the previous Pod.
+
+If Nodes are in multiple zones, the scheduler iterates over Nodes in various
+zones to ensure that Nodes from different zones are considered in the
+feasibility checks. As an example, consider six nodes in two zones:
+
+```
+Zone 1: Node 1, Node 2, Node 3, Node 4
+Zone 2: Node 5, Node 6
+```
+
+The Scheduler evaluates feasibility of the nodes in this order:
+
+```
+Node 1, Node 5, Node 2, Node 6, Node 3, Node 4
+```
+
+After going over all the Nodes, it goes back to Node 1.
+
+{{% /capture %}}
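Review bot: The `feature-state` shortcode at the top of this new page has no `state` attribute, so the page never says whether `percentageOfNodesToScore` is alpha, beta or stable. Every other `feature-state` added or changed in this commit carries one, for example `state="alpha"` on the RuntimeClass page and `state="beta"` on the resource quota page. Add the state that applies, `{{< feature-state for_k8s_version="1.12" state="<STATE>" >}}`; I cannot tell from the diff which one is correct. The first section also says the range `should be between 1 and 100` and then that other values `are considered as 100%`, so it is worth stating plainly that an out-of-range value turns the feature off rather than failing validation, if that is the actual behaviour.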
diff --git a/content/en/docs/concepts/configuration/secret.md b/content/en/docs/concepts/configuration/secret.md
index 4be830729a133..13a319fc71af4 100644
--- a/content/en/docs/concepts/configuration/secret.md
+++ b/content/en/docs/concepts/configuration/secret.md
@@ -343,9 +343,15 @@ files.
When a secret being already consumed in a volume is updated, projected keys are eventually updated as well.
Kubelet is checking whether the mounted secret is fresh on every periodic sync.
-However, it is using its local ttl-based cache for getting the current value of the secret.
-As a result, the total delay from the moment when the secret is updated to the moment when new keys are
-projected to the pod can be as long as kubelet sync period + ttl of secrets cache in kubelet.
+However, it is using its local cache for getting the current value of the Secret.
+The type of the cache is configurable using the (`ConfigMapAndSecretChangeDetectionStrategy` field in
+[KubeletConfiguration struct](https://github.com/kubernetes/kubernetes/blob/{{< param "docsbranch" >}}/pkg/kubelet/apis/kubeletconfig/v1beta1/types.go)).
+It can be either propagated via watch (default), ttl-based, or simply redirecting
+all requests to directly kube-apiserver.
+As a result, the total delay from the moment when the Secret is updated to the moment
+when new keys are projected to the Pod can be as long as kubelet sync period + cache
+propagation delay, where cache propagation delay depends on the chosen cache type
+(it equals to watch propagation delay, ttl of cache, or zero corespondingly).
{{< note >}}
**Note:** A container using a Secret as a
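Review bot: The rewritten paragraph on Secret propagation is hard to parse at the two places that carry the information. The sentence naming `ConfigMapAndSecretChangeDetectionStrategy` is wrapped in stray parentheses, and `simply redirecting all requests to directly kube-apiserver` has its words out of order. Suggested wording: `The type of the cache is configurable using the ConfigMapAndSecretChangeDetectionStrategy field in the KubeletConfiguration struct.` and `or by sending all requests directly to kube-apiserver`; `corespondingly` should read `respectively`. Operators rely on this paragraph when rotating credentials, so it would also help to say outright that a Pod can keep seeing the old Secret value for up to the stated delay.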
diff --git a/content/en/docs/concepts/configuration/taint-and-toleration.md b/content/en/docs/concepts/configuration/taint-and-toleration.md
index 9292ebcaae48b..ceab0e271acf3 100644
--- a/content/en/docs/concepts/configuration/taint-and-toleration.md
+++ b/content/en/docs/concepts/configuration/taint-and-toleration.md
@@ -279,9 +279,10 @@ which matches the behavior when this feature is disabled.
## Taint Nodes by Condition
-Version 1.8 introduces an alpha feature that causes the node controller to create taints corresponding to
-Node conditions. When this feature is enabled (you can do this by including `TaintNodesByCondition=true` in the `--feature-gates` command line flag to the scheduler, such as
-`--feature-gates=FooBar=true,TaintNodesByCondition=true`), the scheduler does not check Node conditions; instead the scheduler checks taints. This assures that Node conditions don't affect what's scheduled onto the Node. The user can choose to ignore some of the Node's problems (represented as Node conditions) by adding appropriate Pod tolerations.
+In version 1.12, `TaintNodesByCondition` feature is promoted to beta, so node lifecycle controller automatically creates taints corresponding to
+Node conditions.
+Similarly the scheduler does not check Node conditions; instead the scheduler checks taints. This assures that Node conditions don't affect what's scheduled onto the Node. The user can choose to ignore some of the Node's problems (represented as Node conditions) by adding appropriate Pod tolerations.
+Note that `TaintNodesByCondition` only taints nodes with `NoSchedule` effect. `NoExecute` effect is controlled by `TaintBasedEviction` which is an alpha feature and disabled by default.
Starting in Kubernetes 1.8, the DaemonSet controller automatically adds the
following `NoSchedule` tolerations to all daemons, to prevent DaemonSets from
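Review bot: The added sentence names the gate that controls the `NoExecute` effect as `TaintBasedEviction`, but the feature gate is spelled `TaintBasedEvictions`. A reader who copies the name from this page into `--feature-gates` will not enable the feature. Change it to ``controlled by `TaintBasedEvictions`, which is an alpha feature and disabled by default``. The section continues past the end of this hunk, so I have not checked whether the rest of it still matches the beta behaviour described here.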
diff --git a/content/en/docs/concepts/containers/images.md b/content/en/docs/concepts/containers/images.md
index dd2c40c067565..045529d5b8cbe 100644
--- a/content/en/docs/concepts/containers/images.md
+++ b/content/en/docs/concepts/containers/images.md
@@ -32,6 +32,26 @@ you can do one of the following:
Note that you should avoid using `:latest` tag, see [Best Practices for Configuration](/docs/concepts/configuration/overview/#container-images) for more information.
+## Building Multi-architecture Images with Manifests
+
+Docker CLI now supports the following command `docker manifest` with sub commands like `create`, `annotate` and `push`. These commands can be used to build and push the manifests. You can use `docker manifest inspect` to view the manifest.
+
+Please see docker documentation here:
+https://docs.docker.com/edge/engine/reference/commandline/manifest/
+
+See examples on how we use this in our build harness:
+https://cs.k8s.io/?q=docker%20manifest%20(create%7Cpush%7Cannotate)&i=nope&files=&repos=
+
+These commands rely on and are implemented purely on the Docker CLI. You will need to either edit the `$HOME/.docker/config.json` and set `experimental` key to `enabled` or you can just set `DOCKER_CLI_EXPERIMENTAL` environment variable to `enabled` when you call the CLI commands.
+
+{{< note >}}
+**Note:** Please use Docker *18.06 or above*, versions below that either have bugs or do not support the experimental command line option. Example https://github.com/docker/cli/issues/1135 causes problems under containerd.
+{{< /note >}}
+
+If you run into trouble with uploading stale manifests, just clean up the older manifests in `$HOME/.docker/manifests` to start fresh.
+
+For Kubernetes, we have typically used images with suffix `-$(ARCH)`. For backward compatability, please generate the older images with suffixes. The idea is to generate say `pause` image which has the manifest for all the arch(es) and say `pause-amd64` which is backwards compatible for older configurations or YAML files which may have hard coded the images with suffixes.
+
## Using a Private Registry
Private registries may require keys to read images from them.
diff --git a/content/en/docs/concepts/containers/runtime-class.md b/content/en/docs/concepts/containers/runtime-class.md
new file mode 100644
index 0000000000000..eef2a4f0066cf
--- /dev/null
+++ b/content/en/docs/concepts/containers/runtime-class.md
@@ -0,0 +1,122 @@
+---
+reviewers:
+- tallclair
+- dchen1107
+title: Runtime Class
+content_template: templates/concept
+weight: 20
+---
+
+{{% capture overview %}}
+
+{{< feature-state for_k8s_version="v1.12" state="alpha" >}}
+
+This page describes the RuntimeClass resource and runtime selection mechanism.
+
+{{% /capture %}}
+
+{{< toc >}}
+
+{{% capture body %}}
+
+## Runtime Class
+
+RuntimeClass is an alpha feature for selecting the container runtime configuration to use to run a
+pod's containers.
+
+### Set Up
+
+As an early alpha feature, there are some additional setup steps that must be taken in order to use
+the RuntimeClass feature:
+
+1. Enable the RuntimeClass feature gate (on apiservers & kubelets, requires version 1.12+)
+2. Install the RuntimeClass CRD
+3. Configure the CRI implementation on nodes (runtime dependent)
+4. Create the corresponding RuntimeClass resources
+
+#### 1. Enable the RuntimeClass feature gate
+
+See [Feature Gates](/docs/reference/command-line-tools-reference/feature-gates/) for an explanation
+of enabling feature gates. The `RuntimeClass` feature gate must be enabled on apiservers _and_
+kubelets.
+
+#### 2. Install the RuntimeClass CRD
+
+The RuntimeClass [CustomResourceDefinition][/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/] (CRD) can be found in the addons directory of the
+Kubernetes git repo:
+
+https://github.com/kubernetes/kubernetes/tree/release-1.12/cluster/addons/runtimeclass/runtimeclass_crd.yaml
+
+Install the CRD with `kubectl apply -f runtimeclass_crd.yaml`.
+
+[CustomResourceDefinition][/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/]
+
+#### 3. Configure the CRI implementation on nodes
+
+The configurations to select between with RuntimeClass are CRI implementation dependent. See the
+corresponding documentation for your CRI implementation for how to configure. As this is an alpha
+feature, not all CRIs support multiple RuntimeClasses yet.
+
+{{< note >}}
+**Note:** RuntimeClass currently assumes a homogeneous node configuration across the cluster
+(which means that all nodes are configured the same way with respect to container runtimes). Any heterogeneity (varying configurations) must be
+managed independently of RuntimeClass through scheduling features (see [Assigning Pods to
+Nodes](/docs/concepts/configuration/assign-pod-node/)).
+{{< /note >}}
+
+The configurations have a corresponding `RuntimeHandler` name, referenced by the RuntimeClass. The
+RuntimeHandler must be a valid DNS 1123 subdomain (alpha-numeric + `-` and `.` characters).
+
+#### 4. Create the corresponding RuntimeClass resources
+
+The configurations setup in step 3 should each have an associated `RuntimeHandler` name, which
+identifies the configuration. For each RuntimeHandler (and optionally the empty `""` handler),
+create a corresponding RuntimeClass object.
+
+The RuntimeClass resource currently only has 2 significant fields: the RuntimeClass name
+(`metadata.name`) and the RuntimeHandler (`spec.runtimeHandler`). The object definition looks like this:
+
+```yaml
+apiVersion: node.k8s.io/v1alpha1 # RuntimeClass is defined in the node.k8s.io API group
+kind: RuntimeClass
+metadata:
+ name: myclass # The name the RuntimeClass will be referenced by
+ # RuntimeClass is a non-namespaced resource
+spec:
+ runtimeHandler: myconfiguration # The name of the correpsonding CRI configuration
+```
+
+
+{{< note >}}
+
+**Note:** It is recommended that RuntimeClass write operations (create/update/patch/delete) be
+restricted to the cluster administrator. This is typically the default. See [Authorization
+Overview](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) for more details.
+
+{{< /note >}}
+
+### Usage
+
+Once RuntimeClasses are configured for the cluster, using them is very simple. Specify a
+`runtimeClassName` in the Pod spec. For example:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: mypod
+spec:
+ runtimeClassName: myclass
+ # ...
+```
+
+This will instruct the Kubelet to use the named RuntimeClass to run this pod. If the named
+RuntimeClass does not exist, or the CRI cannot run the corresponding handler, the pod will enter the
+`Failed` terminal [phase](/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase). Look for a
+corresponding [event](/docs/tasks/debug-application-cluster/debug-application-introspection/) for an
+error message.
+
+If no `runtimeClassName` is specified, the default RuntimeHandler will be used, which is equivalent
+to the behavior when the RuntimeClass feature is disabled.
+
+{{% /capture %}}
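Review bot: In step 2 the CRD link is written as `[CustomResourceDefinition][/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/]`, which is reference-link syntax with a path as the label and will not render as a link. It should use parentheses, `[CustomResourceDefinition](/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/)`. The same broken text is repeated on a line of its own after the `kubectl apply` sentence and can be deleted. The step also gives a GitHub `tree/` URL for a single file and then runs `kubectl apply -f runtimeclass_crd.yaml` against a local name, so it should say to download the file from the `release-1.12` branch first. In the YAML example, `correpsonding` should be `corresponding`.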
diff --git a/content/en/docs/concepts/policy/pod-security-policy.md b/content/en/docs/concepts/policy/pod-security-policy.md
index 432d7c1662723..8570ea99a3dca 100644
--- a/content/en/docs/concepts/policy/pod-security-policy.md
+++ b/content/en/docs/concepts/policy/pod-security-policy.md
@@ -42,6 +42,7 @@ administrator to control the following:
| Restricting escalation to root privileges | [`allowPrivilegeEscalation`, `defaultAllowPrivilegeEscalation`](#privilege-escalation) |
| Linux capabilities | [`defaultAddCapabilities`, `requiredDropCapabilities`, `allowedCapabilities`](#capabilities) |
| The SELinux context of the container | [`seLinux`](#selinux) |
+| The Allowed Proc Mount types for the container | [`allowedProcMountTypes`](#allowedProcMountTypes) |
| The AppArmor profile used by containers | [annotations](#apparmor) |
| The seccomp profile used by containers | [annotations](#seccomp) |
| The sysctl profile used by containers | [annotations](#sysctl) |
@@ -421,6 +422,9 @@ The **recommended minimum set** of allowed volumes for new PSPs are:
- *MustRunAs* - Requires at least one `range` to be specified. Uses the
minimum value of the first range as the default. Validates against all ranges.
+- *MayRunAs* - Requires at least one `range` to be specified. Allows
+`FSGroups` to be left unset without providing a default. Validates against
+all ranges if `FSGroups` is set.
- *RunAsAny* - No default provided. Allows any `fsGroup` ID to be specified.
**AllowedHostPaths** - This specifies a whitelist of host paths that are allowed
@@ -487,10 +491,24 @@ image. No default provided. Setting `allowPrivilegeEscalation=false` is strongly
recommended with this strategy.
- *RunAsAny* - No default provided. Allows any `runAsUser` to be specified.
+**RunAsGroup** - Controls the what primary group ID containers run as.
+
+- *MustRunAs* - Requires at least one `range` to be specified. Uses the
+minimum value of the first range as the default. Validates against all ranges.
+- *MustRunAsNonRoot* - Requires that the pod be submitted with a non-zero
+`runAsUser` or have the `USER` directive defined (using a numeric GID) in the
+image. No default provided. Setting `allowPrivilegeEscalation=false` is strongly
+recommended with this strategy.
+- *RunAsAny* - No default provided. Allows any `runAsGroup` to be specified.
+
+
**SupplementalGroups** - Controls which group IDs containers add.
- *MustRunAs* - Requires at least one `range` to be specified. Uses the
minimum value of the first range as the default. Validates against all ranges.
+- *MayRunAs* - Requires at least one `range` to be specified. Allows
+`supplementalGroups` to be left unset without providing a default.
+Validates against all ranges if `supplementalGroups` is set.
- *RunAsAny* - No default provided. Allows any `supplementalGroups` to be
specified.
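Review bot: The `MustRunAsNonRoot` bullet under the new **RunAsGroup** entry looks copied from **RunAsUser** and was not adapted. It requires a non-zero `runAsUser` and a `USER` directive while speaking of a numeric GID, so the page does not say what is actually validated for the group ID. Please confirm against the PodSecurityPolicy API types whether `RunAsGroup` accepts `MustRunAsNonRoot` at all; if it does not, drop the bullet, and if it does, reword it in terms of `runAsGroup`. Leaving it as is can make an administrator believe a policy blocks GID 0 when it does not. The lead sentence also has a stray word and would read better as ``**RunAsGroup** - Controls which primary group ID the containers run with.``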
@@ -548,6 +566,21 @@ for the default list of capabilities when using the Docker runtime.
- *RunAsAny* - No default provided. Allows any `seLinuxOptions` to be
specified.
+### AllowedProcMountTypes
+
+`allowedProcMountTypes` is a whitelist of allowed ProcMountTypes.
+Empty or nil indicates that only the `DefaultProcMountType` may be used.
+
+`DefaultProcMount` uses the container runtime defaults for readonly and masked
+paths for /proc. Most container runtimes mask certain paths in /proc to avoid
+accidental security exposure of special devices or information. This is denoted
+as the string `Default`.
+
+The only other ProcMountType is `UnmaskedProcMount`, which bypasses the
+default masking behavior of the container runtime and ensures the newly
+created /proc the container stays in tact with no modifications. This is
+denoted as the string `Unmasked`.
+
### AppArmor
Controlled via annotations on the PodSecurityPolicy. Refer to the [AppArmor
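Review bot: The new AllowedProcMountTypes section uses two names for the same value, `DefaultProcMountType` in the first paragraph and `DefaultProcMount` in the second. It also does not make clear that what goes in the policy is the string `Default` or `Unmasked`. Pick one name and say so, for example ``An empty or nil list means only `Default` may be used.`` The section explains that runtimes mask `/proc` paths to avoid exposing devices or information, so it should add that `Unmasked` removes that protection and belongs only in policies bound to workloads that need it. The last paragraph should read `ensures the newly created /proc for the container stays intact`. The table row added in the first hunk links to `#allowedProcMountTypes`, while the other rows use lowercase anchors, so that link may not resolve.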
diff --git a/content/en/docs/concepts/policy/resource-quotas.md b/content/en/docs/concepts/policy/resource-quotas.md
index e4ad1274b03ca..55c9a6880062c 100644
--- a/content/en/docs/concepts/policy/resource-quotas.md
+++ b/content/en/docs/concepts/policy/resource-quotas.md
@@ -194,7 +194,7 @@ The `Terminating`, `NotTerminating`, and `NotBestEffort` scopes restrict a quota
### Resource Quota Per PriorityClass
-{{< feature-state for_k8s_version="1.11" state="alpha" >}}
+{{< feature-state for_k8s_version="1.12" state="beta" >}}
Pods can be created at a specific [priority](/docs/concepts/configuration/pod-priority-preemption/#pod-priority).
You can control a pod's consumption of system resources based on a pod's priority, by using the `scopeSelector`
@@ -548,7 +548,7 @@ kind: AdmissionConfiguration
plugins:
- name: "ResourceQuota"
configuration:
- apiVersion: resourcequota.admission.k8s.io/v1alpha1
+ apiVersion: resourcequota.admission.k8s.io/v1beta1
kind: Configuration
limitedResources:
- resource: pods
@@ -568,10 +568,6 @@ For example:
values: ["cluster-services"]
```
-{{< note >}}
-**Note:** `scopeSelector` is an alpha field and feature gate `ResourceQuotaScopeSelectors` must be enabled before using it.
-{{< /note >}}
-
See [LimitedResources](https://github.com/kubernetes/kubernetes/pull/36765) and [Quota supoport for priority class design doc](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/scheduling/pod-priority-resourcequota.md) for more information.
## Example
diff --git a/content/en/docs/concepts/services-networking/network-policies.md b/content/en/docs/concepts/services-networking/network-policies.md
index 89ff50f6d6493..45f68088c5962 100644
--- a/content/en/docs/concepts/services-networking/network-policies.md
+++ b/content/en/docs/concepts/services-networking/network-policies.md
@@ -246,6 +246,15 @@ spec:
This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.
+## SCTP support
+
+{{< feature-state for_k8s_version="v1.12" state="alpha" >}}
+
+Kubernetes supports SCTP as a `protocol` value in `NetworkPolicy` definitions as an alpha feature. To enable this feature, the cluster administrator needs to enable the `SCTPSupport` feature gate on the apiserver, for example, `“--feature-gates=SCTPSupport=true,...”`. When the feature gate is enabled, users can set the `protocol` field of a `NetworkPolicy` to `SCTP`. Kubernetes sets up the network accordingly for the SCTP associations, just like it does for TCP connections.
+
+The CNI plugin has to support SCTP as `protocol` value in `NetworkPolicy`.
+
+
{{% /capture %}}
{{% capture whatsnext %}}
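Review bot: The feature-gate example in the new SCTP section is wrapped in typographic quotes inside the code span, `“--feature-gates=SCTPSupport=true,...”`, so pasting it into a command line passes the quote characters as part of the flag. The same text appears in the SCTP section added to `services-networking/service.md`. Use plain `--feature-gates=SCTPSupport=true,...` in both places. The closing sentence says the CNI plugin `has to support` SCTP in `NetworkPolicy` but not what happens when it does not. Since this is an isolation control, the page should say whether SCTP traffic is then left unfiltered; I cannot tell from the diff.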
diff --git a/content/en/docs/concepts/services-networking/service.md b/content/en/docs/concepts/services-networking/service.md
index a361ccbac9bc4..ce529a53bfc66 100644
--- a/content/en/docs/concepts/services-networking/service.md
+++ b/content/en/docs/concepts/services-networking/service.md
@@ -84,9 +84,13 @@ deploying and evolving your `Services`. For example, you can change the port
number that pods expose in the next version of your backend software, without
breaking clients.
-Kubernetes `Services` support `TCP` and `UDP` for protocols. The default
+Kubernetes `Services` support `TCP`, `UDP` and `SCTP` for protocols. The default
is `TCP`.
+{{< note >}}
+**Note:** SCTP support is an alpha feature since Kubernetes 1.12
+{{< /note >}}
+
### Services without selectors
Services generally abstract access to Kubernetes `Pods`, but they can also
@@ -459,6 +463,12 @@ cloud provider does not support the feature, the field will be ignored.
public IP address resource needs to be created first, and it should be in the same resource
group of the other automatically created resources of the cluster. For example, `MC_myResourceGroup_myAKSCluster_eastus`. Specify the assigned IP address as loadBalancerIP. Ensure that you have updated the securityGroupName in the cloud provider configuration file. For information about troubleshooting `CreatingLoadBalancerFailed` permission issues see, [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](https://docs.microsoft.com/en-us/azure/aks/static-ip) or [CreatingLoadBalancerFailed on AKS cluster with advanced networking](https://github.com/Azure/AKS/issues/357).
+{{< note >}}
+**Note:** The support of SCTP in the cloud provider's load balancer is up to the cloud provider's
+load balancer implementation. If SCTP is not supported by the cloud provider's load balancer the
+Service creation request is accepted but the creation of the load balancer fails.
+{{< /note >}}
+
#### Internal load balancer
In a mixed environment it is sometimes necessary to route traffic from services inside the same VPC.
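Review bot: This note says that when the cloud load balancer lacks SCTP support `the Service creation request is accepted but the creation of the load balancer fails`. The `Service with type=LoadBalancer` warning added in the last hunk of this file says the opposite, that `the Service creation request is rejected`. Only one of these can describe the API behaviour, so one of the two passages needs correcting after checking the implementation. Users need to know whether to expect an immediate API error or a Service object left without a working load balancer. In that later hunk `assoications` should also be `associations`.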
@@ -922,6 +932,32 @@ Service is a top-level resource in the Kubernetes REST API. More details about t
API object can be found at:
[Service API object](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#service-v1-core).
+## SCTP support
+
+{{< feature-state for_k8s_version="v1.12" state="alpha" >}}
+
+Kubernetes supports SCTP as a `protocol` value in `Service`, `Endpoint`, `NetworkPolicy` and `Pod` definitions as an alpha feature. To enable this feature, the cluster administrator needs to enable the `SCTPSupport` feature gate on the apiserver, for example, `“--feature-gates=SCTPSupport=true,...”`. When the feature gate is enabled, users can set the `protocol` field of a `Service`, `Endpoint`, `NetworkPolicy` and `Pod` to `SCTP`. Kubernetes sets up the network accordingly for the SCTP associations, just like it does for TCP connections.
+
+### Warnings
+
+#### The support of multihomed SCTP associations
+
+The support of multihomed SCTP associations requires that the CNI plugin can support the assignment of multiple interfaces and IP addresses to a `Pod`.
+
+NAT for multihomed SCTP assoications requires special logic in the corresponding kernel modules.
+
+#### Service with type=LoadBalancer
+
+A `Service` with `type` LoadBalancer and `protocol` SCTP can be created only if the cloud provider's load balancer implementation supports SCTP as a protocol. Otherwise the `Service` creation request is rejected. The current set of cloud load balancer providers (`Azure`, `AWS`, `CloudStack`, `GCE`, `OpenStack`) do not support SCTP.
+
+#### Windows
+
+SCTP is not supported on Windows based nodes.
+
+#### Userspace kube-proxy
+
+The kube-proxy does not support the management of SCTP associations when it is in userspace mode.
+
{{% /capture %}}
{{% capture whatsnext %}}
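Review bot: The feature-gate example in the "SCTP support" paragraph puts typographic quotes inside the code span (`“--feature-gates=SCTPSupport=true,...”`), so copying it into a shell or a manifest passes the quote characters as part of the argument. Write it as `--feature-gates=SCTPSupport=true,...` with no quotes. "assoications" under "The support of multihomed SCTP associations" should be "associations". The paragraph lists `NetworkPolicy` among the objects that accept `SCTP`, so the Warnings list would probably benefit from a line saying that enforcement of such rules depends on the network plugin in use; that wording should be confirmed before it is added.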
diff --git a/content/en/docs/concepts/storage/dynamic-provisioning.md b/content/en/docs/concepts/storage/dynamic-provisioning.md
index ee8c0777d8d3f..cb180fb706f72 100644
--- a/content/en/docs/concepts/storage/dynamic-provisioning.md
+++ b/content/en/docs/concepts/storage/dynamic-provisioning.md
@@ -124,6 +124,13 @@ Note that there can be at most one *default* storage class on a cluster, or
a `PersistentVolumeClaim` without `storageClassName` explicitly specified cannot
be created.
+## Topology Awareness
+
+In [Multi-Zone](/docs/setup/multiple-zones) clusters, Pods can be spread across
+Zones in a Region. Single-Zone storage backends should be provisioned in the Zones where
+Pods are scheduled. This can be accomplished by setting the [Volume Binding
+Mode](/docs/concepts/storage/storage-classes/#volume-binding-mode).
+
{{% /capture %}}
diff --git a/content/en/docs/concepts/storage/persistent-volumes.md b/content/en/docs/concepts/storage/persistent-volumes.md
index ec3f87bead2e7..688a142f6622c 100644
--- a/content/en/docs/concepts/storage/persistent-volumes.md
+++ b/content/en/docs/concepts/storage/persistent-volumes.md
@@ -631,6 +631,34 @@ Volume binding matrix for statically provisioned volumes:
**Note:** Only statically provisioned volumes are supported for alpha release. Administrators should take care to consider these values when working with raw block devices.
{{< /note >}}
+## Volume Snapshot and Restore Volume from Snapshot Support
+
+{{< feature-state for_k8s_version="v1.12" state="alpha" >}}
+
+Volume snapshot feature was added to support CSI Volume Plugins only. For details, see [volume snapshots](/docs/concepts/storage/volume-snapshots/).
+
+To enable support for restoring a volume from a volume snapshot data source, enable the
+`VolumeSnapshotDataSource` feature gate on the apiserver and controller-manager.
+
+### Create Persistent Volume Claim from Volume Snapshot
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: restore-pvc
+spec:
+ storageClassName: csi-hostpath-sc
+ dataSource:
+ name: new-snapshot-test
+ kind: VolumeSnapshot
+ apiGroup: snapshot.storage.k8s.io
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+```
+
## Writing Portable Configuration
If you're writing configuration templates or examples that run on a wide range of clusters
diff --git a/content/en/docs/concepts/storage/storage-classes.md b/content/en/docs/concepts/storage/storage-classes.md
index ce189c3c51c9b..0cd7d0afbcc0a 100644
--- a/content/en/docs/concepts/storage/storage-classes.md
+++ b/content/en/docs/concepts/storage/storage-classes.md
@@ -55,6 +55,7 @@ parameters:
reclaimPolicy: Retain
mountOptions:
- debug
+volumeBindingMode: Immediate
```
### Provisioner
@@ -64,7 +65,7 @@ for provisioning PVs. This field must be specified.
| Volume Plugin | Internal Provisioner| Config Example |
| :--- | :---: | :---: |
-| AWSElasticBlockStore | ✓ | [AWS](#aws) |
+| AWSElasticBlockStore | ✓ | [AWS EBS](#aws-ebs) |
| AzureFile | ✓ | [Azure File](#azure-file) |
| AzureDisk | ✓ | [Azure Disk](#azure-disk) |
| CephFS | - | - |
@@ -72,7 +73,7 @@ for provisioning PVs. This field must be specified.
| FC | - | - |
| Flexvolume | - | - |
| Flocker | ✓ | - |
-| GCEPersistentDisk | ✓ | [GCE](#gce) |
+| GCEPersistentDisk | ✓ | [GCE PD](#gce-pd) |
| Glusterfs | ✓ | [Glusterfs](#glusterfs) |
| iSCSI | - | - |
| Quobyte | ✓ | [Quobyte](#quobyte) |
@@ -118,6 +119,74 @@ If the volume plugin does not support mount options but mount options are
specified, provisioning will fail. Mount options are not validated on either
the class or PV, so mount of the PV will simply fail if one is invalid.
+### Volume Binding Mode
+
+{{< feature-state for_k8s_version="v1.12" state="beta" >}}
+
+**Note:** This feature requires the `VolumeScheduling` feature gate to be
+enabled.
+
+The `volumeBindingMode` field controls when [volume binding and dynamic
+provisioning](/docs/concepts/storage/persistent-volumes/#provisioning) should occur.
+
+By default, the `Immediate` mode indicates that volume binding and dynamic
+provisioning occurs once the PersistentVolumeClaim is created. For storage
+backends that are topology-constrained and not globally accessible from all Nodes
+in the cluster, PersistentVolumes will be bound or provisioned without knowledge of the Pod's scheduling
+requirements. This may result in unschedulable Pods.
+
+A cluster administrator can address this issue by specifying the `WaitForFirstConsumer` mode which
+will delay the binding and provisioning of a PersistentVolume until a Pod using the PersistentVolumeClaim is created.
+PersistentVolumes will be selected or provisioned conforming to the topology that is
+specified by the Pod's scheduling constraints. These include, but are not limited to, [resource
+requirements](/docs/concepts/configuration/manage-compute-resources-container),
+[node selectors](/docs/concepts/configuration/assign-pod-node/#nodeselector),
+[pod affinity and
+anti-affinity](/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity),
+and [taints and tolerations](/docs/concepts/configuration/taint-and-toleration).
+
+The following plugins support `WaitForFirstConsumer` with dynamic provisioning:
+
+* [AWSElasticBlockStore](#aws-ebs)
+* [GCEPersistentDisk](#gce-pd)
+* [AzureDisk](#azure-disk)
+
+The following plugins support `WaitForFirstConsumer` with pre-created PersistentVolume binding:
+
+* All of the above
+* [Local](#local)
+
+### Allowed Topologies
+{{< feature-state for_k8s_version="v1.12" state="beta" >}}
+
+**Note:** This feature requires the `VolumeScheduling` feature gate to be
+enabled.
+
+When a cluster operactor specifies the `WaitForFirstConsumer` volume binding mode, it is no longer necessary
+to restrict provisioning to specific topologies in most situations. However,
+if still required, `allowedTopologies` can be specified.
+
+This example demonstrates how to restrict the topology of provisioned volumes to specific
+zones and should be used as a replacement for the `zone` and `zones` parameters for the
+supported plugins.
+
+```yaml
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+ name: standard
+provisioner: kubernetes.io/gce-pd
+parameters:
+ type: pd-standard
+volumeBindingMode: WaitForFirstConsumer
+allowedTopologies:
+- matchLabelExpressions:
+ - key: failure-domain.beta.kubernetes.io/zone
+ values:
+ - us-central1-a
+ - us-central1-b
+```
+
## Parameters
Storage classes have parameters that describe volumes belonging to the storage
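Review bot: "cluster operactor" in the first sentence under "Allowed Topologies" is a typo for "cluster operator". Both new sections write their feature-gate remark as a bare `**Note:**` paragraph, whereas service.md in this commit wraps notes in the `{{< note >}}` shortcode; using the shortcode here keeps the rendering consistent. The remark says `VolumeScheduling` must be enabled while the section is marked beta, so it would help to state whether the gate is already on by default in 1.12 or still has to be set by hand.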
@@ -126,7 +195,7 @@ class. Different parameters may be accepted depending on the `provisioner`. For
`iopsPerGB` are specific to EBS. When a parameter is omitted, some default is
used.
-### AWS
+### AWS EBS
```yaml
kind: StorageClass
@@ -136,7 +205,6 @@ metadata:
provisioner: kubernetes.io/aws-ebs
parameters:
type: io1
- zones: us-east-1d, us-east-1c
iopsPerGB: "10"
fsType: ext4
```
@@ -144,10 +212,10 @@ parameters:
* `type`: `io1`, `gp2`, `sc1`, `st1`. See
[AWS docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html)
for details. Default: `gp2`.
-* `zone`: AWS zone. If neither `zone` nor `zones` is specified, volumes are
+* `zone` (Deprecated): AWS zone. If neither `zone` nor `zones` is specified, volumes are
generally round-robin-ed across all active zones where Kubernetes cluster
has a node. `zone` and `zones` parameters must not be used at the same time.
-* `zones`: A comma separated list of AWS zone(s). If neither `zone` nor `zones`
+* `zones` (Deprecated): A comma separated list of AWS zone(s). If neither `zone` nor `zones`
is specified, volumes are generally round-robin-ed across all active zones
where Kubernetes cluster has a node. `zone` and `zones` parameters must not
be used at the same time.
@@ -164,7 +232,10 @@ parameters:
encrypting the volume. If none is supplied but `encrypted` is true, a key is
generated by AWS. See AWS docs for valid ARN value.
-### GCE
+**Note:** `zone` and `zones` parameters are deprecated and replaced with
+[allowedTopologies](#allowed-topologies)
+
+### GCE PD
```yaml
kind: StorageClass
@@ -174,15 +245,14 @@ metadata:
provisioner: kubernetes.io/gce-pd
parameters:
type: pd-standard
- zones: us-central1-a, us-central1-b
replication-type: none
```
* `type`: `pd-standard` or `pd-ssd`. Default: `pd-standard`
-* `zone`: GCE zone. If neither `zone` nor `zones` is specified, volumes are
+* `zone` (Deprecated): GCE zone. If neither `zone` nor `zones` is specified, volumes are
generally round-robin-ed across all active zones where Kubernetes cluster has
a node. `zone` and `zones` parameters must not be used at the same time.
-* `zones`: A comma separated list of GCE zone(s). If neither `zone` nor `zones`
+* `zones` (Deprecated): A comma separated list of GCE zone(s). If neither `zone` nor `zones`
is specified, volumes are generally round-robin-ed across all active zones
where Kubernetes cluster has a node. `zone` and `zones` parameters must not
be used at the same time.
@@ -199,6 +269,9 @@ specified, Kubernetes will arbitrarily choose among the specified zones. If the
`zones` parameter is omitted, Kubernetes will arbitrarily choose among zones
managed by the cluster.
+**Note:** `zone` and `zones` parameters are deprecated and replaced with
+[allowedTopologies](#allowed-topologies)
+
### Glusterfs
```yaml
diff --git a/content/en/docs/concepts/storage/storage-limits.md b/content/en/docs/concepts/storage/storage-limits.md
index d291c6eca2b68..b01d54e89dd5f 100644
--- a/content/en/docs/concepts/storage/storage-limits.md
+++ b/content/en/docs/concepts/storage/storage-limits.md
@@ -11,11 +11,11 @@ content_template: templates/concept
{{% capture overview %}}
This page describes the maximum number of volumes that can be attached
-to a node for various cloud providers.
+to a Node for various cloud providers.
Cloud providers like Google, Amazon, and Microsoft typically have a limit on
-how many volumes can be attached to a node. It is important for Kubernetes to
-respect those limits. Otherwise, Pods scheduled on a node could get stuck
+how many volumes can be attached to a Node. It is important for Kubernetes to
+respect those limits. Otherwise, Pods scheduled on a Node could get stuck
waiting for volumes to attach.
{{% /capture %}}
@@ -25,10 +25,10 @@ waiting for volumes to attach.
## Kubernetes default limits
The Kubernetes scheduler has default limits on the number of volumes
-that can be attached to a node:
+that can be attached to a Node:
- Cloud service | Maximum volumes per node |
+ Cloud service | Maximum volumes per Node |
Amazon Elastic Block Store (EBS) | 39 |
Google Persistent Disk | 16 |
Microsoft Azure Disk Storage | 16 |
@@ -40,28 +40,28 @@ You can change these limits by setting the value of the
`KUBE_MAX_PD_VOLS` environment variable, and then starting the scheduler.
Use caution if you set a limit that is higher than the default limit. Consult
-the cloud provider's documentation to make sure that nodes can actually support
+the cloud provider's documentation to make sure that Nodes can actually support
the limit you set.
-The limit applies to the entire cluster, so it affects all nodes.
+The limit applies to the entire cluster, so it affects all Nodes.
## Dynamic volume limits
-{{< feature-state state="alpha" for_k8s_version="v1.11" >}}
+{{< feature-state state="beta" for_k8s_version="v1.12" >}}
-Kubernetes 1.11 introduces dynamic volume limits based on node type. This
-is an alpha feature that supports these services:
+Kubernetes 1.11 introduced support for dynamic volume limits based on Node type as an Alpha feature.
+In Kubernetes 1.12 this feature is graduating to Beta and will be enabled by default.
+
+Dynamic volume limits is supported for following volume types.
- Amazon EBS
- Google Persistent Disk
- Azure Disk
+- CSI
-To enable dynamic volume limits, set the `AttachVolumeLimit`
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-to True.
When the dynamic volume limits feature is enabled, Kubernetes automatically
-determines the node type and supports the appropriate number of attachable
+determines the Node type and enforces the appropriate number of attachable
volumes for the node. For example:
* On
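Review bot: The rewritten "Dynamic volume limits" section no longer mentions the `AttachVolumeLimit` feature gate at all, so a reader cannot tell which gate to check on a cluster where the limits are not being applied, or which one to turn off. Keep one sentence naming it, for example `This behaviour is controlled by the AttachVolumeLimit feature gate.`, with the default state confirmed for 1.12. "Dynamic volume limits is supported for following volume types." reads better as "Dynamic volume limits are supported for the following volume types:". The unchanged line "volumes for the node" keeps the lower-case spelling while the lines around it now use "Node".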
@@ -69,11 +69,14 @@ volumes for the node. For example:
up to 128 volumes can be attached to a node, [depending on the node
type](https://cloud.google.com/compute/docs/disks/#pdnumberlimits).
-* For Amazon EBS disks on M5/C5 instance types, Kubernetes allows only 25
-volumes to be attached to a node. For other instance types on
+* For Amazon EBS disks on M5,C5,R5,T3 and Z1D instance types, Kubernetes allows only 25
+volumes to be attached to a Node. For other instance types on
Amazon Elastic Compute Cloud (EC2),
-Kubernetes allows 39 volumes to be attached to a node.
+Kubernetes allows 39 volumes to be attached to a Node.
* On Azure, up to 64 disks can be attached to a node, depending on the node type. For more details, refer to [Sizes for virtual machines in Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes).
+* For CSI, any driver that advertises volume attach limits via CSI specs will have those limits available as the Node's allocatable property
+ and the Scheduler will not schedule Pods with volumes on any Node that is already at its capacity. Refer to the [CSI specs](https://github.com/container-storage-interface/spec/blob/master/spec.md#nodegetinfo) for more details.
+
{{% /capture %}}
diff --git a/content/en/docs/concepts/storage/volume-snapshot-classes.md b/content/en/docs/concepts/storage/volume-snapshot-classes.md
new file mode 100644
index 0000000000000..5ad05107eb647
--- /dev/null
+++ b/content/en/docs/concepts/storage/volume-snapshot-classes.md
@@ -0,0 +1,64 @@
+---
+reviewers:
+- jsafrane
+- saad-ali
+- thockin
+- msau42
+title: Volume Snapshot Classes
+content_template: templates/concept
+weight: 30
+---
+
+{{% capture overview %}}
+
+This document describes the concept of `VolumeSnapshotClass` in Kubernetes. Familiarity
+with [volume snapshots](/docs/concepts/storage/volume-snapshots/) and
+[storage classes](/docs/concepts/storage/storage-classes) is suggested.
+
+{{% /capture %}}
+
+{{< toc >}}
+
+{{% capture body %}}
+
+## Introduction
+
+Just like `StorageClass` provides a way for administrators to describe the "classes"
+of storage they offer when provisioning a volume, `VolumeSnapshotClass` provides a
+way to describe the "classes" of storage when provisioning a volume snapshot.
+
+## The VolumeSnapshotClass Resource
+
+Each `VolumeSnapshotClass` contains the fields `snapshotter` and `parameters`,
+which are used when a `VolumeSnapshot` belonging to the class needs to be
+dynamically provisioned.
+
+The name of a `VolumeSnapshotClass` object is significant, and is how users can
+request a particular class. Administrators set the name and other parameters
+of a class when first creating `VolumeSnapshotClass` objects, and the objects cannot
+be updated once they are created.
+
+Administrators can specify a default `VolumeSnapshotClass` just for VolumeSnapshots
+that don't request any particular class to bind to.
+
+```yaml
+apiVersion: snapshot.storage.k8s.io/v1alpha1
+kind: VolumeSnapshotClass
+metadata:
+ name: csi-hostpath-snapclass
+snapshotter: csi-hostpath
+parameters:
+```
+
+### Snapshotter
+
+Volume snapshot classes have a snapshotter that determines what CSI volume plugin is
+used for provisioning VolumeSnapshots. This field must be specified.
+
+## Parameters
+
+Volume snapshot classes have parameters that describe volume snapshots belonging to
+the volume snapshot class. Different parameters may be accepted depending on the
+`snapshotter`.
+
+{{% /capture %}}
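Review bot: This new page has no `{{< feature-state for_k8s_version="v1.12" state="alpha" >}}` marker, although its example uses `apiVersion: snapshot.storage.k8s.io/v1alpha1` and persistent-volumes.md in this commit labels volume snapshot support as alpha. The new volume-snapshots.md has the same gap. Adding the shortcode at the top of the overview in both files tells readers that the API can still change and is not enabled everywhere. The example also ends on an empty `parameters:` key; either drop the key or show one entry that is clearly marked as driver-specific.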
diff --git a/content/en/docs/concepts/storage/volume-snapshots.md b/content/en/docs/concepts/storage/volume-snapshots.md
new file mode 100644
index 0000000000000..73647b7825789
--- /dev/null
+++ b/content/en/docs/concepts/storage/volume-snapshots.md
@@ -0,0 +1,127 @@
+---
+reviewers:
+- jsafrane
+- saad-ali
+- thockin
+- msau42
+title: Volume Snapshots
+content_template: templates/concept
+weight: 20
+---
+
+{{% capture overview %}}
+
+This document describes the current state of `VolumeSnapshots` in Kubernetes. Familiarity with [persistent volumes](/docs/concepts/storage/persistent-volumes/) is suggested.
+
+{{% /capture %}}
+
+{{< toc >}}
+
+{{% capture body %}}
+
+## Introduction
+
+Similar to how API resources `PersistentVolume` and `PersistentVolumeClaim` are used to provision volumes for users and administrators, `VolumeSnapshotContent` and `VolumeSnapshot` API resources are provided to create volume snapshots for users and administrators.
+
+A `VolumeSnapshotContent` is a snapshot taken from a volume in the cluster that has been provisioned by an administrator. It is a resource in the cluster just like a PersistentVolume is a cluster resource.
+
+A `VolumeSnapshot` is a request for snapshot of a volume by a user. It is similar to a PersistentVolumeClaim.
+
+While `VolumeSnapshots` allow a user to consume abstract storage resources, cluster administrators
+need to be able to offer a variety of `VolumeSnapshotContents` without exposing
+users to the details of how those volume snapshots should be provisioned. For these needs
+there is the `VolumeSnapshotClass` resource.
+
+Users need to be aware of the following when using this feature:
+
+* API Objects `VolumeSnapshot`, `VolumeSnapshotContent`, and `VolumeSnapshotClass` are CRDs, not part of the core API.
+* `VolumeSnapshot` support is only available for CSI drivers.
+* As part of the deployment process, the Kubernetes team provides a sidecar helper container for the snapshot controller called `external-snapshotter`. It watches `VolumeSnapshot` objects and triggers `CreateSnapshot` and `DeleteSnapshot` operations against a CSI endpoint.
+* CSI drivers may or may not have implemented the volume snapshot functionality. The CSI drivers that have provided support for volume snapshot will likely use `external-snapshotter`.
+* The CSI drivers that support volume snapshot will automatically install CRDs defined for the volume snapshots.
+
+## Lifecycle of a volume snapshot and volume snapshot content
+
+`VolumeSnapshotContents` are resources in the cluster. `VolumeSnapshots` are requests for those resources. The interaction between `VolumeSnapshotContents` and `VolumeSnapshots` follow this lifecycle:
+
+### Provisioning Volume Snapshot
+
+There are two ways snapshots may be provisioned: statically or dynamically.
+
+#### Static
+A cluster administrator creates a number of `VolumeSnapshotContents`. They carry the details of the real storage which is available for use by cluster users. They exist in the Kubernetes API and are available for consumption.
+
+#### Dynamic
+When none of the static `VolumeSnapshotContents` the administrator created matches a user's `VolumeSnapshot`,
+the cluster may try to dynamically provision a volume snapshot specially for the `VolumeSnapshot` object.
+This provisioning is based on `VolumeSnapshotClasses`: the `VolumeSnapshot` must request a
+[volume snapshot class](/docs/concepts/storage/volume-snapshot-classes/) and
+the administrator must have created and configured that class in order for dynamic
+provisioning to occur.
+
+### Binding
+
+A user creates, or has already created in the case of dynamic provisioning, a `VolumeSnapshot` with a specific amount of storage requested and with certain access modes. A control loop watches for new VolumeSnapshots, finds a matching VolumeSnapshotContent (if possible), and binds them together. If a VolumeSnapshotContent was dynamically provisioned for a new VolumeSnapshot, the loop will always bind that VolumeSnapshotContent to the VolumeSnapshot. Once bound, `VolumeSnapshot` binds are exclusive, regardless of how they were bound. A VolumeSnapshot to VolumeSnapshotContent binding is a one-to-one mapping.
+
+VolumeSnapshots will remain unbound indefinitely if a matching VolumeSnapshotContent does not exist. VolumeSnapshots will be bound as matching VolumeSnapshotContents become available.
+
+### Delete
+
+Deletion removes both the `VolumeSnapshotContent` object from the Kubernetes API, as well as the associated storage asset in the external infrastructure.
+
+## Volume Snapshot Contents
+
+Each VolumeSnapshotContent contains a spec, which is the specification of the volume snapshot.
+
+```yaml
+apiVersion: snapshot.storage.k8s.io/v1alpha1
+kind: VolumeSnapshotContent
+metadata:
+ name: new-snapshot-content-test
+spec:
+ snapshotClassName: csi-hostpath-snapclass
+ source:
+ name: pvc-test
+ kind: PersistentVolumeClaim
+ volumeSnapshotSource:
+ csiVolumeSnapshotSource:
+ creationTime: 1535478900692119403
+ driver: csi-hostpath
+ restoreSize: 10Gi
+ snapshotHandle: 7bdd0de3-aaeb-11e8-9aae-0242ac110002
+```
+
+### Class
+
+A VolumeSnapshotContent can have a class, which is specified by setting the
+`snapshotClassName` attribute to the name of a
+[VolumeSnapshotClass](/docs/concepts/storage/volume-snapshot-classes/).
+A VolumeSnapshotContent of a particular class can only be bound to VolumeSnapshots requesting
+that class. A VolumeSnapshotContent with no `snapshotClassName` has no class and can only be bound
+to VolumeSnapshots that request no particular class.
+
+## VolumeSnapshots
+
+Each VolumeSnapshot contains a spec and a status, which is the specification and status of the volume snapshot.
+
+```yaml
+apiVersion: snapshot.storage.k8s.io/v1alpha1
+kind: VolumeSnapshot
+metadata:
+ name: new-snapshot-test
+spec:
+ snapshotClassName: csi-hostpath-snapclass
+ source:
+ name: pvc-test
+ kind: PersistentVolumeClaim
+```
+
+### Class
+
+A volume snapshot can request a particular class by specifying the name of a
+[VolumeSnapshotClass](/docs/concepts/storage/volume-snapshot-classes/)
+using the attribute `snapshotClassName`.
+Only VolumeSnapshotContents of the requested class, ones with the same `snapshotClassName`
+as the VolumeSnapshot, can be bound to the VolumeSnapshot.
+
+{{% /capture %}}
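Review bot: The "Binding" paragraph describes a `VolumeSnapshot` created "with a specific amount of storage requested and with certain access modes", but the `VolumeSnapshot` manifest shown later on the page has only `snapshotClassName` and `source`; the sentence looks carried over from the PersistentVolumeClaim text. Describe the match in terms the spec actually has, for example `A user creates a VolumeSnapshot that names a source and, optionally, a snapshot class.` The "Delete" section names only the `VolumeSnapshotContent` object and does not say what triggers the deletion, which matters because the same step also removes the snapshot in the backing storage system. In the introduction, "a snapshot taken from a volume in the cluster that has been provisioned by an administrator" leaves it unclear whether the volume or the snapshot is what the administrator provisioned.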
diff --git a/content/en/docs/concepts/storage/volumes.md b/content/en/docs/concepts/storage/volumes.md
index 327ba55a1e51a..5ad6ec22c24c8 100644
--- a/content/en/docs/concepts/storage/volumes.md
+++ b/content/en/docs/concepts/storage/volumes.md
@@ -656,7 +656,8 @@ All sources are required to be in the same namespace as the Pod. For more detail
see the [all-in-one volume design document](https://github.com/kubernetes/community/blob/{{< param "githubbranch" >}}/contributors/design-proposals/node/all-in-one-volume.md).
The projection of service account tokens is a feature introduced in Kubernetes
-1.11. To enable this feature, you need to explicitly set the `TokenRequestProjection`
+1.11 and promoted to Beta in 1.12.
+To enable this feature on 1.11, you need to explicitly set the `TokenRequestProjection`
[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) to
True.
@@ -1236,16 +1237,9 @@ More details can be found [here](https://github.com/kubernetes/community/blob/ma
## Mount propagation
-{{< feature-state for_k8s_version="v1.10" state="beta" >}}
-
Mount propagation allows for sharing volumes mounted by a Container to
other Containers in the same Pod, or even to other Pods on the same node.
-If the "`MountPropagation`" feature is disabled or a Pod does not explicitly
-specify specific mount propagation, volume mounts in the Pod's Containers are
-not propagated. That is, Containers run with `private` mount propagation as
-described in the [Linux kernel documentation](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt).
-
Mount propagation of a volume is controlled by `mountPropagation` field in Container.volumeMounts.
Its values are:
diff --git a/content/en/docs/concepts/workloads/controllers/daemonset.md b/content/en/docs/concepts/workloads/controllers/daemonset.md
index 422a03e847e40..92a995b042a97 100644
--- a/content/en/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/en/docs/concepts/workloads/controllers/daemonset.md
@@ -103,7 +103,7 @@ If you do not specify either, then the DaemonSet controller will create Pods on
## How Daemon Pods are Scheduled
-### Scheduled by DaemonSet controller (default)
+### Scheduled by DaemonSet controller (disabled by default since 1.12)
Normally, the machine that a Pod runs on is selected by the Kubernetes scheduler. However, Pods
created by the DaemonSet controller have the machine already selected (`.spec.nodeName` is specified
@@ -115,9 +115,9 @@ when the Pod is created, so it is ignored by the scheduler). Therefore:
bootstrap.
-### Scheduled by default scheduler
+### Scheduled by default scheduler (enabled by default since 1.12)
-{{< feature-state state="alpha" for-kubernetes-version="1.11" >}}
+{{< feature-state state="beta" for-kubernetes-version="1.12" >}}
A DaemonSet ensures that all eligible nodes run a copy of a Pod. Normally, the
node that a Pod runs on is selected by the Kubernetes scheduler. However,
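Review bot: The changed shortcode still passes `for-kubernetes-version="1.12"`, while every other `feature-state` call added in this commit uses `for_k8s_version="v1.12"`. If the shortcode reads only `for_k8s_version`, the version will not be rendered here; check the shortcode definition and, if so, use `{{< feature-state for_k8s_version="v1.12" state="beta" >}}`. The two headings now say "disabled by default since 1.12" and "enabled by default since 1.12" without naming the gate that switches between them. The table rows removed further down in this file called it `ScheduleDaemonSetPods`, and naming it in this section would tell operators what to set if they need the old behaviour.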
@@ -151,14 +151,8 @@ nodeAffinity:
```
In addition, `node.kubernetes.io/unschedulable:NoSchedule` toleration is added
-automatically to DaemonSet Pods. The DaemonSet controller ignores
-`unschedulable` Nodes when scheduling DaemonSet Pods. You must enable
-`TaintNodesByCondition` to ensure that the default scheduler behaves the same
-way and schedules DaemonSet pods on `unschedulable` nodes.
-
-When this feature and `TaintNodesByCondition` are enabled together, if DaemonSet
-uses the host network, you must also add the
-`node.kubernetes.io/network-unavailable:NoSchedule toleration`.
+automatically to DaemonSet Pods. The default scheduler ignores
+`unschedulable` Nodes when scheduling DaemonSet Pods.
### Taints and Tolerations
@@ -170,13 +164,12 @@ the related features.
| Toleration Key | Effect | Alpha Features | Version | Description |
| ---------------------------------------- | ---------- | ------------------------------------------------------------ | ------- | ------------------------------------------------------------ |
-| `node.kubernetes.io/not-ready` | NoExecute | `TaintBasedEvictions` | 1.8+ | when `TaintBasedEvictions` is enabled,they will not be evicted when there are node problems such as a network partition. |
-| `node.kubernetes.io/unreachable` | NoExecute | `TaintBasedEvictions` | 1.8+ | when `TaintBasedEvictions` is enabled,they will not be evicted when there are node problems such as a network partition. |
-| `node.kubernetes.io/disk-pressure` | NoSchedule | `TaintNodesByCondition` | 1.8+ | |
-| `node.kubernetes.io/memory-pressure` | NoSchedule | `TaintNodesByCondition` | 1.8+ | |
-| `node.kubernetes.io/unschedulable` | NoSchedule | `ScheduleDaemonSetPods`, `TaintNodesByCondition` | 1.11+ | When ` ScheduleDaemonSetPods` is enabled, ` TaintNodesByCondition` is necessary to make sure DaemonSet pods tolerate unschedulable attributes by default scheduler. |
-| `node.kubernetes.io/network-unavailable` | NoSchedule | `ScheduleDaemonSetPods`, `TaintNodesByCondition`, hostnework | 1.11+ | When ` ScheduleDaemonSetPods` is enabled, ` TaintNodesByCondition` is necessary to make sure DaemonSet pods, who uses host network, tolerate network-unavailable attributes by default scheduler. |
-| `node.kubernetes.io/out-of-disk` | NoSchedule | `ExperimentalCriticalPodAnnotation` (critical pod only), `TaintNodesByCondition` | 1.8+ | |
+| `node.kubernetes.io/not-ready` | NoExecute | `TaintBasedEvictions` | 1.8+ | When `TaintBasedEvictions` is enabled, they will not be evicted when there are node problems such as a network partition. |
+| `node.kubernetes.io/unreachable` | NoExecute | `TaintBasedEvictions` | 1.8+ | When `TaintBasedEvictions` is enabled, they will not be evicted when there are node problems such as a network partition. |
+| `node.kubernetes.io/disk-pressure` | NoSchedule | | 1.8+ | |
+| `node.kubernetes.io/memory-pressure` | NoSchedule | | 1.8+ | |
+| `node.kubernetes.io/unschedulable` | NoSchedule | | 1.12+ | DaemonSet pods tolerate unschedulable attributes by default scheduler. |
+| `node.kubernetes.io/network-unavailable` | NoSchedule | | 1.12+ | DaemonSet pods, who uses host network, tolerate network-unavailable attributes by default scheduler. |
diff --git a/content/en/docs/concepts/workloads/controllers/jobs-run-to-completion.md b/content/en/docs/concepts/workloads/controllers/jobs-run-to-completion.md
index fabfbcc435b48..9e6ec9f9c97a8 100644
--- a/content/en/docs/concepts/workloads/controllers/jobs-run-to-completion.md
+++ b/content/en/docs/concepts/workloads/controllers/jobs-run-to-completion.md
@@ -251,6 +251,59 @@ spec:
Note that both the Job Spec and the [Pod Template Spec](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/#detailed-behavior) within the Job have an `activeDeadlineSeconds` field. Ensure that you set this field at the proper level.
+## Clean Up Finished Jobs Automatically
+
+Finished Jobs are usually no longer needed in the system. Keeping them around in
+the system will put pressure on the API server. If the Jobs are managed directly
+by a higher level controller, such as
+[CronJobs](/docs/concepts/workloads/controllers/cron-jobs/), the Jobs can be
+cleaned up by CronJobs based on the specified capacity-based cleanup policy.
+
+### TTL Mechanism for Finished Jobs
+
+{{< feature-state for_k8s_version="v1.12" state="alpha" >}}
+
+Another way to clean up finished Jobs (either `Complete` or `Failed`)
+automatically is to use a TTL mechanism provided by a
+[TTL controller](/docs/concepts/workloads/controllers/ttlafterfinished/) for
+finished resources, by specifying the `.spec.ttlSecondsAfterFinished` field of
+the Job.
+
+When the TTL controller cleans up the Job, it will delete the Job cascadingly,
+i.e. delete its dependent objects, such as Pods, together with the Job. Note
+that when the Job is deleted, its lifecycle guarantees, such as finalizers, will
+be honored.
+
+For example:
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: pi-with-ttl
+spec:
+spec:
+ ttlSecondsAfterFinished: 100
+ template:
+ spec:
+ containers:
+ - name: pi
+ image: perl
+ command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+ restartPolicy: Never
+```
+
+The Job `pi-with-ttl` will be eligible to be automatically deleted, `100`
+seconds after it finishes.
+
+If the field is set to `0`, the Job will be eligible to be automatically deleted
+immediately after it finishes. If the field is unset, this Job won't be cleaned
+up by the TTL controller after it finishes.
+
+Note that this TTL mechanism is alpha, with feature gate `TTLAfterFinished`. For
+more information, see the documentation for
+[TTL controller](/docs/concepts/workloads/controllers/ttlafterfinished/) for
+finished resources.
## Job Patterns
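Review bot: The example manifest under "TTL Mechanism for Finished Jobs" has `spec:` on two consecutive lines, so the first key is empty and the second is a duplicate; depending on the parser the manifest is rejected or silently reinterpreted. Delete one of the two `spec:` lines. The text says the TTL controller deletes the Job "cascadingly" together with its Pods. It is worth adding that the Pods' logs and status are expected to go with them, so anything needed for debugging or audit has to be collected before the TTL expires, in particular when the field is `0`.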
diff --git a/content/en/docs/concepts/workloads/controllers/ttlafterfinished.md b/content/en/docs/concepts/workloads/controllers/ttlafterfinished.md
new file mode 100644
index 0000000000000..1f8e355ff8325
--- /dev/null
+++ b/content/en/docs/concepts/workloads/controllers/ttlafterfinished.md
@@ -0,0 +1,90 @@
+---
+reviewers:
+- janetkuo
+title: TTL Controller for Finished Resources
+content_template: templates/concept
+weight: 65
+---
+
+{{% capture overview %}}
+
+{{< feature-state for_k8s_version="v1.12" state="alpha" >}}
+
+The TTL controller provides a TTL mechanism to limit the lifetime of resource
+objects that have finished execution. TTL controller only handles
+[Jobs](/docs/concepts/workloads/controllers/jobs-run-to-completion/) for
+now, and may be expanded to handle other resources that will finish execution,
+such as Pods and custom resources.
+
+Alpha Disclaimer: this feature is currently alpha, and can be enabled with
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+`TTLAfterFinished`.
+
+
+{{% /capture %}}
+
+
+{{< toc >}}
+
+
+{{% capture body %}}
+
+## TTL Controller
+
+The TTL controller only supports Jobs for now. A cluster operator can use this feature to clean
+up finished Jobs (either `Complete` or `Failed`) automatically by specifying the
+`.spec.ttlSecondsAfterFinished` field of a Job, as in this
+[example](/docs/concepts/workloads/controllers/jobs-run-to-completion/#clean-up-finished-jobs-automatically).
+The TTL controller will assume that a resource is eligible to be cleaned up
+TTL seconds after the resource has finished, in other words, when the TTL has expired. When the
+TTL controller cleans up a resource, it will delete it cascadingly, i.e. delete
+its dependent objects together with it. Note that when the resource is deleted,
+its lifecycle guarantees, such as finalizers, will be honored.
+
+The TTL seconds can be set at any time. Here are some examples for setting the
+`.spec.ttlSecondsAfterFinished` field of a Job:
+
+* Specify this field in the resource manifest, so that a Job can be cleaned up
+ automatically some time after it finishes.
+* Set this field of existing, already finished resources, to adopt this new
+ feature.
+* Use a
+ [mutating admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
+ to set this field dynamically at resource creation time. Cluster administrators can
+ use this to enforce a TTL policy for finished resources.
+* Use a
+ [mutating admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
+ to set this field dynamically after the resource has finished, and choose
+ different TTL values based on resource status, labels, etc.
+
+## Caveat
+
+### Updating TTL Seconds
+
+Note that the TTL period, e.g. `.spec.ttlSecondsAfterFinished` field of Jobs,
+can be modified after the resource is created or has finished. However, once the
+Job becomes eligible to be deleted (when the TTL has expired), the system won't
+guarantee that the Jobs will be kept, even if an update to extend the TTL
+returns a successful API response.
+
+### Time Skew
+
+Because TTL controller uses timestamps stored in the Kubernetes resources to
+determine whether the TTL has expired or not, this feature is sensitive to time
+skew in the cluster, which may cause TTL controller to clean up resource objects
+at the wrong time.
+
+In Kubernetes, it's required to run NTP on all nodes
+(see [#6159](https://github.com/kubernetes/kubernetes/issues/6159#issuecomment-93844058))
+to avoid time skew. Clocks aren't always correct, but the difference should be
+very small. Please be aware of this risk when setting a non-zero TTL.
+
+{{% /capture %}}
+
+{{% capture whatsnext %}}
+
+[Clean up Jobs automatically](/docs/concepts/workloads/controllers/jobs-run-to-completion/#clean-up-finished-jobs-automatically)
+
+[Design doc](https://github.com/kubernetes/community/blob/master/keps/sig-apps/0026-ttl-after-finish.md)
+
+{{% /capture %}}
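Review bot: The Caveat section of the new page does not say what is lost when the TTL expires. The body states that the resource is deleted cascadingly together with its dependent objects, so anything kept only on the Job and its Pods (status, and presumably container logs read through the Pod) is no longer available once cleanup runs; per the Jobs page in this same commit, a value of `0` makes that immediately after completion. I would add a short caveat such as `Collect any logs or results you need from a finished Job before its TTL expires; after cleanup the Job and its Pods no longer exist.` The fourth bullet under "TTL Controller" could also say which API request the mutating admission webhook is expected to act on once the resource has already finished, since the text does not make that clear.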
diff --git a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md
index ff2e841a520ac..2b559bd6a225d 100644
--- a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md
+++ b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md
@@ -157,7 +157,7 @@ Note that the information reported as Pod status depends on the current
## Pod readiness gate
-{{< feature-state for_k8s_version="v1.11" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.12" state="beta" >}}
In order to add extensibility to Pod readiness by enabling the injection of
extra feedbacks or signals into `PodStatus`, Kubernetes 1.11 introduced a
@@ -203,9 +203,11 @@ when both the following statements are true:
To facilitate this change to Pod readiness evaluation, a new Pod condition
`ContainersReady` is introduced to capture the old Pod `Ready` condition.
-As an alpha feature, the "Pod Ready++" feature has to be explicitly enabled by
+In K8s 1.11, as an alpha feature, the "Pod Ready++" feature has to be explicitly enabled by
setting the `PodReadinessGates` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-to True.
+to true.
+
+In K8s 1.12, the feature is enabled by default.
## Restart policy
diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md
index 94648a856427e..bf009af58769b 100644
--- a/content/en/docs/reference/access-authn-authz/rbac.md
+++ b/content/en/docs/reference/access-authn-authz/rbac.md
@@ -672,13 +672,19 @@ These roles include:
The RBAC API prevents users from escalating privileges by editing roles or role bindings.
Because this is enforced at the API level, it applies even when the RBAC authorizer is not in use.
-A user can only create/update a role if they already have all the permissions contained in the role,
-at the same scope as the role (cluster-wide for a `ClusterRole`, within the same namespace or cluster-wide for a `Role`).
+A user can only create/update a role if at least one of the following things is true:
+
+1. they already have all the permissions contained in the role, at the same scope as the object being modified
+(cluster-wide for a `ClusterRole`, within the same namespace or cluster-wide for a `Role`)
+2. they are given explicit permission to perform the `escalate` verb on the `roles` or `clusterroles` resource in the `rbac.authorization.k8s.io` API group (Kubernetes 1.12 and newer)
+
For example, if "user-1" does not have the ability to list secrets cluster-wide, they cannot create a `ClusterRole`
containing that permission. To allow a user to create/update roles:
1. Grant them a role that allows them to create/update `Role` or `ClusterRole` objects, as desired.
-2. Grant them roles containing the permissions you would want them to be able to set in a `Role` or `ClusterRole`. If they attempt to create or modify a `Role` or `ClusterRole` with permissions they themselves have not been granted, the API request will be forbidden.
+2. Grant them permission to include specific permissions in the roles the create/update:
+ * implicitly, by giving them those permissions (if they attempt to create or modify a `Role` or `ClusterRole` with permissions they themselves have not been granted, the API request will be forbidden)
+ * or explicitly allow specifying any permission in a `Role` or `ClusterRole` by giving them permission to perform the `escalate` verb on `roles` or `clusterroles` resources in the `rbac.authorization.k8s.io` API group (Kubernetes 1.12 and newer)
A user can only create/update a role binding if they already have all the permissions contained in the referenced role
(at the same scope as the role binding) *or* if they've been given explicit permission to perform the `bind` verb on the referenced role.
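Review bot: The rewritten step 2 reads "the roles the create/update", which should be "the roles they create/update". The new `escalate` bullet also needs a sentence on how broad the grant is: as written, a subject holding `escalate` on `roles` or `clusterroles` may put any permission into a role it is allowed to create or update, so the verb switches off the escalation check described at the top of this section for that subject. I would add directly under that bullet something like `Grant escalate only to subjects you trust with every permission at that scope, and include it when reviewing who can modify roles.` The numbered conditions added above it would also read better with a closing "or" between items 1 and 2, matching the "at least one of the following" lead-in.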
diff --git a/content/en/docs/reference/command-line-tools-reference/cloud-controller-manager.md b/content/en/docs/reference/command-line-tools-reference/cloud-controller-manager.md
index fd7e36d8233f3..4ddb32c0db6da 100644
--- a/content/en/docs/reference/command-line-tools-reference/cloud-controller-manager.md
+++ b/content/en/docs/reference/command-line-tools-reference/cloud-controller-manager.md
@@ -5,6 +5,7 @@ notitle: true
## cloud-controller-manager
+
### Synopsis
@@ -25,17 +26,59 @@ cloud-controller-manager [flags]
- --address ip Default: 0.0.0.0 |
+ --allocate-node-cidrs |
- | DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). See --bind-address instead. |
+ | Should CIDRs for Pods be allocated and set on the cloud provider. |
- --allocate-node-cidrs |
+ --authentication-kubeconfig string |
- | Should CIDRs for Pods be allocated and set on the cloud provider. |
+ | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenaccessreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster. |
+
+
+
+ --authentication-skip-lookup |
+
+
+ | If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster. |
+
+
+
+ --authentication-token-webhook-cache-ttl duration Default: 10s |
+
+
+ | The duration to cache responses from the webhook token authenticator. |
+
+
+
+ --authorization-always-allow-paths stringSlice Default: [/healthz] |
+
+
+ | A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server. |
+
+
+
+ --authorization-kubeconfig string |
+
+
+ | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden. |
+
+
+
+ --authorization-webhook-cache-authorized-ttl duration Default: 10s |
+
+
+ | The duration to cache 'authorized' responses from the webhook authorizer. |
+
+
+
+ --authorization-webhook-cache-unauthorized-ttl duration Default: 10s |
+
+
+ | The duration to cache 'unauthorized' responses from the webhook authorizer. |
@@ -66,6 +109,13 @@ cloud-controller-manager [flags]
| Type of CIDR allocator to use |
+
+ --client-ca-file string |
+
+
+ | If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. |
+
+
--cloud-config string |
@@ -122,11 +172,18 @@ cloud-controller-manager [flags]
| Interval between starting controller managers. |
+
+ --external-cloud-volume-plugin string |
+
+
+ | The plugin to use when cloud provider is set to external. Can be empty, should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in tree cloud providers. |
+
+
--feature-gates mapStringBool |
- | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIResponseCompression=true|false (ALPHA - default=false) AdvancedAuditing=true|false (BETA - default=true) AllAlpha=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) AttachVolumeLimit=true|false (ALPHA - default=false) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BlockVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIBlockVolume=true|false (ALPHA - default=false) CSIPersistentVolume=true|false (BETA - default=true) CustomPodDNS=true|false (BETA - default=true) CustomResourceSubresources=true|false (BETA - default=true) CustomResourceValidation=true|false (BETA - default=true) DebugContainers=true|false (ALPHA - default=false) DevicePlugins=true|false (BETA - default=true) DynamicKubeletConfig=true|false (BETA - default=true) DynamicProvisioningScheduling=true|false (ALPHA - default=false) EnableEquivalenceClassCache=true|false (ALPHA - default=false) ExpandInUsePersistentVolumes=true|false (ALPHA - default=false) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GCERegionalPersistentDisk=true|false (BETA - default=true) HugePages=true|false (BETA - default=true) HyperVContainer=true|false (ALPHA - default=false) Initializers=true|false (ALPHA - default=false) KubeletPluginsWatcher=true|false (ALPHA - default=false) LocalStorageCapacityIsolation=true|false (BETA - default=true) MountContainers=true|false (ALPHA - default=false) MountPropagation=true|false (BETA - default=true) PersistentLocalVolumes=true|false (BETA - default=true) PodPriority=true|false (BETA - default=true) PodReadinessGates=true|false (BETA - default=false) 
PodShareProcessNamespace=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) ReadOnlyAPIDataVolumes=true|false (DEPRECATED - default=true) ResourceLimitsPriorityFunction=true|false (ALPHA - default=false) ResourceQuotaScopeSelectors=true|false (ALPHA - default=false) RotateKubeletClientCertificate=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (ALPHA - default=false) RunAsGroup=true|false (ALPHA - default=false) ScheduleDaemonSetPods=true|false (ALPHA - default=false) ServiceNodeExclusion=true|false (ALPHA - default=false) ServiceProxyAllowExternalIPs=true|false (DEPRECATED - default=false) StorageObjectInUseProtection=true|false (default=true) StreamingProxyRedirects=true|false (BETA - default=true) SupportIPVSProxyMode=true|false (default=true) SupportPodPidsLimit=true|false (ALPHA - default=false) Sysctls=true|false (BETA - default=true) TaintBasedEvictions=true|false (ALPHA - default=false) TaintNodesByCondition=true|false (ALPHA - default=false) TokenRequest=true|false (ALPHA - default=false) TokenRequestProjection=true|false (ALPHA - default=false) VolumeScheduling=true|false (BETA - default=true) VolumeSubpath=true|false (default=true) VolumeSubpathEnvExpansion=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIResponseCompression=true|false (ALPHA - default=false) AllAlpha=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) AttachVolumeLimit=true|false (BETA - default=false) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BlockVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIBlockVolume=true|false (ALPHA - default=false) CSIDriverRegistry=true|false (ALPHA - default=false) CSINodeInfo=true|false (ALPHA - default=false) CSIPersistentVolume=true|false (BETA - default=true) CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false) CustomPodDNS=true|false (BETA - default=true) CustomResourceSubresources=true|false (BETA - default=true) CustomResourceValidation=true|false (BETA - default=true) DebugContainers=true|false (ALPHA - default=false) DevicePlugins=true|false (BETA - default=true) DryRun=true|false (ALPHA - default=false) DynamicKubeletConfig=true|false (BETA - default=true) EnableEquivalenceClassCache=true|false (ALPHA - default=false) ExpandInUsePersistentVolumes=true|false (ALPHA - default=false) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GCERegionalPersistentDisk=true|false (BETA - default=true) HugePages=true|false (BETA - default=true) HyperVContainer=true|false (ALPHA - default=false) Initializers=true|false (ALPHA - default=false) KubeletPluginsWatcher=true|false (BETA - default=true) LocalStorageCapacityIsolation=true|false (BETA - default=true) MountContainers=true|false (ALPHA - default=false) NodeLease=true|false (ALPHA - default=false) PersistentLocalVolumes=true|false (BETA - default=true) PodPriority=true|false 
(BETA - default=true) PodReadinessGates=true|false (BETA - default=true) PodShareProcessNamespace=true|false (BETA - default=true) ProcMountType=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) ResourceLimitsPriorityFunction=true|false (ALPHA - default=false) ResourceQuotaScopeSelectors=true|false (BETA - default=true) RotateKubeletClientCertificate=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (BETA - default=true) RunAsGroup=true|false (ALPHA - default=false) RuntimeClass=true|false (ALPHA - default=false) SCTPSupport=true|false (ALPHA - default=false) ScheduleDaemonSetPods=true|false (BETA - default=true) ServiceNodeExclusion=true|false (ALPHA - default=false) StreamingProxyRedirects=true|false (BETA - default=true) SupportPodPidsLimit=true|false (ALPHA - default=false) Sysctls=true|false (BETA - default=true) TTLAfterFinished=true|false (ALPHA - default=false) TaintBasedEvictions=true|false (ALPHA - default=false) TaintNodesByCondition=true|false (BETA - default=true) TokenRequest=true|false (BETA - default=true) TokenRequestProjection=true|false (BETA - default=true) VolumeScheduling=true|false (BETA - default=true) VolumeSnapshotDataSource=true|false (ALPHA - default=false) VolumeSubpathEnvExpansion=true|false (ALPHA - default=false) |
@@ -242,17 +299,45 @@ cloud-controller-manager [flags]
- --port int Default: 10253 |
+ --profiling |
- | DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve HTTPS at all. See --secure-port instead. |
+ | Enable profiling via web interface host:port/debug/pprof/ |
- --profiling |
+ --requestheader-allowed-names stringSlice |
- | Enable profiling via web interface host:port/debug/pprof/ |
+ | List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed. |
+
+
+
+ --requestheader-client-ca-file string |
+
+
+ | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. |
+
+
+
+ --requestheader-extra-headers-prefix stringSlice Default: [x-remote-extra-] |
+
+
+ | List of request header prefixes to inspect. X-Remote-Extra- is suggested. |
+
+
+
+ --requestheader-group-headers stringSlice Default: [x-remote-group] |
+
+
+ | List of request headers to inspect for groups. X-Remote-Group is suggested. |
+
+
+
+ --requestheader-username-headers stringSlice Default: [x-remote-user] |
+
+
+ | List of request headers to inspect for usernames. X-Remote-User is common. |
@@ -263,10 +348,10 @@ cloud-controller-manager [flags]
- --secure-port int |
+ --secure-port int Default: 10258 |
- | The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. |
+ | The port on which to serve HTTPS with authentication and authorization.If 0, don't serve HTTPS at all. |
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 6c229f7538ef4..ec632df09748f 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -29,10 +29,11 @@ different Kubernetes components.
|---------|---------|-------|-------|-------|
| `Accelerators` | `false` | Alpha | 1.6 | 1.10 |
| `AdvancedAuditing` | `false` | Alpha | 1.7 | 1.7 |
-| `AdvancedAuditing` | `true` | Beta | 1.8 | |
+| `AdvancedAuditing` | `true` | Beta | 1.8 | 1.11 |
+| `AdvancedAuditing` | `true` | GA | 1.12 | - |
| `AffinityInAnnotations` | `false` | Alpha | 1.6 | 1.7 |
| `AllowExtTrafficLocalEndpoints` | `false` | Beta | 1.4 | 1.6 |
-| `AllowExtTrafficLocalEndpoints` | `true` | GA | 1.7 | |
+| `AllowExtTrafficLocalEndpoints` | `true` | GA | 1.7 | - |
| `APIListChunking` | `false` | Alpha | 1.8 | 1.8 |
| `APIListChunking` | `true` | Beta | 1.9 | |
| `APIResponseCompression` | `false` | Alpha | 1.7 | |
@@ -56,7 +57,7 @@ different Kubernetes components.
| `DevicePlugins` | `true` | Beta | 1.10 | |
| `DynamicKubeletConfig` | `false` | Alpha | 1.4 | 1.10 |
| `DynamicKubeletConfig` | `true` | Beta | 1.11 | |
-| `DynamicProvisioningScheduling` | `false` | Alpha | 1.11 | |
+| `DynamicProvisioningScheduling` | `false` | Alpha | 1.11 | 1.11 |
| `DynamicVolumeProvisioning` | `true` | Alpha | 1.3 | 1.7 |
| `DynamicVolumeProvisioning` | `true` | GA | 1.8 | |
| `EnableEquivalenceClassCache` | `false` | Alpha | 1.8 | |
@@ -71,23 +72,29 @@ different Kubernetes components.
| `HyperVContainer` | `false` | Alpha | 1.10 | |
| `Initializers` | `false` | Alpha | 1.7 | |
| `KubeletConfigFile` | `false` | Alpha | 1.8 | 1.9 |
-| `KubeletPluginsWatcher` | `false` | Alpha | 1.11 | |
+| `KubeletPluginsWatcher` | `false` | Alpha | 1.11 | 1.11 |
+| `KubeletPluginsWatcher` | `true` | Beta | 1.12 | |
| `LocalStorageCapacityIsolation` | `false` | Alpha | 1.7 | 1.9 |
| `LocalStorageCapacityIsolation` | `true` | Beta| 1.10 | |
| `MountContainers` | `false` | Alpha | 1.9 | |
| `MountPropagation` | `false` | Alpha | 1.8 | 1.9 |
-| `MountPropagation` | `true` | Beta | 1.10 | |
+| `MountPropagation` | `true` | Beta | 1.10 | 1.11 |
+| `MountPropagation` | `true` | GA | 1.12 | |
| `PersistentLocalVolumes` | `false` | Alpha | 1.7 | 1.9 |
| `PersistentLocalVolumes` | `true` | Beta | 1.10 | |
| `PodPriority` | `false` | Alpha | 1.8 | |
| `PodReadinessGates` | `false` | Alpha | 1.11 | |
+| `PodReadinessGates` | `true` | Beta | 1.12 | |
| `PodShareProcessNamespace` | `false` | Alpha | 1.10 | |
+| `PodShareProcessNamespace` | `true` | Beta | 1.12 | |
| `PVCProtection` | `false` | Alpha | 1.9 | 1.9 |
| `ReadOnlyAPIDataVolumes` | `true` | Deprecated | 1.10 | |
| `ResourceLimitsPriorityFunction` | `false` | Alpha | 1.9 | |
| `RotateKubeletClientCertificate` | `true` | Beta | 1.7 | |
| `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | |
| `RunAsGroup` | `false` | Alpha | 1.10 | |
+| `RuntimeClass` | `false` | Alpha | 1.12 | |
+| `SCTPSupport` | `false` | Alpha | 1.12 | |
| `ServiceNodeExclusion` | `false` | Alpha | 1.8 | |
| `StorageObjectInUseProtection` | `true` | Beta | 1.10 | 1.10 |
| `StorageObjectInUseProtection` | `true` | GA | 1.11 | |
@@ -100,12 +107,16 @@ different Kubernetes components.
| `Sysctls` | `true` | Beta | 1.11 | |
| `TaintBasedEvictions` | `false` | Alpha | 1.6 | |
| `TaintNodesByCondition` | `false` | Alpha | 1.8 | |
-| `TokenRequest` | `false` | Alpha | 1.10 | |
-| `TokenRequestProjection` | `false` | Alpha | 1.11 | |
+| `TaintNodesByCondition` | `true` | Beta | 1.12 | |
+| `TokenRequest` | `false` | Alpha | 1.10 | 1.11 |
+| `TokenRequest` | `True` | Beta | 1.12 | |
+| `TokenRequestProjection` | `false` | Alpha | 1.11 | 1.11 |
+| `TokenRequestProjection` | `True` | Beta | 1.12 | |
+| `TTLAfterFinished` | `false` | Alpha | 1.12 | |
| `VolumeScheduling` | `false` | Alpha | 1.9 | 1.9 |
| `VolumeScheduling` | `true` | Beta | 1.10 | |
| `VolumeSubpathEnvExpansion` | `false` | Alpha | 1.11 | |
-| `ScheduleDaemonSetPods` | `false` | Alpha | 1.11 | |
+| `ScheduleDaemonSetPods` | `true` | Beta | 1.12 | |
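Review bot: The added Beta rows for `TokenRequest` and `TokenRequestProjection` give the default as `True`, while every other row in the table uses lowercase `true`; both Default cells should be `true`. The `ScheduleDaemonSetPods` change replaces the Alpha row instead of closing it with an Until of `1.11` and adding a Beta row, which is what this commit does for `KubeletPluginsWatcher` and `TokenRequest`. In the previous hunk the `PodReadinessGates` Alpha row likewise keeps an empty Until next to its new Beta row, and the `AdvancedAuditing` and `AllowExtTrafficLocalEndpoints` GA rows use `-` for Until where the other open-ended rows leave the cell empty. In the following hunk, "superceded" in the `DynamicProvisioningScheduling` description should be "superseded".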
## Using a Feature
@@ -183,6 +194,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
based resource provisioning on nodes.
- `DynamicKubeletConfig`: Enable the dynamic configuration of kubelet. See [Reconfigure kubelet](/docs/tasks/administer-cluster/reconfigure-kubelet/).
- `DynamicProvisioningScheduling`: Extend the default scheduler to be aware of volume topology and handle PV provisioning.
+ This feature is superceded by the `VolumeScheduling` feature completely in v1.12.
- `DynamicVolumeProvisioning`(*deprecated*): Enable the [dynamic provisioning](/docs/concepts/storage/dynamic-provisioning/) of persistent volumes to Pods.
- `EnableEquivalenceClassCache`: Enable the scheduler to cache equivalence of nodes when scheduling Pods.
- `ExpandInUsePersistentVolumes`: Enable expanding in-use PVCs. See [Resizing an in-use PersistentVolumeClaim](/docs/concepts/storage/persistent-volumes/#resizing-an-in-use-persistentvolumeclaim).
@@ -227,7 +239,9 @@ Each feature gate is designed for enabling/disabling a specific feature:
- `RotateKubeletServerCertificate`: Enable the rotation of the server TLS certificate on the kubelet.
See [kubelet configuration](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration) for more details.
- `RunAsGroup`: Enable control over the primary group ID set on the init processes of containers.
+- `RuntimeClass`: Enable the [RuntimeClass](/docs/concepts/containers/runtime-class/) feature for selecting container runtime configurations.
- `ScheduleDaemonSetPods`: Enable DaemonSet Pods to be scheduled by the default scheduler instead of the DaemonSet controller.
+- `SCTPSupport`: Enables the usage of SCTP as `protocol` value in `Service`, `Endpoint`, `NetworkPolicy` and `Pod` definitions
- `ServiceNodeExclusion`: Enable the exclusion of nodes from load balancers created by a cloud provider.
A node is eligible for exclusion if annotated with "`alpha.service-controller.kubernetes.io/exclude-balancer`" key.
- `StorageObjectInUseProtection`: Postpone the deletion of PersistentVolume or
@@ -246,6 +260,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
- `TokenRequest`: Enable the `TokenRequest` endpoint on service account resources.
- `TokenRequestProjection`: Enable the injection of service account tokens into
a Pod through the [`projected` volume](/docs/concepts/storage/volumes/#projected).
+- `TTLAfterFinished`: Allow a [TTL controller](/docs/concepts/workloads/controllers/ttlafterfinished/) to clean up resources after they finish execution.
- `VolumeScheduling`: Enable volume topology aware scheduling and make the
PersistentVolumeClaim (PVC) binding aware of scheduling decisions. It also
enables the usage of [`local`](/docs/concepts/storage/volumes/#local) volume
diff --git a/content/en/docs/reference/command-line-tools-reference/federation-apiserver.md b/content/en/docs/reference/command-line-tools-reference/federation-apiserver.md
index e7e420381e6ff..09a672d78ea2b 100644
--- a/content/en/docs/reference/command-line-tools-reference/federation-apiserver.md
+++ b/content/en/docs/reference/command-line-tools-reference/federation-apiserver.md
@@ -1,8 +1,3 @@
----
-title: federation-apiserver
-notitle: true
-weight: 100
----
## federation-apiserver
@@ -150,4 +145,4 @@ VolumeScheduling=true|false (ALPHA - default=false)
--watch-cache-sizes strings List of watch cache sizes for every resource (pods, nodes, etc.), comma separated. The individual override format: resource[.group]#size, where resource is lowercase plural (no version), group is optional, and size is a number. It takes effect when watch-cache is enabled. Some resources (replicationcontrollers, endpoints, nodes, pods, services, apiservices.apiregistration.k8s.io) have system defaults set by heuristics, others default to default-watch-cache-size
```
-###### Auto generated by spf13/cobra on 25-Mar-2018
+###### Auto generated by spf13/cobra on 24-Sep-2018
diff --git a/content/en/docs/reference/command-line-tools-reference/federation-controller-manager.md b/content/en/docs/reference/command-line-tools-reference/federation-controller-manager.md
index f3d841a1c8e9a..a6527d97f61a4 100644
--- a/content/en/docs/reference/command-line-tools-reference/federation-controller-manager.md
+++ b/content/en/docs/reference/command-line-tools-reference/federation-controller-manager.md
@@ -1,8 +1,3 @@
----
-title: federation-controller-manager
-notitle: true
-weight: 110
----
## federation-controller-manager
@@ -56,4 +51,4 @@ federation-controller-manager [flags]
--zone-name string Zone name, like example.com.
```
-###### Auto generated by spf13/cobra on 25-Mar-2018
+###### Auto generated by spf13/cobra on 24-Sep-2018
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md b/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md
index da2e787ffcf98..0bc8a51723f22 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-apiserver.md
@@ -70,21 +70,21 @@ kube-apiserver [flags]
- --audit-log-batch-max-size int Default: 400 |
+ --audit-log-batch-max-size int Default: 1 |
| The maximum size of a batch. Only used in batch mode. |
- --audit-log-batch-max-wait duration Default: 30s |
+ --audit-log-batch-max-wait duration |
| The amount of time to wait before force writing the batch that hadn't reached the max size. Only used in batch mode. |
- --audit-log-batch-throttle-burst int Default: 15 |
+ --audit-log-batch-throttle-burst int |
| Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before. Only used in batch mode. |
@@ -98,7 +98,7 @@ kube-apiserver [flags]
- --audit-log-batch-throttle-qps float32 Default: 10 |
+ --audit-log-batch-throttle-qps float32 |
| Maximum average number of batches per second. Only used in batch mode. |
@@ -108,7 +108,7 @@ kube-apiserver [flags]
--audit-log-format string Default: "json" |
- | Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Requires the 'AdvancedAuditing' feature gate. Known formats are legacy,json. |
+ | Format of saved audits. "legacy" indicates 1-line text format for each event. "json" indicates structured json format. Known formats are legacy,json. |
@@ -164,7 +164,7 @@ kube-apiserver [flags]
--audit-log-truncate-max-event-size int Default: 102400 |
- | Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, andif this doesn't reduce the size enough, event is discarded. |
+ | Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded. |
@@ -178,7 +178,7 @@ kube-apiserver [flags]
--audit-policy-file string |
- | Path to the file that defines the audit policy configuration. Requires the 'AdvancedAuditing' feature gate. With AdvancedAuditing, a profile is required to enable auditing. |
+ | Path to the file that defines the audit policy configuration. |
@@ -227,7 +227,7 @@ kube-apiserver [flags]
--audit-webhook-config-file string |
- | Path to a kubeconfig formatted file that defines the audit webhook configuration. Requires the 'AdvancedAuditing' feature gate. |
+ | Path to a kubeconfig formatted file that defines the audit webhook configuration. |
@@ -262,7 +262,7 @@ kube-apiserver [flags]
--audit-webhook-truncate-max-event-size int Default: 102400 |
- | Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, andif this doesn't reduce the size enough, event is discarded. |
+ | Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded. |
@@ -409,21 +409,21 @@ kube-apiserver [flags]
--disable-admission-plugins stringSlice |
- | admission plugins that should be disabled although they are in the default enabled plugins list. Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, Initializers, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter. |
+ | admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, Priority, DefaultTolerationSeconds, DefaultStorageClass, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, Initializers, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter. |
--enable-admission-plugins stringSlice |
- | admission plugins that should be enabled in addition to default enabled ones. Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, Initializers, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter. |
+ | admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, Priority, DefaultTolerationSeconds, DefaultStorageClass, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, Initializers, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter. |
--enable-aggregator-routing |
- | Turns on aggregator routing requests to endoints IP rather than cluster IP. |
+ | Turns on aggregator routing requests to endpoints IP rather than cluster IP. |
@@ -542,7 +542,7 @@ kube-apiserver [flags]
--feature-gates mapStringBool |
- | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIResponseCompression=true|false (ALPHA - default=false) AdvancedAuditing=true|false (BETA - default=true) AllAlpha=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) AttachVolumeLimit=true|false (ALPHA - default=false) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BlockVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIBlockVolume=true|false (ALPHA - default=false) CSIPersistentVolume=true|false (BETA - default=true) CustomPodDNS=true|false (BETA - default=true) CustomResourceSubresources=true|false (BETA - default=true) CustomResourceValidation=true|false (BETA - default=true) DebugContainers=true|false (ALPHA - default=false) DevicePlugins=true|false (BETA - default=true) DynamicKubeletConfig=true|false (BETA - default=true) DynamicProvisioningScheduling=true|false (ALPHA - default=false) EnableEquivalenceClassCache=true|false (ALPHA - default=false) ExpandInUsePersistentVolumes=true|false (ALPHA - default=false) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GCERegionalPersistentDisk=true|false (BETA - default=true) HugePages=true|false (BETA - default=true) HyperVContainer=true|false (ALPHA - default=false) Initializers=true|false (ALPHA - default=false) KubeletPluginsWatcher=true|false (ALPHA - default=false) LocalStorageCapacityIsolation=true|false (BETA - default=true) MountContainers=true|false (ALPHA - default=false) MountPropagation=true|false (BETA - default=true) PersistentLocalVolumes=true|false (BETA - default=true) PodPriority=true|false (BETA - default=true) PodReadinessGates=true|false (BETA - default=false) 
PodShareProcessNamespace=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) ReadOnlyAPIDataVolumes=true|false (DEPRECATED - default=true) ResourceLimitsPriorityFunction=true|false (ALPHA - default=false) ResourceQuotaScopeSelectors=true|false (ALPHA - default=false) RotateKubeletClientCertificate=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (ALPHA - default=false) RunAsGroup=true|false (ALPHA - default=false) ScheduleDaemonSetPods=true|false (ALPHA - default=false) ServiceNodeExclusion=true|false (ALPHA - default=false) ServiceProxyAllowExternalIPs=true|false (DEPRECATED - default=false) StorageObjectInUseProtection=true|false (default=true) StreamingProxyRedirects=true|false (BETA - default=true) SupportIPVSProxyMode=true|false (default=true) SupportPodPidsLimit=true|false (ALPHA - default=false) Sysctls=true|false (BETA - default=true) TaintBasedEvictions=true|false (ALPHA - default=false) TaintNodesByCondition=true|false (ALPHA - default=false) TokenRequest=true|false (ALPHA - default=false) TokenRequestProjection=true|false (ALPHA - default=false) VolumeScheduling=true|false (BETA - default=true) VolumeSubpath=true|false (default=true) VolumeSubpathEnvExpansion=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIResponseCompression=true|false (ALPHA - default=false) AllAlpha=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) AttachVolumeLimit=true|false (BETA - default=false) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BlockVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIBlockVolume=true|false (ALPHA - default=false) CSIDriverRegistry=true|false (ALPHA - default=false) CSINodeInfo=true|false (ALPHA - default=false) CSIPersistentVolume=true|false (BETA - default=true) CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false) CustomPodDNS=true|false (BETA - default=true) CustomResourceSubresources=true|false (BETA - default=true) CustomResourceValidation=true|false (BETA - default=true) DebugContainers=true|false (ALPHA - default=false) DevicePlugins=true|false (BETA - default=true) DryRun=true|false (ALPHA - default=false) DynamicKubeletConfig=true|false (BETA - default=true) EnableEquivalenceClassCache=true|false (ALPHA - default=false) ExpandInUsePersistentVolumes=true|false (ALPHA - default=false) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GCERegionalPersistentDisk=true|false (BETA - default=true) HugePages=true|false (BETA - default=true) HyperVContainer=true|false (ALPHA - default=false) Initializers=true|false (ALPHA - default=false) KubeletPluginsWatcher=true|false (BETA - default=true) LocalStorageCapacityIsolation=true|false (BETA - default=true) MountContainers=true|false (ALPHA - default=false) NodeLease=true|false (ALPHA - default=false) PersistentLocalVolumes=true|false (BETA - default=true) PodPriority=true|false 
(BETA - default=true) PodReadinessGates=true|false (BETA - default=true) PodShareProcessNamespace=true|false (BETA - default=true) ProcMountType=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) ResourceLimitsPriorityFunction=true|false (ALPHA - default=false) ResourceQuotaScopeSelectors=true|false (BETA - default=true) RotateKubeletClientCertificate=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (BETA - default=true) RunAsGroup=true|false (ALPHA - default=false) RuntimeClass=true|false (ALPHA - default=false) SCTPSupport=true|false (ALPHA - default=false) ScheduleDaemonSetPods=true|false (BETA - default=true) ServiceNodeExclusion=true|false (ALPHA - default=false) StreamingProxyRedirects=true|false (BETA - default=true) SupportPodPidsLimit=true|false (ALPHA - default=false) Sysctls=true|false (BETA - default=true) TTLAfterFinished=true|false (ALPHA - default=false) TaintBasedEvictions=true|false (ALPHA - default=false) TaintNodesByCondition=true|false (BETA - default=true) TokenRequest=true|false (BETA - default=true) TokenRequestProjection=true|false (BETA - default=true) VolumeScheduling=true|false (BETA - default=true) VolumeSnapshotDataSource=true|false (ALPHA - default=false) VolumeSubpathEnvExpansion=true|false (ALPHA - default=false) |
@@ -759,7 +759,7 @@ kube-apiserver [flags]
--requestheader-client-ca-file string |
- | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: do **not** reuse a CA that is used in a different context (for example with --client-ca-file) unless you understand the risks and the mechanisms to protect the CA's usage. Generally it is recommended to not depend on authorization being already done for incoming requests. |
+ | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. |
@@ -794,7 +794,7 @@ kube-apiserver [flags]
--secure-port int Default: 6443 |
- | The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. |
+ | The port on which to serve HTTPS with authentication and authorization.It cannot be switched off with 0. |
@@ -825,6 +825,13 @@ kube-apiserver [flags]
| If true, validate ServiceAccount tokens exist in etcd as part of authentication. |
+
+ --service-account-max-token-expiration duration |
+
+
+ | The maximum validity duration of a token created by the service account token issuer. If an otherwise valid TokenRequest with a validity duration larger than this value is requested, a token will be issued with a validity duration of this value. |
+
+
--service-account-signing-key-file string |
@@ -860,13 +867,6 @@ kube-apiserver [flags]
| The media type to use to store objects in storage. Some resources or storage backends may only support a specific media type and will ignore this setting. |
-
- --storage-versions string Default: "admission.k8s.io/v1beta1, admissionregistration.k8s.io/v1beta1, apps/v1, authentication.k8s.io/v1, authorization.k8s.io/v1, autoscaling/v1, batch/v1, certificates.k8s.io/v1beta1, componentconfig/v1alpha1, events.k8s.io/v1beta1, extensions/v1beta1, imagepolicy.k8s.io/v1alpha1, networking.k8s.io/v1, policy/v1beta1, rbac.authorization.k8s.io/v1, scheduling.k8s.io/v1beta1, settings.k8s.io/v1alpha1, storage.k8s.io/v1, v1" |
-
-
- | The per-group version to store resources in. Specified in the format "group1/version1,group2/version2,...". In the case where objects are moved from one group to the other, you may specify the format "group1=group2/v1beta1,group3/v1beta1,...". You only need to pass the groups you wish to change from the defaults. It defaults to a list of preferred versions of all known groups. |
-
-
--target-ram-mb int |
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md b/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md
index be3aa7a122f7f..55d4404c6cbd1 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-controller-manager.md
@@ -32,24 +32,66 @@ kube-controller-manager [flags]
- --address ip Default: 0.0.0.0 |
+ --allocate-node-cidrs |
- | DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). See --bind-address instead. |
+ | Should CIDRs for Pods be allocated and set on the cloud provider. |
- --allocate-node-cidrs |
+ --attach-detach-reconcile-sync-period duration Default: 1m0s |
- | Should CIDRs for Pods be allocated and set on the cloud provider. |
+ | The reconciler sync wait time between volume attach detach. This duration must be larger than one second, and increasing this value from the default may allow for volumes to be mismatched with pods. |
- --attach-detach-reconcile-sync-period duration Default: 1m0s |
+ --authentication-kubeconfig string |
- | The reconciler sync wait time between volume attach detach. This duration must be larger than one second, and increasing this value from the default may allow for volumes to be mismatched with pods. |
+ | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenaccessreviews.authentication.k8s.io. This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster. |
+
+
+
+ --authentication-skip-lookup |
+
+
+ | If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster. |
+
+
+
+ --authentication-token-webhook-cache-ttl duration Default: 10s |
+
+
+ | The duration to cache responses from the webhook token authenticator. |
+
+
+
+ --authorization-always-allow-paths stringSlice Default: [/healthz] |
+
+
+ | A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server. |
+
+
+
+ --authorization-kubeconfig string |
+
+
+ | kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io. This is optional. If empty, all requests not skipped by authorization are forbidden. |
+
+
+
+ --authorization-webhook-cache-authorized-ttl duration Default: 10s |
+
+
+ | The duration to cache 'authorized' responses from the webhook authorizer. |
+
+
+
+ --authorization-webhook-cache-unauthorized-ttl duration Default: 10s |
+
+
+ | The duration to cache 'unauthorized' responses from the webhook authorizer. |
@@ -80,6 +122,13 @@ kube-controller-manager [flags]
| Type of CIDR allocator to use |
+
+ --client-ca-file string |
+
+
+ | If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. |
+
+
--cloud-config string |
@@ -178,6 +227,13 @@ kube-controller-manager [flags]
| The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load |
+
+ --concurrent-ttl-after-finished-syncs int32 Default: 5 |
+
+
+ | The number of TTL-after-finished controller workers that are allowed to sync concurrently. |
+
+
--concurrent_rc_syncs int32 Default: 5 |
@@ -210,7 +266,7 @@ kube-controller-manager [flags]
--controllers stringSlice Default: [*] |
- | A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'. All controllers: attachdetach, bootstrapsigner, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl Disabled-by-default controllers: bootstrapsigner, tokencleaner |
+ | A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'. All controllers: attachdetach, bootstrapsigner, clusterrole-aggregation, cronjob, csrapproving, csrcleaner, csrsigning, daemonset, deployment, disruption, endpoint, garbagecollector, horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished Disabled-by-default controllers: bootstrapsigner, tokencleaner |
@@ -273,7 +329,7 @@ kube-controller-manager [flags]
--feature-gates mapStringBool |
- | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIResponseCompression=true|false (ALPHA - default=false) AdvancedAuditing=true|false (BETA - default=true) AllAlpha=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) AttachVolumeLimit=true|false (ALPHA - default=false) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BlockVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIBlockVolume=true|false (ALPHA - default=false) CSIPersistentVolume=true|false (BETA - default=true) CustomPodDNS=true|false (BETA - default=true) CustomResourceSubresources=true|false (BETA - default=true) CustomResourceValidation=true|false (BETA - default=true) DebugContainers=true|false (ALPHA - default=false) DevicePlugins=true|false (BETA - default=true) DynamicKubeletConfig=true|false (BETA - default=true) DynamicProvisioningScheduling=true|false (ALPHA - default=false) EnableEquivalenceClassCache=true|false (ALPHA - default=false) ExpandInUsePersistentVolumes=true|false (ALPHA - default=false) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GCERegionalPersistentDisk=true|false (BETA - default=true) HugePages=true|false (BETA - default=true) HyperVContainer=true|false (ALPHA - default=false) Initializers=true|false (ALPHA - default=false) KubeletPluginsWatcher=true|false (ALPHA - default=false) LocalStorageCapacityIsolation=true|false (BETA - default=true) MountContainers=true|false (ALPHA - default=false) MountPropagation=true|false (BETA - default=true) PersistentLocalVolumes=true|false (BETA - default=true) PodPriority=true|false (BETA - default=true) PodReadinessGates=true|false (BETA - default=false) 
PodShareProcessNamespace=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) ReadOnlyAPIDataVolumes=true|false (DEPRECATED - default=true) ResourceLimitsPriorityFunction=true|false (ALPHA - default=false) ResourceQuotaScopeSelectors=true|false (ALPHA - default=false) RotateKubeletClientCertificate=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (ALPHA - default=false) RunAsGroup=true|false (ALPHA - default=false) ScheduleDaemonSetPods=true|false (ALPHA - default=false) ServiceNodeExclusion=true|false (ALPHA - default=false) ServiceProxyAllowExternalIPs=true|false (DEPRECATED - default=false) StorageObjectInUseProtection=true|false (default=true) StreamingProxyRedirects=true|false (BETA - default=true) SupportIPVSProxyMode=true|false (default=true) SupportPodPidsLimit=true|false (ALPHA - default=false) Sysctls=true|false (BETA - default=true) TaintBasedEvictions=true|false (ALPHA - default=false) TaintNodesByCondition=true|false (ALPHA - default=false) TokenRequest=true|false (ALPHA - default=false) TokenRequestProjection=true|false (ALPHA - default=false) VolumeScheduling=true|false (BETA - default=true) VolumeSubpath=true|false (default=true) VolumeSubpathEnvExpansion=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIResponseCompression=true|false (ALPHA - default=false) AllAlpha=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) AttachVolumeLimit=true|false (BETA - default=false) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BlockVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIBlockVolume=true|false (ALPHA - default=false) CSIDriverRegistry=true|false (ALPHA - default=false) CSINodeInfo=true|false (ALPHA - default=false) CSIPersistentVolume=true|false (BETA - default=true) CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false) CustomPodDNS=true|false (BETA - default=true) CustomResourceSubresources=true|false (BETA - default=true) CustomResourceValidation=true|false (BETA - default=true) DebugContainers=true|false (ALPHA - default=false) DevicePlugins=true|false (BETA - default=true) DryRun=true|false (ALPHA - default=false) DynamicKubeletConfig=true|false (BETA - default=true) EnableEquivalenceClassCache=true|false (ALPHA - default=false) ExpandInUsePersistentVolumes=true|false (ALPHA - default=false) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GCERegionalPersistentDisk=true|false (BETA - default=true) HugePages=true|false (BETA - default=true) HyperVContainer=true|false (ALPHA - default=false) Initializers=true|false (ALPHA - default=false) KubeletPluginsWatcher=true|false (BETA - default=true) LocalStorageCapacityIsolation=true|false (BETA - default=true) MountContainers=true|false (ALPHA - default=false) NodeLease=true|false (ALPHA - default=false) PersistentLocalVolumes=true|false (BETA - default=true) PodPriority=true|false 
(BETA - default=true) PodReadinessGates=true|false (BETA - default=true) PodShareProcessNamespace=true|false (BETA - default=true) ProcMountType=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) ResourceLimitsPriorityFunction=true|false (ALPHA - default=false) ResourceQuotaScopeSelectors=true|false (BETA - default=true) RotateKubeletClientCertificate=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (BETA - default=true) RunAsGroup=true|false (ALPHA - default=false) RuntimeClass=true|false (ALPHA - default=false) SCTPSupport=true|false (ALPHA - default=false) ScheduleDaemonSetPods=true|false (BETA - default=true) ServiceNodeExclusion=true|false (ALPHA - default=false) StreamingProxyRedirects=true|false (BETA - default=true) SupportPodPidsLimit=true|false (ALPHA - default=false) Sysctls=true|false (BETA - default=true) TTLAfterFinished=true|false (ALPHA - default=false) TaintBasedEvictions=true|false (ALPHA - default=false) TaintNodesByCondition=true|false (BETA - default=true) TokenRequest=true|false (BETA - default=true) TokenRequestProjection=true|false (BETA - default=true) VolumeScheduling=true|false (BETA - default=true) VolumeSnapshotDataSource=true|false (ALPHA - default=false) VolumeSubpathEnvExpansion=true|false (ALPHA - default=false) |
@@ -291,38 +347,38 @@ kube-controller-manager [flags]
- --horizontal-pod-autoscaler-downscale-delay duration Default: 5m0s |
+ --horizontal-pod-autoscaler-cpu-initialization-period duration Default: 5m0s |
- | The period since last downscale, before another downscale can be performed in horizontal pod autoscaler. |
+ | The period after pod start when CPU samples might be skipped. |
- --horizontal-pod-autoscaler-sync-period duration Default: 30s |
+ --horizontal-pod-autoscaler-downscale-stabilization duration Default: 5m0s |
- | The period for syncing the number of pods in horizontal pod autoscaler. |
+ | The period for which autoscaler will look backwards and not scale down below any recommendation it made during that period. |
- --horizontal-pod-autoscaler-tolerance float Default: 0.1 |
+ --horizontal-pod-autoscaler-initial-readiness-delay duration Default: 30s |
- | The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling. |
+ | The period after pod start during which readiness changes will be treated as initial readiness. |
- --horizontal-pod-autoscaler-upscale-delay duration Default: 3m0s |
+ --horizontal-pod-autoscaler-sync-period duration Default: 15s |
- | The period since last upscale, before another upscale can be performed in horizontal pod autoscaler. |
+ | The period for syncing the number of pods in horizontal pod autoscaler. |
- --horizontal-pod-autoscaler-use-rest-clients Default: true |
+ --horizontal-pod-autoscaler-tolerance float Default: 0.1 |
- | If set to true, causes the horizontal pod autoscaler controller to use REST clients through the kube-aggregator, instead of using the legacy metrics client through the API server proxy. This is required for custom metrics support in the horizontal pod autoscaler. |
+ | The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling. |
@@ -479,13 +535,6 @@ kube-controller-manager [flags]
| The grace period for deleting pods on failed nodes. |
-
- --port int Default: 10252 |
-
-
- | DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve HTTPS at all. See --secure-port instead. |
-
-
--profiling |
@@ -542,6 +591,41 @@ kube-controller-manager [flags]
| The period for syncing persistent volumes and persistent volume claims |
+
+ --requestheader-allowed-names stringSlice |
+
+
+ | List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed. |
+
+
+
+ --requestheader-client-ca-file string |
+
+
+ | Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests. |
+
+
+
+ --requestheader-extra-headers-prefix stringSlice Default: [x-remote-extra-] |
+
+
+ | List of request header prefixes to inspect. X-Remote-Extra- is suggested. |
+
+
+
+ --requestheader-group-headers stringSlice Default: [x-remote-group] |
+
+
+ | List of request headers to inspect for groups. X-Remote-Group is suggested. |
+
+
+
+ --requestheader-username-headers stringSlice Default: [x-remote-user] |
+
+
+ | List of request headers to inspect for usernames. X-Remote-User is common. |
+
+
--resource-quota-sync-period duration Default: 5m0s |
@@ -571,10 +655,17 @@ kube-controller-manager [flags]
- --secure-port int |
+ --secure-port int Default: 10257 |
+
+
+ | The port on which to serve HTTPS with authentication and authorization.If 0, don't serve HTTPS at all. |
+
+
+
+ --service-account-private-key-file string |
- | The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. |
+ | Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens. |
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-proxy.md b/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
index 848eaf3994009..802edd5169084 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
@@ -11,7 +11,7 @@ notitle: true
The Kubernetes network proxy runs on each node. This
reflects services as defined in the Kubernetes API on each node and can do simple
-TCP and UDP stream forwarding or round robin TCP and UDP forwarding across a set of backends.
+TCP, UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP forwarding across a set of backends.
Service cluster IPs and ports are currently found through Docker-links-compatible
environment variables specifying ports opened by the service proxy. There is an optional
addon that provides cluster DNS for these cluster IPs. The user must create a service
@@ -111,7 +111,7 @@ kube-proxy [flags]
--feature-gates mapStringBool |
- | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIResponseCompression=true|false (ALPHA - default=false) AdvancedAuditing=true|false (BETA - default=true) AllAlpha=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) AttachVolumeLimit=true|false (ALPHA - default=false) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BlockVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIBlockVolume=true|false (ALPHA - default=false) CSIPersistentVolume=true|false (BETA - default=true) CustomPodDNS=true|false (BETA - default=true) CustomResourceSubresources=true|false (BETA - default=true) CustomResourceValidation=true|false (BETA - default=true) DebugContainers=true|false (ALPHA - default=false) DevicePlugins=true|false (BETA - default=true) DynamicKubeletConfig=true|false (BETA - default=true) DynamicProvisioningScheduling=true|false (ALPHA - default=false) EnableEquivalenceClassCache=true|false (ALPHA - default=false) ExpandInUsePersistentVolumes=true|false (ALPHA - default=false) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GCERegionalPersistentDisk=true|false (BETA - default=true) HugePages=true|false (BETA - default=true) HyperVContainer=true|false (ALPHA - default=false) Initializers=true|false (ALPHA - default=false) KubeletPluginsWatcher=true|false (ALPHA - default=false) LocalStorageCapacityIsolation=true|false (BETA - default=true) MountContainers=true|false (ALPHA - default=false) MountPropagation=true|false (BETA - default=true) PersistentLocalVolumes=true|false (BETA - default=true) PodPriority=true|false (BETA - default=true) PodReadinessGates=true|false (BETA - default=false) 
PodShareProcessNamespace=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) ReadOnlyAPIDataVolumes=true|false (DEPRECATED - default=true) ResourceLimitsPriorityFunction=true|false (ALPHA - default=false) ResourceQuotaScopeSelectors=true|false (ALPHA - default=false) RotateKubeletClientCertificate=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (ALPHA - default=false) RunAsGroup=true|false (ALPHA - default=false) ScheduleDaemonSetPods=true|false (ALPHA - default=false) ServiceNodeExclusion=true|false (ALPHA - default=false) ServiceProxyAllowExternalIPs=true|false (DEPRECATED - default=false) StorageObjectInUseProtection=true|false (default=true) StreamingProxyRedirects=true|false (BETA - default=true) SupportIPVSProxyMode=true|false (default=true) SupportPodPidsLimit=true|false (ALPHA - default=false) Sysctls=true|false (BETA - default=true) TaintBasedEvictions=true|false (ALPHA - default=false) TaintNodesByCondition=true|false (ALPHA - default=false) TokenRequest=true|false (ALPHA - default=false) TokenRequestProjection=true|false (ALPHA - default=false) VolumeScheduling=true|false (BETA - default=true) VolumeSubpath=true|false (default=true) VolumeSubpathEnvExpansion=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIResponseCompression=true|false (ALPHA - default=false) AllAlpha=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) AttachVolumeLimit=true|false (BETA - default=false) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BlockVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIBlockVolume=true|false (ALPHA - default=false) CSIDriverRegistry=true|false (ALPHA - default=false) CSINodeInfo=true|false (ALPHA - default=false) CSIPersistentVolume=true|false (BETA - default=true) CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false) CustomPodDNS=true|false (BETA - default=true) CustomResourceSubresources=true|false (BETA - default=true) CustomResourceValidation=true|false (BETA - default=true) DebugContainers=true|false (ALPHA - default=false) DevicePlugins=true|false (BETA - default=true) DryRun=true|false (ALPHA - default=false) DynamicKubeletConfig=true|false (BETA - default=true) EnableEquivalenceClassCache=true|false (ALPHA - default=false) ExpandInUsePersistentVolumes=true|false (ALPHA - default=false) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GCERegionalPersistentDisk=true|false (BETA - default=true) HugePages=true|false (BETA - default=true) HyperVContainer=true|false (ALPHA - default=false) Initializers=true|false (ALPHA - default=false) KubeletPluginsWatcher=true|false (BETA - default=true) LocalStorageCapacityIsolation=true|false (BETA - default=true) MountContainers=true|false (ALPHA - default=false) NodeLease=true|false (ALPHA - default=false) PersistentLocalVolumes=true|false (BETA - default=true) PodPriority=true|false 
(BETA - default=true) PodReadinessGates=true|false (BETA - default=true) PodShareProcessNamespace=true|false (BETA - default=true) ProcMountType=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) ResourceLimitsPriorityFunction=true|false (ALPHA - default=false) ResourceQuotaScopeSelectors=true|false (BETA - default=true) RotateKubeletClientCertificate=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (BETA - default=true) RunAsGroup=true|false (ALPHA - default=false) RuntimeClass=true|false (ALPHA - default=false) SCTPSupport=true|false (ALPHA - default=false) ScheduleDaemonSetPods=true|false (BETA - default=true) ServiceNodeExclusion=true|false (ALPHA - default=false) StreamingProxyRedirects=true|false (BETA - default=true) SupportPodPidsLimit=true|false (ALPHA - default=false) Sysctls=true|false (BETA - default=true) TTLAfterFinished=true|false (ALPHA - default=false) TaintBasedEvictions=true|false (ALPHA - default=false) TaintNodesByCondition=true|false (BETA - default=true) TokenRequest=true|false (BETA - default=true) TokenRequestProjection=true|false (BETA - default=true) VolumeScheduling=true|false (BETA - default=true) VolumeSnapshotDataSource=true|false (ALPHA - default=false) VolumeSubpathEnvExpansion=true|false (ALPHA - default=false) |
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md b/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md
index 382ba3784b36f..fc52d55775875 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-scheduler.md
@@ -69,7 +69,7 @@ kube-scheduler [flags]
--feature-gates mapStringBool |
- | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIResponseCompression=true|false (ALPHA - default=false) AdvancedAuditing=true|false (BETA - default=true) AllAlpha=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) AttachVolumeLimit=true|false (ALPHA - default=false) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BlockVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIBlockVolume=true|false (ALPHA - default=false) CSIPersistentVolume=true|false (BETA - default=true) CustomPodDNS=true|false (BETA - default=true) CustomResourceSubresources=true|false (BETA - default=true) CustomResourceValidation=true|false (BETA - default=true) DebugContainers=true|false (ALPHA - default=false) DevicePlugins=true|false (BETA - default=true) DynamicKubeletConfig=true|false (BETA - default=true) DynamicProvisioningScheduling=true|false (ALPHA - default=false) EnableEquivalenceClassCache=true|false (ALPHA - default=false) ExpandInUsePersistentVolumes=true|false (ALPHA - default=false) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GCERegionalPersistentDisk=true|false (BETA - default=true) HugePages=true|false (BETA - default=true) HyperVContainer=true|false (ALPHA - default=false) Initializers=true|false (ALPHA - default=false) KubeletPluginsWatcher=true|false (ALPHA - default=false) LocalStorageCapacityIsolation=true|false (BETA - default=true) MountContainers=true|false (ALPHA - default=false) MountPropagation=true|false (BETA - default=true) PersistentLocalVolumes=true|false (BETA - default=true) PodPriority=true|false (BETA - default=true) PodReadinessGates=true|false (BETA - default=false) 
PodShareProcessNamespace=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) ReadOnlyAPIDataVolumes=true|false (DEPRECATED - default=true) ResourceLimitsPriorityFunction=true|false (ALPHA - default=false) ResourceQuotaScopeSelectors=true|false (ALPHA - default=false) RotateKubeletClientCertificate=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (ALPHA - default=false) RunAsGroup=true|false (ALPHA - default=false) ScheduleDaemonSetPods=true|false (ALPHA - default=false) ServiceNodeExclusion=true|false (ALPHA - default=false) ServiceProxyAllowExternalIPs=true|false (DEPRECATED - default=false) StorageObjectInUseProtection=true|false (default=true) StreamingProxyRedirects=true|false (BETA - default=true) SupportIPVSProxyMode=true|false (default=true) SupportPodPidsLimit=true|false (ALPHA - default=false) Sysctls=true|false (BETA - default=true) TaintBasedEvictions=true|false (ALPHA - default=false) TaintNodesByCondition=true|false (ALPHA - default=false) TokenRequest=true|false (ALPHA - default=false) TokenRequestProjection=true|false (ALPHA - default=false) VolumeScheduling=true|false (BETA - default=true) VolumeSubpath=true|false (default=true) VolumeSubpathEnvExpansion=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: APIListChunking=true|false (BETA - default=true) APIResponseCompression=true|false (ALPHA - default=false) AllAlpha=true|false (ALPHA - default=false) AppArmor=true|false (BETA - default=true) AttachVolumeLimit=true|false (BETA - default=false) BalanceAttachedNodeVolumes=true|false (ALPHA - default=false) BlockVolume=true|false (ALPHA - default=false) CPUManager=true|false (BETA - default=true) CRIContainerLogRotation=true|false (BETA - default=true) CSIBlockVolume=true|false (ALPHA - default=false) CSIDriverRegistry=true|false (ALPHA - default=false) CSINodeInfo=true|false (ALPHA - default=false) CSIPersistentVolume=true|false (BETA - default=true) CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false) CustomPodDNS=true|false (BETA - default=true) CustomResourceSubresources=true|false (BETA - default=true) CustomResourceValidation=true|false (BETA - default=true) DebugContainers=true|false (ALPHA - default=false) DevicePlugins=true|false (BETA - default=true) DryRun=true|false (ALPHA - default=false) DynamicKubeletConfig=true|false (BETA - default=true) EnableEquivalenceClassCache=true|false (ALPHA - default=false) ExpandInUsePersistentVolumes=true|false (ALPHA - default=false) ExpandPersistentVolumes=true|false (BETA - default=true) ExperimentalCriticalPodAnnotation=true|false (ALPHA - default=false) ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false) GCERegionalPersistentDisk=true|false (BETA - default=true) HugePages=true|false (BETA - default=true) HyperVContainer=true|false (ALPHA - default=false) Initializers=true|false (ALPHA - default=false) KubeletPluginsWatcher=true|false (BETA - default=true) LocalStorageCapacityIsolation=true|false (BETA - default=true) MountContainers=true|false (ALPHA - default=false) NodeLease=true|false (ALPHA - default=false) PersistentLocalVolumes=true|false (BETA - default=true) PodPriority=true|false 
(BETA - default=true) PodReadinessGates=true|false (BETA - default=true) PodShareProcessNamespace=true|false (BETA - default=true) ProcMountType=true|false (ALPHA - default=false) QOSReserved=true|false (ALPHA - default=false) ResourceLimitsPriorityFunction=true|false (ALPHA - default=false) ResourceQuotaScopeSelectors=true|false (BETA - default=true) RotateKubeletClientCertificate=true|false (BETA - default=true) RotateKubeletServerCertificate=true|false (BETA - default=true) RunAsGroup=true|false (ALPHA - default=false) RuntimeClass=true|false (ALPHA - default=false) SCTPSupport=true|false (ALPHA - default=false) ScheduleDaemonSetPods=true|false (BETA - default=true) ServiceNodeExclusion=true|false (ALPHA - default=false) StreamingProxyRedirects=true|false (BETA - default=true) SupportPodPidsLimit=true|false (ALPHA - default=false) Sysctls=true|false (BETA - default=true) TTLAfterFinished=true|false (ALPHA - default=false) TaintBasedEvictions=true|false (ALPHA - default=false) TaintNodesByCondition=true|false (BETA - default=true) TokenRequest=true|false (BETA - default=true) TokenRequestProjection=true|false (BETA - default=true) VolumeScheduling=true|false (BETA - default=true) VolumeSnapshotDataSource=true|false (ALPHA - default=false) VolumeSubpathEnvExpansion=true|false (ALPHA - default=false) |
diff --git a/content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md b/content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md
index a2a84d9ffc52f..192cf963d24a7 100644
--- a/content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md
+++ b/content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md
@@ -1,17 +1,20 @@
---
reviewers:
-- ericchiang
- mikedanese
-- jcbsmpsn
+- liggitt
+- smarterclayton
+- awly
title: TLS bootstrapping
content_template: templates/concept
---
{{% capture overview %}}
-This document describes how to set up TLS client certificate bootstrapping for kubelets.
-Kubernetes 1.4 introduced an API for requesting certificates from a cluster-level Certificate Authority (CA). The original intent of this API is to enable provisioning of TLS client certificates for kubelets. The proposal can be found [here](https://github.com/kubernetes/kubernetes/pull/20439)
-and progress on the feature is being tracked as [feature #43](https://github.com/kubernetes/features/issues/43).
+This document describes how to set up TLS client certificate bootstrapping for
+kubelets. Kubernetes 1.4 introduced an API for requesting certificates from a
+cluster-level Certificate Authority (CA). The original intent of this API is to
+enable provisioning of TLS client certificates for kubelets. The proposal can be
+found [here](https://github.com/kubernetes/kubernetes/pull/20439).
{{% /capture %}}
@@ -19,53 +22,76 @@ and progress on the feature is being tracked as [feature #43](https://github.com
## kube-apiserver configuration
-The API server should be configured with an [authenticator](/docs/reference/access-authn-authz/authentication/) that can authenticate tokens as a user in the `system:bootstrappers` group.
+The API server should be configured with an
+[authenticator](/docs/reference/access-authn-authz/authentication/) that can
+authenticate tokens as a user in the `system:bootstrappers` group.
-This group will later be used in the controller-manager configuration to scope approvals in the default approval
-controller. As this feature matures, you should ensure tokens are bound to a Role-Based Access Control (RBAC) policy which limits requests
-(using the bootstrap token) strictly to client requests related to certificate provisioning. With RBAC in place, scoping the tokens to a group allows for great flexibility (e.g. you could disable a particular bootstrap group's access when you are done provisioning the nodes).
+This group will later be used in the controller-manager configuration to scope
+approvals in the default approval controller. As this feature matures, you
+should ensure tokens are bound to a Role Based Access Control (RBAC) policy
+which limits requests (using the [bootstrap
+token](/docs/reference/access-authn-authz/bootstrap-tokens/)) strictly to client
+requests related to certificate provisioning. With RBAC in place, scoping the
+tokens to a group allows for great flexibility (e.g. you could disable a
+particular bootstrap group's access when you are done provisioning the nodes).
-While any authentication strategy can be used for the kubelet's initial bootstrap credentials, the following two authenticators are recommended for ease of provisioning.
+While any authentication strategy can be used for the kubelet's initial
+bootstrap credentials, the following two authenticators are recommended for ease
+of provisioning.
1. [Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) - __beta__
2. [Token authentication file](#token-authentication-file)
-Using bootstrap tokens is currently __beta__ and will simplify the management of bootstrap token management especially in a HA scenario.
+Using bootstrap tokens is currently __beta__ and will simplify the management of
+bootstrap token management especially in a HA scenario.
### Token authentication file
-Tokens are arbitrary but should represent at least 128 bits of entropy derived from a secure random number
-generator (such as /dev/urandom on most modern systems). There are multiple ways you can generate a token. For example:
+
+Tokens are arbitrary but should represent at least 128 bits of entropy derived
+from a secure random number generator (such as /dev/urandom on most modern Linux
+systems). There are multiple ways you can generate a token. For example:
```
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
```
-will generate tokens that look like `02b50b05283e98dd0fd71db496ef01e8`
+will generate tokens that look like `02b50b05283e98dd0fd71db496ef01e8`.
-The token file should look like the following example, where the first three values can be anything and the quoted group
-name should be as depicted:
+The token file should look like the following example, where the first three
+values can be anything and the quoted group name should be as depicted:
```
02b50b05283e98dd0fd71db496ef01e8,kubelet-bootstrap,10001,"system:bootstrappers"
```
-Add the `--token-auth-file=FILENAME` flag to the kube-apiserver command (in your systemd unit file perhaps) to enable the token file.
-See docs [here](/docs/reference/access-authn-authz/authentication/#static-token-file) for further details.
+Add the `--token-auth-file=FILENAME` flag to the kube-apiserver command (in your
+systemd unit file perhaps) to enable the token file. See docs
+[here](/docs/reference/access-authn-authz/authentication/#static-token-file) for
+further details.
### Client certificate CA bundle
-Add the `--client-ca-file=FILENAME` flag to the kube-apiserver command to enable client certificate authentication,
-referencing a certificate authority bundle containing the signing certificate (e.g. `--client-ca-file=/var/lib/kubernetes/ca.pem`).
+Add the `--client-ca-file=FILENAME` flag to the kube-apiserver command to enable
+client certificate authentication, referencing a certificate authority bundle
+containing the signing certificate (e.g.
+`--client-ca-file=/var/lib/kubernetes/ca.pem`).
## kube-controller-manager configuration
-The API for requesting certificates adds a certificate-issuing control loop to the Kubernetes Controller Manager. This takes the form of a
-[cfssl](https://blog.cloudflare.com/introducing-cfssl/) local signer using assets on disk. Currently, all certificates issued have one year validity and a default set of key usages.
+
+The API for requesting certificates adds a certificate-issuing control loop to
+the Kubernetes Controller Manager. This takes the form of a
+[cfssl](https://blog.cloudflare.com/introducing-cfssl/) local signer using
+assets on disk. Currently, all certificates issued have one year validity and a
+default set of key usages.
### Signing assets
-You must provide a Certificate Authority in order to provide the cryptographic materials necessary to issue certificates.
-This CA should be trusted by kube-apiserver for authentication with the `--client-ca-file=FILENAME` flag. The management
-of the CA is beyond the scope of this document but it is recommended that you generate a dedicated CA for Kubernetes.
-Both certificate and key are assumed to be PEM-encoded.
+
+You must provide a Certificate Authority in order to provide the cryptographic
+materials necessary to issue certificates. This CA should be trusted by
+kube-apiserver for authentication with the `--client-ca-file=FILENAME` flag. The
+management of the CA is beyond the scope of this document but it is recommended
+that you generate a dedicated CA for Kubernetes. Both certificate and key are
+assumed to be PEM-encoded.
The kube-controller-manager flags are:
@@ -73,31 +99,31 @@ The kube-controller-manager flags are:
--cluster-signing-cert-file="/etc/path/to/kubernetes/ca/ca.crt" --cluster-signing-key-file="/etc/path/to/kubernetes/ca/ca.key"
```
-### Approval controller
+The validity duration of signed certificates can be configured with flag:
-In 1.7 the experimental "group auto approver" controller is dropped in favor of the new `csrapproving` controller
-that ships as part of [kube-controller-manager](/docs/admin/kube-controller-manager/) and is enabled by default.
-The controller uses the [`SubjectAccessReview` API](/docs/reference/access-authn-authz/authorization/#checking-api-access) to determine
-if a given user is authorized to request a CSR, then approves based on the authorization outcome. To prevent
-conflicts with other approvers, the builtin approver doesn't explicitly deny CSRs, only ignoring unauthorized requests.
+```
+--experimental-cluster-signing-duration
+```
-The controller categorizes CSRs into three subresources:
+### SubjectAccessReview Approval Controller
-1. `nodeclient` - a request by a user for a client certificate with `O=system:nodes` and `CN=system:node:(node name)`.
-2. `selfnodeclient` - a node renewing a client certificate with the same `O` and `CN`.
-3. `selfnodeserver` - a node renewing a serving certificate. (ALPHA, requires feature gate)
+The `csrapproving` controller that ships as part of
+[kube-controller-manager](/docs/admin/kube-controller-manager/) and is enabled
+by default. The controller uses the [`SubjectAccessReview`
+API](/docs/reference/access-authn-authz/authorization/#checking-api-access) to
+determine if a given user is authorized to request a CSR, then approves based on
+the authorization outcome. To prevent conflicts with other approvers, the
+builtin approver doesn't explicitly deny CSRs. It only ignores unauthorized
+requests. The controller also prunes expired certificates as part of garbage
+collection.
-The checks to determine if a CSR is a `selfnodeserver` request is currently tied to the kubelet's credential rotation
-implementation, an __alpha__ feature. As such, the definition of `selfnodeserver` will likely change in a future and
-requires the `RotateKubeletServerCertificate` feature gate on the controller manager. The feature progress can be
-tracked at [kubernetes/features#267](https://github.com/kubernetes/features/issues/267).
+The controller categorizes CSRs into three subresources:
-```
---feature-gates=RotateKubeletServerCertificate=true
-```
+1. `nodeclient` - a request by a user for a client certificate with `O=system:nodes` and `CN=system:node:(node name)`.
+2. `selfnodeclient` - a node renewing a client certificate with the same `O` and `CN`. A node can use its existing client certificate to authenticate this request.
-The following RBAC `ClusterRoles` represent the `nodeclient`, `selfnodeclient`, and `selfnodeserver` capabilities. Similar roles
-may be automatically created in future releases.
+The following RBAC `ClusterRoles` represent the `nodeclient` and
+`selfnodeclient`, capabilities.
```yml
# A ClusterRole which instructs the CSR approver to approve a user requesting
@@ -121,36 +147,21 @@ rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/selfnodeclient"]
verbs: ["create"]
----
-# A ClusterRole which instructs the CSR approver to approve a node requesting a
-# serving cert matching its client cert.
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: approve-node-server-renewal-csr
-rules:
-- apiGroups: ["certificates.k8s.io"]
- resources: ["certificatesigningrequests/selfnodeserver"]
- verbs: ["create"]
```
-As of 1.8, equivalent roles to the ones listed above are automatically created as part of the default RBAC roles.
-For 1.8 clusters admins are recommended to bind tokens to the following roles instead of creating their own:
+As of 1.8, equivalent roles to the ones listed above are automatically created
+as part of the default RBAC roles. For 1.8 clusters admins are recommended to
+bind node bootstrap identities to the following roles instead of creating their
+own:
* `system:certificates.k8s.io:certificatesigningrequests:nodeclient`
- Automatically approve CSRs for client certs bound to this role.
* `system:certificates.k8s.io:certificatesigningrequests:selfnodeclient`
- Automatically approve CSRs when a client bound to its role renews its own certificate.
-These powers can be granted to credentials, such as bootstrapping tokens. For example, to replicate the behavior
-provided by the removed auto-approval flag, of approving all CSRs by a single group:
-
-```
-# REMOVED: This flag no longer works as of 1.7.
---insecure-experimental-approve-all-kubelet-csrs-for-group="system:bootstrappers"
-```
-
-An admin would create a `ClusterRoleBinding` targeting that group.
+For example, to grant these permissions to identities attached to bootstrap
+tokens, an admin would create a `ClusterRoleBinding` targeting the
+`system:bootstrappers` group:
```yml
# Approve all CSRs for the group "system:bootstrappers"
@@ -168,8 +179,8 @@ roleRef:
apiGroup: rbac.authorization.k8s.io
```
-To let a node renew its own credentials, an admin can construct a `ClusterRoleBinding` targeting
-that node's credentials:
+To let all nodes renew their own credentials, an admin can create a
+`ClusterRoleBinding` targeting node identities:
```yml
kind: ClusterRoleBinding
@@ -177,8 +188,8 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: node1-client-cert-renewal
subjects:
-- kind: User
- name: system:node:node-1 # Let "node-1" renew its client certificate.
+- kind: Group
+ name: system:nodes
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
@@ -186,18 +197,28 @@ roleRef:
apiGroup: rbac.authorization.k8s.io
```
-Deleting the binding will prevent the node from renewing its client credentials, effectively
-removing it from the cluster once its certificate expires.
-
## kubelet configuration
-To request a client certificate from kube-apiserver, the kubelet first needs a path to a kubeconfig file that contains the
-bootstrap authentication token. You can use `kubectl config set-cluster`, `set-credentials`, and `set-context` to build this kubeconfig. Provide the name `kubelet-bootstrap` to `kubectl config set-credentials` and include `--token=` as follows:
+
+To request a client certificate from kube-apiserver, the kubelet first needs a
+path to a kubeconfig file that contains the credentials for the identity that it
+will use to bootstrap its individual node identity.
+
+If you are using a bootstrap token, you can use `kubectl config set-cluster`,
+`set-credentials`, and `set-context` to build this kubeconfig. Provide the name
+`kubelet-bootstrap` to `kubectl config set-credentials` and include
+`--token=` as follows:
```
kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=bootstrap.kubeconfig
```
-When starting the kubelet, if the file specified by `--kubeconfig` does not exist, the bootstrap kubeconfig is used to request a client certificate from the API server. On approval of the certificate request and receipt back by the kubelet, a kubeconfig file referencing the generated key and obtained certificate is written to the path specified by `--kubeconfig`. The certificate and key file will be placed in the directory specified by `--cert-dir`.
+When starting the kubelet, if the file specified via `--kubeconfig` does not
+exist, the bootstrap kubeconfig specified via `--bootstrap-kubeconfig` is used
+to request a client certificate from the API server. On approval of the
+certificate request and receipt back by the kubelet, a kubeconfig file
+referencing the generated key and obtained certificate is written to the path
+specified by `--kubeconfig`. The certificate and key file will be placed in the
+directory specified by `--cert-dir`.
{{< note >}}
**Note:** The following flags are required to enable this bootstrapping when starting the kubelet:
@@ -207,25 +228,49 @@ When starting the kubelet, if the file specified by `--kubeconfig` does not exis
```
{{< /note >}}
-Additionally, in 1.7 the kubelet implements __alpha__ features for enabling rotation of both its client and/or serving certs.
-These can be enabled through the respective `RotateKubeletClientCertificate` and `RotateKubeletServerCertificate` feature
-flags on the kubelet, but may change in backward incompatible ways in future releases.
+Additionally, in 1.7 the kubelet implements __beta__ features for enabling
+rotation of both its client and/or serving certs. These can be enabled through
+the respective `RotateKubeletClientCertificate` and
+`RotateKubeletServerCertificate` feature flags on the kubelet and are enabled by
+default.
+
+`RotateKubeletClientCertificate` causes the kubelet to rotate its client
+certificates by creating new CSRs as its existing credentials expire. To enable
+this feature pass the following flag to the kubelet:
+
+```
+--rotate-certificates
+```
+
+`RotateKubeletServerCertificate` causes the kubelet to both request a serving
+certificate after bootstrapping its client credentials and to rotate that
+certificate. To enable this feature pass the following flag to the kubelet:
```
---feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true
+--rotate-server-certificates
```
-`RotateKubeletClientCertificate` causes the kubelet to rotate its client certificates by creating new CSRs as its existing
-credentials expire. `RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after
-bootstrapping its client credentials and rotate the certificate. The serving cert currently does not request DNS or IP
-SANs.
+{{< note >}}
+**Note:** The CSR approving controllers implemented in core Kubernetes do not
+approve node serving certificates for [security
+reasons](https://github.com/kubernetes/community/pull/1982). To use
+`RotateKubeletServerCertificate` operators need to run a custom approving
+controller, or manually approve the serving certificate requests.
+{{< /note >}}
## kubectl approval
-The signing controller does not immediately sign all certificate requests. Instead, it waits until they have been flagged with an
-"Approved" status by an appropriately-privileged user. This is intended to eventually be an automated process handled by an external
-approval controller, but for the alpha version of the API it can be done manually by a cluster administrator using kubectl.
-An administrator can list CSRs with `kubectl get csr` and describe one in detail with `kubectl describe csr `. Before the 1.6 release there were
-[no direct approve/deny commands](https://github.com/kubernetes/kubernetes/issues/30163) so an approver had to update
-the Status field directly ([rough how-to](https://github.com/gtank/csrctl)). Later versions of Kubernetes offer `kubectl certificate approve ` and `kubectl certificate deny ` commands.
+
+CSRs can be approved outside of the approval flows builtin to the controller
+manager.
+
+The signing controller does not immediately sign all certificate requests.
+Instead, it waits until they have been flagged with an "Approved" status by an
+appropriately-privileged user. This flow is intended to allow for automated
+approval handled by an external approval controller or the approval controller
+implemented in the core controller-manager. However cluster administrators can
+also manually approve certificate requests using kubectl. An administrator can
+list CSRs with `kubectl get csr` and describe one in detail with `kubectl
+describe csr `. An administrator can approve or deny a CSR with `kubectl
+certificate approve ` and `kubectl certificate deny `.
{{% /capture %}}
diff --git a/content/en/docs/reference/command-line-tools-reference/kubelet.md b/content/en/docs/reference/command-line-tools-reference/kubelet.md
index 9f4902659b748..8102198ef8143 100644
--- a/content/en/docs/reference/command-line-tools-reference/kubelet.md
+++ b/content/en/docs/reference/command-line-tools-reference/kubelet.md
@@ -142,13 +142,6 @@ kubelet [flags]
| Path to a kubeconfig file that will be used to get client certificate for kubelet. If the file specified by --kubeconfig does not exist, the bootstrap kubeconfig is used to request a client certificate from the API server. On success, a kubeconfig file referencing the generated client certificate and key is written to the path specified by --kubeconfig. The client certificate and key file will be stored in the directory pointed by --cert-dir. |
-
- --cadvisor-port int32 |
-
-
- | The port of the localhost cAdvisor endpoint (set to 0 to disable) (default 4194) |
-
-
--cert-dir string |
diff --git a/content/en/docs/reference/glossary/quantity.md b/content/en/docs/reference/glossary/quantity.md
new file mode 100644
index 0000000000000..c0c0edd52b537
--- /dev/null
+++ b/content/en/docs/reference/glossary/quantity.md
@@ -0,0 +1,30 @@
+---
+title: Quantity
+id: quantity
+date: 2018-08-07
+full_link:
+short_description: >
+ A whole-number representation of small or large numbers using SI suffixes.
+
+aka:
+tags:
+---
+ A whole-number representation of small or large numbers using SI suffixes.
+
+
+
+Quantities are representations of small or large numbers using a compact,
+whole-number notation with SI suffixes. Fractional numbers are represented
+using milli-units, while large numbers can be represented using kilo-units,
+mega-units, giga-units, etc.
+
+For instance, the number `1.5` is represented `1500m`, while the number `1000`
+can be represented as `1k`, and `1000000` as `1M`. You can also specify
+binary-notation suffixes; the number 2048 can be written as `2Ki`.
+
+The accepted decimal (power-of-10) units are `m` (milli), `k` (kilo,
+intentionally lowercase), `M` (mega), `G` (giga), `T` (terra), `P` (peta),
+`E` (exa).
+
+The accepted binary (power-of-2) units are `Ki` (kibi), `Mi` (mebi), `Gi` (gibi),
+`Ti` (tebi), `Pi` (pebi), `Ei` (exbi).
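Review bot: In the list of decimal units, `T` (terra) misspells the SI prefix and should read `T` (tera). The front-matter keys `full_link:`, `aka:` and `tags:` are left empty, and the body opens by repeating the `short_description` text. That looks like an unfinished glossary entry or markup that was lost, so it is worth confirming before merge.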
diff --git a/content/en/docs/reference/kubectl/kubectl.md b/content/en/docs/reference/kubectl/kubectl.md
index 923ad9a84c3a6..c32a7cad88a56 100755
--- a/content/en/docs/reference/kubectl/kubectl.md
+++ b/content/en/docs/reference/kubectl/kubectl.md
@@ -2,13 +2,13 @@
title: kubectl
notitle: true
---
-
## kubectl
kubectl controls the Kubernetes cluster manager
### Synopsis
+
kubectl controls the Kubernetes cluster manager.
Find more information at: https://kubernetes.io/docs/reference/kubectl/overview/
@@ -19,35 +19,236 @@ kubectl [flags]
### Options
-```
- --alsologtostderr log to standard error as well as files
- --as string Username to impersonate for the operation
- --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --cache-dir string Default HTTP cache directory (default "/home/username/.kube/http-cache")
- --certificate-authority string Path to a cert file for the certificate authority
- --client-certificate string Path to a client certificate file for TLS
- --client-key string Path to a client key file for TLS
- --cluster string The name of the kubeconfig cluster to use
- --context string The name of the kubeconfig context to use
- -h, --help help for kubectl
- --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig string Path to the kubeconfig file to use for CLI requests.
- --log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0)
- --log-dir string If non-empty, write log files in this directory
- --logtostderr log to standard error instead of files
- --match-server-version Require server version to match client version
- -n, --namespace string If present, the namespace scope for this CLI request
- --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
- -s, --server string The address and port of the Kubernetes API server
- --stderrthreshold severity logs at or above this threshold go to stderr (default 2)
- --token string Bearer token for authentication to the API server
- --user string The name of the kubeconfig user to use
- -v, --v Level log level for V logs
- --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
-```
+
+
+
+
+
+
-### SEE ALSO
+
+ --allow-verification-with-non-compliant-keys |
+
+
+ | Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962. |
+
+
+
+ --alsologtostderr |
+
+
+ | log to standard error as well as files |
+
+
+
+ --as string |
+
+
+ | Username to impersonate for the operation |
+
+
+
+ --as-group stringArray |
+
+
+ | Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
+
+
+
+ --azure-container-registry-config string |
+
+
+ | Path to the file containing Azure container registry configuration information. |
+
+
+
+ --cache-dir string Default: "/Users/zarnold/.kube/http-cache" |
+
+
+ | Default HTTP cache directory |
+
+
+
+ --certificate-authority string |
+
+
+ | Path to a cert file for the certificate authority |
+
+
+
+ --client-certificate string |
+
+
+ | Path to a client certificate file for TLS |
+
+
+
+ --client-key string |
+
+
+ | Path to a client key file for TLS |
+
+
+
+ --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
+
+
+ | CIDRs opened in GCE firewall for LB traffic proxy & health checks |
+
+
+
+ --cluster string |
+
+
+ | The name of the kubeconfig cluster to use |
+
+
+
+ --context string |
+
+
+ | The name of the kubeconfig context to use |
+
+
+
+ --default-not-ready-toleration-seconds int Default: 300 |
+
+
+ | Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
+
+
+
+ --default-unreachable-toleration-seconds int Default: 300 |
+
+
+ | Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
+
+
+
+ -h, --help |
+
+
+ | help for kubectl |
+
+
+
+ --insecure-skip-tls-verify |
+
+
+ | If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
+
+
+ --kubeconfig string |
+
+
+ | Path to the kubeconfig file to use for CLI requests. |
+
+
+
+ --log-backtrace-at traceLocation Default: :0 |
+
+
+ | when logging hits line file:N, emit a stack trace |
+
+
+
+ --log-dir string |
+
+
+ | If non-empty, write log files in this directory |
+
+
+
+ --log-flush-frequency duration Default: 5s |
+
+
+ | Maximum number of seconds between log flushes |
+
+
+
+ --logtostderr Default: true |
+
+
+ | log to standard error instead of files |
+
+
+
+ --match-server-version |
+
+
+ | Require server version to match client version |
+
+
+
+ -n, --namespace string |
+
+
+ | If present, the namespace scope for this CLI request |
+
+
+
+ --request-timeout string Default: "0" |
+
+
+ | The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
+
+
+
+ -s, --server string |
+
+
+ | The address and port of the Kubernetes API server |
+
+
+
+ --stderrthreshold severity Default: 2 |
+
+
+ | logs at or above this threshold go to stderr |
+
+
+
+ --token string |
+
+
+ | Bearer token for authentication to the API server |
+
+
+
+ --user string |
+
+
+ | The name of the kubeconfig user to use |
+
+
+
+ -v, --v Level |
+
+
+ | log level for V logs |
+
+
+
+ --version version[=true] |
+
+
+ | Print version information and quit |
+
+
+
+ --vmodule moduleSpec |
+
+
+ | comma-separated list of pattern=N settings for file-filtered logging |
+
+
+
+
+
+
+
+### SEE ALSO
* [kubectl alpha](kubectl_alpha.md) - Commands for features in alpha
* [kubectl annotate](kubectl_annotate.md) - Update the annotations on a resource
* [kubectl api-resources](kubectl_api-resources.md) - Print the supported API resources on the server
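Review bot: The new `--cache-dir` row gives its default as `"/Users/zarnold/.kube/http-cache"`, a path from the machine the reference was generated on, where the removed listing used the neutral `/home/username/.kube/http-cache`. The generated page should be regenerated or post-processed so the row reads `Default: "$HOME/.kube/http-cache"`, which keeps a contributor's account name and home layout out of the published docs. The table also now lists flags such as `--azure-container-registry-config` and `--cloud-provider-gce-lb-src-cidrs` that were absent from the removed listing. They look as if they were registered by packages linked into the generating binary rather than being kubectl options, so check them against the output of `kubectl options` before publishing.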
@@ -76,7 +277,7 @@ kubectl [flags]
* [kubectl logs](kubectl_logs.md) - Print the logs for a container in a pod
* [kubectl options](kubectl_options.md) - Print the list of flags inherited by all commands
* [kubectl patch](kubectl_patch.md) - Update field(s) of a resource using strategic merge patch
-* [kubectl plugin](kubectl_plugin.md) - Runs a command-line plugin
+* [kubectl plugin](kubectl_plugin.md) - Provides utilities for interacting with plugins.
* [kubectl port-forward](kubectl_port-forward.md) - Forward one or more local ports to a pod
* [kubectl proxy](kubectl_proxy.md) - Run a proxy to the Kubernetes API server
* [kubectl replace](kubectl_replace.md) - Replace a resource by filename or stdin
@@ -88,6 +289,5 @@ kubectl [flags]
* [kubectl top](kubectl_top.md) - Display Resource (CPU/Memory/Storage) usage.
* [kubectl uncordon](kubectl_uncordon.md) - Mark node as schedulable
* [kubectl version](kubectl_version.md) - Print the client and server version information
-* [kubectl wait](kubectl_wait.md) - Experimental: Wait for one condition on one or many resources
+* [kubectl wait](kubectl_wait.md) - Experimental: Wait for a specific condition on one or many resources.
-###### Auto generated by spf13/cobra on 16-Jun-2018
diff --git a/content/en/docs/reference/kubectl/overview.md b/content/en/docs/reference/kubectl/overview.md
index dba8ea36a4e7c..c51c24af3f82d 100644
--- a/content/en/docs/reference/kubectl/overview.md
+++ b/content/en/docs/reference/kubectl/overview.md
@@ -349,6 +349,87 @@ $ kubectl logs
$ kubectl logs -f
```
+## Examples: Creating and using plugins
+
+Use the following set of examples to help you familiarize yourself with writing and using `kubectl` plugins:
+
+```shell
+// create a simple plugin in any language and name the resulting executable file
+// so that it begins with the prefix "kubectl-"
+$ cat ./kubectl-hello
+#!/bin/bash
+
+# this plugin prints the words "hello world"
+echo "hello world"
+
+// with our plugin written, let's make it executable
+$ sudo chmod +x ./kubectl-hello
+
+// and move it to a location in our PATH
+$ sudo mv ./kubectl-hello /usr/local/bin
+
+// we have now created and "installed" a kubectl plugin.
+// we can begin using our plugin by invoking it from kubectl as if it were a regular command
+$ kubectl hello
+hello world
+
+// we can "uninstall" a plugin, by simply removing it from our PATH
+$ sudo rm /usr/local/bin/kubectl-hello
+```
+
+In order to view all of the plugins that are available to `kubectl`, we can use
+the `kubectl plugin list` subcommand:
+
+```shell
+$ kubectl plugin list
+The following kubectl-compatible plugins are available:
+
+/usr/local/bin/kubectl-hello
+/usr/local/bin/kubectl-foo
+/usr/local/bin/kubectl-bar
+
+// this command can also warn us about plugins that are
+// not executable, or that are overshadowed by other
+// plugins, for example
+$ sudo chmod -x /usr/local/bin/kubectl-foo
+$ kubectl plugin list
+The following kubectl-compatible plugins are available:
+
+/usr/local/bin/kubectl-hello
+/usr/local/bin/kubectl-foo
+ - warning: /usr/local/bin/kubectl-foo identified as a plugin, but it is not executable
+/usr/local/bin/kubectl-bar
+
+error: one plugin warning was found
+```
+
+We can think of plugins as a means to build more complex functionality on top
+of the existing kubectl commands:
+
+```shell
+$ cat ./kubectl-whoami
+#!/bin/bash
+
+# this plugin makes use of the `kubectl config` command in order to output
+# information about the current user, based on the currently selected context
+kubectl config view --template='{{ range .contexts }}{{ if eq .name "'$(kubectl config current-context)'" }}Current user: {{ .context.user }}{{ end }}{{ end }}'
+```
+
+Running the above plugin gives us an output containing the user for the currently selected
+context in our KUBECONFIG file:
+
+```shell
+// make the file executable
+$ sudo chmod +x ./kubectl-whoami
+
+// and move it into our PATH
+$ sudo mv ./kubectl-whoami /usr/local/bin
+
+$ kubectl whoami
+Current user: plugins-user
+```
+
+To find out more about plugins, take a look at the [example cli plugin](https://github.com/kubernetes/sample-cli-plugin).
## Next steps
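Review bot: The examples run `sudo chmod +x ./kubectl-hello` and `sudo chmod +x ./kubectl-whoami` on files in the working directory, where root is not needed; `chmod +x ./kubectl-hello` is enough and avoids teaching readers to reach for sudo by habit. Since kubectl runs any executable on PATH whose name begins with `kubectl-`, and a plugin runs with the invoking user's privileges and can read the same kubeconfig (as `kubectl-whoami` shows), the section should add a sentence such as `Only install plugins from sources you trust; a plugin runs with the same access to your cluster credentials as kubectl itself.` The explanatory lines inside the shell fences start with `//`, which is not a shell comment, so they should start with `#` to stay copy-paste safe. In `kubectl-whoami` the context name is spliced unquoted into the template, which breaks on names containing spaces or quotes; `kubectl config view --minify -o jsonpath='{.contexts[0].context.user}'` avoids the substitution.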
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm.md
index 9c36cd372ecc9..66869de837879 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm.md
@@ -53,6 +53,13 @@ Example usage:
| help for kubeadm |
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha.md
index def246a453795..9022c61dbc59d 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha.md
@@ -27,3 +27,24 @@ Experimental sub-commands not yet fully functional.
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase.md
index aa175471cac11..11771b9355c68 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase.md
@@ -27,3 +27,24 @@ This command is not meant to be run on its own. See list of available subcommand
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon.md
index 52689eee0cf6a..834becc463aa5 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon.md
@@ -27,3 +27,24 @@ This command is not meant to be run on its own. See list of available subcommand
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_all.md
index 29655fd8c65ba..f30b47e3235db 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_all.md
@@ -4,7 +4,7 @@ Installs all addons to a Kubernetes cluster
### Synopsis
-Installs the CoreDNS and the kube-proxys addons components via the API server. Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed.
+Installs the CoreDNS and the kube-proxy addons components via the API server. Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed.
Alpha Disclaimer: this command is currently alpha.
@@ -15,7 +15,7 @@ kubeadm alpha phase addon all [flags]
### Examples
```
- # Installs the CoreDNS and the kube-proxys addons components via the API server,
+ # Installs the CoreDNS and the kube-proxy addons components via the API server,
# functionally equivalent to what installed by kubeadm init.
kubeadm alpha phase selfhosting from-staticpods
@@ -55,7 +55,7 @@ kubeadm alpha phase addon all [flags]
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features.Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
@@ -76,11 +76,11 @@ kubeadm alpha phase addon all [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane |
@@ -112,3 +112,24 @@ kubeadm alpha phase addon all [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_coredns.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_coredns.md
index 0c17c292f349c..4387b42f8e0a0 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_coredns.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_coredns.md
@@ -32,7 +32,7 @@ kubeadm alpha phase addon coredns [flags]
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features.Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
@@ -53,11 +53,11 @@ kubeadm alpha phase addon coredns [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane |
@@ -82,3 +82,24 @@ kubeadm alpha phase addon coredns [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-dns.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-dns.md
deleted file mode 100644
index c9be9dc6adb50..0000000000000
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-dns.md
+++ /dev/null
@@ -1,85 +0,0 @@
-
-Installs the kube-dns addon to a Kubernetes cluster
-
-### Synopsis
-
-
-Installs the kube-dns addon components via the API server.
-Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed.
-
-Alpha Disclaimer: this command is currently alpha.
-
-```
-kubeadm alpha phase addon kube-dns [flags]
-```
-
-### Options
-
-
-
-
-
-
-
-
-
- --config string |
-
-
- | Path to a kubeadm config file. WARNING: Usage of a configuration file is experimental! |
-
-
-
- --feature-gates string |
-
-
- | A set of key=value pairs that describe feature gates for various features.Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (BETA - default=false) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
-
-
-
- -h, --help |
-
-
- | help for kube-dns |
-
-
-
- --image-repository string Default: "k8s.gcr.io" |
-
-
- | Choose a container registry to pull control plane images from |
-
-
-
- --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
-
-
- | The KubeConfig file to use when talking to the cluster |
-
-
-
- --kubernetes-version string Default: "stable-1.10" |
-
-
- | Choose a specific Kubernetes version for the control plane |
-
-
-
- --service-cidr string Default: "10.96.0.0/12" |
-
-
- | The range of IP address used for service VIPs |
-
-
-
- --service-dns-domain string Default: "cluster.local" |
-
-
- | Alternative domain for services |
-
-
-
-
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-proxy.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-proxy.md
index 40d91010cbe53..0c36be46766ee 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-proxy.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-proxy.md
@@ -60,11 +60,11 @@ kubeadm alpha phase addon kube-proxy [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane |
@@ -82,3 +82,24 @@ kubeadm alpha phase addon kube-proxy [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token.md
index 491ef4d66c8a8..638eda6f50be2 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token.md
@@ -26,7 +26,28 @@ This command is not meant to be run on its own. See list of available subcommand
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_all.md
index dd131e37d7ac9..0169c68221815 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_all.md
@@ -105,7 +105,14 @@ kubeadm alpha phase bootstrap-token all [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md
index 9e812e091641f..5cc7f3fc05be5 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md
@@ -48,7 +48,14 @@ kubeadm alpha phase bootstrap-token cluster-info [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_create.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_create.md
index d1cdf5d181ec1..aed484bb388ad 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_create.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_create.md
@@ -97,7 +97,14 @@ kubeadm alpha phase bootstrap-token create [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node.md
index 2128d7c290d88..ef5cab6139750 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node.md
@@ -40,7 +40,14 @@ This command is not meant to be run on its own. See list of available subcommand
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md
index 1d04250869bfd..405ece9bce9ab 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md
@@ -48,7 +48,14 @@ kubeadm alpha phase bootstrap-token node allow-auto-approve [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md
index 713644e273b63..8aee98f2ec4f7 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md
@@ -48,7 +48,14 @@ kubeadm alpha phase bootstrap-token node allow-post-csrs [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs.md
index d7ce2c46a039d..56d01fba8e226 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs.md
@@ -27,3 +27,24 @@ This command is not meant to be run on its own. See list of available subcommand
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_all.md
index f40cf7c0544fb..07916e76e8e38 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_all.md
@@ -6,8 +6,7 @@ Generates all PKI assets necessary to establish the control plane
Generates a self-signed CA to provision identities for each component in the cluster (including nodes) and client certificates to be used by various components.
-If a given certificate and private key pair both exist, kubeadm skips the generation step and
-existing files will be used.
+If a given certificate and private key pair both exist, kubeadm skips the generation step and existing files will be used.
Alpha Disclaimer: this command is currently alpha.
@@ -60,7 +59,7 @@ kubeadm alpha phase certs all [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -89,3 +88,24 @@ kubeadm alpha phase certs all [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-etcd-client.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-etcd-client.md
index 0f93b4f2f6fe3..65ef3d793a3da 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-etcd-client.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-etcd-client.md
@@ -1,10 +1,10 @@
-Generates a client certificate for the API server to connect to etcd securely
+Generates the client apiserver uses to access etcd
### Synopsis
-Generates the client certificate for the API server to connect to etcd securely and the respective key, and saves them into apiserver-etcd-client.crt and apiserver-etcd-client.key files.
+Generates the client apiserver uses to access etcd, and saves them into apiserver-etcd-client.cert and apiserver-etcd-client.key files.
If both files already exist, kubeadm skips the generation step and existing files will be used.
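Review bot: The new synopsis says the output is saved to `apiserver-etcd-client.cert`, but the removed line named `apiserver-etcd-client.crt`, which matches the `.crt` extension kubeadm uses for its PKI files. A reader who scripts permission checks or backups against the documented name would miss the real file. The summary line `Generates the client apiserver uses to access etcd` has also lost the word "certificate", so "saves them" no longer has anything to refer to; `Generates the client certificate the apiserver uses to access etcd, and saves it and its key into apiserver-etcd-client.crt and apiserver-etcd-client.key files.` would restore both. The same `.cert` substitution appears in the first hunk of `kubeadm_alpha_phase_certs_apiserver-kubelet-client.md`. As these pages are generated, the wording probably needs correcting in the kubeadm command help as well.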
@@ -34,7 +34,7 @@ kubeadm alpha phase certs apiserver-etcd-client [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -49,3 +49,24 @@ kubeadm alpha phase certs apiserver-etcd-client [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
index 9772c823785c7..37aeb21fb43d8 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
@@ -1,10 +1,10 @@
-Generates a client certificate for the API server to connect to the kubelets securely
+Generates the Client certificate for the API server to connect to kubelet
### Synopsis
-Generates the client certificate for the API server to connect to the kubelet securely and the respective key, and saves them into apiserver-kubelet-client.crt and apiserver-kubelet-client.key files.
+Generates the Client certificate for the API server to connect to kubelet, and saves them into apiserver-kubelet-client.cert and apiserver-kubelet-client.key files.
If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -34,7 +34,7 @@ kubeadm alpha phase certs apiserver-kubelet-client [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -49,3 +49,24 @@ kubeadm alpha phase certs apiserver-kubelet-client [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver.md
index 6fa23650d3603..13f358c12a087 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver.md
@@ -1,12 +1,12 @@
-Generates an API server serving certificate and key
+Generates the certificate for serving the kubernetes API
### Synopsis
-Generates the API server serving certificate and key and saves them into apiserver.crt and apiserver.key files.
+Generates the certificate for serving the kubernetes API, and saves them into apiserver.cert and apiserver.key files.
-The certificate includes default subject alternative names and additional SANs provided by the user; default SANs are: , , kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc. , (that is the .10 address in address space).
+Default SANs are kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, 10.96.0.1, 127.0.0.1
If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -50,7 +50,7 @@ kubeadm alpha phase certs apiserver [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -79,3 +79,24 @@ kubeadm alpha phase certs apiserver [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_ca.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_ca.md
index 2d13b77835581..7f4e19a2d3a38 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_ca.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_ca.md
@@ -1,10 +1,10 @@
-Generates a self-signed kubernetes CA to provision identities for components of the cluster
+Generates the self-signed kubernetes CA to provision identities for other kuberenets components
### Synopsis
-Generates the self-signed kubernetes certificate authority and related key, and saves them into ca.crt and ca.key files.
+Generates the self-signed kubernetes CA to provision identities for other kuberenets components, and saves them into ca.cert and ca.key files.
If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -34,7 +34,7 @@ kubeadm alpha phase certs ca [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -49,3 +49,24 @@ kubeadm alpha phase certs ca [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-ca.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-ca.md
index 23ccb50b8a613..186905c298690 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-ca.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-ca.md
@@ -1,10 +1,10 @@
-Generates a self-signed CA to provision identities for etcd
+Generates the self-signed CA to provision identities for etcd
### Synopsis
-Generates the self-signed etcd certificate authority and related key and saves them into etcd/ca.crt and etcd/ca.key files.
+Generates the self-signed CA to provision identities for etcd, and saves them into etcd/ca.cert and etcd/ca.key files.
If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -34,7 +34,7 @@ kubeadm alpha phase certs etcd-ca [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -49,3 +49,24 @@ kubeadm alpha phase certs etcd-ca [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-healthcheck-client.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-healthcheck-client.md
index fa0abd61cc9cb..fd5b135b02469 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-healthcheck-client.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-healthcheck-client.md
@@ -1,10 +1,10 @@
-Generates a client certificate for liveness probes to healthcheck etcd
+Generates the client certificate for liveness probes to healtcheck etcd
### Synopsis
-Generates the client certificate for liveness probes to healthcheck etcd and the respective key, and saves them into etcd/healthcheck-client.crt and etcd/healthcheck-client.key files.
+Generates the client certificate for liveness probes to healtcheck etcd, and saves them into etcd/healthcheck-client.cert and etcd/healthcheck-client.key files.
If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -34,7 +34,7 @@ kubeadm alpha phase certs etcd-healthcheck-client [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -49,3 +49,24 @@ kubeadm alpha phase certs etcd-healthcheck-client [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-peer.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-peer.md
index 6a02d7f21ff43..d9a73e800a75e 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-peer.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-peer.md
@@ -1,12 +1,12 @@
-Generates an etcd peer certificate and key
+Generates the credentials for etcd nodes to communicate with each other
### Synopsis
-Generates the etcd peer certificate and key and saves them into etcd/peer.crt and etcd/peer.key files.
+Generates the credentials for etcd nodes to communicate with each other, and saves them into etcd/peer.cert and etcd/peer.key files.
-The certificate includes default subject alternative names and additional SANs provided by the user; default SANs are: , .
+Default SANs are localhost, 127.0.0.1, 127.0.0.1, ::1
If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -36,7 +36,7 @@ kubeadm alpha phase certs etcd-peer [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -51,3 +51,24 @@ kubeadm alpha phase certs etcd-peer [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-server.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-server.md
index 9c7d9d95c5d0d..6965eceb66891 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-server.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_etcd-server.md
@@ -1,12 +1,12 @@
-Generates an etcd serving certificate and key
+Generates the certificate for serving etcd
### Synopsis
-Generates the etcd serving certificate and key and saves them into etcd/server.crt and etcd/server.key files.
+Generates the certificate for serving etcd, and saves them into etcd/server.cert and etcd/server.key files.
-The certificate includes default subject alternative names and additional SANs provided by the user; default SANs are: localhost, 127.0.0.1.
+Default SANs are localhost, 127.0.0.1, ::1
If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -36,7 +36,7 @@ kubeadm alpha phase certs etcd-server [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -51,3 +51,24 @@ kubeadm alpha phase certs etcd-server [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-ca.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-ca.md
index 3eed51d2acd3c..e6cde90042dc2 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-ca.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-ca.md
@@ -1,10 +1,10 @@
-Generates a front proxy CA certificate and key for a Kubernetes cluster
+Generates the self-signed CA to provision identities for front proxy
### Synopsis
-Generates the front proxy CA certificate and key and saves them into front-proxy-ca.crt and front-proxy-ca.key files.
+Generates the self-signed CA to provision identities for front proxy, and saves them into front-proxy-ca.cert and front-proxy-ca.key files.
If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -34,7 +34,7 @@ kubeadm alpha phase certs front-proxy-ca [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -49,3 +49,24 @@ kubeadm alpha phase certs front-proxy-ca [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-client.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-client.md
index 072d83dfdd11c..bde1a92cda58e 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-client.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-client.md
@@ -1,10 +1,10 @@
-Generates a front proxy CA client certificate and key for a Kubernetes cluster
+Generates the client for the front proxy
### Synopsis
-Generates the front proxy client certificate and key and saves them into front-proxy-client.crt and front-proxy-client.key files.
+Generates the client for the front proxy, and saves them into front-proxy-client.cert and front-proxy-client.key files.
If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -34,7 +34,7 @@ kubeadm alpha phase certs front-proxy-client [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -49,3 +49,24 @@ kubeadm alpha phase certs front-proxy-client [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew.md
new file mode 100644
index 0000000000000..348c268eede5c
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew.md
@@ -0,0 +1,54 @@
+
+Renews certificates for a Kubernetes cluster
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
+```
+kubeadm alpha phase certs renew [flags]
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ -h, --help |
+
+
+ | help for renew |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_all.md
new file mode 100644
index 0000000000000..c5fd726b3c979
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_all.md
@@ -0,0 +1,82 @@
+
+renew all available certificates
+
+### Synopsis
+
+
+Renews all known certificates necessary to run the control plan. Renewals are run unconditionally, regardless of expiration date. Renewals can also be run individually for more control.
+
+```
+kubeadm alpha phase certs renew all [flags]
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ --cert-dir string Default: "/etc/kubernetes/pki" |
+
+
+ | The path where to save the certificates |
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ -h, --help |
+
+
+ | help for all |
+
+
+
+ --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --use-api |
+
+
+ | Use the Kubernetes certificate API to renew certificates |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_apiserver-etcd-client.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_apiserver-etcd-client.md
new file mode 100644
index 0000000000000..255b18b0d103c
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_apiserver-etcd-client.md
@@ -0,0 +1,84 @@
+
+Generates the client apiserver uses to access etcd
+
+### Synopsis
+
+
+Renews the client apiserver uses to access etcd, and saves them into apiserver-etcd-client.cert and apiserver-etcd-client.key files.
+
+Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
+
+```
+kubeadm alpha phase certs renew apiserver-etcd-client [flags]
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ --cert-dir string Default: "/etc/kubernetes/pki" |
+
+
+ | The path where to save the certificates |
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ -h, --help |
+
+
+ | help for apiserver-etcd-client |
+
+
+
+ --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --use-api |
+
+
+ | Use the Kubernetes certificate API to renew certificates |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_apiserver-kubelet-client.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_apiserver-kubelet-client.md
new file mode 100644
index 0000000000000..1fc536f2acf27
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_apiserver-kubelet-client.md
@@ -0,0 +1,84 @@
+
+Generates the Client certificate for the API server to connect to kubelet
+
+### Synopsis
+
+
+Renews the Client certificate for the API server to connect to kubelet, and saves them into apiserver-kubelet-client.cert and apiserver-kubelet-client.key files.
+
+Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
+
+```
+kubeadm alpha phase certs renew apiserver-kubelet-client [flags]
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ --cert-dir string Default: "/etc/kubernetes/pki" |
+
+
+ | The path where to save the certificates |
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ -h, --help |
+
+
+ | help for apiserver-kubelet-client |
+
+
+
+ --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --use-api |
+
+
+ | Use the Kubernetes certificate API to renew certificates |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_apiserver.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_apiserver.md
new file mode 100644
index 0000000000000..c56b907b9917f
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_apiserver.md
@@ -0,0 +1,84 @@
+
+Generates the certificate for serving the kubernetes API
+
+### Synopsis
+
+
+Renews the certificate for serving the kubernetes API, and saves them into apiserver.cert and apiserver.key files.
+
+Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
+
+```
+kubeadm alpha phase certs renew apiserver [flags]
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ --cert-dir string Default: "/etc/kubernetes/pki" |
+
+
+ | The path where to save the certificates |
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ -h, --help |
+
+
+ | help for apiserver |
+
+
+
+ --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --use-api |
+
+
+ | Use the Kubernetes certificate API to renew certificates |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_etcd-healthcheck-client.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_etcd-healthcheck-client.md
new file mode 100644
index 0000000000000..1ecafc8366871
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_etcd-healthcheck-client.md
@@ -0,0 +1,84 @@
+
+Generates the client certificate for liveness probes to healtcheck etcd
+
+### Synopsis
+
+
+Renews the client certificate for liveness probes to healtcheck etcd, and saves them into etcd/healthcheck-client.cert and etcd/healthcheck-client.key files.
+
+Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
+
+```
+kubeadm alpha phase certs renew etcd-healthcheck-client [flags]
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ --cert-dir string Default: "/etc/kubernetes/pki" |
+
+
+ | The path where to save the certificates |
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ -h, --help |
+
+
+ | help for etcd-healthcheck-client |
+
+
+
+ --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --use-api |
+
+
+ | Use the Kubernetes certificate API to renew certificates |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_etcd-peer.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_etcd-peer.md
new file mode 100644
index 0000000000000..75da17a311108
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_etcd-peer.md
@@ -0,0 +1,84 @@
+
+Generates the credentials for etcd nodes to communicate with each other
+
+### Synopsis
+
+
+Renews the credentials for etcd nodes to communicate with each other, and saves them into etcd/peer.cert and etcd/peer.key files.
+
+Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
+
+```
+kubeadm alpha phase certs renew etcd-peer [flags]
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ --cert-dir string Default: "/etc/kubernetes/pki" |
+
+
+ | The path where to save the certificates |
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ -h, --help |
+
+
+ | help for etcd-peer |
+
+
+
+ --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --use-api |
+
+
+ | Use the Kubernetes certificate API to renew certificates |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_etcd-server.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_etcd-server.md
new file mode 100644
index 0000000000000..a44a852aeb0fe
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_etcd-server.md
@@ -0,0 +1,84 @@
+
+Generates the certificate for serving etcd
+
+### Synopsis
+
+
+Renews the certificate for serving etcd, and saves them into etcd/server.cert and etcd/server.key files.
+
+Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
+
+```
+kubeadm alpha phase certs renew etcd-server [flags]
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ --cert-dir string Default: "/etc/kubernetes/pki" |
+
+
+ | The path where to save the certificates |
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ -h, --help |
+
+
+ | help for etcd-server |
+
+
+
+ --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --use-api |
+
+
+ | Use the Kubernetes certificate API to renew certificates |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_front-proxy-client.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_front-proxy-client.md
new file mode 100644
index 0000000000000..41ad8887a17ed
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_renew_front-proxy-client.md
@@ -0,0 +1,84 @@
+
+Generates the client for the front proxy
+
+### Synopsis
+
+
+Renews the client for the front proxy, and saves them into front-proxy-client.cert and front-proxy-client.key files.
+
+Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
+
+```
+kubeadm alpha phase certs renew front-proxy-client [flags]
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ --cert-dir string Default: "/etc/kubernetes/pki" |
+
+
+ | The path where to save the certificates |
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ -h, --help |
+
+
+ | help for front-proxy-client |
+
+
+
+ --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --use-api |
+
+
+ | Use the Kubernetes certificate API to renew certificates |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_sa.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_sa.md
index 5d56ec7b5c276..4c707b4a5cfd9 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_sa.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_sa.md
@@ -4,9 +4,7 @@ Generates a private key for signing service account tokens along with its public
### Synopsis
-Generates the private key for signing service account tokens along with its public key, and saves them into sa.key and sa.pub files.
-
-If both files already exist, kubeadm skips the generation step and existing files will be used.
+Generates the private key for signing service account tokens along with its public key, and saves them into sa.key and sa.pub files. If both files already exist, kubeadm skips the generation step and existing files will be used.
Alpha Disclaimer: this command is currently alpha.
@@ -34,7 +32,7 @@ kubeadm alpha phase certs sa [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
@@ -49,3 +47,24 @@ kubeadm alpha phase certs sa [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane.md
index a14adfcf4444c..3605a67b17143 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane.md
@@ -27,3 +27,24 @@ This command is not meant to be run on its own. See list of available subcommand
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_all.md
index 0a15bced4bdf2..e940dae06b4f2 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_all.md
@@ -78,7 +78,7 @@ kubeadm alpha phase controlplane all [flags]
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
@@ -89,7 +89,7 @@ kubeadm alpha phase controlplane all [flags]
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane |
@@ -121,3 +121,24 @@ kubeadm alpha phase controlplane all [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_apiserver.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_apiserver.md
index 3939b997f4476..de5fff7083f13 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_apiserver.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_apiserver.md
@@ -60,7 +60,7 @@ kubeadm alpha phase controlplane apiserver [flags]
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
@@ -71,7 +71,7 @@ kubeadm alpha phase controlplane apiserver [flags]
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane |
@@ -89,3 +89,24 @@ kubeadm alpha phase controlplane apiserver [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_controller-manager.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_controller-manager.md
index 004692b024d38..402703698c2a8 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_controller-manager.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_controller-manager.md
@@ -50,7 +50,7 @@ kubeadm alpha phase controlplane controller-manager [flags]
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane |
@@ -68,3 +68,24 @@ kubeadm alpha phase controlplane controller-manager [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_scheduler.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_scheduler.md
index d8bab2226e510..e07e4b46d893d 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_scheduler.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_scheduler.md
@@ -43,7 +43,7 @@ kubeadm alpha phase controlplane scheduler [flags]
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane |
@@ -61,3 +61,24 @@ kubeadm alpha phase controlplane scheduler [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd.md
index 285144797f46d..60819008a3c7f 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd.md
@@ -27,3 +27,24 @@ This command is not meant to be run on its own. See list of available subcommand
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd_local.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd_local.md
index d3ca8e253a051..19802040fc04b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd_local.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd_local.md
@@ -58,3 +58,24 @@ kubeadm alpha phase etcd local [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig.md
index 1c7c61dd0c984..ba11bde684c0b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig.md
@@ -27,3 +27,24 @@ This command is not meant to be run on its own. See list of available subcommand
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_admin.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_admin.md
index 4ed4e00b13647..e58fad7829a94 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_admin.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_admin.md
@@ -68,3 +68,24 @@ kubeadm alpha phase kubeconfig admin [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_all.md
index fa98914fbcdd2..ffb3610e9bcca 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_all.md
@@ -86,3 +86,24 @@ kubeadm alpha phase kubeconfig all [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md
index 6cae50ba82fe0..24f77d50af270 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md
@@ -68,3 +68,24 @@ kubeadm alpha phase kubeconfig controller-manager [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_kubelet.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_kubelet.md
index 9eaa2c3521ab6..ff7c787b1de73 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_kubelet.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_kubelet.md
@@ -77,3 +77,24 @@ kubeadm alpha phase kubeconfig kubelet [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_scheduler.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_scheduler.md
index b98f615b0bc9e..6de62a33ce9b4 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_scheduler.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_scheduler.md
@@ -68,3 +68,24 @@ kubeadm alpha phase kubeconfig scheduler [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_user.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_user.md
index b2f43935eb484..9f7c0d92f0add 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_user.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_user.md
@@ -89,3 +89,24 @@ kubeadm alpha phase kubeconfig user [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet.md
index 726a98890c565..648b219e76e90 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet.md
@@ -27,3 +27,24 @@ This command is not meant to be run on its own. See list of available subcommand
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config.md
index 8f2958f6076b9..2c2d8ca00467b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config.md
@@ -27,3 +27,24 @@ This command is not meant to be run on its own. See list of available subcommand
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_annotate-cri.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_annotate-cri.md
new file mode 100644
index 0000000000000..5b9cd0fa6ac1f
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_annotate-cri.md
@@ -0,0 +1,76 @@
+
+annotates the node with the given crisocket
+
+### Synopsis
+
+
+Adds an annotation to the current node with the CRI socket specified in the kubeadm InitConfiguration object.
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase kubelet config annotate-cri [flags]
+```
+
+### Examples
+
+```
+ kubeadm alpha phase kubelet config annotate-cri --config kubeadm.yaml
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ -h, --help |
+
+
+ | help for annotate-cri |
+
+
+
+ --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_download.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_download.md
index d8b3b3cd5f802..8f1118ee1e072 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_download.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_download.md
@@ -19,7 +19,7 @@ kubeadm alpha phase kubelet config download [flags]
kubeadm alpha phase kubelet config download
# Downloads the kubelet configuration from the ConfigMap in the cluster. Uses a specific desired kubelet version.
- kubeadm alpha phase kubelet config download --kubelet-version v1.11.0
+ kubeadm alpha phase kubelet config download --kubelet-version v1.12.0
```
### Options
@@ -42,7 +42,7 @@ kubeadm alpha phase kubelet config download [flags]
--kubeconfig string Default: "/etc/kubernetes/kubelet.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
@@ -57,3 +57,24 @@ kubeadm alpha phase kubelet config download [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_enable-dynamic.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_enable-dynamic.md
index 56d653b7fbcf8..91bf90d15e8b8 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_enable-dynamic.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_enable-dynamic.md
@@ -18,7 +18,7 @@ kubeadm alpha phase kubelet config enable-dynamic [flags]
```
# Enables dynamic kubelet configuration for a Node.
- kubeadm alpha phase kubelet enable-dynamic-config --node-name node-1 --kubelet-version v1.11.0
+ kubeadm alpha phase kubelet enable-dynamic-config --node-name node-1 --kubelet-version v1.12.0
WARNING: This feature is still experimental, and disabled by default. Enable only if you know what you are doing, as it
may have surprising side-effects at this stage.
@@ -44,7 +44,7 @@ kubeadm alpha phase kubelet config enable-dynamic [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
@@ -66,3 +66,24 @@ kubeadm alpha phase kubelet config enable-dynamic [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_upload.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_upload.md
index eb56fe1d031e8..63584465ca339 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_upload.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_upload.md
@@ -1,10 +1,10 @@
-Uploads kubelet configuration to a ConfigMap based on a kubeadm MasterConfiguration file.
+Uploads kubelet configuration to a ConfigMap based on a kubeadm InitConfiguration file.
### Synopsis
-Uploads kubelet configuration extracted from the kubeadm MasterConfiguration object to a ConfigMap of the form kubelet-config-1.X in the cluster, where X is the minor version of the current (API Server) Kubernetes version.
+Uploads kubelet configuration extracted from the kubeadm InitConfiguration object to a ConfigMap of the form kubelet-config-1.X in the cluster, where X is the minor version of the current (API Server) Kubernetes version.
Alpha Disclaimer: this command is currently alpha.
@@ -46,7 +46,28 @@ kubeadm alpha phase kubelet config upload [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_write-to-disk.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_write-to-disk.md
index 09bcad8394920..02eaee18e03cf 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_write-to-disk.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_config_write-to-disk.md
@@ -47,3 +47,24 @@ kubeadm alpha phase kubelet config write-to-disk [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_write-env-file.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_write-env-file.md
index 7dc61eabb92a1..eadafa78ddfdc 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_write-env-file.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubelet_write-env-file.md
@@ -4,7 +4,7 @@ Writes an environment file with runtime flags for the kubelet.
### Synopsis
-Writes an environment file with flags that should be passed to the kubelet executing on the master or node. This --config flag can either consume a MasterConfiguration object or a NodeConfiguration one, as this function is used for both "kubeadm init" and "kubeadm join".
+Writes an environment file with flags that should be passed to the kubelet executing on the master or node. This --config flag can either consume a InitConfiguration object or a JoinConfiguration one, as this function is used for both "kubeadm init" and "kubeadm join".
Alpha Disclaimer: this command is currently alpha.
@@ -15,11 +15,11 @@ kubeadm alpha phase kubelet write-env-file [flags]
### Examples
```
- # Writes a dynamic environment file with kubelet flags from a MasterConfiguration file.
+ # Writes a dynamic environment file with kubelet flags from a InitConfiguration file.
kubeadm alpha phase kubelet write-env-file --config masterconfig.yaml
- # Writes a dynamic environment file with kubelet flags from a NodeConfiguration file.
- kubeadm alpha phase kubelet write-env-file --config nodeConfig.yaml
+ # Writes a dynamic environment file with kubelet flags from a JoinConfiguration file.
+ kubeadm alpha phase kubelet write-env-file --config nodeconfig.yaml
```
### Options
@@ -50,3 +50,24 @@ kubeadm alpha phase kubelet write-env-file [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_mark-master.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_mark-master.md
index 9c456dd4838f9..61e3e17473a73 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_mark-master.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_mark-master.md
@@ -49,7 +49,7 @@ kubeadm alpha phase mark-master [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
@@ -64,3 +64,24 @@ kubeadm alpha phase mark-master [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight.md
index b47c3938c345e..b41e864631991 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight.md
@@ -15,6 +15,13 @@ This command is not meant to be run on its own. See list of available subcommand
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
-h, --help |
@@ -22,6 +29,34 @@ This command is not meant to be run on its own. See list of available subcommand
| help for preflight |
+
+ --ignore-preflight-errors stringSlice |
+
+
+ | A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_master.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_master.md
index 2a84b5a9c30f6..eb1b8de7efb12 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_master.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_master.md
@@ -40,3 +40,38 @@ kubeadm alpha phase preflight master [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ --ignore-preflight-errors stringSlice |
+
+
+ | A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_node.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_node.md
index 973c743a4c6ba..2c0cfe2247d9b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_node.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_node.md
@@ -40,3 +40,38 @@ kubeadm alpha phase preflight node [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
+
+ --ignore-preflight-errors stringSlice |
+
+
+ | A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting.md
index 85f87530d2062..a4543c9ee780f 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting.md
@@ -27,3 +27,24 @@ This command is not meant to be run on its own. See list of available subcommand
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md
index 76e16d03e07ec..fc403a9d46578 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md
@@ -51,7 +51,7 @@ kubeadm alpha phase selfhosting convert-from-staticpods [flags]
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
@@ -65,7 +65,28 @@ kubeadm alpha phase selfhosting convert-from-staticpods [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_upload-config.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_upload-config.md
index c9b013f9346b8..657b6430042f8 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_upload-config.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_upload-config.md
@@ -48,7 +48,28 @@ kubeadm alpha phase upload-config [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
index 301a76999bd56..37481780b1652 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
@@ -69,3 +69,24 @@ source <(kubeadm completion zsh)
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
index 54a478a8eaa71..b84059532066d 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
@@ -35,7 +35,28 @@ kubeadm config [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
index 85f978a88e0ee..ee309006b8d29 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
@@ -44,7 +44,14 @@ kubeadm config images [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
index ca2a2119b5bbd..345d8328986ea 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
@@ -30,7 +30,7 @@ kubeadm config images list [flags]
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
@@ -41,7 +41,7 @@ kubeadm config images list [flags]
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane. |
@@ -65,7 +65,14 @@ kubeadm config images list [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
index d5efa5ab05627..83b3a6c10ccfc 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
@@ -27,17 +27,17 @@ kubeadm config images pull [flags]
- --cri-socket-path string Default: "/var/run/dockershim.sock" |
+ --cri-socket string Default: "/var/run/dockershim.sock" |
- | Path to the CRI socket. |
+ | Specify the CRI socket to connect to. |
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
@@ -48,7 +48,7 @@ kubeadm config images pull [flags]
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane. |
@@ -72,7 +72,14 @@ kubeadm config images pull [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_migrate.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_migrate.md
index 2a41580170881..eff30744e38eb 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_migrate.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_migrate.md
@@ -9,9 +9,9 @@ This command lets you convert configuration objects of older versions to the lat
locally in the CLI tool without ever touching anything in the cluster.
In this version of kubeadm, the following API versions are supported:
- kubeadm.k8s.io/v1alpha2
-- kubeadm.k8s.io/v1alpha1
+- kubeadm.k8s.io/v1alpha3
-Further, kubeadm can only write out config of version "kubeadm.k8s.io/v1alpha2", but read both types.
+Further, kubeadm can only write out config of version "kubeadm.k8s.io/v1alpha3", but read both types.
So regardless of what version you pass to the --old-config parameter here, the API object will be
read, deserialized, defaulted, converted, validated, and re-serialized when written to stdout or
--new-config if specified.
@@ -72,7 +72,14 @@ kubeadm config migrate [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print-default.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print-default.md
index 3e011d9743d7b..ede571108cdde 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print-default.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print-default.md
@@ -5,8 +5,8 @@ Print the default values for a kubeadm configuration object.
-This command prints the default MasterConfiguration object that is used for 'kubeadm init' and 'kubeadm upgrade',
-and the default NodeConfiguration object that is used for 'kubeadm join'.
+This command prints the default InitConfiguration object that is used for 'kubeadm init' and 'kubeadm upgrade',
+and the default JoinConfiguration object that is used for 'kubeadm join'.
Note that sensitive values like the Bootstrap Token fields are replaced with silly values like {"abcdef.0123456789abcdef" "" "nil" [] []} in order to pass validation but
not perform the real computation for creating a token.
@@ -29,7 +29,7 @@ kubeadm config print-default [flags]
--api-objects stringSlice |
- | A comma-separated list for API objects to print the default values for. Available values: [MasterConfiguration NodeConfiguration]. This flag unset means 'print all known objects' |
+ | A comma-separated list for API objects to print the default values for. Available values: [InitConfiguration ClusterConfiguration JoinConfiguration KubeProxyConfiguration KubeletConfiguration MasterConfiguration]. This flag unset means 'print all known objects' |
@@ -57,7 +57,14 @@ kubeadm config print-default [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload.md
index e20d2ca0c720a..d16f6f91246ef 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload.md
@@ -44,7 +44,14 @@ kubeadm config upload [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-file.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-file.md
index aa2905e2c1a98..87764b606f456 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-file.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-file.md
@@ -57,7 +57,14 @@ kubeadm config upload from-file [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-flags.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-flags.md
index faf57f341f74c..bb660cbe41709 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-flags.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-flags.md
@@ -64,7 +64,7 @@ kubeadm config upload from-flags [flags]
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
@@ -75,7 +75,7 @@ kubeadm config upload from-flags [flags]
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane. |
@@ -127,7 +127,14 @@ kubeadm config upload from-flags [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_view.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_view.md
index 9869d43c8d131..664055d815c0b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_view.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_view.md
@@ -48,7 +48,14 @@ kubeadm config view [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
index b846cf903473d..c476ed58034b6 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
@@ -72,7 +72,7 @@ kubeadm init [flags]
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
@@ -90,7 +90,7 @@ kubeadm init [flags]
- --kubernetes-version string Default: "stable-1.10" |
+ --kubernetes-version string Default: "stable-1" |
| Choose a specific Kubernetes version for the control plane. |
@@ -150,3 +150,24 @@ kubeadm init [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
index c321fe6af9134..4643946ce5423 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
@@ -28,7 +28,7 @@ value of this flag is specified as ":",
where the supported hash type is "sha256". The hash is calculated over
the bytes of the Subject Public Key Info (SPKI) object (as in RFC7469).
This value is available in the output of "kubeadm init" or can be
-calcuated using standard tools. The --discovery-token-ca-cert-hash flag
+calculated using standard tools. The --discovery-token-ca-cert-hash flag
may be repeated multiple times to allow more than one public key.
If you cannot know the CA public key hash ahead of time, you can pass
@@ -60,6 +60,20 @@ kubeadm join [flags]
+
+ --apiserver-advertise-address string |
+
+
+ | If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. |
+
+
+
+ --apiserver-bind-port int32 Default: 6443 |
+
+
+ | If the node should host a new control plane instance, the port for the API Server to bind to. |
+
+
--config string |
@@ -85,7 +99,7 @@ kubeadm join [flags]
--discovery-token string |
- | A token used to validate cluster information fetched from the master. |
+ | A token used to validate cluster information fetched from the api server. |
@@ -102,11 +116,18 @@ kubeadm join [flags]
| For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning. |
+
+ --experimental-control-plane |
+
+
+ | Create a new control plane instance on this node |
+
+
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
@@ -149,3 +170,24 @@ kubeadm join [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
index 5f5cd9b4be0d7..d4f273f1c8dbd 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
@@ -34,7 +34,7 @@ kubeadm reset [flags]
- --force |
+ -f, --force |
| Reset the node without prompting for confirmation. |
@@ -59,3 +59,24 @@ kubeadm reset [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
index 56d1a06080c3e..77e2596f6b257 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
@@ -20,7 +20,7 @@ What is a bootstrap token more exactly?
- The name of the Secret must be named "bootstrap-token-(token-id)".
You can read more about bootstrap tokens here:
- https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/
+ https://kubernetes.io/docs/admin/bootstrap-tokens/
```
@@ -54,7 +54,28 @@ kubeadm token [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
index d2ea7b141365c..fe2a710103ccb 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
@@ -100,7 +100,14 @@ kubeadm token create [token]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
index 8a47b4345dba9..3a92d9ff74feb 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
@@ -56,7 +56,14 @@ kubeadm token delete [token-value]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
index f76a8d9d1a478..43aed13f1c323 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
@@ -61,7 +61,14 @@ kubeadm token generate [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
index a65b730a28c33..ed4f822fd46ec 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
@@ -53,7 +53,14 @@ kubeadm token list [flags]
--kubeconfig string Default: "/etc/kubernetes/admin.conf" |
- | The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
index 8bd79242839a8..dd3d5f9d897ec 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
@@ -20,59 +20,31 @@ kubeadm upgrade [flags]
- --allow-experimental-upgrades |
+ -h, --help |
- | Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes. |
+ | help for upgrade |
-
- --allow-release-candidate-upgrades |
-
-
- | Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes. |
-
+
+
-
- --config string |
-
-
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental! |
-
-
- --feature-gates string |
-
-
- | A set of key=value pairs that describe feature gates for various features.Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
-
-
- -h, --help |
-
-
- | help for upgrade |
-
+### Options inherited from parent commands
-
- --ignore-preflight-errors stringSlice |
-
-
- | A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. |
-
-
-
- --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
-
-
- | The KubeConfig file to use when talking to the cluster. |
-
+
+
+
+
+
+
- --print-config |
+ --rootfs string |
- | Specifies whether the configuration file that will be used in the upgrade should be printed or not. |
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
index 15ae2a283e7ec..87ace5dcc009c 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
@@ -20,101 +20,87 @@ kubeadm upgrade apply [version]
- --dry-run |
+ --allow-experimental-upgrades |
- | Do not change any state, just output what actions would be performed. |
+ | Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes. |
- --etcd-upgrade Default: true |
+ --allow-release-candidate-upgrades |
- | Perform the upgrade of etcd. |
+ | Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes. |
- -f, --force |
+ --config string |
- | Force upgrading although some requirements might not be met. This also implies non-interactive mode. |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
- -h, --help |
+ --cri-socket string Default: "/var/run/dockershim.sock" |
- | help for apply |
+ | Specify the CRI socket to connect to. |
- --image-pull-timeout duration Default: 15m0s |
+ --dry-run |
- | The maximum amount of time to wait for the control plane pods to be downloaded. |
+ | Do not change any state, just output what actions would be performed. |
- -y, --yes |
+ --etcd-upgrade Default: true |
- | Perform the upgrade and do not prompt for confirmation (non-interactive mode). |
+ | Perform the upgrade of etcd. |
-
-
-
-
-
-### Options inherited from parent commands
-
-
-
-
-
-
-
-
- --allow-experimental-upgrades |
+ --feature-gates string |
- | Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes. |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
- --allow-release-candidate-upgrades |
+ -f, --force |
- | Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes. |
+ | Force upgrading although some requirements might not be met. This also implies non-interactive mode. |
- --config string |
+ -h, --help |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental! |
+ | help for apply |
- --feature-gates string |
+ --ignore-preflight-errors stringSlice |
- | A set of key=value pairs that describe feature gates for various features.Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. |
- --ignore-preflight-errors stringSlice |
+ --image-pull-timeout duration Default: 15m0s |
- | A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. |
+ | The maximum amount of time to wait for the control plane pods to be downloaded. |
- --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+ --kubeconfig string Default: "/Users/zarnold/.kube/config" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
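Review bot: The new default shown for `--kubeconfig` in this hunk is `/Users/zarnold/.kube/config`, which looks like a path from the machine the reference was generated on rather than a kubeadm default. The line it replaces, and the other kubeadm pages in this change, show `/etc/kubernetes/admin.conf`. A reader following this page would expect `kubeadm upgrade apply` to read cluster credentials from a location that does not exist on their host, and the page also publishes a local account name. The line should read `--kubeconfig string Default: "/etc/kubernetes/admin.conf"`. Because the file sits under `generated/`, the durable fix is to regenerate the reference in an environment with no user kubeconfig present, assuming that is what the generator picked up.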
@@ -124,6 +110,34 @@ kubeadm upgrade apply [version]
| Specifies whether the configuration file that will be used in the upgrade should be printed or not. |
+
+ -y, --yes |
+
+
+ | Perform the upgrade and do not prompt for confirmation (non-interactive mode). |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
index 64053f17fc07d..099dd2381c162 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
@@ -26,6 +26,13 @@ kubeadm upgrade diff [version] [flags]
| path to API server manifest |
+
+ --config string |
+
+
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
+
+
-c, --context-lines int Default: 3 |
@@ -69,52 +76,10 @@ kubeadm upgrade diff [version] [flags]
- --allow-experimental-upgrades |
-
-
- | Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes. |
-
-
-
- --allow-release-candidate-upgrades |
-
-
- | Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes. |
-
-
-
- --config string |
-
-
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental! |
-
-
-
- --feature-gates string |
-
-
- | A set of key=value pairs that describe feature gates for various features.Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
-
-
-
- --ignore-preflight-errors stringSlice |
-
-
- | A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. |
-
-
-
- --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
-
-
- | The KubeConfig file to use when talking to the cluster. |
-
-
-
- --print-config |
+ --rootfs string |
- | Specifies whether the configuration file that will be used in the upgrade should be printed or not. |
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
index 037a07e56bee7..0c76e50de5b8a 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
@@ -41,52 +41,10 @@ kubeadm upgrade node [flags]
- --allow-experimental-upgrades |
+ --rootfs string |
- | Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes. |
-
-
-
- --allow-release-candidate-upgrades |
-
-
- | Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes. |
-
-
-
- --config string |
-
-
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental! |
-
-
-
- --feature-gates string |
-
-
- | A set of key=value pairs that describe feature gates for various features.Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
-
-
-
- --ignore-preflight-errors stringSlice |
-
-
- | A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. |
-
-
-
- --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
-
-
- | The KubeConfig file to use when talking to the cluster. |
-
-
-
- --print-config |
-
-
- | Specifies whether the configuration file that will be used in the upgrade should be printed or not. |
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_config.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_config.md
index 3172348328c12..957e151227aa9 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_config.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_config.md
@@ -14,11 +14,11 @@ kubeadm upgrade node config [flags]
```
# Downloads the kubelet configuration from the ConfigMap in the cluster. Uses a specific desired kubelet version.
- kubeadm upgrade node config --kubelet-version v1.11.0
+ kubeadm upgrade node config --kubelet-version v1.12.0
# Simulates the downloading of the kubelet configuration from the ConfigMap in the cluster with a specific desired
# version. Does not change any state locally on the node.
- kubeadm upgrade node config --kubelet-version v1.11.0 --dry-run
+ kubeadm upgrade node config --kubelet-version v1.12.0 --dry-run
```
### Options
@@ -44,6 +44,13 @@ kubeadm upgrade node config [flags]
| help for config |
+
+ --kubeconfig string Default: "/etc/kubernetes/kubelet.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
--kubelet-version string |
@@ -66,52 +73,10 @@ kubeadm upgrade node config [flags]
- --allow-experimental-upgrades |
-
-
- | Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes. |
-
-
-
- --allow-release-candidate-upgrades |
-
-
- | Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes. |
-
-
-
- --config string |
-
-
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental! |
-
-
-
- --feature-gates string |
-
-
- | A set of key=value pairs that describe feature gates for various features.Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
-
-
-
- --ignore-preflight-errors stringSlice |
-
-
- | A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. |
-
-
-
- --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
-
-
- | The KubeConfig file to use when talking to the cluster. |
-
-
-
- --print-config |
+ --rootfs string |
- | Specifies whether the configuration file that will be used in the upgrade should be printed or not. |
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_experimental-control-plane.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_experimental-control-plane.md
new file mode 100644
index 0000000000000..091f7ac1edd64
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_experimental-control-plane.md
@@ -0,0 +1,79 @@
+
+Upgrades the control plane instance deployed on this node. IMPORTANT. This command should be executed after executing `kubeadm upgrade apply` on another control plane instance
+
+### Synopsis
+
+
+Downloads the kubelet configuration from a ConfigMap of the form "kubelet-config-1.X" in the cluster, where X is the minor version of the kubelet. kubeadm uses the --kubelet-version parameter to determine what the desired kubelet version is. Give
+
+```
+kubeadm upgrade node experimental-control-plane [flags]
+```
+
+### Examples
+
+```
+ # Downloads the kubelet configuration from the ConfigMap in the cluster. Uses a specific desired kubelet version.
+ kubeadm upgrade node config --kubelet-version v1.12.0
+
+ # Simulates the downloading of the kubelet configuration from the ConfigMap in the cluster with a specific desired
+ # version. Does not change any state locally on the node.
+ kubeadm upgrade node config --kubelet-version v1.12.0 --dry-run
+```
+
+### Options
+
+
+
+
+
+
+
+
+
+ --dry-run |
+
+
+ | Do not change any state, just output the actions that would be performed. |
+
+
+
+ -h, --help |
+
+
+ | help for experimental-control-plane |
+
+
+
+ --kubeconfig string Default: "/etc/kubernetes/kubelet.conf" |
+
+
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
+
+
+
+
+
+
+
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
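Review bot: The Synopsis and Examples of this new page describe `kubeadm upgrade node config`, not `experimental-control-plane`. Both examples invoke `kubeadm upgrade node config --kubelet-version v1.12.0`, and `--kubelet-version` is not among the options listed for this command. The synopsis also breaks off mid-sentence at "Give". An operator following the page on a control-plane node would run a different subcommand from the one being documented. Since the file is generated, the fix probably belongs in the command's long-description and example strings, so that the example reads `kubeadm upgrade node experimental-control-plane` with only flags this command accepts.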
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
index 23e42a640141b..842e070f19ad1 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
@@ -12,27 +12,6 @@ kubeadm upgrade plan [version] [flags]
### Options
-
-
-
-
-
-
-
-
- -h, --help |
-
-
- | help for plan |
-
-
-
-
-
-
-
-### Options inherited from parent commands
-
@@ -58,14 +37,21 @@ kubeadm upgrade plan [version] [flags]
--config string |
- | Path to kubeadm config file. WARNING: Usage of a configuration file is experimental! |
+ | Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) |
--feature-gates string |
- | A set of key=value pairs that describe feature gates for various features.Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (ALPHA - default=false) SelfHosting=true|false (ALPHA - default=false) StoreCertsInSecrets=true|false (ALPHA - default=false) |
+ | A set of key=value pairs that describe feature gates for various features. Options are: Auditing=true|false (ALPHA - default=false) CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA - default=false) |
+
+
+
+ -h, --help |
+
+
+ | help for plan |
@@ -76,10 +62,10 @@ kubeadm upgrade plan [version] [flags]
- --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
+ --kubeconfig string Default: "/Users/zarnold/.kube/config" |
- | The KubeConfig file to use when talking to the cluster. |
+ | The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. |
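Review bot: The new default shown for `--kubeconfig` is `/Users/zarnold/.kube/config`, a home-directory path from the machine the reference was generated on, where the old side documented `/etc/kubernetes/admin.conf`. Published as the default, it tells readers that kubeadm reads cluster credentials from a location that exists on no target node. The page should be regenerated in a neutral environment or the value normalised afterwards. If the 1.12 default is unchanged, the line stays `--kubeconfig string Default: "/etc/kubernetes/admin.conf"`; otherwise it should show a generic form such as `$HOME/.kube/config`. The same home directory appears in the `--cache-dir` default in kubefed.md and kubefed_init.md later in this diff.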
@@ -94,3 +80,24 @@ kubeadm upgrade plan [version] [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
index 9d47c24691647..9e824f238c491 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
@@ -38,3 +38,24 @@ kubeadm version [flags]
+### Options inherited from parent commands
+
+
+
+
+
+
+
+
+
+ --rootfs string |
+
+
+ | [EXPERIMENTAL] The path to the 'real' host root filesystem. |
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/setup-tools/kubeadm/implementation-details.md b/content/en/docs/reference/setup-tools/kubeadm/implementation-details.md
index 342149e7cebe8..67fcee964afd3 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/implementation-details.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/implementation-details.md
@@ -324,8 +324,9 @@ Please note that:
1. To make dynamic kubelet configuration work, flag `--dynamic-config-dir=/var/lib/kubelet/config/dynamic` should be specified
in `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf`
-1. Kubelet init configuration can be changed by using kubeadm MasterConfiguration file by setting `.kubeletConfiguration.baseConfig`.
- See [using kubeadm init with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file) for more detail
+1. The kubelet configuration can be changed by passing a `KubeletConfiguration` object to `kubeadm init` or `kubeadm join` by using
+ a configuration file `--config some-file.yaml`. The `KubeletConfiguration` object can be separated from other objects such
+ as `InitConfiguration` using the `---` separator. For more details have a look at the `kubeadm config print-default` command.
### Wait for the control plane to come up
@@ -346,7 +347,7 @@ If kubeadm is invoked with `--feature-gates=DynamicKubeletConfig`:
(that is `system:bootstrappers:kubeadm:default-node-token` and `system:nodes` groups)
3. Enable the dynamic kubelet configuration feature for the initial master node by pointing `Node.spec.configSource` to the newly-created ConfigMap
-### Save kubeadm MasterConfiguration in a ConfigMap for later reference
+### Save the kubeadm ClusterConfiguration in a ConfigMap for later reference
kubeadm saves the configuration passed to `kubeadm init`, either via flags or the config file, in a ConfigMap
named `kubeadm-config` under `kube-system` namespace.
diff --git a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
index ae8afd71dff1a..ba29459a2a13b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
@@ -41,6 +41,20 @@ You can create all required certificates with the `all` subcommand or selectivel
{{< tab name="front-proxy-client" include="generated/kubeadm_alpha_phase_certs_front-proxy-client.md" />}}
{{< /tabs >}}
+## kubeadm alpha phase certs renew {#cmd-phase-certs-renew}
+
+You can renew all Kubernetes certificates using the `all` subcommand or renew them selectively.
+
+{{< tabs name="tab-certs-renew" >}}
+{{< tab name="all" include="generated/kubeadm_alpha_phase_certs_renew_all.md" />}}
+{{< tab name="apiserver-etcd-client" include="generated/kubeadm_alpha_phase_certs_renew_apiserver-etcd-client.md" />}}
+{{< tab name="apiserver-kubelet-client" include="generated/kubeadm_alpha_phase_certs_renew_apiserver-kubelet-client.md" />}}
+{{< tab name="apiserver" include="generated/kubeadm_alpha_phase_certs_renew_apiserver.md" />}}
+{{< tab name="etcd-healthcheck-client" include="generated/kubeadm_alpha_phase_certs_renew_etcd-healthcheck-client.md" />}}
+{{< tab name="etcd-peer" include="generated/kubeadm_alpha_phase_certs_renew_etcd-peer.md" />}}
+{{< tab name="etcd-server" include="generated/kubeadm_alpha_phase_certs_renew_etcd-server.md" />}}
+{{< tab name="front-proxy-client" include="generated/kubeadm_alpha_phase_certs_renew_front-proxy-client.md" />}}
+{{< /tabs >}}
## kubeadm alpha phase kubeconfig {#cmd-phase-kubeconfig}
@@ -56,6 +70,18 @@ Additionally, the `user` subcommand supports the creation of kubeconfig files fo
{{< tab name="user" include="generated/kubeadm_alpha_phase_kubeconfig_user.md" />}}
{{< /tabs >}}
+## kubeadm alpha phase kubelet {#cmd-phase-kubelet}
+
+Use the following commands to manage the kubelet phase.
+
+{{< tabs name="tab-kubelet" >}}
+{{< tab name="config annotate-cri" include="generated/kubeadm_alpha_phase_kubelet_config_annotate-cri.md" />}}
+{{< tab name="config download" include="generated/kubeadm_alpha_phase_kubelet_config_download.md" />}}
+{{< tab name="config enable-dynamic" include="generated/kubeadm_alpha_phase_kubelet_config_enable-dynamic.md" />}}
+{{< tab name="config upload" include="generated/kubeadm_alpha_phase_kubelet_config_upload.md" />}}
+{{< tab name="config write-to-disk" include="generated/kubeadm_alpha_phase_kubelet_config_write-to-disk.md" />}}
+{{< tab name="write-env-file" include="generated/kubeadm_alpha_phase_kubelet_write-env-file.md" />}}
+{{< /tabs >}}
## kubeadm alpha phase controlplane {#cmd-phase-controlplane}
diff --git a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md
index bcd3c39c888c7..9562bb7829668 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md
@@ -102,164 +102,16 @@ configuration file options. This file is passed in the `--config` option.
In Kubernetes 1.11 and later, the default configuration can be printed out using the
[kubeadm config print-default](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command.
-It is **recommended** that you migrate your old `v1alpha1` configuration to `v1alpha2` using
+It is **recommended** that you migrate your old `v1alpha2` configuration to `v1alpha3` using
the [kubeadm config migrate](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command,
-because `v1alpha1` will be removed in Kubernetes 1.12.
+because `v1alpha2` will be removed in Kubernetes 1.13.
For more details on each field in the configuration you can navigate to our
-[API reference pages.] (https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#MasterConfiguration)
-
-Example of the kubeadm MasterConfiguration version `v1alpha2`:
-
-```yaml
-apiVersion: kubeadm.k8s.io/v1alpha2
-kind: MasterConfiguration
-kubernetesVersion: v1.11.0
-api:
- advertiseAddress: 192.168.0.102
- bindPort: 6443
- controlPlaneEndpoint: ""
-auditPolicy:
- logDir: /var/log/kubernetes/audit
- logMaxAge: 2
- path: ""
-bootstrapTokens:
-- groups:
- - system:bootstrappers:kubeadm:default-node-token
- token: abcdef.0123456789abcdef
- ttl: 24h0m0s
- usages:
- - signing
- - authentication
-certificatesDir: /etc/kubernetes/pki
-clusterName: kubernetes
-etcd:
- local:
- dataDir: /var/lib/etcd
- image: ""
-imageRepository: k8s.gcr.io
-kubeProxy:
- config:
- bindAddress: 0.0.0.0
- clientConnection:
- acceptContentTypes: ""
- burst: 10
- contentType: application/vnd.kubernetes.protobuf
- kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
- qps: 5
- clusterCIDR: ""
- configSyncPeriod: 15m0s
- conntrack:
- max: null
- maxPerCore: 32768
- min: 131072
- tcpCloseWaitTimeout: 1h0m0s
- tcpEstablishedTimeout: 24h0m0s
- enableProfiling: false
- healthzBindAddress: 0.0.0.0:10256
- hostnameOverride: ""
- iptables:
- masqueradeAll: false
- masqueradeBit: 14
- minSyncPeriod: 0s
- syncPeriod: 30s
- ipvs:
- ExcludeCIDRs: null
- minSyncPeriod: 0s
- scheduler: ""
- syncPeriod: 30s
- metricsBindAddress: 127.0.0.1:10249
- mode: ""
- nodePortAddresses: null
- oomScoreAdj: -999
- portRange: ""
- resourceContainer: /kube-proxy
- udpIdleTimeout: 250ms
-kubeletConfiguration:
- baseConfig:
- address: 0.0.0.0
- authentication:
- anonymous:
- enabled: false
- webhook:
- cacheTTL: 2m0s
- enabled: true
- x509:
- clientCAFile: /etc/kubernetes/pki/ca.crt
- authorization:
- mode: Webhook
- webhook:
- cacheAuthorizedTTL: 5m0s
- cacheUnauthorizedTTL: 30s
- cgroupDriver: cgroupfs
- cgroupsPerQOS: true
- clusterDNS:
- - 10.96.0.10
- clusterDomain: cluster.local
- containerLogMaxFiles: 5
- containerLogMaxSize: 10Mi
- contentType: application/vnd.kubernetes.protobuf
- cpuCFSQuota: true
- cpuManagerPolicy: none
- cpuManagerReconcilePeriod: 10s
- enableControllerAttachDetach: true
- enableDebuggingHandlers: true
- enforceNodeAllocatable:
- - pods
- eventBurst: 10
- eventRecordQPS: 5
- evictionHard:
- imagefs.available: 15%
- memory.available: 100Mi
- nodefs.available: 10%
- nodefs.inodesFree: 5%
- evictionPressureTransitionPeriod: 5m0s
- failSwapOn: true
- fileCheckFrequency: 20s
- hairpinMode: promiscuous-bridge
- healthzBindAddress: 127.0.0.1
- healthzPort: 10248
- httpCheckFrequency: 20s
- imageGCHighThresholdPercent: 85
- imageGCLowThresholdPercent: 80
- imageMinimumGCAge: 2m0s
- iptablesDropBit: 15
- iptablesMasqueradeBit: 14
- kubeAPIBurst: 10
- kubeAPIQPS: 5
- makeIPTablesUtilChains: true
- maxOpenFiles: 1000000
- maxPods: 110
- nodeStatusUpdateFrequency: 10s
- oomScoreAdj: -999
- podPidsLimit: -1
- port: 10250
- registryBurst: 10
- registryPullQPS: 5
- resolvConf: /etc/resolv.conf
- rotateCertificates: true
- runtimeRequestTimeout: 2m0s
- serializeImagePulls: true
- staticPodPath: /etc/kubernetes/manifests
- streamingConnectionIdleTimeout: 4h0m0s
- syncFrequency: 1m0s
- volumeStatsAggPeriod: 1m0s
-networking:
- dnsDomain: cluster.local
- podSubnet: ""
- serviceSubnet: 10.96.0.0/12
-nodeRegistration:
- criSocket: /var/run/dockershim.sock
- name: your-host-name
- taints:
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
-unifiedControlPlaneImage: ""
-```
+[API reference pages.] (https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm)
### Adding kube-proxy parameters {#kube-proxy}
-For information about kube-proxy parameters in the MasterConfiguration see:
+For information about kube-proxy parameters in the kubeadm configuration see:
- [kube-proxy](https://godoc.org/k8s.io/kubernetes/pkg/proxy/apis/config#KubeProxyConfiguration)
For information about enabling IPVS mode with kubeadm see:
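Review bot: The rewritten reference line keeps the space between `]` and `(` in `[API reference pages.] (https://godoc.org/...)`, so Markdown renders it as bracketed text followed by a bare URL rather than a link. This matters more after this hunk, because the full sample configuration is deleted and the link is now the only pointer to the field reference. I would write it as `[API reference pages](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm).` with the full stop outside the link text.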
@@ -329,7 +181,7 @@ Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manife
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
-Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
+Environment="KUBELET_CADVISOR_ARGS="
Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS
```
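Review bot: `KUBELET_CADVISOR_ARGS` is now assigned an empty string but is still declared and still expanded in `ExecStart`, and the next hunk deletes the bullet that explained it, so the sample drop-in carries a variable with no stated purpose. Presumably the flag was dropped because the kubelet no longer accepts it in this release; that reason is worth one line, since the removed bullet was also where readers learned the stats API is served on the authenticated port 10250. Either remove the variable from both lines or keep a short bullet such as `* KUBELET_CADVISOR_ARGS is left empty; kubelet stats are served only through https://{node-ip}:10250/stats/`. The code fence this snippet sits in opens outside the hunk.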
@@ -357,21 +209,11 @@ Here's a breakdown of what/why:
API using this CA certificate.
* `--authorization-mode=Webhook` authorizes requests to the Kubelet API by `POST`-ing
a `SubjectAccessReview` to the API server.
-* `--cadvisor-port=0` disables cAdvisor from listening to `0.0.0.0:4194` by default.
- cAdvisor will still be run inside of the kubelet and its API can be accessed at
- `https://{node-ip}:10250/stats/`. If you want to enable cAdvisor to listen on a
- wide-open port, run:
-
- ```bash
- sed -e "/cadvisor-port=0/d" -i /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
- systemctl daemon-reload
- systemctl restart kubelet
- ```
* `--rotate-certificates` auto rotate the kubelet client certificates by requesting new
certificates from the `kube-apiserver` when the certificate expiration approaches.
* `--cert-dir`the directory where the TLS certs are located.
-### Use kubeadm with other CRI runtimes
+### Use kubeadm with CRI runtimes
Since v1.6.0, Kubernetes has enabled the use of CRI, Container Runtime Interface, by default.
The container runtime used by default is Docker, which is enabled through the built-in
@@ -384,6 +226,8 @@ Other CRI-based runtimes include:
- [frakti](https://github.com/kubernetes/frakti)
- [rkt](https://github.com/kubernetes-incubator/rktlet)
+Refer to the [CRI installation instructions](/docs/setup/cri.md) for more information.
+
After you have successfully installed `kubeadm` and `kubelet`, execute
these two additional steps:
@@ -437,10 +281,11 @@ manager, and scheduler run as [DaemonSet pods](/docs/concepts/workloads/controll
configured via the Kubernetes API instead of [static pods](/docs/tasks/administer-cluster/static-pod/)
configured in the kubelet via static files.
+To create a self-hosted cluster, pass the flag `--feature-gates=SelfHosting=true` to `kubeadm init`.
+
{{< caution >}}
-**Caution:** Self-hosting is alpha, but is expected to become the default in
-a future version. To create a self-hosted cluster, pass the `--feature-gates=SelfHosting=true`
-flag to `kubeadm init`.
+**Caution:** `SelfHosting` is an alpha feature. It is deprecated in 1.12
+and will be removed in 1.13.
{{< /caution >}}
{{< warning >}}
@@ -463,6 +308,11 @@ instead. This requires very careful control over the authentication and
authorization configuration for your cluster, and may not be appropriate for
your environment.
+{{< caution >}}
+**Caution:** `StoreCertsInSecrets` is an alpha feature. It is deprecated in 1.12
+and will be removed in 1.13.
+{{< /caution >}}
+
In kubeadm 1.8, the self-hosted portion of the control plane does not include etcd,
which still runs as a static Pod.
@@ -497,24 +347,25 @@ This process (steps 3-6) can also be triggered with `kubeadm phase selfhosting c
For running kubeadm without an internet connection you have to pre-pull the required master images for the version of choice:
-| Image Name | v1.8 release branch version | v1.9 release branch version |
-|----------------------------------------------------------|-----------------------------|-----------------------------|
-| k8s.gcr.io/kube-apiserver-${ARCH} | v1.8.x | v1.9.x |
-| k8s.gcr.io/kube-controller-manager-${ARCH} | v1.8.x | v1.9.x |
-| k8s.gcr.io/kube-scheduler-${ARCH} | v1.8.x | v1.9.x |
-| k8s.gcr.io/kube-proxy-${ARCH} | v1.8.x | v1.9.x |
-| k8s.gcr.io/etcd-${ARCH} | 3.0.17 | 3.1.10 |
-| k8s.gcr.io/pause-${ARCH} | 3.0 | 3.0 |
-| k8s.gcr.io/k8s-dns-sidecar-${ARCH} | 1.14.5 | 1.14.7 |
-| k8s.gcr.io/k8s-dns-kube-dns-${ARCH} | 1.14.5 | 1.14.7 |
-| k8s.gcr.io/k8s-dns-dnsmasq-nanny-${ARCH} | 1.14.5 | 1.14.7 |
-
-Here `v1.8.x` means the "latest patch release of the v1.8 branch".
+| Image Name | v1.10 release branch version |
+|--------------------------------------------|------------------------------|
+| k8s.gcr.io/kube-apiserver-${ARCH} | v1.10.x |
+| k8s.gcr.io/kube-controller-manager-${ARCH} | v1.10.x |
+| k8s.gcr.io/kube-scheduler-${ARCH} | v1.10.x |
+| k8s.gcr.io/kube-proxy-${ARCH} | v1.10.x |
+| k8s.gcr.io/etcd-${ARCH} | 3.1.12 |
+| k8s.gcr.io/pause-${ARCH} | 3.1 |
+| k8s.gcr.io/k8s-dns-sidecar-${ARCH} | 1.14.8 |
+| k8s.gcr.io/k8s-dns-kube-dns-${ARCH} | 1.14.8 |
+| k8s.gcr.io/k8s-dns-dnsmasq-nanny-${ARCH} | 1.14.8 |
+| coredns/coredns | 1.0.6 |
+
+Here `v1.10.x` means the "latest patch release of the v1.10 branch".
`${ARCH}` can be one of: `amd64`, `arm`, `arm64`, `ppc64le` or `s390x`.
If you run Kubernetes version 1.10 or earlier, and if you set `--feature-gates=CoreDNS=true`,
-you must also use the image `coredns/coredns:1.0.2`, instead of the three `k8s-dns-*` images.
+you must also use the `coredns/coredns` image, instead of the three `k8s-dns-*` images.
In Kubernetes 1.11 and later, you can list and pull the images using the `kubeadm config images` sub-command:
```
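Review bot: The pre-pull table for offline installs now lists only the v1.10 branch, while this commit documents 1.12 and the next hunk states that from 1.12 the `kube-*`, `etcd` and `pause` images carry no `-${ARCH}` suffix. A reader preparing an air-gapped 1.12 host from this table would mirror image names and tags that differ from what that release is said to use. I would add a sentence directly above the table, for example `The table applies to v1.10 only; for v1.11 and later, treat the output of "kubeadm config images list" as the authoritative list.` The CoreDNS sentence also lost its tag (`coredns/coredns:1.0.2` became `coredns/coredns`), so it now depends on the table row for the version.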
@@ -522,6 +373,9 @@ kubeadm config images list
kubeadm config images pull
```
+Starting with Kubernetes 1.12, the `k8s.gcr.io/kube-*`, `k8s.gcr.io/etcd` and `k8s.gcr.io/pause` images
+don't require an `-${ARCH}` suffix.
+
### Automating kubeadm
Rather than copying the token you obtained from `kubeadm init` to each node, as
diff --git a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join.md b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join.md
index eb9448b1e23b9..c0882d0b0163a 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join.md
@@ -210,26 +210,17 @@ still considered alpha and may change in future versions.
It's possible to configure `kubeadm join` with a configuration file instead of command
line flags, and some more advanced features may only be available as
-configuration file options. This file is passed in the `--config` option.
-
-```json
-apiVersion: kubeadm.k8s.io/v1alpha1
-kind: NodeConfiguration
-caCertPath:
-discoveryFile:
-discoveryToken:
-discoveryTokenAPIServers:
--
--
-nodeName:
-tlsBootstrapToken:
-token:
-discoveryTokenCACertHashes:
--
--
-discoveryTokenUnsafeSkipCAVerification:
+configuration file options. This file is passed using the `--config` flag and it must
+contain a `JoinConfiguration` structure.
+
+To print the default values of `JoinConfiguration` run the following command:
+
+```bash
+kubeadm config print-default --api-objects=JoinConfiguration
```
+For details on individual fields in `JoinConfiguration` see [the godoc](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#JoinConfiguration).
+
{{% /capture %}}
{{% capture whatsnext %}}
diff --git a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
index 55f61028f5148..3fb585644821f 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
@@ -26,6 +26,7 @@ For more version-specific upgrade guidance, see the following resources:
* [1.9.x to 1.9.y upgrades](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-9/)
* [1.9.x to 1.9.y HA cluster upgrades](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-ha/)
* [1.10 to 1.11 upgrades](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-11/)
+ * [1.11 to 1.12 upgrades](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-12/)
In Kubernetes v1.11.0 and later, you can use `kubeadm upgrade diff` to see the changes that would be
applied to static pod manifests.
@@ -42,6 +43,9 @@ applied to static pod manifests.
## kubeadm upgrade node config {#cmd-upgrade-node-config}
{{< include "generated/kubeadm_upgrade_node_config.md" >}}
+## kubeadm upgrade node experimental-control-plane {#cmd-experimental-control-plane}
+{{< include "generated/kubeadm_upgrade_node_experimental-control-plane.md" >}}
+
{{% /capture %}}
{{% capture whatsnext %}}
diff --git a/content/en/docs/reference/setup-tools/kubefed/kubefed.md b/content/en/docs/reference/setup-tools/kubefed/kubefed.md
index ce72a322aea8a..4d296ba22c253 100644
--- a/content/en/docs/reference/setup-tools/kubefed/kubefed.md
+++ b/content/en/docs/reference/setup-tools/kubefed/kubefed.md
@@ -1,8 +1,3 @@
----
-title: kubefed
-notitle: true
-weight: 10
----
## kubefed
kubefed controls a Kubernetes Cluster Federation
@@ -10,7 +5,7 @@ kubefed controls a Kubernetes Cluster Federation
### Synopsis
-kubefed controls a Kubernetes Cluster Federation.
+kubefed controls a Kubernetes Cluster Federation.
Find more information at https://github.com/kubernetes/federation.
@@ -24,7 +19,7 @@ kubefed [flags]
--alsologtostderr log to standard error as well as files
--as string Username to impersonate for the operation
--as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
- --cache-dir string Default HTTP cache directory (default "/Users/jrondeau/.kube/http-cache")
+ --cache-dir string Default HTTP cache directory (default "/Users/zarnold/.kube/http-cache")
--certificate-authority string Path to a cert file for the certificate authority
--client-certificate string Path to a client certificate file for TLS
--client-key string Path to a client key file for TLS
@@ -62,10 +57,10 @@ kubefed [flags]
```
### SEE ALSO
-* [kubefed init](/docs/reference/setup-tools/kubefed/kubefed-init/) - Initialize a federation control plane
-* [kubefed join](/docs/reference/setup-tools/kubefed/kubefed-join/) - Join a cluster to a federation
-* [kubefed options](/docs/reference/setup-tools/kubefed/kubefed-options/) - Print the list of flags inherited by all commands
-* [kubefed unjoin](/docs/reference/setup-tools/kubefed/kubefed-unjoin/) - Unjoin a cluster from a federation
-* [kubefed version](/docs/reference/setup-tools/kubefed/kubefed-version/) - Print the client and server version information
+* [kubefed init](kubefed_init.md) - Initialize a federation control plane
+* [kubefed join](kubefed_join.md) - Join a cluster to a federation
+* [kubefed options](kubefed_options.md) - Print the list of flags inherited by all commands
+* [kubefed unjoin](kubefed_unjoin.md) - Unjoin a cluster from a federation
+* [kubefed version](kubefed_version.md) - Print the client and server version information
-###### Auto generated by spf13/cobra on 25-Mar-2018
+###### Auto generated by spf13/cobra on 24-Sep-2018
diff --git a/content/en/docs/reference/setup-tools/kubefed/kubefed_init.md b/content/en/docs/reference/setup-tools/kubefed/kubefed_init.md
new file mode 100644
index 0000000000000..69da8c83fe499
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubefed/kubefed_init.md
@@ -0,0 +1,101 @@
+## kubefed init
+
+Initialize a federation control plane
+
+### Synopsis
+
+
+Init initializes a federation control plane.
+
+ Federation control plane is hosted inside a Kubernetes
+ cluster. The host cluster must be specified using the
+ --host-cluster-context flag.
+
+```
+kubefed init FEDERATION_NAME --host-cluster-context=HOST_CONTEXT [flags]
+```
+
+### Examples
+
+```
+ # Initialize federation control plane for a federation
+ # named foo in the host cluster whose local kubeconfig
+ # context is bar.
+ kubefed init foo --host-cluster-context=bar
+```
+
+### Options
+
+```
+ --api-server-advertise-address string Preferred address to advertise api server nodeport service. Valid only if 'api-server-service-type=NodePort'.
+ --api-server-port int32 Preferred port to use for api server nodeport service (0 for random port assignment). Valid only if 'api-server-service-type=NodePort'.
+ --api-server-service-type string The type of service to create for federation API server. Options: 'LoadBalancer' (default), 'NodePort'. (default "LoadBalancer")
+ --apiserver-arg-overrides string comma separated list of federation-apiserver arguments to override: Example "--arg1=value1,--arg2=value2..."
+ --apiserver-enable-basic-auth Enables HTTP Basic authentication for the federation-apiserver. Defaults to false.
+ --apiserver-enable-token-auth Enables token authentication for the federation-apiserver. Defaults to false.
+ --controllermanager-arg-overrides string comma separated list of federation-controller-manager arguments to override: Example "--arg1=value1,--arg2=value2..."
+ --credentials-kubeconfig string Kubeconfig file path on local file system, which should be used to authenticate with host cluster or the joining cluster (instead of the default kubeconfig).This can be used to override the RBAC based authentication while initialising the federation control plane or joining a cluster to one, even when the cluster exposes the RBAC API.
+ --dns-provider string Dns provider to be used for this deployment.
+ --dns-provider-config string Config file path on local file system for configuring DNS provider.
+ --dns-zone-name string DNS suffix for this federation. Federated Service DNS names are published with this suffix.
+ --dry-run dry run without sending commands to server.
+ --etcd-image string Image to use for etcd server. (default "gcr.io/google_containers/etcd:3.1.10")
+ --etcd-persistent-storage Use persistent volume for etcd. Defaults to 'true'. (default true)
+ --etcd-pv-capacity string Size of persistent volume claim to be used for etcd. (default "10Gi")
+ --etcd-pv-storage-class string The storage class of the persistent volume claim used for etcd. Must be provided if a default storage class is not enabled for the host cluster.
+ --etcd-servers string External pre-deployed etcd server to be used to store federation state.
+ --federation-system-namespace string Namespace in the host cluster where the federation system components are installed (default "federation-system")
+ -h, --help help for init
+ --host-cluster-context string Host cluster context
+ --image string Image to use for federation API server and controller manager binaries. (default "gcr.io/k8s-jkns-e2e-gce-federation/fcp-amd64:v0.0.0-master_$Format:%h$")
+ --image-pull-policy string PullPolicy describes a policy for if/when to pull a container image. The default pull policy is IfNotPresent which will not pull an image if it already exists. (default "IfNotPresent")
+ --image-pull-secrets string Provide secrets that can access the private registry.
+ --node-selector string comma separated list of nodeSelector arguments: Example "arg1=value1,arg2=value2..."
+```
+
+### Options inherited from parent commands
+
+```
+ --alsologtostderr log to standard error as well as files
+ --as string Username to impersonate for the operation
+ --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+ --cache-dir string Default HTTP cache directory (default "/Users/zarnold/.kube/http-cache")
+ --certificate-authority string Path to a cert file for the certificate authority
+ --client-certificate string Path to a client certificate file for TLS
+ --client-key string Path to a client key file for TLS
+ --cloud-provider-gce-lb-src-cidrs cidrs CIDRs opened in GCE firewall for LB traffic proxy & health checks (default 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16)
+ --cluster string The name of the kubeconfig cluster to use
+ --context string The name of the kubeconfig context to use
+ --default-not-ready-toleration-seconds int Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. (default 300)
+ --default-unreachable-toleration-seconds int Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. (default 300)
+ --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+ --ir-data-source string Data source used by InitialResources. Supported options: influxdb, gcm. (default "influxdb")
+ --ir-dbname string InfluxDB database name which contains metrics required by InitialResources (default "k8s")
+ --ir-hawkular string Hawkular configuration URL
+ --ir-influxdb-host string Address of InfluxDB which contains metrics required by InitialResources (default "localhost:8080/api/v1/namespaces/kube-system/services/monitoring-influxdb:api/proxy")
+ --ir-namespace-only Whether the estimation should be made only based on data from the same namespace.
+ --ir-password string Password used for connecting to InfluxDB (default "root")
+ --ir-percentile int Which percentile of samples should InitialResources use when estimating resources. For experiment purposes. (default 90)
+ --ir-user string User used for connecting to InfluxDB (default "root")
+ --kubeconfig string Path to the kubeconfig file to use for CLI requests.
+ --log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0)
+ --log-dir string If non-empty, write log files in this directory
+ --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
+ --logtostderr log to standard error instead of files (default true)
+ --match-server-version Require server version to match client version
+ -n, --namespace string If present, the namespace scope for this CLI request
+ --password string Password for basic authentication to the API server
+ --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+ -s, --server string The address and port of the Kubernetes API server
+ --stderrthreshold severity logs at or above this threshold go to stderr (default 2)
+ --token string Bearer token for authentication to the API server
+ --user string The name of the kubeconfig user to use
+ --username string Username for basic authentication to the API server
+ -v, --v Level log level for V logs
+ --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+* [kubefed](kubefed.md) - kubefed controls a Kubernetes Cluster Federation
+
+###### Auto generated by spf13/cobra on 24-Sep-2018
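Review bot: The documented default for `--image` is `gcr.io/k8s-jkns-e2e-gce-federation/fcp-amd64:v0.0.0-master_$Format:%h$`, which contains an unexpanded version template and points at what looks like a test registry. That suggests the page was generated from a local development build rather than a release binary. A reader who copies the default into a manifest or mirror list gets an image reference that no release publishes. Regenerating from a tagged build should fix the value. Failing that, the default could be dropped from the text so the line reads `--image string   Image to use for federation API server and controller manager binaries.`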
diff --git a/content/en/docs/reference/setup-tools/kubefed/kubefed_join.md b/content/en/docs/reference/setup-tools/kubefed/kubefed_join.md
new file mode 100644
index 0000000000000..79b29a4f99e3e
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubefed/kubefed_join.md
@@ -0,0 +1,95 @@
+## kubefed join
+
+Join a cluster to a federation
+
+### Synopsis
+
+
+Join adds a cluster to a federation.
+
+ Current context is assumed to be a federation API
+ server. Please use the --context flag otherwise.
+
+```
+kubefed join CLUSTER_NAME --host-cluster-context=HOST_CONTEXT [flags]
+```
+
+### Examples
+
+```
+ # Join a cluster to a federation by specifying the
+ # cluster name and the context name of the federation
+ # control plane's host cluster. Cluster name must be
+ # a valid RFC 1123 subdomain name. Cluster context
+ # must be specified if the cluster name is different
+ # than the cluster's context in the local kubeconfig.
+ kubefed join foo --host-cluster-context=bar
+```
+
+### Options
+
+```
+ --allow-missing-template-keys If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. (default true)
+ --cluster-context string Name of the cluster's context in the local kubeconfig. Defaults to cluster name if unspecified.
+ --credentials-kubeconfig string Kubeconfig file path on local file system, which should be used to authenticate with host cluster or the joining cluster (instead of the default kubeconfig).This can be used to override the RBAC based authentication while initialising the federation control plane or joining a cluster to one, even when the cluster exposes the RBAC API.
+ --dry-run If true, only print the object that would be sent, without sending it.
+ --federation-system-namespace string Namespace in the host cluster where the federation system components are installed (default "federation-system")
+ --generator string The name of the API generator to use. (default "cluster/v1beta1")
+ -h, --help help for join
+ --host-cluster-context string Host cluster context
+ --no-headers When using the default or custom-column output format, don't print headers (default print headers).
+ -o, --output string Output format. One of: json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=... See custom columns [http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns], golang template [http://golang.org/pkg/text/template/#pkg-overview] and jsonpath template [http://kubernetes.io/docs/user-guide/jsonpath].
+ --save-config If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
+ -a, --show-all When printing, show all resources (default hide terminated pods.)
+ --show-labels When printing, show all labels as the last column (default hide labels column)
+ --sort-by string If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.
+ --template string Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
+ --validate If true, use a schema to validate the input before sending it (default true)
+```
+
+### Options inherited from parent commands
+
+```
+ --alsologtostderr log to standard error as well as files
+ --as string Username to impersonate for the operation
+ --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+ --cache-dir string Default HTTP cache directory (default "/Users/zarnold/.kube/http-cache")
+ --certificate-authority string Path to a cert file for the certificate authority
+ --client-certificate string Path to a client certificate file for TLS
+ --client-key string Path to a client key file for TLS
+ --cloud-provider-gce-lb-src-cidrs cidrs CIDRs opened in GCE firewall for LB traffic proxy & health checks (default 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16)
+ --cluster string The name of the kubeconfig cluster to use
+ --context string The name of the kubeconfig context to use
+ --default-not-ready-toleration-seconds int Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. (default 300)
+ --default-unreachable-toleration-seconds int Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. (default 300)
+ --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+ --ir-data-source string Data source used by InitialResources. Supported options: influxdb, gcm. (default "influxdb")
+ --ir-dbname string InfluxDB database name which contains metrics required by InitialResources (default "k8s")
+ --ir-hawkular string Hawkular configuration URL
+ --ir-influxdb-host string Address of InfluxDB which contains metrics required by InitialResources (default "localhost:8080/api/v1/namespaces/kube-system/services/monitoring-influxdb:api/proxy")
+ --ir-namespace-only Whether the estimation should be made only based on data from the same namespace.
+ --ir-password string Password used for connecting to InfluxDB (default "root")
+ --ir-percentile int Which percentile of samples should InitialResources use when estimating resources. For experiment purposes. (default 90)
+ --ir-user string User used for connecting to InfluxDB (default "root")
+ --kubeconfig string Path to the kubeconfig file to use for CLI requests.
+ --log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0)
+ --log-dir string If non-empty, write log files in this directory
+ --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
+ --logtostderr log to standard error instead of files (default true)
+ --match-server-version Require server version to match client version
+ -n, --namespace string If present, the namespace scope for this CLI request
+ --password string Password for basic authentication to the API server
+ --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+ -s, --server string The address and port of the Kubernetes API server
+ --stderrthreshold severity logs at or above this threshold go to stderr (default 2)
+ --token string Bearer token for authentication to the API server
+ --user string The name of the kubeconfig user to use
+ --username string Username for basic authentication to the API server
+ -v, --v Level log level for V logs
+ --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+* [kubefed](kubefed.md) - kubefed controls a Kubernetes Cluster Federation
+
+###### Auto generated by spf13/cobra on 24-Sep-2018
diff --git a/content/en/docs/reference/setup-tools/kubefed/kubefed_options.md b/content/en/docs/reference/setup-tools/kubefed/kubefed_options.md
new file mode 100644
index 0000000000000..d1255f2865aba
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubefed/kubefed_options.md
@@ -0,0 +1,72 @@
+## kubefed options
+
+Print the list of flags inherited by all commands
+
+### Synopsis
+
+
+Print the list of flags inherited by all commands
+
+```
+kubefed options [flags]
+```
+
+### Examples
+
+```
+ # Print flags inherited by all commands
+ kubefed options
+```
+
+### Options
+
+```
+ -h, --help help for options
+```
+
+### Options inherited from parent commands
+
+```
+ --alsologtostderr log to standard error as well as files
+ --as string Username to impersonate for the operation
+ --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+ --cache-dir string Default HTTP cache directory (default "/Users/zarnold/.kube/http-cache")
+ --certificate-authority string Path to a cert file for the certificate authority
+ --client-certificate string Path to a client certificate file for TLS
+ --client-key string Path to a client key file for TLS
+ --cloud-provider-gce-lb-src-cidrs cidrs CIDRs opened in GCE firewall for LB traffic proxy & health checks (default 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16)
+ --cluster string The name of the kubeconfig cluster to use
+ --context string The name of the kubeconfig context to use
+ --default-not-ready-toleration-seconds int Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. (default 300)
+ --default-unreachable-toleration-seconds int Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. (default 300)
+ --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+ --ir-data-source string Data source used by InitialResources. Supported options: influxdb, gcm. (default "influxdb")
+ --ir-dbname string InfluxDB database name which contains metrics required by InitialResources (default "k8s")
+ --ir-hawkular string Hawkular configuration URL
+ --ir-influxdb-host string Address of InfluxDB which contains metrics required by InitialResources (default "localhost:8080/api/v1/namespaces/kube-system/services/monitoring-influxdb:api/proxy")
+ --ir-namespace-only Whether the estimation should be made only based on data from the same namespace.
+ --ir-password string Password used for connecting to InfluxDB (default "root")
+ --ir-percentile int Which percentile of samples should InitialResources use when estimating resources. For experiment purposes. (default 90)
+ --ir-user string User used for connecting to InfluxDB (default "root")
+ --kubeconfig string Path to the kubeconfig file to use for CLI requests.
+ --log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0)
+ --log-dir string If non-empty, write log files in this directory
+ --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
+ --logtostderr log to standard error instead of files (default true)
+ --match-server-version Require server version to match client version
+ -n, --namespace string If present, the namespace scope for this CLI request
+ --password string Password for basic authentication to the API server
+ --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+ -s, --server string The address and port of the Kubernetes API server
+ --stderrthreshold severity logs at or above this threshold go to stderr (default 2)
+ --token string Bearer token for authentication to the API server
+ --user string The name of the kubeconfig user to use
+ --username string Username for basic authentication to the API server
+ -v, --v Level log level for V logs
+ --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+* [kubefed](kubefed.md) - kubefed controls a Kubernetes Cluster Federation
+
+###### Auto generated by spf13/cobra on 24-Sep-2018
diff --git a/content/en/docs/reference/setup-tools/kubefed/kubefed_unjoin.md b/content/en/docs/reference/setup-tools/kubefed/kubefed_unjoin.md
new file mode 100644
index 0000000000000..ae80ef3bb8e7d
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubefed/kubefed_unjoin.md
@@ -0,0 +1,82 @@
+## kubefed unjoin
+
+Unjoin a cluster from a federation
+
+### Synopsis
+
+
+Unjoin a cluster from a federation.
+
+ Current context is assumed to be a federation endpoint.
+ Please use the --context flag otherwise.
+
+```
+kubefed unjoin CLUSTER_NAME --host-cluster-context=HOST_CONTEXT [flags]
+```
+
+### Examples
+
+```
+ # Unjoin the specified cluster from a federation.
+ # Federation control plane's host cluster context name
+ # must be specified via the --host-cluster-context flag
+ # to properly cleanup the credentials.
+ kubectl unjoin foo --host-cluster-context=bar --cluster-context=baz
+```
+
+### Options
+
+```
+ --cluster-context string Name of the cluster's context in the local kubeconfig. Defaults to cluster name if unspecified.
+ --credentials-kubeconfig string Kubeconfig file path on local file system, which should be used to authenticate with host cluster or the joining cluster (instead of the default kubeconfig).This can be used to override the RBAC based authentication while initialising the federation control plane or joining a cluster to one, even when the cluster exposes the RBAC API.
+ --federation-system-namespace string Namespace in the host cluster where the federation system components are installed (default "federation-system")
+ -h, --help help for unjoin
+ --host-cluster-context string Host cluster context
+```
+
+### Options inherited from parent commands
+
+```
+ --alsologtostderr log to standard error as well as files
+ --as string Username to impersonate for the operation
+ --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+ --cache-dir string Default HTTP cache directory (default "/Users/zarnold/.kube/http-cache")
+ --certificate-authority string Path to a cert file for the certificate authority
+ --client-certificate string Path to a client certificate file for TLS
+ --client-key string Path to a client key file for TLS
+ --cloud-provider-gce-lb-src-cidrs cidrs CIDRs opened in GCE firewall for LB traffic proxy & health checks (default 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16)
+ --cluster string The name of the kubeconfig cluster to use
+ --context string The name of the kubeconfig context to use
+ --default-not-ready-toleration-seconds int Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. (default 300)
+ --default-unreachable-toleration-seconds int Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. (default 300)
+ --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+ --ir-data-source string Data source used by InitialResources. Supported options: influxdb, gcm. (default "influxdb")
+ --ir-dbname string InfluxDB database name which contains metrics required by InitialResources (default "k8s")
+ --ir-hawkular string Hawkular configuration URL
+ --ir-influxdb-host string Address of InfluxDB which contains metrics required by InitialResources (default "localhost:8080/api/v1/namespaces/kube-system/services/monitoring-influxdb:api/proxy")
+ --ir-namespace-only Whether the estimation should be made only based on data from the same namespace.
+ --ir-password string Password used for connecting to InfluxDB (default "root")
+ --ir-percentile int Which percentile of samples should InitialResources use when estimating resources. For experiment purposes. (default 90)
+ --ir-user string User used for connecting to InfluxDB (default "root")
+ --kubeconfig string Path to the kubeconfig file to use for CLI requests.
+ --log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0)
+ --log-dir string If non-empty, write log files in this directory
+ --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
+ --logtostderr log to standard error instead of files (default true)
+ --match-server-version Require server version to match client version
+ -n, --namespace string If present, the namespace scope for this CLI request
+ --password string Password for basic authentication to the API server
+ --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+ -s, --server string The address and port of the Kubernetes API server
+ --stderrthreshold severity logs at or above this threshold go to stderr (default 2)
+ --token string Bearer token for authentication to the API server
+ --user string The name of the kubeconfig user to use
+ --username string Username for basic authentication to the API server
+ -v, --v Level log level for V logs
+ --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+* [kubefed](kubefed.md) - kubefed controls a Kubernetes Cluster Federation
+
+###### Auto generated by spf13/cobra on 24-Sep-2018
diff --git a/content/en/docs/reference/setup-tools/kubefed/kubefed_version.md b/content/en/docs/reference/setup-tools/kubefed/kubefed_version.md
new file mode 100644
index 0000000000000..eb2cfdbfffe20
--- /dev/null
+++ b/content/en/docs/reference/setup-tools/kubefed/kubefed_version.md
@@ -0,0 +1,75 @@
+## kubefed version
+
+Print the client and server version information
+
+### Synopsis
+
+
+Print the client and server version information for the current context
+
+```
+kubefed version [flags]
+```
+
+### Examples
+
+```
+ # Print the client and server versions for the current context
+ kubefed version
+```
+
+### Options
+
+```
+ --client Client version only (no server required).
+ -h, --help help for version
+ -o, --output string One of 'yaml' or 'json'.
+ --short Print just the version number.
+```
+
+### Options inherited from parent commands
+
+```
+ --alsologtostderr log to standard error as well as files
+ --as string Username to impersonate for the operation
+ --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+ --cache-dir string Default HTTP cache directory (default "/Users/zarnold/.kube/http-cache")
+ --certificate-authority string Path to a cert file for the certificate authority
+ --client-certificate string Path to a client certificate file for TLS
+ --client-key string Path to a client key file for TLS
+ --cloud-provider-gce-lb-src-cidrs cidrs CIDRs opened in GCE firewall for LB traffic proxy & health checks (default 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16)
+ --cluster string The name of the kubeconfig cluster to use
+ --context string The name of the kubeconfig context to use
+ --default-not-ready-toleration-seconds int Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. (default 300)
+ --default-unreachable-toleration-seconds int Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. (default 300)
+ --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+ --ir-data-source string Data source used by InitialResources. Supported options: influxdb, gcm. (default "influxdb")
+ --ir-dbname string InfluxDB database name which contains metrics required by InitialResources (default "k8s")
+ --ir-hawkular string Hawkular configuration URL
+ --ir-influxdb-host string Address of InfluxDB which contains metrics required by InitialResources (default "localhost:8080/api/v1/namespaces/kube-system/services/monitoring-influxdb:api/proxy")
+ --ir-namespace-only Whether the estimation should be made only based on data from the same namespace.
+ --ir-password string Password used for connecting to InfluxDB (default "root")
+ --ir-percentile int Which percentile of samples should InitialResources use when estimating resources. For experiment purposes. (default 90)
+ --ir-user string User used for connecting to InfluxDB (default "root")
+ --kubeconfig string Path to the kubeconfig file to use for CLI requests.
+ --log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0)
+ --log-dir string If non-empty, write log files in this directory
+ --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
+ --logtostderr log to standard error instead of files (default true)
+ --match-server-version Require server version to match client version
+ -n, --namespace string If present, the namespace scope for this CLI request
+ --password string Password for basic authentication to the API server
+ --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+ -s, --server string The address and port of the Kubernetes API server
+ --stderrthreshold severity logs at or above this threshold go to stderr (default 2)
+ --token string Bearer token for authentication to the API server
+ --user string The name of the kubeconfig user to use
+ --username string Username for basic authentication to the API server
+ -v, --v Level log level for V logs
+ --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+* [kubefed](kubefed.md) - kubefed controls a Kubernetes Cluster Federation
+
+###### Auto generated by spf13/cobra on 24-Sep-2018
diff --git a/content/en/docs/reference/using-api/api-concepts.md b/content/en/docs/reference/using-api/api-concepts.md
index aac69ea32f92b..623e2b99378b0 100644
--- a/content/en/docs/reference/using-api/api-concepts.md
+++ b/content/en/docs/reference/using-api/api-concepts.md
@@ -284,6 +284,51 @@ An encoded Protobuf message with the following IDL:
Clients that receive a response in `application/vnd.kubernetes.protobuf` that does not match the expected prefix should reject the response, as future versions may need to alter the serialization format in an incompatible way and will do so by changing the prefix.
+
+## Dry run
+
+{{< feature-state for_k8s_version="v1.12" state="alpha" >}} In version 1.12, if the dry run alpha feature is enabled, the modifying verbs (`POST`, `PUT`, `PATCH`, and `DELETE`) can accept requests in a dry run mode. Dry run mode helps to evaluate a request through the typical request stages (admission chain, validation, merge conflicts) up until persisting objects to storage. The response body for the request is as close as possible to a non dry run response. The system guarantees that dry run requests will not be persisted in storage or have any other side effects.
+
+
+### Enable the dry run alpha feature
+
+Dry run is an alpha feature, so it is disabled by default. To turn it on,
+you need to:
+
+* Include "DryRun=true" in the `--feature-gates` flag when starting
+ `kube-apiserver`. If you have multiple `kube-apiserver` replicas, all should
+ have the same flag setting.
+
+If this feature is not enabled, all requests with a modifying verb (`POST`, `PUT`, `PATCH`, and `DELETE`) which set the `dryRun` query parameter will be rejected with a 400 Bad Request error. Kubernetes 1.11 always rejects dry run requests like this, so it is safe for clients to make dry run requests even if the feature is not enabled on the server, as long as the server version is >= 1.11.
+
+
+### Make a dry run request
+
+Dry run is triggered by setting the `dryRun` query parameter. This parameter is a string, working as an enum, and in 1.12 the only accepted values are:
+
+* `All`: Every stage runs as normal, except for the final storage stage. Admission controllers are run to check that the request is valid, mutating controllers mutate the request, merge is performed on `PATCH`, fields are defaulted, and schema validation occurs. The changes are not persisted to the underlying storage, but the final object which would have been persisted is still returned to the user, along with the normal status code. If the request would trigger an admission controller which would have side effects, the request will be failed rather than risk an unwanted side effect. Admission webhooks can now declare (in their configuration object) that they do not have side effects to prevent this. All built in admission control plugins support dry run.
+* Leave the value empty, which is also the default: Keep the default modifying behavior.
+
+For example:
+
+ POST /api/v1/namespaces/test/pods?dryRun=All
+ Content-Type: application/json
+ Accept: application/json
+
+The response would look the same as for non dry run request, but the values of some generated fields may differ.
+
+
+### Generated values
+
+Some values of an object are typically generated before the object is persisted. It is important not to rely upon the values of these fields set by a dry run request, since these values will likely be different in dry run mode from when the real request is made. Some of these fields are:
+
+* `name`: if `generateName` is set, `name` will have a unique random name
+* `creationTimestamp`/`deletionTimestamp`: records the time of creation/deletion
+* `UID`: uniquely identifies the object and is randomly generated (non-deterministic)
+* `resourceVersion`: tracks the persisted version of the object
+* Any field set by a mutating admission controller
+* For the `Service` resource: Ports or IPs that kube-apiserver assigns to v1.Service objects
+
{{% /capture %}}
diff --git a/content/en/docs/setup/cri.md b/content/en/docs/setup/cri.md
new file mode 100644
index 0000000000000..5ff203d7766eb
--- /dev/null
+++ b/content/en/docs/setup/cri.md
@@ -0,0 +1,226 @@
+---
+reviewers:
+- vincepri
+- bart0sh
+title: CRI installation
+content_template: templates/concept
+weight: 100
+---
+{{% capture overview %}}
+Since v1.6.0, Kubernetes has enabled the use of CRI, Container Runtime Interface, by default.
+This page contains installation instruction for various runtimes.
+
+{{% /capture %}}
+
+{{% capture body %}}
+
+Please proceed with executing the following commands based on your OS as root.
+You may become the root user by executing `sudo -i` after SSH-ing to each host.
+
+## Docker
+
+On each of your machines, install Docker.
+Version 18.06 is recommended, but 1.11, 1.12, 1.13 and 17.03 are known to work as well.
+Keep track of the latest verified Docker version in the Kubernetes release notes.
+
+Use the following commands to install Docker on your system:
+
+{{< tabs name="tab-cri-docker-installation" >}}
+{{< tab name="Ubuntu 16.04" codelang="bash" >}}
+# Install Docker from Ubuntu's repositories:
+apt-get update
+apt-get install -y docker.io
+
+# or install Docker CE 18.06 from Docker's repositories for Ubuntu or Debian:
+
+## Install prerequisites.
+apt-get update && apt-get install apt-transport-https ca-certificates curl software-properties-common
+
+## Download GPG key.
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
+
+## Add docker apt repository.
+add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) \
+ stable"
+
+## Install docker.
+apt-get update && apt-get install docker-ce=18.06.0~ce~3-0~ubuntu
+
+# Setup daemon.
+cat > /etc/docker/daemon.json <}}
+{{< tab name="CentOS/RHEL 7.4+" codelang="bash" >}}
+
+# Install Docker from CentOS/RHEL repository:
+yum install -y docker
+
+# or install Docker CE 18.06 from Docker's CentOS repositories:
+
+## Install prerequisites.
+yum install yum-utils device-mapper-persistent-data lvm2
+
+## Add docker repository.
+yum-config-manager \
+ --add-repo \
+ https://download.docker.com/linux/centos/docker-ce.repo
+
+## Install docker.
+yum update && yum install docker-ce-18.06.1.ce
+
+# Setup daemon.
+cat > /etc/docker/daemon.json <}}
+{{< /tabs >}}
+
+Refer to the [official Docker installation guides](https://docs.docker.com/engine/installation/)
+for more information.
+
+## CRI-O
+
+This section contains the necessary steps to install `CRI-O` as CRI runtime.
+
+Use the following commands to install CRI-O on your system:
+
+### Prerequisites
+
+```shell
+modprobe overlay
+modprobe br_netfilter
+
+# Setup required sysctl params, these persist across reboots.
+cat > /etc/sysctl.d/99-kubernetes-cri.conf <}}
+{{< tab name="Ubuntu 16.04" codelang="bash" >}}
+
+# Install prerequisites
+apt-get update
+apt-get install software-properties-common
+
+add-apt-repository ppa:projectatomic/ppa
+apt-get update
+
+# Install CRI-O
+apt-get install cri-o-1.11
+
+{{< /tab >}}
+{{< tab name="CentOS/RHEL 7.4+" codelang="bash" >}}
+
+# Install prerequisites
+yum-config-manager --add-repo=https://cbs.centos.org/repos/paas7-crio-311-candidate/x86_64/os/
+
+# Install CRI-O
+yum install --nogpgcheck cri-o
+
+{{< /tab >}}
+{{< /tabs >}}
+
+### Start CRI-O
+
+```
+systemctl start crio
+```
+
+Refer to the [CRI-O installation guide](https://github.com/kubernetes-sigs/cri-o#getting-started)
+for more information.
+
+## Containerd
+
+This section contains the necessary steps to use `containerd` as CRI runtime.
+
+Use the following commands to install Containerd on your system:
+
+### Prerequisites
+
+```shell
+modprobe overlay
+modprobe br_netfilter
+
+# Setup required sysctl params, these persist across reboots.
+cat > /etc/sysctl.d/99-kubernetes-cri.conf <}}
+{{< tab name="Ubuntu 16.04+" codelang="bash" >}}
+apt-get install -y libseccomp2
+{{< /tab >}}
+{{< tab name="CentOS/RHEL 7.4+" codelang="bash" >}}
+yum install -y libseccomp
+{{< /tab >}}
+{{< /tabs >}}
+
+### Install containerd
+
+[Containerd releases](https://github.com/containerd/containerd/releases) are published regularly, the values below are hardcoded to the latest version available at the time of writing. Please check for newer versions and hashes [here](https://storage.googleapis.com/cri-containerd-release).
+
+```shell
+# Export required environment variables.
+export CONTAINERD_VERSION="1.1.2"
+export CONTAINERD_SHA256="d4ed54891e90a5d1a45e3e96464e2e8a4770cd380c21285ef5c9895c40549218"
+
+# Download containerd tar.
+wget https://storage.googleapis.com/cri-containerd-release/cri-containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz
+
+# Check hash.
+echo "${CONTAINERD_SHA256} cri-containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz" | sha256sum --check -
+
+# Unpack.
+tar --no-overwrite-dir -C / -xzf cri-containerd-${CONTAINERD_VERSION}.linux-amd64.tar.gz
+
+# Start containerd.
+systemctl start containerd
+```
+
+## Other CRI runtimes: rktlet and frakti
+
+Refer to the [Frakti QuickStart guide](https://github.com/kubernetes/frakti#quickstart) and [Rktlet Getting Started guide](https://github.com/kubernetes-incubator/rktlet/blob/master/docs/getting-started-guide.md) for more information.
+
+{{% /capture %}}
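Review bot: The CentOS/RHEL CRI-O tab installs the runtime with `yum install --nogpgcheck cri-o` from a repository whose URL marks it as a `candidate` repo, so package signatures are never verified for a component that runs as root on every node. I would drop the flag (`yum install cri-o`) and add a step that imports the repository's signing key, or, if no signed source exists for this release, say so in a caution note instead of disabling the check silently. The Ubuntu Docker tab has a related gap: `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -` trusts whatever key is served, so a line telling the reader to compare the key's fingerprint with the one Docker publishes before running `add-apt-repository` would help. The containerd section already pins `CONTAINERD_SHA256` and checks it with `sha256sum --check`, so bringing the other two runtimes to the same standard would also make the page consistent.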
diff --git a/content/en/docs/setup/custom-cloud/node.yaml b/content/en/docs/setup/custom-cloud/node.yaml
index 503d67dd556d0..9f5caff49bc3e 100644
--- a/content/en/docs/setup/custom-cloud/node.yaml
+++ b/content/en/docs/setup/custom-cloud/node.yaml
@@ -83,7 +83,6 @@ coreos:
--api-servers=:8080 \
--allow-privileged=true \
--logtostderr=true \
- --cadvisor-port=4194 \
--healthz-bind-address=0.0.0.0 \
--healthz-port=10248
Restart=always
diff --git a/content/en/docs/setup/independent/control-plane-flags.md b/content/en/docs/setup/independent/control-plane-flags.md
index b1d1f4ebca8a4..ba01d29b4c39d 100644
--- a/content/en/docs/setup/independent/control-plane-flags.md
+++ b/content/en/docs/setup/independent/control-plane-flags.md
@@ -20,7 +20,7 @@ These fields consist of `key: value` pairs. To override a flag for a control pla
2. Add the flags to override to the field.
For more details on each field in the configuration you can navigate to our
-[API reference pages](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#MasterConfiguration).
+[API reference pages](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#ClusterConfiguration).
{{% /capture %}}
@@ -32,11 +32,11 @@ For details, see the [reference documentation for kube-apiserver](https://kubern
Example usage:
```yaml
-apiVersion: kubeadm.k8s.io/v1alpha2
-kind: MasterConfiguration
-kubernetesVersion: v1.11.0
+apiVersion: kubeadm.k8s.io/v1alpha3
+kind: ClusterConfiguration
+kubernetesVersion: v1.12.0
metadata:
- name: 1.11-sample
+ name: 1.12-sample
apiServerExtraArgs:
advertise-address: 192.168.0.103
anonymous-auth: false
@@ -50,11 +50,11 @@ For details, see the [reference documentation for kube-controller-manager](https
Example usage:
```yaml
-apiVersion: kubeadm.k8s.io/v1alpha2
-kind: MasterConfiguration
-kubernetesVersion: v1.11.0
+apiVersion: kubeadm.k8s.io/v1alpha3
+kind: ClusterConfiguration
+kubernetesVersion: v1.12.0
metadata:
- name: 1.11-sample
+ name: 1.12-sample
controllerManagerExtraArgs:
cluster-signing-key-file: /home/johndoe/keys/ca.key
bind-address: 0.0.0.0
@@ -67,11 +67,11 @@ For details, see the [reference documentation for kube-scheduler](https://kubern
Example usage:
```yaml
-apiVersion: kubeadm.k8s.io/v1alpha2
-kind: MasterConfiguration
-kubernetesVersion: v1.11.0
+apiVersion: kubeadm.k8s.io/v1alpha3
+kind: ClusterConfiguration
+kubernetesVersion: v1.12.0
metadata:
- name: 1.11-sample
+ name: 1.12-sample
schedulerExtraArgs:
address: 0.0.0.0
config: /home/johndoe/schedconfig.yaml
diff --git a/content/en/docs/setup/independent/create-cluster-kubeadm.md b/content/en/docs/setup/independent/create-cluster-kubeadm.md
index 94efe78911c9f..cd23475401df5 100644
--- a/content/en/docs/setup/independent/create-cluster-kubeadm.md
+++ b/content/en/docs/setup/independent/create-cluster-kubeadm.md
@@ -69,6 +69,7 @@ timeframe; which also applies to `kubeadm`.
| v1.9.x | December 2017 | September 2018 |
| v1.10.x | March 2018 | December 2018 |
| v1.11.x | June 2018 | March 2019 |
+| v1.12.x | September 2018 | June 2019 |
{{% /capture %}}
diff --git a/content/en/docs/setup/independent/high-availability.md b/content/en/docs/setup/independent/high-availability.md
index 33c2cdd53c1cf..fdf3df5def03d 100644
--- a/content/en/docs/setup/independent/high-availability.md
+++ b/content/en/docs/setup/independent/high-availability.md
@@ -16,7 +16,7 @@ and control plane nodes are co-located.
- With an external etcd cluster. This approach requires more infrastructure. The
control plane nodes and etcd members are separated.
-Your clusters must run Kubernetes version 1.11 or later. You should also be aware that
+Your clusters must run Kubernetes version 1.12 or later. You should also be aware that
setting up HA clusters with kubeadm is still experimental. You might encounter issues
with upgrading your clusters, for example. We encourage you to try either approach,
and provide feedback.
@@ -139,15 +139,18 @@ different configuration.
### Bootstrap the first stacked control plane node
+{{< note >}}
+**Note**: Optionally replace `stable` with a different version of Kubernetes, for example `v1.12.0`.
+{{< /note >}}
+
1. Create a `kubeadm-config.yaml` template file:
- apiVersion: kubeadm.k8s.io/v1alpha2
- kind: MasterConfiguration
- kubernetesVersion: v1.11.x
+ apiVersion: kubeadm.k8s.io/v1alpha3
+ kind: ClusterConfiguration
+ kubernetesVersion: stable
apiServerCertSANs:
- "LOAD_BALANCER_DNS"
- api:
- controlPlaneEndpoint: "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT"
+ controlPlaneEndpoint: "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT"
etcd:
local:
extraArgs:
@@ -166,9 +169,6 @@ different configuration.
# This CIDR is a Calico default. Substitute or remove for your CNI provider.
podSubnet: "192.168.0.0/16"
-1. Replace `x` in `kubernetesVersion: v1.11.x` with the latest available version.
- For example: `kubernetesVersion: v1.11.1`
-
1. Replace the following variables in the template with the appropriate
values for your cluster:
@@ -224,13 +224,12 @@ done
1. Create a second, different `kubeadm-config.yaml` template file:
- apiVersion: kubeadm.k8s.io/v1alpha2
- kind: MasterConfiguration
- kubernetesVersion: v1.11.x
+ apiVersion: kubeadm.k8s.io/v1alpha3
+ kind: ClusterConfiguration
+ kubernetesVersion: stable
apiServerCertSANs:
- "LOAD_BALANCER_DNS"
- api:
- controlPlaneEndpoint: "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT"
+ controlPlaneEndpoint: "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT"
etcd:
local:
extraArgs:
@@ -250,9 +249,6 @@ done
# This CIDR is a calico default. Substitute or remove for your CNI provider.
podSubnet: "192.168.0.0/16"
-1. Replace `x` in `kubernetesVersion: v1.11.x` with the latest available version.
- For example: `kubernetesVersion: v1.11.1`
-
1. Replace the following variables in the template with the appropriate values for your cluster:
- `LOAD_BALANCER_DNS`
@@ -296,7 +292,7 @@ done
export CP1_IP=10.0.0.8
export CP1_HOSTNAME=cp1
- export KUBECONFIG=/etc/kubernetes/admin.conf
+ export KUBECONFIG=/etc/kubernetes/admin.conf
kubectl exec -n kube-system etcd-${CP0_HOSTNAME} -- etcdctl --ca-file /etc/kubernetes/pki/etcd/ca.crt --cert-file /etc/kubernetes/pki/etcd/peer.crt --key-file /etc/kubernetes/pki/etcd/peer.key --endpoints=https://${CP0_IP}:2379 member add ${CP1_HOSTNAME} https://${CP1_IP}:2380
kubeadm alpha phase etcd local --config kubeadm-config.yaml
```
@@ -317,13 +313,12 @@ done
1. Create a third, different `kubeadm-config.yaml` template file:
- apiVersion: kubeadm.k8s.io/v1alpha2
- kind: MasterConfiguration
- kubernetesVersion: v1.11.x
+ apiVersion: kubeadm.k8s.io/v1alpha3
+ kind: ClusterConfiguration
+ kubernetesVersion: stable
apiServerCertSANs:
- "LOAD_BALANCER_DNS"
- api:
- controlPlaneEndpoint: "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT"
+ controlPlaneEndpoint: "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT"
etcd:
local:
extraArgs:
@@ -343,9 +338,6 @@ done
# This CIDR is a calico default. Substitute or remove for your CNI provider.
podSubnet: "192.168.0.0/16"
-1. Replace `x` in `kubernetesVersion: v1.11.x` with the latest available version.
- For example: `kubernetesVersion: v1.11.1`
-
1. Replace the following variables in the template with the appropriate values for your cluster:
- `LOAD_BALANCER_DNS`
@@ -391,7 +383,7 @@ done
export CP2_IP=10.0.0.9
export CP2_HOSTNAME=cp2
- export KUBECONFIG=/etc/kubernetes/admin.conf
+ export KUBECONFIG=/etc/kubernetes/admin.conf
kubectl exec -n kube-system etcd-${CP0_HOSTNAME} -- etcdctl --ca-file /etc/kubernetes/pki/etcd/ca.crt --cert-file /etc/kubernetes/pki/etcd/peer.crt --key-file /etc/kubernetes/pki/etcd/peer.key --endpoints=https://${CP0_IP}:2379 member add ${CP2_HOSTNAME} https://${CP2_IP}:2380
kubeadm alpha phase etcd local --config kubeadm-config.yaml
```
@@ -411,39 +403,49 @@ done
- Follow [these instructions](/docs/setup/independent/setup-ha-etcd-with-kubeadm/)
to set up the etcd cluster.
-### Copy required files to other control plane nodes
-
-The following certificates were created when you created the cluster. Copy them
-to your other control plane nodes:
-
-- `/etc/kubernetes/pki/etcd/ca.crt`
-- `/etc/kubernetes/pki/apiserver-etcd-client.crt`
-- `/etc/kubernetes/pki/apiserver-etcd-client.key`
+#### Copy required files from an etcd node to all control plane nodes
In the following example, replace `USER` and `CONTROL_PLANE_HOSTS` values with values
for your environment.
```sh
+# Make a list of required etcd certificate files
+cat << EOF > etcd-pki-files.txt
+/etc/kubernetes/pki/etcd/ca.crt
+/etc/kubernetes/pki/apiserver-etcd-client.crt
+/etc/kubernetes/pki/apiserver-etcd-client.key
+EOF
+
+# create the archive
+tar -czf etcd-pki.tar.gz -T etcd-pki-files.txt
+
+# copy the archive to the control plane nodes
USER=ubuntu
CONTROL_PLANE_HOSTS="10.0.0.7 10.0.0.8 10.0.0.9"
for host in $CONTROL_PLANE_HOSTS; do
- scp /etc/kubernetes/pki/etcd/ca.crt "${USER}"@$host:
- scp /etc/kubernetes/pki/apiserver-etcd-client.crt "${USER}"@$host:
- scp /etc/kubernetes/pki/apiserver-etcd-client.key "${USER}"@$host:
+ scp etcd-pki.tar.gz "${USER}"@$host:
done
```
### Set up the first control plane node
-1. Create a `kubeadm-config.yaml` template file:
+1. Extract the etcd certificates
+
+ mkdir -p /etc/kubernetes/pki
+ tar -xzf etcd-pki.tar.gz -C /etc/kubernetes/pki --strip-components=3
+
+1. Create a `kubeadm-config.yaml`:
+
+{{< note >}}
+**Note**: Optionally replace `stable` with a different version of Kubernetes, for example `v1.11.3`.
+{{< /note >}}
- apiVersion: kubeadm.k8s.io/v1alpha2
- kind: MasterConfiguration
- kubernetesVersion: v1.11.x
+ apiVersion: kubeadm.k8s.io/v1alpha3
+ kind: ClusterConfiguration
+ kubernetesVersion: stable
apiServerCertSANs:
- "LOAD_BALANCER_DNS"
- api:
- controlPlaneEndpoint: "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT"
+ controlPlaneEndpoint: "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT"
etcd:
external:
endpoints:
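Review bot: The new archive step bundles `apiserver-etcd-client.key` into `etcd-pki.tar.gz` in the current directory with default permissions, copies it into `${USER}`'s home directory on every host, and never removes it, so copies of the private key stay behind outside `/etc/kubernetes/pki`. I would add `umask 077` before the `tar -czf` line and a cleanup step after extraction, for example `rm -f etcd-pki.tar.gz etcd-pki-files.txt`. The same applies to `control-plane-certificates.tar.gz` in the `@@ -486,24 +486,34 @@` hunk, which carries `ca.key`, `sa.key` and `front-proxy-ca.key`. Separately, the added note suggests `v1.11.3`, although this page says clusters must run 1.12 or later and the stacked-etcd note uses `v1.12.0`.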
@@ -457,9 +459,6 @@ done
# This CIDR is a calico default. Substitute or remove for your CNI provider.
podSubnet: "192.168.0.0/16"
-1. Replace `x` in `kubernetesVersion: v1.11.x` with the latest available version.
- For example: `kubernetesVersion: v1.11.1`
-
1. Replace the following variables in the template with the appropriate values for your cluster:
- `LOAD_BALANCER_DNS`
@@ -469,11 +468,12 @@ done
- `ETCD_2_IP`
1. Run `kubeadm init --config kubeadm-config.yaml`
+1. Copy the output join commamnd.
### Copy required files to the correct locations
-The following certificates and other required files were created when you ran `kubeadm init`.
-Copy these files to your other control plane nodes:
+The following pki files were created during the `kubeadm init` step and must be shared with
+all other control plane nodes.
- `/etc/kubernetes/pki/ca.crt`
- `/etc/kubernetes/pki/ca.key`
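Review bot: The added step reads `Copy the output join commamnd.`, where "commamnd" is a typo for "command". That output contains the bootstrap token later passed to `kubeadm join`, so the step could also say how to handle it, e.g. `1. Copy the join command from the output and keep it private; it contains a bootstrap token.`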
@@ -486,24 +486,34 @@ In the following example, replace the list of
`CONTROL_PLANE_IPS` values with the IP addresses of the other control plane nodes.
```sh
+# make a list of required kubernetes certificate files
+cat << EOF > certificate_files.txt
+/etc/kubernetes/pki/ca.crt
+/etc/kubernetes/pki/ca.key
+/etc/kubernetes/pki/sa.key
+/etc/kubernetes/pki/sa.pub
+/etc/kubernetes/pki/front-proxy-ca.crt
+/etc/kubernetes/pki/front-proxy-ca.key
+EOF
+
+# create the archive
+tar -czf control-plane-certificates.tar.gz -T certificate_files.txt
+
USER=ubuntu # customizable
CONTROL_PLANE_IPS="10.0.0.7 10.0.0.8"
for host in ${CONTROL_PLANE_IPS}; do
- scp /etc/kubernetes/pki/ca.crt "${USER}"@$host:
- scp /etc/kubernetes/pki/ca.key "${USER}"@$host:
- scp /etc/kubernetes/pki/sa.key "${USER}"@$host:
- scp /etc/kubernetes/pki/sa.pub "${USER}"@$host:
- scp /etc/kubernetes/pki/front-proxy-ca.crt "${USER}"@$host:
- scp /etc/kubernetes/pki/front-proxy-ca.key "${USER}"@$host:
+ scp control-plane-certificates.tar.gz "${USER}"@$host:
done
```
-{{< note >}}
-**Note**: Remember that your config may differ from this example.
-{{< /note >}}
-
### Set up the other control plane nodes
+1. Extract the required certificates
+
+ mkdir -p /etc/kubernetes/pki
+ tar -xzf etcd-pki.tar.gz -C /etc/kubernetes/pki --strip-components 3
+ tar -xzf control-plane-certificates.tar.gz -C /etc/kubernetes/pki --strip-components 3
+
1. Verify the location of the copied files.
Your `/etc/kubernetes` directory should look like this:
@@ -517,8 +527,10 @@ done
- `/etc/kubernetes/pki/sa.pub`
- `/etc/kubernetes/pki/etcd/ca.crt`
-1. Run `kubeadm init --config kubeadm-config.yaml` on each control plane node, where
- `kubeadm-config.yaml` is the file you already created.
+1. Run the copied `kubeadm join` command from above. Add the flag "--experimental-control-plane".
+ The final command will look something like this:
+
+ kubeadm join ha.k8s.example.com:6443 --token 5ynki1.3erp9i3yo7gqg1nv --discovery-token-ca-cert-hash sha256:a00055bd8c710a9906a3d91b87ea02976334e1247936ac061d867a0f014ecd81 --experimental-control-plane
## Common tasks after bootstrapping control plane
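Review bot: The example `kubeadm join` line embeds a complete token and CA hash, which invites copy-pasting values that cannot match the reader's cluster. Placeholders would make it clear they come from the `kubeadm init` output, e.g. `kubeadm join LOAD_BALANCER_DNS:LOAD_BALANCER_PORT --token <token> --discovery-token-ca-cert-hash sha256:<hash> --experimental-control-plane`. The flag in the sentence above is also written in straight quotes, while the rest of the page uses backticks for commands.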
diff --git a/content/en/docs/setup/independent/install-kubeadm.md b/content/en/docs/setup/independent/install-kubeadm.md
index c80c5aaba2186..df670972c5c93 100644
--- a/content/en/docs/setup/independent/install-kubeadm.md
+++ b/content/en/docs/setup/independent/install-kubeadm.md
@@ -79,57 +79,20 @@ The pod network plugin you use (see below) may also require certain ports to be
open. Since this differs with each pod network plugin, please see the
documentation for the plugins about what port(s) those need.
-## Installing Docker
+## Installing runtime
-On each of your machines, install Docker.
-Version 17.03 is recommended, but 1.11, 1.12 and 1.13 are known to work as well.
-Versions 17.06+ _might work_, but have not yet been tested and verified by the Kubernetes node team.
-Keep track of the latest verified Docker version in the Kubernetes release notes.
+Since v1.6.0, Kubernetes has enabled the use of CRI, Container Runtime Interface, by default.
+The container runtime used by default is Docker, which is enabled through the built-in
+`dockershim` CRI implementation inside of the `kubelet`.
-Please proceed with executing the following commands based on your OS as root. You may become the root user by executing `sudo -i` after SSH-ing to each host.
+Other CRI-based runtimes include:
-If you already have the required versions of the Docker installed, you can move on to next section.
-If not, you can use the following commands to install Docker on your system:
+- [cri-containerd](https://github.com/containerd/cri-containerd)
+- [cri-o](https://github.com/kubernetes-incubator/cri-o)
+- [frakti](https://github.com/kubernetes/frakti)
+- [rkt](https://github.com/kubernetes-incubator/rktlet)
-{{< tabs name="docker_install" >}}
-{{% tab name="Ubuntu, Debian or HypriotOS" %}}
-Install Docker from Ubuntu's repositories:
-
-```bash
-apt-get update
-apt-get install -y docker.io
-```
-
-or install Docker CE 17.03 from Docker's repositories for Ubuntu or Debian:
-
-```bash
-apt-get update
-apt-get install -y apt-transport-https ca-certificates curl software-properties-common
-curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
-add-apt-repository "deb https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(lsb_release -cs) stable"
-apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')
-```
-{{% /tab %}}
-{{% tab name="CentOS, RHEL or Fedora" %}}
-Install Docker using your operating system's bundled package:
-
-```bash
-yum install -y docker
-systemctl enable docker && systemctl start docker
-```
-{{% /tab %}}
-{{% tab name="Container Linux" %}}
-Enable and start Docker:
-
-```bash
-systemctl enable docker && systemctl start docker
-```
-{{% /tab %}}
-{{< /tabs >}}
-
-
-Refer to the [official Docker installation guides](https://docs.docker.com/engine/installation/)
-for more information.
+Refer to the [CRI installation instructions](/docs/setup/cri.md) for more information.
## Installing kubeadm, kubelet and kubectl
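Review bot: The added link `/docs/setup/cri.md` keeps the source file's `.md` extension, whereas other site-relative links in this change omit it (for example `/docs/setup/independent/setup-ha-etcd-with-kubeadm/`), so it will probably not resolve on the rendered site. `[CRI installation instructions](/docs/setup/cri/)` looks like the intended target, assuming the new page is published at that path. The new heading `## Installing runtime` would also read more clearly as `## Installing a container runtime`.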
diff --git a/content/en/docs/setup/independent/kubelet-integration.md b/content/en/docs/setup/independent/kubelet-integration.md
index 55d905455f317..926d26e1a9c8e 100644
--- a/content/en/docs/setup/independent/kubelet-integration.md
+++ b/content/en/docs/setup/independent/kubelet-integration.md
@@ -23,7 +23,7 @@ manager instead, but you need to configure it manually.
Some kubelet configuration details need to be the same across all kubelets involved in the cluster, while
other configuration aspects need to be set on a per-kubelet basis, to accommodate the different
characteristics of a given machine, such as OS, storage, and networking. You can manage the configuration
-of your kubelets manually, but [kubeadm now provides a `MasterConfig` API type for managing your
+of your kubelets manually, but [kubeadm now provides a `KubeletConfiguration` API type for managing your
kubelet configurations centrally](#configure-kubelets-using-kubeadm).
{{% /capture %}}
@@ -63,10 +63,7 @@ clusterDNS:
- 10.96.0.10
```
-See the
-[API reference for the
-kubelet ComponentConfig](https://godoc.org/k8s.io/kubernetes/pkg/kubelet/apis/config#KubeletConfiguration)
-for more information.
+For more details on the ComponentConfig have a look at [this section](#configure-kubelets-using-kubeadm).
### Providing instance-specific configuration details
@@ -96,14 +93,19 @@ such as systemd.
## Configure kubelets using kubeadm
-The kubeadm config API type `MasterConfiguration` embeds the kubelet's ComponentConfig under
-the `.kubeletConfiguration.baseConfig` key. Any user writing a `MasterConfiguration`
-file can use this configuration key to also set the base-level configuration for all kubelets
-in the cluster.
+It is possible to configure the kubelet that kubeadm will start if a custom `KubeletConfiguration`
+API object is passed with a configuration file like so `kubeadm ... --config some-config-file.yaml`.
+
+By calling `kubeadm config print-default --api-objects KubeletConfiguration` you can
+see all the default values for this structure.
+
+Also have a look at the [API reference for the
+kubelet ComponentConfig](https://godoc.org/k8s.io/kubernetes/pkg/kubelet/apis/config#KubeletConfiguration)
+for more information on the individual fields.
### Workflow when using `kubeadm init`
-When you call `kubeadm init`, the `.kubeletConfiguration.baseConfig` structure is marshalled to disk
+When you call `kubeadm init`, the kubelet configuration is marshalled to disk
at `/var/lib/kubelet/config.yaml`, and also uploaded to a ConfigMap in the cluster. The ConfigMap
is named `kubelet-config-1.X`, where `.X` is the minor version of the Kubernetes version you are
initializing. A kubelet configuration file is also written to `/etc/kubernetes/kubelet.conf` with the
diff --git a/content/en/docs/setup/independent/setup-ha-etcd-with-kubeadm.md b/content/en/docs/setup/independent/setup-ha-etcd-with-kubeadm.md
index dc66ce34f1d0d..9e312d5464da8 100644
--- a/content/en/docs/setup/independent/setup-ha-etcd-with-kubeadm.md
+++ b/content/en/docs/setup/independent/setup-ha-etcd-with-kubeadm.md
@@ -1,7 +1,7 @@
---
reviewers:
- sig-cluster-lifecycle
-title: Set up a high availability etcd cluster with kubeadm
+title: Set up a High Availability etcd cluster with kubeadm
content_template: templates/task
weight: 60
---
@@ -9,7 +9,7 @@ weight: 60
{{% capture overview %}}
Kubeadm defaults to running a single member etcd cluster in a static pod managed
-by the kubelet on the control plane node. This is not a high availability setup
+by the kubelet on the control plane node. This is not a high availability setup
as the etcd cluster contains only one member and cannot sustain any members
becoming unavailable. This task walks through the process of creating a high
availability etcd cluster of three members that can be used as an external etcd
@@ -83,8 +83,8 @@ this example.
HOST=${ETCDHOSTS[$i]}
NAME=${NAMES[$i]}
cat << EOF > /tmp/${HOST}/kubeadmcfg.yaml
- apiVersion: "kubeadm.k8s.io/v1alpha2"
- kind: MasterConfiguration
+ apiVersion: "kubeadm.k8s.io/v1alpha3"
+ kind: ClusterConfiguration
etcd:
local:
serverCertSANs:
@@ -107,7 +107,7 @@ this example.
If you already have a CA then the only action that is copying the CA's `crt` and
`key` file to `/etc/kubernetes/pki/etcd/ca.crt` and
- `/etc/kubernetes/pki/etcd/ca.key`. After those files have been copied,
+ `/etc/kubernetes/pki/etcd/ca.key`. After those files have been copied,
proceed to the next step, "Create certificates for each member".
If you do not already have a CA then run this command on `$HOST0` (where you
diff --git a/content/en/docs/setup/independent/troubleshooting-kubeadm.md b/content/en/docs/setup/independent/troubleshooting-kubeadm.md
index 481b429e023f6..8a66795d50c69 100644
--- a/content/en/docs/setup/independent/troubleshooting-kubeadm.md
+++ b/content/en/docs/setup/independent/troubleshooting-kubeadm.md
@@ -190,7 +190,7 @@ Error from server: Get https://10.19.0.41:10250/containerLogs/default/mysql-ddc6
curl http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address
```
- The workaround is to tell `kubelet` which IP to use using `--node-ip`. When using Digital Ocean, it can be the public one (assigned to `eth0`) or the private one (assigned to `eth1`) should you want to use the optional private network. The [KubeletExtraArgs section of the MasterConfiguration file](https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go#L147) can be used for this.
+ The workaround is to tell `kubelet` which IP to use using `--node-ip`. When using Digital Ocean, it can be the public one (assigned to `eth0`) or the private one (assigned to `eth1`) should you want to use the optional private network. The [`KubeletExtraArgs` section of the kubeadm `NodeRegistrationOptions` structure](https://github.com/kubernetes/kubernetes/blob/release-1.12/cmd/kubeadm/app/apis/kubeadm/v1alpha3/types.go#L163-L166) can be used for this.
Then restart `kubelet`:
diff --git a/content/en/docs/setup/multiple-zones.md b/content/en/docs/setup/multiple-zones.md
index 70ca0fcf0678a..d98604c25e849 100644
--- a/content/en/docs/setup/multiple-zones.md
+++ b/content/en/docs/setup/multiple-zones.md
@@ -73,18 +73,20 @@ available and can tolerate the loss of a zone, the control plane is
located in a single zone. Users that want a highly available control
plane should follow the [high availability](/docs/admin/high-availability) instructions.
+### Volume limitations
+The following limitations are addressed with [topology-aware volume binding](/docs/concepts/storage/storage-classes/#volume-binding-mode).
+
* StatefulSet volume zone spreading when using dynamic provisioning is currently not compatible with
-pod affinity or anti-affinity policies.
+ pod affinity or anti-affinity policies.
* If the name of the StatefulSet contains dashes ("-"), volume zone spreading
-may not provide a uniform distribution of storage across zones.
+ may not provide a uniform distribution of storage across zones.
* When specifying multiple PVCs in a Deployment or Pod spec, the StorageClass
-needs to be configured for a specific, single zone, or the PVs need to be
-statically provisioned in a specific zone. Another workaround is to use a
-StatefulSet, which will ensure that all the volumes for a replica are
-provisioned in the same zone.
-
+ needs to be configured for a specific single zone, or the PVs need to be
+ statically provisioned in a specific zone. Another workaround is to use a
+ StatefulSet, which will ensure that all the volumes for a replica are
+ provisioned in the same zone.
## Walkthrough
diff --git a/content/en/docs/setup/release/notes.md b/content/en/docs/setup/release/notes.md
index 7ba44e23b49f8..45f6f83ae19e7 100644
--- a/content/en/docs/setup/release/notes.md
+++ b/content/en/docs/setup/release/notes.md
@@ -1,725 +1,846 @@
----
-title: v1.11 Release Notes
-content_template: templates/concept
----
-
-{{% capture overview %}}
-
-[Documentation](https://docs.k8s.io) & [Examples](https://github.com/kubernetes/examples)
-
-## Downloads for v1.11.0
+
+- [v1.12.0-rc.2](#v1120-rc2)
+ - [Downloads for v1.12.0-rc.2](#downloads-for-v1120-rc2)
+ - [Client Binaries](#client-binaries)
+ - [Server Binaries](#server-binaries)
+ - [Node Binaries](#node-binaries)
+ - [Changelog since v1.12.0-rc.1](#changelog-since-v1120-rc1)
+ - [Other notable changes](#other-notable-changes)
+- [v1.12.0-rc.1](#v1120-rc1)
+ - [Downloads for v1.12.0-rc.1](#downloads-for-v1120-rc1)
+ - [Client Binaries](#client-binaries-1)
+ - [Server Binaries](#server-binaries-1)
+ - [Node Binaries](#node-binaries-1)
+ - [Changelog since v1.12.0-beta.2](#changelog-since-v1120-beta2)
+ - [Action Required](#action-required)
+ - [Other notable changes](#other-notable-changes-1)
+- [v1.12.0-beta.2](#v1120-beta2)
+ - [Downloads for v1.12.0-beta.2](#downloads-for-v1120-beta2)
+ - [Client Binaries](#client-binaries-2)
+ - [Server Binaries](#server-binaries-2)
+ - [Node Binaries](#node-binaries-2)
+ - [Changelog since v1.12.0-beta.1](#changelog-since-v1120-beta1)
+ - [Action Required](#action-required-1)
+ - [Other notable changes](#other-notable-changes-2)
+- [v1.12.0-beta.1](#v1120-beta1)
+ - [Downloads for v1.12.0-beta.1](#downloads-for-v1120-beta1)
+ - [Client Binaries](#client-binaries-3)
+ - [Server Binaries](#server-binaries-3)
+ - [Node Binaries](#node-binaries-3)
+ - [Changelog since v1.12.0-alpha.1](#changelog-since-v1120-alpha1)
+ - [Action Required](#action-required-2)
+ - [Other notable changes](#other-notable-changes-3)
+- [v1.12.0-alpha.1](#v1120-alpha1)
+ - [Downloads for v1.12.0-alpha.1](#downloads-for-v1120-alpha1)
+ - [Client Binaries](#client-binaries-4)
+ - [Server Binaries](#server-binaries-4)
+ - [Node Binaries](#node-binaries-4)
+ - [Changelog since v1.11.0](#changelog-since-v1110)
+ - [Action Required](#action-required-3)
+ - [Other notable changes](#other-notable-changes-4)
+
+
+
+
+
+# v1.12.0-rc.2
+
+[Documentation](https://docs.k8s.io) & [Examples](https://releases.k8s.io/release-1.12/examples)
+
+## Downloads for v1.12.0-rc.2
filename | sha256 hash
-------- | -----------
-[kubernetes.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes.tar.gz) | `3c779492574a5d8ce702d89915184f5dd52280da909abf134232e5ab00b4a885`
-[kubernetes-src.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-src.tar.gz) | `f0b2d8e61860acaf50a9bae0dc36b8bfdb4bb41b8d0a1bb5a9bc3d87aad3b794`
+[kubernetes.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes.tar.gz) | `184ea437bc72d0e6a4c96b964de53181273e919a1d4785515da3406c7e982bf5`
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-src.tar.gz) | `aee82938827ef05ab0ee81bac42f4f79fff126294469868d02efb3426717d71e`
### Client Binaries
filename | sha256 hash
-------- | -----------
-[kubernetes-client-darwin-386.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-client-darwin-386.tar.gz) | `196738ef058510438b3129f0a72544544b7d52a8732948b4f9358781f87dab59`
-[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-client-darwin-amd64.tar.gz) | `9ec8357b10b79f8fd87f3a836879d0a4bb46fb70adbb82f1e34dc7e91d74999f`
-[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-client-linux-386.tar.gz) | `e8ee8a965d3ea241d9768b9ac868ecbbee112ef45038ff219e4006fa7f4ab4e2`
-[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-client-linux-amd64.tar.gz) | `d31377c92b4cc9b3da086bc1974cbf57b0d2c2b22ae789ba84cf1b7554ea7067`
-[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-client-linux-arm.tar.gz) | `9e9da909293a4682a5d6270a39894b056b3e901532b15eb8fdc0814a8d628d65`
-[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-client-linux-arm64.tar.gz) | `149df9daac3e596042f5759977f9f9299a397130d9dddc2d4a2b513dd64f1092`
-[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-client-linux-ppc64le.tar.gz) | `ff3d3e4714406d92e9a2b7ef2887519800b89f6592a756524f7a37dc48057f44`
-[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-client-linux-s390x.tar.gz) | `e5a39bdc1e474d9d00974a81101e043aaff37c30c1418fb85a0c2561465e14c7`
-[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-client-windows-386.tar.gz) | `4ba1102a33c6d4df650c4864a118f99a9882021fea6f250a35f4b4f4a2d68eaa`
-[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-client-windows-amd64.tar.gz) | `0bb74af7358f9a2f4139ed1c10716a2f5f0c1c13ab3af71a0621a1983233c8d7`
+[kubernetes-client-darwin-386.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-client-darwin-386.tar.gz) | `40ed3ef9bbc4fad7787dd14eae952edf06d40e1094604bc6d10209b8778c3121`
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-client-darwin-amd64.tar.gz) | `a317fe3801ea5387ce474b9759a7e28ede8324587f79935a7a945da44c99a4b2`
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-client-linux-386.tar.gz) | `cd61b4b71d6b739582c02b5be1d87d928507bc59f64ee72629a920cc529a0941`
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-client-linux-amd64.tar.gz) | `306af04fc18ca2588e16fd831358df50a2cb02219687b543073836f835de8583`
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-client-linux-arm.tar.gz) | `497584f2686339cce857cff1ebf4ed10dcd63f4684a03c242b0828fcd307be4c`
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-client-linux-arm64.tar.gz) | `1dfbb8c299f5af15239ef39135a6c8a52ee4c234764ee0437d8f707e636c9124`
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-client-linux-ppc64le.tar.gz) | `668d6f35c5f6adcd25584d9ef74c549db13ffca9d93b4bc8d25609a8e5837640`
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-client-linux-s390x.tar.gz) | `8a8e205c38858bd9d161115e5e2870c6cfc9c82e189d156e7062e6fa979c3fda`
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-client-windows-386.tar.gz) | `cdef48279c22cc8c764e43a4b9c2a86f02f21c80abbbcd48041fb1e89fb1eb67`
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-client-windows-amd64.tar.gz) | `50621a3d2b1550c69325422c6dce78f5690574b35d3778dd3afcf698b57f0f54`
### Server Binaries
filename | sha256 hash
-------- | -----------
-[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-server-linux-amd64.tar.gz) | `b8a8a88afd8a40871749b2362dbb21295c6a9c0a85b6fc87e7febea1688eb99e`
-[kubernetes-server-linux-arm.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-server-linux-arm.tar.gz) | `88b9168013bb07a7e17ddc0638e7d36bcd2984d049a50a96f54cb4218647d8da`
-[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-server-linux-arm64.tar.gz) | `12fab9e9f0e032f278c0e114c72ea01899a0430fc772401f23e26de306e0f59f`
-[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-server-linux-ppc64le.tar.gz) | `6616d726a651e733cfd4cccd78bfdc1d421c4a446edf4b617b8fd8f5e21f073e`
-[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-server-linux-s390x.tar.gz) | `291838980929c8073ac592219d9576c84a9bdf233585966c81a380c3d753316e`
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-server-linux-amd64.tar.gz) | `87a8438887a2daa199508aae591b158025860b8381c64cbe9b1d0c06c4eebde9`
+[kubernetes-server-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-server-linux-arm.tar.gz) | `f65be73870a0e564ef8ce1b6bb2b75ff7021a6807de84b5750e4fa78635051b6`
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-server-linux-arm64.tar.gz) | `171f15aa8b7c365f4fee70ce025c882a921d0075bd726a99b5534cadd09273ef`
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-server-linux-ppc64le.tar.gz) | `abc2003d58bd1aca517415c582ed1e8bb1ed596bf04197f4fc7c0c51865a9f86`
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-server-linux-s390x.tar.gz) | `e2ce834abb4d45d91fd7a8d774e47f0f8092eb4edcf556605c2ef6e2b190b8b1`
### Node Binaries
filename | sha256 hash
-------- | -----------
-[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-node-linux-amd64.tar.gz) | `b23e905efb828fdffc4efc208f7343236b22c964e408fe889f529502aed4a335`
-[kubernetes-node-linux-arm.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-node-linux-arm.tar.gz) | `44bf8973581887a2edd33eb637407e76dc0dc3a5abcc2ff04aec8338b533156d`
-[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-node-linux-arm64.tar.gz) | `51e481c782233b46ee21e9635c7d8c2a84450cbe30d7b1cbe5c5982b33f40b13`
-[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-node-linux-ppc64le.tar.gz) | `d1a3feda31a954d3a83193a51a117873b6ef9f8acc3e10b3f1504fece91f2eb8`
-[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-node-linux-s390x.tar.gz) | `0ad76c6e6aef670c215256803b3b0d19f4730a0843429951c6421564c73d4932`
-[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.11.0/kubernetes-node-windows-amd64.tar.gz) | `8ad26200ed40d40a1b78d7a5dbe56220f0813d31194f40f267b476499fe2c5c3`
-
-## Urgent Upgrade Notes
-
-{{< caution >}}
-**Caution**: You **MUST** do this before you upgrade!
-{{< /caution >}}
-
-Before upgrading to Kubernetes 1.11, you must keep the following in mind:
-
-* **JSON configuration files that contain fields with incorrect case will no longer be valid. You must correct these files before upgrading.** When specifying keys in JSON resource definitions during direct API server communication, the keys are case-sensitive. A bug introduced in Kubernetes 1.8 caused the API server to accept a request with incorrect case and coerce it to correct case, but this behaviour has been fixed in 1.11 and the API server will once again be enforcing the correct case. It’s worth noting that during this time, the `kubectl` tool continued to enforce case-sensitive keys, so users that strictly manage resources with `kubectl` will be unaffected by this change. ([#65034](https://github.com/kubernetes/kubernetes/pull/65034), [@caesarxuchao](https://github.com/caesarxuchao))
-* **[Pod priority and preemption](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/) is now enabled by default.** Note that this means that pods from *any* namespace can now request priority classes that compete with and/or cause preemption of critical system pods that are already running. If that is not desired, disable the PodPriority feature by setting `--feature-gates=PodPriority=false` on the kube-apiserver, kube-scheduler, and kubelet components before upgrading to 1.11. Disabling the PodPriority feature limits [critical pods](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical-when-priorites-are-enabled) to the `kube-system` namespace.
-
-{{% /capture %}}
-
-{{< toc >}}
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-node-linux-amd64.tar.gz) | `6016c3a1e14c42dcc88caed6497de1b2c56a02bb52d836b19e2ff52098302dda`
+[kubernetes-node-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-node-linux-arm.tar.gz) | `e712e38c8037159ea074ad93c2f2905cf279f3f119e5fdbf9b97391037a8813f`
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-node-linux-arm64.tar.gz) | `7f4095f12d8ad9438919fa447360113799f88bb9435369b9307a41dd9c7692a6`
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-node-linux-ppc64le.tar.gz) | `4aeb5dbb0c68e54570542eb5a1d7506d73c81b57eba3c2080ee73bb53dbc3be0`
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-node-linux-s390x.tar.gz) | `a160599598167208286db6dc73b415952836218d967fa964fc432b213f1b9908`
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.2/kubernetes-node-windows-amd64.tar.gz) | `174bedf62b7959d4cb1b1595666f607cd6377c7a2e2208fef5bd554603db5db3`
-{{% capture body %}}
+## Changelog since v1.12.0-rc.1
-## Major Themes
+### Other notable changes
-### SIG API Machinery
+* Update to use manifest list for etcd image ([#68896](https://github.com/kubernetes/kubernetes/pull/68896), [@ixdy](https://github.com/ixdy))
+* Fix Azure nodes power state for InstanceShutdownByProviderID() ([#68921](https://github.com/kubernetes/kubernetes/pull/68921), [@feiskyer](https://github.com/feiskyer))
+* Bump kube-dns to 1.14.13 ([#68900](https://github.com/kubernetes/kubernetes/pull/68900), [@MrHohn](https://github.com/MrHohn))
+ * - Update Alpine base image to 3.8.1.
+ * - Build multi-arch images correctly.
+* kubelet: fix grpc timeout in the CRI client ([#67793](https://github.com/kubernetes/kubernetes/pull/67793), [@fisherxu](https://github.com/fisherxu))
+* Update to golang 1.10.4 ([#68802](https://github.com/kubernetes/kubernetes/pull/68802), [@ixdy](https://github.com/ixdy))
+* kubeadm now uses fat manifests for the kube-dns images ([#68830](https://github.com/kubernetes/kubernetes/pull/68830), [@rosti](https://github.com/rosti))
+* Update Cluster Autoscaler version to 1.12.0. ([#68739](https://github.com/kubernetes/kubernetes/pull/68739), [@losipiuk](https://github.com/losipiuk))
+ * See https://github.com/kubernetes/autoscaler/releases/tag/1.12.0 for CA release notes.
+* kube-proxy restores the *filter table when running in ipvs mode. ([#68786](https://github.com/kubernetes/kubernetes/pull/68786), [@alexjx](https://github.com/alexjx))
+* New kubeDNS image fixes an issue where SRV records were incorrectly being compressed. Added manifest file for multiple arch images. ([#68430](https://github.com/kubernetes/kubernetes/pull/68430), [@prameshj](https://github.com/prameshj))
+* Drain should delete terminal pods. ([#68767](https://github.com/kubernetes/kubernetes/pull/68767), [@ravisantoshgudimetla](https://github.com/ravisantoshgudimetla))
-This release SIG API Machinery focused mainly on CustomResources. For example, subresources for CustomResources are now beta and enabled by default. With this, updates to the `/status` subresource will disallow updates to all fields other than `.status` (not just `.spec` and `.metadata` as before). Also, `required` and `description` can be used at the root of the CRD OpenAPI validation schema when the `/status` subresource is enabled.
-In addition, users can now create multiple versions of CustomResourceDefinitions, but without any kind of automatic conversion, and CustomResourceDefinitions now allow specification of additional columns for `kubectl get` output via the `spec.additionalPrinterColumns` field.
-### SIG Auth
+# v1.12.0-rc.1
-Work this cycle focused on graduating existing functions, and on making security functions more understandable for users.
+[Documentation](https://docs.k8s.io) & [Examples](https://releases.k8s.io/release-1.12/examples)
-RBAC [cluster role aggregation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles), introduced in 1.9, graduated to stable status with no changes in 1.11, and [client-go credential plugins](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) graduated to beta status, while also adding support for obtaining TLS credentials from an external plugin.
+## Downloads for v1.12.0-rc.1
-Kubernetes 1.11 also makes it easier to see what's happening, as audit events can now be annotated with information about how an API request was handled:
-* Authorization sets `authorization.k8s.io/decision` and `authorization.k8s.io/reason` annotations with the authorization decision ("allow" or "forbid") and a human-readable description of why the decision was made (for example, RBAC includes the name of the role/binding/subject which allowed a request).
-* PodSecurityPolicy admission sets `podsecuritypolicy.admission.k8s.io/admit-policy` and `podsecuritypolicy.admission.k8s.io/validate-policy` annotations containing the name of the policy that allowed a pod to be admitted. (PodSecurityPolicy also gained the ability to [limit hostPath volume mounts to be read-only](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems).)
-
-In addition, the NodeRestriction admission plugin now prevents kubelets from modifying taints on their Node API objects, making it easier to keep track of which nodes should be in use.
-
-### SIG CLI
-
-SIG CLI's main focus this release was on refactoring `kubectl` internals to improve composability, readability and testability of `kubectl` commands. Those refactors will allow the team to extract a mechanism for extensibility of kubectl -- that is, plugins -- in the next releases.
-
-### SIG Cluster Lifecycle
-
-SIG Cluster Lifecycle focused on improving kubeadm’s user experience by including a set of new commands related to maintaining the kubeadm configuration file, the API version of which has now has been incremented to `v1alpha2`. These commands can handle the migration of the configuration to a newer version, printing the default configuration, and listing and pulling the required container images for bootstrapping a cluster.
-
-Other notable changes include:
-
-* CoreDNS replaces kube-dns as the default DNS provider
-* Improved user experience for environments without a public internet connection and users using other CRI runtimes than Docker
-* Support for structured configuration for the kubelet, which avoids the need to modify the systemd drop-in file
-* Many improvements to the upgrade process and other bug fixes
+filename | sha256 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes.tar.gz) | `ac65cf9571c3a03105f373db23c8d7f4d01fe1c9ee09b06615bb02d0b81d572c`
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-src.tar.gz) | `28518e1d9c7fe5c54aa3b57235ac8d1a7dae02aec04177c38ca157fc2d16edb6`
-### SIG Instrumentation
+### Client Binaries
-As far as Sig Instrumentation, the major change in Kubernetes 1.11 is the deprecation of Heapster as part of ongoing efforts to move to the new Kubernetes monitoring model. Clusters still using Heapster for autoscaling should be migrated over to metrics-server and the custom metrics API. See the deprecation section for more information.
+filename | sha256 hash
+-------- | -----------
+[kubernetes-client-darwin-386.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-client-darwin-386.tar.gz) | `7b6f6f264464d40b7975baecdd796d4f75c5a305999b4ae1f4513646184cac7c`
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-client-darwin-amd64.tar.gz) | `5feabe3e616125a36ce4c8021d6bdccdec0f3d82f151b80af7cac1453255b4d5`
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-client-linux-386.tar.gz) | `40524a1a09dd24081b3494593a02a461227727f8706077542f2b8603e1cf7e06`
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-client-linux-amd64.tar.gz) | `ac2c9757d7df761bdf8ffc259fff07448c300dd110c7dbe2ae3830197eb023e9`
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-client-linux-arm.tar.gz) | `02f27ae16e8ebb12b3cb66391fe85f64de08a99450d726e9defd2c5bcd590955`
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-client-linux-arm64.tar.gz) | `1286af2cad3f8e2ee8e2dc18a738935779631b58e7ef3da8794bbeadca2f332e`
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-client-linux-ppc64le.tar.gz) | `9c04419b159fb0fe501d6e0c8122d6a80b5d6961070ebc5e759f4327a1156cf4`
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-client-linux-s390x.tar.gz) | `104d5c695826971c64cb0cec26cf791d609d3e831edb33574e9af2c4b191f049`
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-client-windows-386.tar.gz) | `0096f8126eb04eafa9decd258f6d09977d24eee91b83781347a34ebb7d2064aa`
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-client-windows-amd64.tar.gz) | `a641a1a421795279a6213163d7becab9dc6014362e6566f13d660ef1638dc286`
-### SIG Network
+### Server Binaries
-The main milestones for SIG Network this release are the graduation of IPVS-based load balancing and CoreDNS to general availability.
+filename | sha256 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-server-linux-amd64.tar.gz) | `202958d3cfb774fd065ad1ec2477dc9c92ce7f0ff355807c9a2a3a61e8dad927`
+[kubernetes-server-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-server-linux-arm.tar.gz) | `474de8f6a58d51eb01f6cc73b41897351528a839f818d5c4f828a484f8bc988b`
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-server-linux-arm64.tar.gz) | `dbd5affd244815bf45ac0c7a56265800864db623a6a37e7ce9ebe5e5896453f8`
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-server-linux-ppc64le.tar.gz) | `a62fefa8ad7b3fbfeb7702dac7d4d6f37823b6c3e4edae3356bf0781b48e42e1`
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-server-linux-s390x.tar.gz) | `0f77690f87503c8ee7ccb473c9d2b9d26420292defd82249509cf50d8bb1a16c`
-IPVS is an alternative approach to in-cluster load balancing that uses in-kernel hash tables rather than the previous iptables approach, while CoreDNS is a replacement for kube-dns for service discovery.
+### Node Binaries
-### SIG Node
+filename | sha256 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-node-linux-amd64.tar.gz) | `2191845147d5aab08f14312867f86078b513b6aff8685bb8ce84a06b78ae9914`
+[kubernetes-node-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-node-linux-arm.tar.gz) | `54de98d7d2a71b78bc7a45e70a2005144d210401663f5a9daadedd05f89291f0`
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-node-linux-arm64.tar.gz) | `a765514e0c4865bb20ceb476af83b9d9356c9b565cfe12615ecf7ad3d5a6b4f7`
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-node-linux-ppc64le.tar.gz) | `b7ae7d159602d0b933614071f11216ede4df3fc2b28a30d0018e06b3bb22cf6e`
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-node-linux-s390x.tar.gz) | `7d4f502eda6aa70b7a18420344abfaec740d74a1edffcb9869e4305c22bba260`
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.12.0-rc.1/kubernetes-node-windows-amd64.tar.gz) | `ed5516b1f66a39592a101bec135022b3905a66ae526b8ed3e2e9dff5ed68eda0`
+
+## Changelog since v1.12.0-beta.2
+
+### Action Required
+
+* Service events are now added in azure-cloud-provider for easily identify the underground errors of Azure API. ([#68212](https://github.com/kubernetes/kubernetes/pull/68212), [@feiskyer](https://github.com/feiskyer))
+ * Action required: The following clusterrole and clusterrolebinding should be applied:
+ * kind: List
+ * apiVersion: v1
+ * items:
+ * - apiVersion: rbac.authorization.k8s.io/v1
+ * kind: ClusterRole
+ * metadata:
+ * labels:
+ * kubernetes.io/cluster-service: "true"
+ * name: system:azure-cloud-provider
+ * rules:
+ * - apiGroups: [""]
+ * resources: ["events"]
+ * verbs:
+ * - create
+ * - patch
+ * - update
+ * - apiVersion: rbac.authorization.k8s.io/v1
+ * kind: ClusterRoleBinding
+ * metadata:
+ * labels:
+ * kubernetes.io/cluster-service: "true"
+ * name: system:azure-cloud-provider
+ * roleRef:
+ * apiGroup: rbac.authorization.k8s.io
+ * kind: ClusterRole
+ * name: system:azure-cloud-provider
+ * subjects:
+ * - kind: ServiceAccount
+ * name: azure-cloud-provider
+ * namespace: kube-system
+ * If the clusterrole with same has already been provisioned (e.g. for accessing azurefile secrets), then the above yaml should be merged togather, e.g.
+ * kind: List
+ * apiVersion: v1
+ * items:
+ * - apiVersion: rbac.authorization.k8s.io/v1
+ * kind: ClusterRole
+ * metadata:
+ * labels:
+ * kubernetes.io/cluster-service: "true"
+ * name: system:azure-cloud-provider
+ * rules:
+ * - apiGroups: [""]
+ * resources: ["events"]
+ * verbs:
+ * - create
+ * - patch
+ * - update
+ * - apiGroups: [""]
+ * resources: ["secrets"]
+ * verbs:
+ * - get
+ * - create
+ * - apiVersion: rbac.authorization.k8s.io/v1
+ * kind: ClusterRoleBinding
+ * metadata:
+ * labels:
+ * kubernetes.io/cluster-service: "true"
+ * name: system:azure-cloud-provider
+ * roleRef:
+ * apiGroup: rbac.authorization.k8s.io
+ * kind: ClusterRole
+ * name: system:azure-cloud-provider
+ * subjects:
+ * - kind: ServiceAccount
+ * name: azure-cloud-provider
+ * namespace: kube-system
+ * - kind: ServiceAccount
+ * name: persistent-volume-binder
+ * namespace: kube-system
+
+### Other notable changes
+
+* Update metrics-server to v0.3.1 ([#68746](https://github.com/kubernetes/kubernetes/pull/68746), [@DirectXMan12](https://github.com/DirectXMan12))
+* Upgrade kubeadm's version of docker support ([#68495](https://github.com/kubernetes/kubernetes/pull/68495), [@yuansisi](https://github.com/yuansisi))
+* fix a bug that overwhelming number of prometheus metrics are generated because $NAMESPACE is not replaced by string "{namespace}" ([#68530](https://github.com/kubernetes/kubernetes/pull/68530), [@wenjiaswe](https://github.com/wenjiaswe))
+* The feature gates `ReadOnlyAPIDataVolumes` and `ServiceProxyAllowExternalIPs`, deprecated since 1.10, have been removed and any references must be removed from command-line invocations. ([#67951](https://github.com/kubernetes/kubernetes/pull/67951), [@liggitt](https://github.com/liggitt))
+* Verify invalid secret/configmap/projected volumes before calling setup ([#68691](https://github.com/kubernetes/kubernetes/pull/68691), [@gnufied](https://github.com/gnufied))
+* Fix bug that caused `kubectl` commands to sometimes fail to refresh access token when running against GKE clusters. ([#66314](https://github.com/kubernetes/kubernetes/pull/66314), [@jlowdermilk](https://github.com/jlowdermilk))
+* Use KubeDNS by default in GCE setups, as CoreDNS has significantly higher memory usage in large clusters. ([#68629](https://github.com/kubernetes/kubernetes/pull/68629), [@shyamjvs](https://github.com/shyamjvs))
+* Fix PodAntiAffinity issues in case of multiple affinityTerms. ([#68173](https://github.com/kubernetes/kubernetes/pull/68173), [@Huang-Wei](https://github.com/Huang-Wei))
+* Make APIGroup field in TypedLocalObjectReference optional. ([#68419](https://github.com/kubernetes/kubernetes/pull/68419), [@xing-yang](https://github.com/xing-yang))
+* Fix potential panic when getting azure load balancer status ([#68609](https://github.com/kubernetes/kubernetes/pull/68609), [@feiskyer](https://github.com/feiskyer))
+* Fix kubelet panics when RuntimeClass is enabled. ([#68521](https://github.com/kubernetes/kubernetes/pull/68521), [@yujuhong](https://github.com/yujuhong))
+* - cAdvisor: Fix NVML initialization race condition ([#68431](https://github.com/kubernetes/kubernetes/pull/68431), [@dashpole](https://github.com/dashpole))
+ * - cAdvisor: Fix brtfs filesystem discovery
+ * - cAdvisor: Fix race condition with AllDockerContainers
+ * - cAdvisor: Don't watch .mount cgroups
+ * - cAdvisor: Reduce lock contention during list containers
+* Promote ScheduleDaemonSetPods by default scheduler to beta ([#67899](https://github.com/kubernetes/kubernetes/pull/67899), [@ravisantoshgudimetla](https://github.com/ravisantoshgudimetla))
+
+
+
+# v1.12.0-beta.2
+
+[Documentation](https://docs.k8s.io) & [Examples](https://releases.k8s.io/release-1.12/examples)
+
+## Downloads for v1.12.0-beta.2
-SIG-Node advanced several features and made incremental improvements in a few key topic areas this release.
-The dynamic kubelet config feature graduated to beta, so it is enabled by default, simplifying management of the node object itself. Kubelets that are configured to work with the CRI may take advantage of the log rotation feature, which is graduating to beta this release.
+filename | sha256 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes.tar.gz) | `7163d18b9c1bd98ce804b17469ed67b399deb7b574dd12a86609fc647c5c773b`
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-src.tar.gz) | `6225b71b2dec0f29afb713e64d2b6b82bd0e122274c31310c0de19ef023cb1d0`
-The cri-tools project, which aims to provide consistent tooling for operators to debug and introspect their nodes in production independent of their chosen container runtime, graduated to GA.
+### Client Binaries
-As far as platforms, working with SIG-Windows, enhancements were made to the kubelet to improve platform support on Windows operating systems, and improvements to resource management were also made. In particular, support for sysctls on Linux graduated to beta.
+filename | sha256 hash
+-------- | -----------
+[kubernetes-client-darwin-386.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-client-darwin-386.tar.gz) | `f2ec9799e47c28fce336bc90a6e9b4e47def7081fd73b8e2164940f0a6c824c7`
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-client-darwin-amd64.tar.gz) | `0e8cfcbe5ec862423ced97da1d9740d4cc4904a0d5cd11a60616aee596bc7622`
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-client-linux-386.tar.gz) | `1cbd6e8dd892cfc2555d37e733b66aaf85df9950466c7295875d312ac254ddfc`
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-client-linux-amd64.tar.gz) | `47337b58a26a4953e5c061d28e3ec89b3d4354bce40f9b51fbe269598caeff03`
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-client-linux-arm.tar.gz) | `eaaed82f428fb7ddbb10b4e39a2f287817c33ae24ff16008159f437acc653d4a`
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-client-linux-arm64.tar.gz) | `3249d1c7d5d5500793546eb144fe537d1984a01c7a79c1382eb2e26a78e532cd`
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-client-linux-ppc64le.tar.gz) | `67afd34f2199deff901b0872a177dc448ba700dc4ced9ede6f3187a0eed2c6fb`
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-client-linux-s390x.tar.gz) | `e8faa6e45c6e2aeb67ac65737e09be87c190e3c89782ec87a9a205d4f1af9246`
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-client-windows-386.tar.gz) | `2395051c8cbd0a995b5f3689c0f8c0447bcc1c46440d8cdeffd7c7fccf8e8ae1`
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-client-windows-amd64.tar.gz) | `c6a38ee6eda20656b391ecfcc1f24505eb8a3a5a3200d4bddede318291773619`
-### SIG OpenStack
+### Server Binaries
-SIG-OpenStack continued to build out testing, with eleven acceptance tests covering a wide-range of scenarios and use-cases. During the 1.11 cycle our reporting back to test-grid has qualified the OpenStack cloud provider as a gating job for the Kubernetes release.
+filename | sha256 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-server-linux-amd64.tar.gz) | `795c713a91118218f5952e1bd4cf0933f36476aa3d9d60a9ee43c9bae8400fd3`
+[kubernetes-server-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-server-linux-arm.tar.gz) | `1798d48a37b8f06878e0ecb8d9b67d0fb5c8ee721608412add57725eb5ce5f1e`
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-server-linux-arm64.tar.gz) | `da2459b5e811daaa2fc04a072773e81dc220400f3aeb6e29bb9594c306c7b266`
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-server-linux-ppc64le.tar.gz) | `7fd1c2ba0c2c9da5db54f8d0aed28261f03e9953ce01fa367e4ce3d84bf01b4f`
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-server-linux-s390x.tar.gz) | `c9fafb009d7e5da74f588aaa935244c452de52b9488863b90e8b477b1bb16e52`
-New features include improved integration between the Keystone service and Kubernetes RBAC, and a number of stability and compatibility improvements across the entire provider code-base.
+### Node Binaries
-### SIG Scheduling
-[Pod Priority and Preemption](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/) has graduated to Beta, so it is enabled by default. Note that this involves [significant and important changes for operators](https://github.com/kubernetes/sig-release/pull/201/files). The team also worked on improved performance and reliability of the scheduler.
+filename | sha256 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-node-linux-amd64.tar.gz) | `ab901137b499829b20b868492d04c1f69d738620b96eb349c642d6d773c44448`
+[kubernetes-node-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-node-linux-arm.tar.gz) | `116dd82721f200f3f37df0e47aebb611fdd7856f94d4c2ebb1d51db21b793a9c`
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-node-linux-arm64.tar.gz) | `56d8316eb95f7f54c154625063617b86ffb8e2cc80b8225cce4f5c91d2d3a64f`
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-node-linux-ppc64le.tar.gz) | `66535b16ad588ba3bfcb40728a0497c6821360ab7be9c3ced2072bfa107e5c46`
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-node-linux-s390x.tar.gz) | `688e09becc9327e50c68b33161eac63a8ba018c02fb298cbd0de82d6ed5dba90`
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.2/kubernetes-node-windows-amd64.tar.gz) | `b72582f67d19c06f605ca9b02c08b7227796c15c639e3c09b06a8b667c4569fe`
+
+## Changelog since v1.12.0-beta.1
+
+### Action Required
+
+* Action required: The --storage-versions flag of kube-apiserver is deprecated. Please omit this flag to ensure the default storage versions are used. Otherwise the cluster is not safe to upgrade to a version newer than 1.12. This flag will be removed in 1.13. ([#68080](https://github.com/kubernetes/kubernetes/pull/68080), [@caesarxuchao](https://github.com/caesarxuchao))
+
+### Other notable changes
+
+* kubeadm: add mandatory "--config" flag to "kubeadm alpha phase preflight" ([#68446](https://github.com/kubernetes/kubernetes/pull/68446), [@neolit123](https://github.com/neolit123))
+* Apply user configurations for local etcd ([#68334](https://github.com/kubernetes/kubernetes/pull/68334), [@SataQiu](https://github.com/SataQiu))
+* kubeadm: added phase command "alpha phase kubelet config annotate-cri" ([#68449](https://github.com/kubernetes/kubernetes/pull/68449), [@fabriziopandini](https://github.com/fabriziopandini))
+* If `TaintNodesByCondition` is enabled, add `node.kubernetes.io/unschedulable` and ([#64954](https://github.com/kubernetes/kubernetes/pull/64954), [@k82cn](https://github.com/k82cn))
+ * `node.kubernetes.io/network-unavailable` automatically to DaemonSet pods.
+* Deprecate cloudstack and ovirt controllers ([#68199](https://github.com/kubernetes/kubernetes/pull/68199), [@dims](https://github.com/dims))
+* add missing LastTransitionTime of ContainerReady condition ([#64867](https://github.com/kubernetes/kubernetes/pull/64867), [@dixudx](https://github.com/dixudx))
+* kube-controller-manager: use informer cache instead of active pod gets in HPA controller ([#68241](https://github.com/kubernetes/kubernetes/pull/68241), [@krzysztof-jastrzebski](https://github.com/krzysztof-jastrzebski))
+* Support NodeShutdown taint for azure ([#68033](https://github.com/kubernetes/kubernetes/pull/68033), [@yastij](https://github.com/yastij))
+* Registers volume topology information reported by a node-level Container Storage Interface (CSI) driver. This enables Kubernetes support of CSI topology mechanisms. ([#67684](https://github.com/kubernetes/kubernetes/pull/67684), [@verult](https://github.com/verult))
+* Update default etcd server to 3.2.24 for kubernetes 1.12 ([#68318](https://github.com/kubernetes/kubernetes/pull/68318), [@timothysc](https://github.com/timothysc))
+* External CAs can now be used for kubeadm with only a certificate, as long as all required certificates already exist. ([#68296](https://github.com/kubernetes/kubernetes/pull/68296), [@liztio](https://github.com/liztio))
+* Bump addon-manager to v8.7 ([#68299](https://github.com/kubernetes/kubernetes/pull/68299), [@MrHohn](https://github.com/MrHohn))
+ * - Support extra `--prune-whitelist` resources in kube-addon-manager.
+ * - Update kubectl to v1.10.7.
+* Let service controller retry creating load balancer when persistUpdate failed due to conflict. ([#68087](https://github.com/kubernetes/kubernetes/pull/68087), [@grayluck](https://github.com/grayluck))
+* Kubelet now only sync iptables on Linux. ([#67690](https://github.com/kubernetes/kubernetes/pull/67690), [@feiskyer](https://github.com/feiskyer))
+* CSI NodePublish call can optionally contain information about the pod that requested the CSI volume. ([#67945](https://github.com/kubernetes/kubernetes/pull/67945), [@jsafrane](https://github.com/jsafrane))
+* [e2e] verifying LimitRange update is effective before creating new pod ([#68171](https://github.com/kubernetes/kubernetes/pull/68171), [@dixudx](https://github.com/dixudx))
+* cluster/gce: generate consistent key sizes in config-default.sh using /dev/urandom instead of /dev/random ([#67139](https://github.com/kubernetes/kubernetes/pull/67139), [@yogi-sagar](https://github.com/yogi-sagar))
+* Add support for volume attach limits for CSI volumes ([#67731](https://github.com/kubernetes/kubernetes/pull/67731), [@gnufied](https://github.com/gnufied))
+* CSI volume plugin does not need external attacher for non-attachable CSI volumes. ([#67955](https://github.com/kubernetes/kubernetes/pull/67955), [@jsafrane](https://github.com/jsafrane))
+* KubeletPluginsWatcher feature graduates to beta. ([#68200](https://github.com/kubernetes/kubernetes/pull/68200), [@RenaudWasTaken](https://github.com/RenaudWasTaken))
+* Update etcd client to 3.2.24 for latest release ([#68147](https://github.com/kubernetes/kubernetes/pull/68147), [@timothysc](https://github.com/timothysc))
+* [fluentd-gcp-scaler addon] Bump fluentd-gcp-scaler to 0.4 to pick up security fixes. ([#67691](https://github.com/kubernetes/kubernetes/pull/67691), [@loburm](https://github.com/loburm))
+ * [prometheus-to-sd addon] Bump prometheus-to-sd to 0.3.1 to pick up security fixes, bug fixes and new features.
+ * [event-exporter addon] Bump event-exporter to 0.2.3 to pick up security fixes.
+* Fixes issue where pod scheduling may fail when using local PVs and pod affinity and anti-affinity without the default StatefulSet OrderedReady pod management policy ([#67556](https://github.com/kubernetes/kubernetes/pull/67556), [@msau42](https://github.com/msau42))
+* Kubelet only applies default hard evictions of nodefs.inodesFree on Linux ([#67709](https://github.com/kubernetes/kubernetes/pull/67709), [@feiskyer](https://github.com/feiskyer))
+* Add kubelet stats for windows system container "pods" ([#66427](https://github.com/kubernetes/kubernetes/pull/66427), [@feiskyer](https://github.com/feiskyer))
+* Add a TTL machenism to clean up Jobs after they finish. ([#66840](https://github.com/kubernetes/kubernetes/pull/66840), [@janetkuo](https://github.com/janetkuo))
+
+
+
+# v1.12.0-beta.1
+
+[Documentation](https://docs.k8s.io) & [Examples](https://releases.k8s.io/release-1.12/examples)
+
+## Downloads for v1.12.0-beta.1
-### SIG Storage
-Sig Storage graduated two features that had been introduced in previous versions and introduced three new features in an alpha state.
+filename | sha256 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes.tar.gz) | `caa332b14a6ea9d24710e3b015a91b62c04cab14bed14c49077e08bd82b8f4c1`
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-src.tar.gz) | `821bdea3a52a348306fa8226bcfffa67b375cf1dd80e4be343ce0b38dd20a9a0`
-The StorageProtection feature, which prevents deletion of PVCs while Pods are still using them and of PVs while still bound to a PVC, is now generally available, and volume resizing, which lets you increase size of a volume after a Pod restarts is now beta, which means it is on by default.
+### Client Binaries
-New alpha features include:
+filename | sha256 hash
+-------- | -----------
+[kubernetes-client-darwin-386.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-client-darwin-386.tar.gz) | `58323c0a81afe53dd0dda1c6eb513caa4c82514fb6c7f0a327242e573ce80490`
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-client-darwin-amd64.tar.gz) | `28e9344ede16890ea7848c261e461ded89c3bb2dd5b08446da04b071b48f0b02`
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-client-linux-386.tar.gz) | `a9eece5e0994d2ad5e07152d88787a8b5e9efcdf78983a5bafe3699e5274a9da`
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-client-linux-amd64.tar.gz) | `9a67750cc4243335f0c2eb89db1c4b54b0a8af08c59e2041636d0a3e946546bf`
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-client-linux-arm.tar.gz) | `bbd2644f843917a3de517a53c90b327502b577fe533a9ad3da4fe6bc437c4a02`
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-client-linux-arm64.tar.gz) | `630946f49ef18dd43c004d99dccd9ae76390281f54740d7335c042f6f006324b`
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-client-linux-ppc64le.tar.gz) | `1d4e5cd83faf4cae8e16667576492fcd48a72f69e8fd89d599a8b555a41e90d6`
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-client-linux-s390x.tar.gz) | `9cefdcf21a62075b5238fda8ef2db08f81b0541ebce0e67353af1dded9e53483`
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-client-windows-386.tar.gz) | `8b0085606ff38bded362bbe4826b5c8ee5199a33d5cbbc1b9b58f1336648ad5b`
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-client-windows-amd64.tar.gz) | `f44a3ec55dc7d926e681c33b5f7830c6d1cb165e24e349e426c1089b2d05a1df`
-* Online volume resizing will increase the filesystem size of a resized volume without requiring a Pod restart.
-* AWS EBS and GCE PD volumes support increased limits on the maximum number of attached volumes per node.
-* Subpath volume directories can be created using DownwardAPI environment variables.
+### Server Binaries
-### SIG Windows
+filename | sha256 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-server-linux-amd64.tar.gz) | `1bf7364aa168fc251768bc850d66fef1d93f324f0ec85f6dce74080627599b70`
+[kubernetes-server-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-server-linux-arm.tar.gz) | `dadc94fc0564cfa98add5287763bbe9c33bf8ba3eebad95fb2258c33fe8c5df3`
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-server-linux-arm64.tar.gz) | `2e6c8a7810705594f191b33476bf4c8fca8cebb364f0855dfea577b01fca7b7e`
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-server-linux-ppc64le.tar.gz) | `ced4a0a4e03639378eff0d3b8bfb832f5fb96be8df3e0befbdbd71373a323130`
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-server-linux-s390x.tar.gz) | `7e1a3fac2115c15b5baa0db04c7f319fbaaca92aa4c4588ecf62fb19812465a8`
-This release supports more of Kubernetes API for pods and containers on Windows, including:
+### Node Binaries
-* Metrics for Pod, Container, Log filesystem
-* The run_as_user security contexts
-* Local persistent volumes and fstype for Azure disk
+filename | sha256 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-node-linux-amd64.tar.gz) | `81d2e2f4cd3254dd345c1e921b12bff62eb96e7551336c44fb0da5407bf5fe5f`
+[kubernetes-node-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-node-linux-arm.tar.gz) | `b14734a20190aca2b2af9cee59549d285be4f0c38faf89c5308c94534110edc1`
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-node-linux-arm64.tar.gz) | `ad0a81ecf6ef8346b7aa98a8d02a4f3853d0a5439d149a14b1ac2307b763b2ad`
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-node-linux-ppc64le.tar.gz) | `8e6d72837fe19afd055786c8731bd555fe082e107195c956c6985e56a03d504f`
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-node-linux-s390x.tar.gz) | `0fc7d55fb2750b29c0bbc36da050c8bf14508b1aa40e38e3b7f6cf311b464827`
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.12.0-beta.1/kubernetes-node-windows-amd64.tar.gz) | `09bf133156b9bc474d272bf16e765b143439959a1f007283c477e7999f2b4d6a`
+
+## Changelog since v1.12.0-alpha.1
+
+### Action Required
+
+* Move volume dynamic provisioning scheduling to beta (ACTION REQUIRED: The DynamicProvisioningScheduling alpha feature gate has been removed. The VolumeScheduling beta feature gate is still required for this feature) ([#67432](https://github.com/kubernetes/kubernetes/pull/67432), [@lichuqiang](https://github.com/lichuqiang))
+
+### Other notable changes
+
+* Not split nodes when searching for nodes but doing it all at once. ([#67555](https://github.com/kubernetes/kubernetes/pull/67555), [@wgliang](https://github.com/wgliang))
+* Deprecate kubectl run generators, except for run-pod/v1 ([#68132](https://github.com/kubernetes/kubernetes/pull/68132), [@soltysh](https://github.com/soltysh))
+* Using the Horizontal Pod Autoscaler with metrics from Heapster is now deprecated. ([#68089](https://github.com/kubernetes/kubernetes/pull/68089), [@DirectXMan12](https://github.com/DirectXMan12))
+* Support both directory and block device for local volume plugin FileSystem VolumeMode ([#63011](https://github.com/kubernetes/kubernetes/pull/63011), [@NickrenREN](https://github.com/NickrenREN))
+* Add CSI volume attributes for kubectl describe pv. ([#65074](https://github.com/kubernetes/kubernetes/pull/65074), [@wgliang](https://github.com/wgliang))
+* `kubectl rollout status` now works for unlimited timeouts. ([#67817](https://github.com/kubernetes/kubernetes/pull/67817), [@tnozicka](https://github.com/tnozicka))
+* Fix panic when processing Azure HTTP response. ([#68210](https://github.com/kubernetes/kubernetes/pull/68210), [@feiskyer](https://github.com/feiskyer))
+* add mixed protocol support for azure load balancer ([#67986](https://github.com/kubernetes/kubernetes/pull/67986), [@andyzhangx](https://github.com/andyzhangx))
+* Replace scale down forbidden window with scale down stabilization window. Rather than waiting a fixed period of time between scale downs HPA now scales down to the highest recommendation it during the scale down stabilization window. ([#68122](https://github.com/kubernetes/kubernetes/pull/68122), [@krzysztof-jastrzebski](https://github.com/krzysztof-jastrzebski))
+* Adding validation to kube-scheduler at the API level ([#66799](https://github.com/kubernetes/kubernetes/pull/66799), [@noqcks](https://github.com/noqcks))
+* Improve performance of Pod affinity/anti-affinity in the scheduler ([#67788](https://github.com/kubernetes/kubernetes/pull/67788), [@ahmad-diaa](https://github.com/ahmad-diaa))
+* kubeadm: fix air-gapped support and also allow some kubeadm commands to work without an available networking interface ([#67397](https://github.com/kubernetes/kubernetes/pull/67397), [@neolit123](https://github.com/neolit123))
+* Increase Horizontal Pod Autoscaler default update interval (30s -> 15s). It will improve HPA reaction time for metric changes. ([#68021](https://github.com/kubernetes/kubernetes/pull/68021), [@krzysztof-jastrzebski](https://github.com/krzysztof-jastrzebski))
+* Increase scrape frequency of metrics-server to 30s ([#68127](https://github.com/kubernetes/kubernetes/pull/68127), [@serathius](https://github.com/serathius))
+* Add new `--server-dry-run` flag to `kubectl apply` so that the request will be sent to the server with the dry-run flag (alpha), which means that changes won't be persisted. ([#68069](https://github.com/kubernetes/kubernetes/pull/68069), [@apelisse](https://github.com/apelisse))
+* kubelet v1beta1 external ComponentConfig types are now available in the `k8s.io/kubelet` repo ([#67263](https://github.com/kubernetes/kubernetes/pull/67263), [@luxas](https://github.com/luxas))
+* Adds a kubelet parameter and config option to change CFS quota period from the default 100ms to some other value between 1µs and 1s. This was done to improve response latencies for workloads running in clusters with guaranteed and burstable QoS classes. ([#63437](https://github.com/kubernetes/kubernetes/pull/63437), [@szuecs](https://github.com/szuecs))
+* Enable secure serving on port 10258 to cloud-controller-manager (configurable via `--secure-port`). Delegated authentication and authorization have to be configured like for aggregated API servers. ([#67069](https://github.com/kubernetes/kubernetes/pull/67069), [@sttts](https://github.com/sttts))
+* Support extra `--prune-whitelist` resources in kube-addon-manager. ([#67743](https://github.com/kubernetes/kubernetes/pull/67743), [@Random-Liu](https://github.com/Random-Liu))
+* Upon receiving a LIST request with expired continue token, the apiserver now returns a continue token together with the 410 "the from parameter is too old " error. If the client does not care about getting a list from a consistent snapshot, the client can use this token to continue listing from the next key, but the returned chunk will be from the latest snapshot. ([#67284](https://github.com/kubernetes/kubernetes/pull/67284), [@caesarxuchao](https://github.com/caesarxuchao))
+* Role, ClusterRole and their bindings for cloud-provider is put under system namespace. Their addonmanager mode switches to EnsureExists. ([#67224](https://github.com/kubernetes/kubernetes/pull/67224), [@grayluck](https://github.com/grayluck))
+* Mount propagation has promoted to GA. The `MountPropagation` feature gate is deprecated and will be removed in 1.13. ([#67255](https://github.com/kubernetes/kubernetes/pull/67255), [@bertinatto](https://github.com/bertinatto))
+* Introduce CSI Cluster Registration mechanism to ease CSI plugin discovery and allow CSI drivers to customize Kubernetes' interaction with them. ([#67803](https://github.com/kubernetes/kubernetes/pull/67803), [@saad-ali](https://github.com/saad-ali))
+* Adds the commands `kubeadm alpha phases renew ` ([#67910](https://github.com/kubernetes/kubernetes/pull/67910), [@liztio](https://github.com/liztio))
+* ProcMount added to SecurityContext and AllowedProcMounts added to PodSecurityPolicy to allow paths in the container's /proc to not be masked. ([#64283](https://github.com/kubernetes/kubernetes/pull/64283), [@jessfraz](https://github.com/jessfraz))
+* support cross resource group for azure file ([#68117](https://github.com/kubernetes/kubernetes/pull/68117), [@andyzhangx](https://github.com/andyzhangx))
+* Port 31337 will be used by fluentd ([#68051](https://github.com/kubernetes/kubernetes/pull/68051), [@Szetty](https://github.com/Szetty))
+* Improve CPU sample sanitization in HPA by taking metric's freshness into account. ([#68068](https://github.com/kubernetes/kubernetes/pull/68068), [@krzysztof-jastrzebski](https://github.com/krzysztof-jastrzebski))
+* CoreDNS is now v1.2.2 for Kubernetes 1.12 ([#68076](https://github.com/kubernetes/kubernetes/pull/68076), [@rajansandeep](https://github.com/rajansandeep))
+* Enable secure serving on port 10257 to kube-controller-manager (configurable via `--secure-port`). Delegated authentication and authorization have to be configured like for aggregated API servers. ([#64149](https://github.com/kubernetes/kubernetes/pull/64149), [@sttts](https://github.com/sttts))
+* Update metrics-server to v0.3.0. ([#68077](https://github.com/kubernetes/kubernetes/pull/68077), [@DirectXMan12](https://github.com/DirectXMan12))
+* TokenRequest and TokenRequestProjection are now beta features. To enable these feature, the API server needs to be started with the following flags: ([#67349](https://github.com/kubernetes/kubernetes/pull/67349), [@mikedanese](https://github.com/mikedanese))
+ * --service-account-issuer
+ * --service-account-signing-key-file
+ * --service-account-api-audiences
+* Don't let aggregated apiservers fail to launch if the external-apiserver-authentication configmap is not found in the cluster. ([#67836](https://github.com/kubernetes/kubernetes/pull/67836), [@sttts](https://github.com/sttts))
+* Promote AdvancedAuditing to GA, replacing the previous (legacy) audit logging mechanisms. ([#65862](https://github.com/kubernetes/kubernetes/pull/65862), [@loburm](https://github.com/loburm))
+* Azure cloud provider now supports unmanaged nodes (such as on-prem) that are labeled with `kubernetes.azure.com/managed=false` and `alpha.service-controller.kubernetes.io/exclude-balancer=true` ([#67984](https://github.com/kubernetes/kubernetes/pull/67984), [@feiskyer](https://github.com/feiskyer))
+* `kubectl get apiservice` now shows the target service and whether the service is available ([#67747](https://github.com/kubernetes/kubernetes/pull/67747), [@smarterclayton](https://github.com/smarterclayton))
+* Openstack supports now node shutdown taint. Taint is added when instance is shutdown in openstack. ([#67982](https://github.com/kubernetes/kubernetes/pull/67982), [@zetaab](https://github.com/zetaab))
+* Return apiserver panics as 500 errors instead terminating the apiserver process. ([#68001](https://github.com/kubernetes/kubernetes/pull/68001), [@sttts](https://github.com/sttts))
+* Fix VMWare VM freezing bug by reverting [#51066](https://github.com/kubernetes/kubernetes/pull/51066) ([#67825](https://github.com/kubernetes/kubernetes/pull/67825), [@nikopen](https://github.com/nikopen))
+* Make CoreDNS be the default DNS server in kube-up (instead of kube-dns formerly). ([#67569](https://github.com/kubernetes/kubernetes/pull/67569), [@fturib](https://github.com/fturib))
+ * It is still possible to deploy kube-dns by setting CLUSTER_DNS_CORE_DNS=false.
+* Added support to restore a volume from a volume snapshot data source. ([#67087](https://github.com/kubernetes/kubernetes/pull/67087), [@xing-yang](https://github.com/xing-yang))
+* fixes the errors/warnings in fluentd configuration ([#67947](https://github.com/kubernetes/kubernetes/pull/67947), [@saravanan30erd](https://github.com/saravanan30erd))
+* Stop counting soft-deleted pods for scaling purposes in HPA controller to avoid soft-deleted pods incorrectly affecting scale up replica count calculation. ([#67067](https://github.com/kubernetes/kubernetes/pull/67067), [@moonek](https://github.com/moonek))
+* delegated authn/z: optionally opt-out of mandatory authn/authz kubeconfig ([#67545](https://github.com/kubernetes/kubernetes/pull/67545), [@sttts](https://github.com/sttts))
+* kubeadm: Control plane images (etcd, kube-apiserver, kube-proxy, etc.) don't use arch suffixes. Arch suffixes are kept for kube-dns only. ([#66960](https://github.com/kubernetes/kubernetes/pull/66960), [@rosti](https://github.com/rosti))
+* Adds sample-cli-plugin staging repository ([#67938](https://github.com/kubernetes/kubernetes/pull/67938), [@soltysh](https://github.com/soltysh))
+* adjusted http/2 buffer sizes for apiservers to prevent starvation issues between concurrent streams ([#67902](https://github.com/kubernetes/kubernetes/pull/67902), [@liggitt](https://github.com/liggitt))
+* SCTP is now supported as additional protocol (alpha) alongside TCP and UDP in Pod, Service, Endpoint, and NetworkPolicy. ([#64973](https://github.com/kubernetes/kubernetes/pull/64973), [@janosi](https://github.com/janosi))
+* Always create configmaps/extensions-apiserver-authentication from kube-apiserver. ([#67694](https://github.com/kubernetes/kubernetes/pull/67694), [@sttts](https://github.com/sttts))
+* kube-proxy v1beta1 external ComponentConfig types are now available in the `k8s.io/kube-proxy` repo ([#67688](https://github.com/kubernetes/kubernetes/pull/67688), [@Lion-Wei](https://github.com/Lion-Wei))
+* Apply unreachable taint to a node when it lost network connection. ([#67734](https://github.com/kubernetes/kubernetes/pull/67734), [@Huang-Wei](https://github.com/Huang-Wei))
+* Allow ImageReview backend to return annotations to be added to the created pod. ([#64597](https://github.com/kubernetes/kubernetes/pull/64597), [@wteiken](https://github.com/wteiken))
+* Bump ip-masq-agent to v2.1.1 ([#67916](https://github.com/kubernetes/kubernetes/pull/67916), [@MrHohn](https://github.com/MrHohn))
+ * - Update debian-iptables image for CVEs.
+ * - Change chain name to IP-MASQ to be compatible with the
+ * pre-injected masquerade rules.
+* AllowedTopologies field inside StorageClass is now validated against set and map semantics. Specifically, there cannot be duplicate TopologySelectorTerms, MatchLabelExpressions keys, and TopologySelectorLabelRequirement Values. ([#66843](https://github.com/kubernetes/kubernetes/pull/66843), [@verult](https://github.com/verult))
+* Introduces autoscaling/v2beta2 and custom_metrics/v1beta2, which implement metric selectors for Object and Pods metrics, as well as allowing AverageValue targets on Objects, similar to External metrics. ([#64097](https://github.com/kubernetes/kubernetes/pull/64097), [@damemi](https://github.com/damemi))
+* The cloudstack cloud provider now reports a `Hostname` address type for nodes based on the `local-hostname` metadata key. ([#67719](https://github.com/kubernetes/kubernetes/pull/67719), [@liggitt](https://github.com/liggitt))
+* kubeadm: --cri-socket now defaults to tcp://localhost:2375 when running on Windows ([#67447](https://github.com/kubernetes/kubernetes/pull/67447), [@benmoss](https://github.com/benmoss))
+* kubeadm: The kubeadm configuration now support definition of more than one control plane instances with their own APIEndpoint. The APIEndpoint for the "bootstrap" control plane instance should be defined using `InitConfiguration.APIEndpoint`, while the APIEndpoints for additional control plane instances should be added using `JoinConfiguration.APIEndpoint`. ([#67832](https://github.com/kubernetes/kubernetes/pull/67832), [@fabriziopandini](https://github.com/fabriziopandini))
+* Enable dynamic azure disk volume limits ([#67772](https://github.com/kubernetes/kubernetes/pull/67772), [@andyzhangx](https://github.com/andyzhangx))
+* kubelet: Users can now enable the alpha NodeLease feature gate to have the Kubelet create and periodically renew a Lease in the kube-node-lease namespace. The lease duration defaults to 40s, and can be configured via the kubelet.config.k8s.io/v1beta1.KubeletConfiguration's NodeLeaseDurationSeconds field. ([#66257](https://github.com/kubernetes/kubernetes/pull/66257), [@mtaufen](https://github.com/mtaufen))
+* latent controller caches no longer cause repeating deletion messages for deleted pods ([#67826](https://github.com/kubernetes/kubernetes/pull/67826), [@deads2k](https://github.com/deads2k))
+* API paging is now enabled for custom resource definitions, custom resources and APIService objects ([#67861](https://github.com/kubernetes/kubernetes/pull/67861), [@liggitt](https://github.com/liggitt))
+* kubeadm: ControlPlaneEndpoint was moved from the API config struct to ClusterConfiguration ([#67830](https://github.com/kubernetes/kubernetes/pull/67830), [@fabriziopandini](https://github.com/fabriziopandini))
+* kubeadm - feature-gates HighAvailability, SelfHosting, CertsInSecrets are now deprecated and can't be used anymore for new clusters. Update of cluster using above feature-gates flag is not supported ([#67786](https://github.com/kubernetes/kubernetes/pull/67786), [@fabriziopandini](https://github.com/fabriziopandini))
+* Replace scale up forbidden window with disregarding CPU samples collected when pod was initializing. ([#67252](https://github.com/kubernetes/kubernetes/pull/67252), [@jbartosik](https://github.com/jbartosik))
+* Moving KubeSchedulerConfiguration from ComponentConfig API types to staging repos ([#66916](https://github.com/kubernetes/kubernetes/pull/66916), [@dixudx](https://github.com/dixudx))
+* Improved error message when checking the rollout status of StatefulSet with OnDelete strategy type ([#66983](https://github.com/kubernetes/kubernetes/pull/66983), [@mortent](https://github.com/mortent))
+* RuntimeClass is a new API resource for defining different classes of runtimes that may be used to run containers in the cluster. Pods can select a RunitmeClass to use via the RuntimeClassName field. This feature is in alpha, and the RuntimeClass feature gate must be enabled in order to use it. ([#67737](https://github.com/kubernetes/kubernetes/pull/67737), [@tallclair](https://github.com/tallclair))
+* Remove rescheduler since scheduling DS pods by default scheduler is moving to beta. ([#67687](https://github.com/kubernetes/kubernetes/pull/67687), [@Lion-Wei](https://github.com/Lion-Wei))
+* Turn on PodReadinessGate by default ([#67406](https://github.com/kubernetes/kubernetes/pull/67406), [@freehan](https://github.com/freehan))
+* Speed up kubelet start time by executing an immediate runtime and node status update when the Kubelet sees that it has a CIDR. ([#67031](https://github.com/kubernetes/kubernetes/pull/67031), [@krzysztof-jastrzebski](https://github.com/krzysztof-jastrzebski))
+* The OpenStack cloud provider now reports a `Hostname` address type for nodes ([#67748](https://github.com/kubernetes/kubernetes/pull/67748), [@FengyunPan2](https://github.com/FengyunPan2))
+* The aws cloud provider now reports a `Hostname` address type for nodes based on the `local-hostname` metadata key. ([#67715](https://github.com/kubernetes/kubernetes/pull/67715), [@liggitt](https://github.com/liggitt))
+* Azure cloud provider now supports cross resource group nodes that are labeled with `kubernetes.azure.com/resource-group=` and `alpha.service-controller.kubernetes.io/exclude-balancer=true` ([#67604](https://github.com/kubernetes/kubernetes/pull/67604), [@feiskyer](https://github.com/feiskyer))
+* Reduce API calls for Azure instance metadata. ([#67478](https://github.com/kubernetes/kubernetes/pull/67478), [@feiskyer](https://github.com/feiskyer))
+* `kubectl create secret tls` can now read certificate and key files from process substitution arguments ([#67713](https://github.com/kubernetes/kubernetes/pull/67713), [@liggitt](https://github.com/liggitt))
+* change default value of kind for azure disk ([#67483](https://github.com/kubernetes/kubernetes/pull/67483), [@andyzhangx](https://github.com/andyzhangx))
+* To address the possibility dry-run requests overwhelming admission webhooks that rely on side effects and a reconciliation mechanism, a new field is being added to admissionregistration.k8s.io/v1beta1.ValidatingWebhookConfiguration and admissionregistration.k8s.io/v1beta1.MutatingWebhookConfiguration so that webhooks can explicitly register as having dry-run support. If a dry-run request is made on a resource that triggers a non dry-run supporting webhook, the request will be completely rejected, with "400: Bad Request". Additionally, a new field is being added to the admission.k8s.io/v1beta1.AdmissionReview API object, exposing to webhooks whether or not the request being reviewed is a dry-run. ([#66936](https://github.com/kubernetes/kubernetes/pull/66936), [@jennybuckley](https://github.com/jennybuckley))
+* Kubeadm ha upgrade ([#66973](https://github.com/kubernetes/kubernetes/pull/66973), [@fabriziopandini](https://github.com/fabriziopandini))
+* kubeadm: InitConfiguration now consists of two structs: InitConfiguration and ClusterConfiguration ([#67441](https://github.com/kubernetes/kubernetes/pull/67441), [@rosti](https://github.com/rosti))
+* Updated Cluster Autoscaler version to 1.3.2-beta.2. Release notes: https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.3.2-beta.2 ([#67697](https://github.com/kubernetes/kubernetes/pull/67697), [@aleksandra-malinowska](https://github.com/aleksandra-malinowska))
+* cpumanager: rollback state if updateContainerCPUSet failed ([#67430](https://github.com/kubernetes/kubernetes/pull/67430), [@choury](https://github.com/choury))
+* [CRI] Adds a "runtime_handler" field to RunPodSandboxRequest, for selecting the runtime configuration to run the sandbox with (alpha feature). ([#67518](https://github.com/kubernetes/kubernetes/pull/67518), [@tallclair](https://github.com/tallclair))
+* Create cli-runtime staging repository ([#67658](https://github.com/kubernetes/kubernetes/pull/67658), [@soltysh](https://github.com/soltysh))
+* Headless Services with no ports defined will now create Endpoints correctly, and appear in DNS. ([#67622](https://github.com/kubernetes/kubernetes/pull/67622), [@thockin](https://github.com/thockin))
+* Kubernetes juju charms will now use CSI for ceph. ([#66523](https://github.com/kubernetes/kubernetes/pull/66523), [@hyperbolic2346](https://github.com/hyperbolic2346))
+* kubeadm: Fix panic when node annotation is nil ([#67648](https://github.com/kubernetes/kubernetes/pull/67648), [@xlgao-zju](https://github.com/xlgao-zju))
+* Prevent `resourceVersion` updates for custom resources on no-op writes. ([#67562](https://github.com/kubernetes/kubernetes/pull/67562), [@nikhita](https://github.com/nikhita))
+* Fail container start if its requested device plugin resource hasn't registered after Kubelet restart. ([#67145](https://github.com/kubernetes/kubernetes/pull/67145), [@jiayingz](https://github.com/jiayingz))
+* Use sync.map to scale ecache better ([#66862](https://github.com/kubernetes/kubernetes/pull/66862), [@resouer](https://github.com/resouer))
+* DaemonSet: Fix bug- daemonset didn't create pod after node have enough resource ([#67337](https://github.com/kubernetes/kubernetes/pull/67337), [@linyouchong](https://github.com/linyouchong))
+* updates kibana to 6.3.2 ([#67582](https://github.com/kubernetes/kubernetes/pull/67582), [@monotek](https://github.com/monotek))
+* fixes json logging in fluentd-elasticsearch image by downgrading fluent-plugin-kubernetes_metadata_filter plugin to version 2.0.0 ([#67544](https://github.com/kubernetes/kubernetes/pull/67544), [@monotek](https://github.com/monotek))
+* add --dns-loop-detect option to dnsmasq run by kube-dns ([#67302](https://github.com/kubernetes/kubernetes/pull/67302), [@dixudx](https://github.com/dixudx))
+* Switched certificate data replacement from "REDACTED" to "DATA+OMITTED" ([#66023](https://github.com/kubernetes/kubernetes/pull/66023), [@ibrasho](https://github.com/ibrasho))
+* improve performance of anti-affinity predicate of default scheduler. ([#66948](https://github.com/kubernetes/kubernetes/pull/66948), [@mohamed-mehany](https://github.com/mohamed-mehany))
+* Fixed a bug that was blocking extensible error handling when serializing API responses error out. Previously, serialization failures always resulted in the status code of the original response being returned. Now, the following behavior occurs: ([#67041](https://github.com/kubernetes/kubernetes/pull/67041), [@tristanburgess](https://github.com/tristanburgess))
+ * - If the serialization type is application/vnd.kubernetes.protobuf, and protobuf marshaling is not implemented for the requested API resource type, a '406 Not Acceptable is returned'.
+ * - If the serialization type is 'application/json':
+ * - If serialization fails, and the original status code was an failure (e.g. 4xx or 5xx), the original status code will be returned.
+ * - If serialization fails, and the original status code was not a failure (e.g. 2xx), the status code of the serialization failure will be returned. By default, this is '500 Internal Server Error', because JSON serialization is our default, and not supposed to be implemented on a type-by-type basis.
+* Add a feature to the scheduler to score fewer than all nodes in every scheduling cycle. This can improve performance of the scheduler in large clusters. ([#66733](https://github.com/kubernetes/kubernetes/pull/66733), [@bsalamat](https://github.com/bsalamat))
+* kube-controller-manager can now start the quota controller when discovery results can only be partially determined. ([#67433](https://github.com/kubernetes/kubernetes/pull/67433), [@deads2k](https://github.com/deads2k))
+* The plugin mechanism functionality now closely follows the git plugin design ([#66876](https://github.com/kubernetes/kubernetes/pull/66876), [@juanvallejo](https://github.com/juanvallejo))
+* GCE: decrease cpu requests on master node, to allow more components to fit on one core machine. ([#67504](https://github.com/kubernetes/kubernetes/pull/67504), [@loburm](https://github.com/loburm))
+* PVC may not be synced to controller local cache in time if PV is bound by external PV binder (e.g. kube-scheduler), double check if PVC is not found to prevent reclaiming PV wrongly. ([#67062](https://github.com/kubernetes/kubernetes/pull/67062), [@cofyc](https://github.com/cofyc))
+* add more storage account sku support for azure disk ([#67528](https://github.com/kubernetes/kubernetes/pull/67528), [@andyzhangx](https://github.com/andyzhangx))
+* updates es-image to elasticsearch 6.3.2 ([#67484](https://github.com/kubernetes/kubernetes/pull/67484), [@monotek](https://github.com/monotek))
+* Bump GLBC version to 1.2.3 ([#66793](https://github.com/kubernetes/kubernetes/pull/66793), [@freehan](https://github.com/freehan))
+* kube-apiserver: fixes error creating system priority classes when starting multiple apiservers simultaneously ([#67372](https://github.com/kubernetes/kubernetes/pull/67372), [@tanshanshan](https://github.com/tanshanshan))
+* kubectl patch now respects --local ([#67399](https://github.com/kubernetes/kubernetes/pull/67399), [@deads2k](https://github.com/deads2k))
+* Defaults for file audit logging backend in batch mode changed: ([#67223](https://github.com/kubernetes/kubernetes/pull/67223), [@tallclair](https://github.com/tallclair))
+ * - Logs are written 1 at a time (no batching)
+ * - Only a single writer process (lock contention)
+* Forget rate limit when CRD establish controller successfully updated CRD condition ([#67370](https://github.com/kubernetes/kubernetes/pull/67370), [@yue9944882](https://github.com/yue9944882))
+* updates fluentd in fluentd-elasticsearch to version 1.2.4 ([#67434](https://github.com/kubernetes/kubernetes/pull/67434), [@monotek](https://github.com/monotek))
+ * also updates activesupport, fluent-plugin-elasticsearch & oj gems
+* The dockershim now sets the "bandwidth" and "ipRanges" CNI capabilities (dynamic parameters). Plugin authors and administrators can now take advantage of this by updating their CNI configuration file. For more information, see the [CNI docs](https://github.com/containernetworking/cni/blob/master/CONVENTIONS.md#dynamic-plugin-specific-fields-capabilities--runtime-configuration) ([#64445](https://github.com/kubernetes/kubernetes/pull/64445), [@squeed](https://github.com/squeed))
+* Expose `/debug/flags/v` to allow kubelet dynamically set glog logging level. If want to change glog level to 3, you only have to send a PUT request like `curl -X PUT http://127.0.0.1:8080/debug/flags/v -d "3"`. ([#64601](https://github.com/kubernetes/kubernetes/pull/64601), [@hzxuzhonghu](https://github.com/hzxuzhonghu))
+* Fix an issue that pods using hostNetwork keep increasing. ([#67456](https://github.com/kubernetes/kubernetes/pull/67456), [@Huang-Wei](https://github.com/Huang-Wei))
+* DaemonSet controller is now using backoff algorithm to avoid hot loops fighting with kubelet on pod recreation when a particular DaemonSet is misconfigured. ([#65309](https://github.com/kubernetes/kubernetes/pull/65309), [@tnozicka](https://github.com/tnozicka))
+* Add node affinity for Azure unzoned managed disks ([#67229](https://github.com/kubernetes/kubernetes/pull/67229), [@feiskyer](https://github.com/feiskyer))
+* Attacher/Detacher refactor for local storage ([#66884](https://github.com/kubernetes/kubernetes/pull/66884), [@NickrenREN](https://github.com/NickrenREN))
+* Update debian-iptables and hyperkube-base images to include CVE fixes. ([#67365](https://github.com/kubernetes/kubernetes/pull/67365), [@ixdy](https://github.com/ixdy))
+* Fix an issue where filesystems are not unmounted when a backend is not reachable and returns EIO. ([#67097](https://github.com/kubernetes/kubernetes/pull/67097), [@chakri-nelluri](https://github.com/chakri-nelluri))
+* Update Cluster Autoscaler version to 1.3.2-beta.1. Release notes: https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.3.2-beta.1 ([#67396](https://github.com/kubernetes/kubernetes/pull/67396), [@aleksandra-malinowska](https://github.com/aleksandra-malinowska))
+* Remove unused binary and container image for kube-aggregator. The functionality is already integrated into the kube-apiserver. ([#67157](https://github.com/kubernetes/kubernetes/pull/67157), [@dims](https://github.com/dims))
+* Avoid creating new controller revisions for statefulsets when cache is stale ([#67039](https://github.com/kubernetes/kubernetes/pull/67039), [@mortent](https://github.com/mortent))
+* Revert [#63905](https://github.com/kubernetes/kubernetes/pull/63905): Setup dns servers and search domains for Windows Pods. DNS for Windows containers will be set by CNI plugins. ([#66587](https://github.com/kubernetes/kubernetes/pull/66587), [@feiskyer](https://github.com/feiskyer))
+* attachdetach controller attaches volumes immediately when Pod's PVCs are bound ([#66863](https://github.com/kubernetes/kubernetes/pull/66863), [@cofyc](https://github.com/cofyc))
+* The check for unsupported plugins during volume resize has been moved from the admission controller to the two controllers that handle volume resize. ([#66780](https://github.com/kubernetes/kubernetes/pull/66780), [@kangarlou](https://github.com/kangarlou))
+* Fix kubelet to not leak goroutines/intofiy watchers on an inactive connection if it's closed ([#67285](https://github.com/kubernetes/kubernetes/pull/67285), [@yujuhong](https://github.com/yujuhong))
+* fix azure disk create failure due to sdk upgrade ([#67236](https://github.com/kubernetes/kubernetes/pull/67236), [@andyzhangx](https://github.com/andyzhangx))
+* Kubeadm join --control-plane main workflow ([#66873](https://github.com/kubernetes/kubernetes/pull/66873), [@fabriziopandini](https://github.com/fabriziopandini))
+* Dynamic provisions that create iSCSI PVs can ensure that multipath is used by specifying 2 or more target portals in the PV, which will cause kubelet to wait up to 10 seconds for the multipath device. PVs with just one portal continue to work as before, with kubelet not waiting for the multipath device and just using the first disk it finds. ([#67140](https://github.com/kubernetes/kubernetes/pull/67140), [@bswartz](https://github.com/bswartz))
+* kubectl: recreating resources for immutable fields when force is applied ([#66602](https://github.com/kubernetes/kubernetes/pull/66602), [@dixudx](https://github.com/dixudx))
+* Remove deprecated --interactive flag from kubectl logs. ([#65420](https://github.com/kubernetes/kubernetes/pull/65420), [@jsoref](https://github.com/jsoref))
+* kubeadm uses audit policy v1 instead of v1beta1 ([#67176](https://github.com/kubernetes/kubernetes/pull/67176), [@charrywanganthony](https://github.com/charrywanganthony))
+* kubeadm: make sure pre-pulled kube-proxy image and the one specified in its daemon set manifest are the same ([#67131](https://github.com/kubernetes/kubernetes/pull/67131), [@rosti](https://github.com/rosti))
+* Graduate Resource Quota ScopeSelectors to beta, and enable it by default. ([#67077](https://github.com/kubernetes/kubernetes/pull/67077), [@vikaschoudhary16](https://github.com/vikaschoudhary16))
+* Decrease the amount of time it takes to modify kubeconfig files with large amounts of contexts ([#67093](https://github.com/kubernetes/kubernetes/pull/67093), [@juanvallejo](https://github.com/juanvallejo))
+* Fixes issue when updating a DaemonSet causes a hash collision. ([#66476](https://github.com/kubernetes/kubernetes/pull/66476), [@mortent](https://github.com/mortent))
+* fix cluster-info dump error ([#66652](https://github.com/kubernetes/kubernetes/pull/66652), [@charrywanganthony](https://github.com/charrywanganthony))
+* The PodShareProcessNamespace feature to configure PID namespace sharing within a pod has been promoted to beta. ([#66507](https://github.com/kubernetes/kubernetes/pull/66507), [@verb](https://github.com/verb))
+* `kubectl create {clusterrole,role}`'s `--resources` flag supports asterisk to specify all resources. ([#62945](https://github.com/kubernetes/kubernetes/pull/62945), [@nak3](https://github.com/nak3))
+* Bump up version number of debian-base, debian-hyperkube-base and debian-iptables. ([#67026](https://github.com/kubernetes/kubernetes/pull/67026), [@satyasm](https://github.com/satyasm))
+ * Also updates dependencies of users of debian-base.
+ * debian-base version 0.3.1 is already available.
+* DynamicProvisioningScheduling and VolumeScheduling is now supported for Azure managed disks. Feature gates DynamicProvisioningScheduling and VolumeScheduling should be enabled before using this feature. ([#67121](https://github.com/kubernetes/kubernetes/pull/67121), [@feiskyer](https://github.com/feiskyer))
+* kube-apiserver now includes all registered API groups in discovery, including registered extension API group/versions for unavailable extension API servers. ([#66932](https://github.com/kubernetes/kubernetes/pull/66932), [@nilebox](https://github.com/nilebox))
+* Allows extension API server to dynamically discover the requestheader CA certificate when the core API server doesn't use certificate based authentication for it's clients ([#66394](https://github.com/kubernetes/kubernetes/pull/66394), [@rtripat](https://github.com/rtripat))
+* audit.k8s.io api group is upgraded from v1beta1 to v1. ([#65891](https://github.com/kubernetes/kubernetes/pull/65891), [@CaoShuFeng](https://github.com/CaoShuFeng))
+ * Deprecated element metav1.ObjectMeta and Timestamp are removed from audit Events in v1 version.
+ * Default value of option --audit-webhook-version and --audit-log-version will be changed from `audit.k8s.io/v1beta1` to `audit.k8s.io/v1` in release 1.13
+* scope AWS LoadBalancer security group ICMP rules to spec.loadBalancerSourceRanges ([#63572](https://github.com/kubernetes/kubernetes/pull/63572), [@haz-mat](https://github.com/haz-mat))
+* Add NoSchedule/NoExecute tolerations to ip-masq-agent, ensuring it to be scheduled in all nodes except master. ([#66260](https://github.com/kubernetes/kubernetes/pull/66260), [@tanshanshan](https://github.com/tanshanshan))
+* The flag `--skip-preflight-checks` of kubeadm has been removed. Please use `--ignore-preflight-errors` instead. ([#62727](https://github.com/kubernetes/kubernetes/pull/62727), [@xiangpengzhao](https://github.com/xiangpengzhao))
+* The watch API endpoints prefixed with `/watch` are deprecated and will be removed in a future release. These standard method for watching resources (supported since v1.0) is to use the list API endpoints with a `?watch=true` parameter. All client-go clients have used the parameter method since v1.6.0. ([#65147](https://github.com/kubernetes/kubernetes/pull/65147), [@liggitt](https://github.com/liggitt))
+* Bump Heapster to v1.6.0-beta.1 ([#67074](https://github.com/kubernetes/kubernetes/pull/67074), [@kawych](https://github.com/kawych))
+* kube-apiserver: setting a `dryRun` query parameter on a CONNECT request will now cause the request to be rejected, consistent with behavior of other mutating API requests. Examples of CONNECT APIs are the `nodes/proxy`, `services/proxy`, `pods/proxy`, `pods/exec`, and `pods/attach` subresources. Note that this prevents sending a `dryRun` parameter to backends via `{nodes,services,pods}/proxy` subresources. ([#66083](https://github.com/kubernetes/kubernetes/pull/66083), [@jennybuckley](https://github.com/jennybuckley))
+* In clusters where the DryRun feature is enabled, dry-run requests will go through the normal admission chain. Because of this, ImagePolicyWebhook authors should especially make sure that their webhooks do not rely on side effects. ([#66391](https://github.com/kubernetes/kubernetes/pull/66391), [@jennybuckley](https://github.com/jennybuckley))
+* Metadata Agent Improvements ([#66485](https://github.com/kubernetes/kubernetes/pull/66485), [@bmoyles0117](https://github.com/bmoyles0117))
+ * Bump metadata agent version to 0.2-0.0.21-1.
+ * Expand the metadata agent's access to all API groups.
+ * Remove metadata agent config maps in favor of command line flags.
+ * Update the metadata agent's liveness probe to a new /healthz handler.
+ * Logging Agent Improvements
+ * Bump logging agent version to 0.2-1.5.33-1-k8s-1.
+ * Appropriately set log severity for k8s_container.
+ * Fix detect exceptions plugin to analyze message field instead of log field.
+ * Fix detect exceptions plugin to analyze streams based on local resource id.
+ * Disable the metadata agent for monitored resource construction in logging.
+ * Disable timestamp adjustment in logs to optimize performance.
+ * Reduce logging agent buffer chunk limit to 512k to optimize performance.
+* kubectl: the wait command now prints an error message and exits with the code 1, if there is no resources matching selectors ([#66692](https://github.com/kubernetes/kubernetes/pull/66692), [@m1kola](https://github.com/m1kola))
+* Quota admission configuration api graduated to v1beta1 ([#66156](https://github.com/kubernetes/kubernetes/pull/66156), [@vikaschoudhary16](https://github.com/vikaschoudhary16))
+* Unit tests for scopes and scope selectors in the quota spec ([#66351](https://github.com/kubernetes/kubernetes/pull/66351), [@vikaschoudhary16](https://github.com/vikaschoudhary16))
+* Print kube-apiserver --help flag help in sections. ([#64517](https://github.com/kubernetes/kubernetes/pull/64517), [@sttts](https://github.com/sttts))
+* Azure managed disks now support availability zones and new parameters `zoned`, `zone` and `zones` are added for AzureDisk storage class. ([#66553](https://github.com/kubernetes/kubernetes/pull/66553), [@feiskyer](https://github.com/feiskyer))
+* nodes: improve handling of erroneous host names ([#64815](https://github.com/kubernetes/kubernetes/pull/64815), [@dixudx](https://github.com/dixudx))
+* remove deprecated shorthand flag `-c` from `kubectl version (--client)` ([#66817](https://github.com/kubernetes/kubernetes/pull/66817), [@charrywanganthony](https://github.com/charrywanganthony))
+* Added etcd_object_count metrics for CustomResources. ([#65983](https://github.com/kubernetes/kubernetes/pull/65983), [@sttts](https://github.com/sttts))
+* Handle newlines for `command`, `args`, `env`, and `annotations` in `kubectl describe` wrapping ([#66841](https://github.com/kubernetes/kubernetes/pull/66841), [@smarterclayton](https://github.com/smarterclayton))
+* Fix pod launch by kubelet when --cgroups-per-qos=false and --cgroup-driver="systemd" ([#66617](https://github.com/kubernetes/kubernetes/pull/66617), [@pravisankar](https://github.com/pravisankar))
+* kubelet: fix nil pointer dereference while enforce-node-allocatable flag is not config properly ([#66190](https://github.com/kubernetes/kubernetes/pull/66190), [@linyouchong](https://github.com/linyouchong))
+* Fix a bug on GCE that /etc/crictl.yaml is not generated when crictl is preloaded. ([#66877](https://github.com/kubernetes/kubernetes/pull/66877), [@Random-Liu](https://github.com/Random-Liu))
+* This fix prevents a GCE PD volume from being mounted if the udev device link is stale and tries to correct the link. ([#66832](https://github.com/kubernetes/kubernetes/pull/66832), [@msau42](https://github.com/msau42))
+
+
+
+# v1.12.0-alpha.1
+
+[Documentation](https://docs.k8s.io) & [Examples](https://releases.k8s.io/master/examples)
+
+## Downloads for v1.12.0-alpha.1
-Improvements in Windows Server version 1803 also bring new storage functionality to Kubernetes v1.11, including:
-* Volume mounts for ConfigMap and Secret
-* Flexvolume plugins for SMB and iSCSI storage are also available out-of-tree at [Microsoft/K8s-Storage-Plugins](https://github.com/Microsoft/K8s-Storage-Plugin)
+filename | sha256 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes.tar.gz) | `603345769f5e2306e5c22db928aa1cbedc6af63f387ab7a8818cb0111292133f`
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-src.tar.gz) | `f8fb4610cee20195381e54bfd163fbaeae228d68986817b685948b8957f324d0`
-## Known Issues
+### Client Binaries
-* IPVS based kube-proxy doesn't support graceful close connections for terminating pod. This issue will be fixed in a future release. ([#57841](https://github.com/kubernetes/kubernetes/pull/57841), [@jsravn](https://github.com/jsravn))
-* kube-proxy needs to be configured to override hostname in some environments. ([#857](https://github.com/kubernetes/kubeadm/issues/857), [@detiber](https://github.com/detiber))
-* There's a known issue where the Vertical Pod Autoscaler will radically change implementation in 1.12, so users of VPA (alpha) in 1.11 are warned that they will not be able to automatically migrate their VPA configs from 1.11 to 1.12.
+filename | sha256 hash
+-------- | -----------
+[kubernetes-client-darwin-386.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-client-darwin-386.tar.gz) | `e081c275601bcaa45d906a976d35902256f836bb60caa738a2fd8719ff3e1048`
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-client-darwin-amd64.tar.gz) | `2dd222a267ac247dce4dfc52aff313f20c427b4351f7410aadebe8569ede3139`
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-client-linux-386.tar.gz) | `46b16d6b0429163da67b06242772c3c6c5ab9da6deda5306e63d21be04b4811d`
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-client-linux-amd64.tar.gz) | `8b8bf0a8a4568559d3762a72c1095ab37785fc8bbbb290aaff3a34341a24d7eb`
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-client-linux-arm.tar.gz) | `d71dc60e087746b2832e66170053816dc8ed42e95efe0769ed926a6e044175ef`
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-client-linux-arm64.tar.gz) | `e9091bbfb997d1603dfd17ba9f145ca7dacf304f04d10230e056f8a12ce44445`
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-client-linux-ppc64le.tar.gz) | `fc6c0985ccbd806add497f2557000f7e90f3176427250e019a40e8acf7c42282`
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-client-linux-s390x.tar.gz) | `b8c64b318d702f6e8be76330fd5da9b87e2e4e31e904ea7e00c0cd6412ab2bcf`
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-client-windows-386.tar.gz) | `cb96e353eb5d400756a93c8d16321d0fac87d6a4f8ad89fda42858f8e4d85e9d`
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-client-windows-amd64.tar.gz) | `003284f983cafc6fd0ce1205c03d47e638a999def1ef4e1e77bfb9149e5f598b`
+### Server Binaries
-## Before Upgrading
+filename | sha256 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-server-linux-amd64.tar.gz) | `d9c282cd02c8c3fdbeb2f46abd0ddd257a8449e94be3beed2514c6e30a335a87`
+[kubernetes-server-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-server-linux-arm.tar.gz) | `613390ba73f4236feb10bb4f70cbf96e504cf8d598da0180efc887d316b8bc5e`
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-server-linux-arm64.tar.gz) | `1dd417f59d17c3583c6b4a3989d24c57e4989eb7b6ab9f2aa10c4cbf9bf5c11b`
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-server-linux-ppc64le.tar.gz) | `44e9e6424ed3a5a91f5adefa456b2b71c0c5d3b01be9f60f5c8c0f958815ffc1`
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-server-linux-s390x.tar.gz) | `3118d9c955f9a50f86ebba324894f06dbf7c1cb8f9bc5bdf6a95caf2a6678805`
-* When Response is a `metav1.Status`, it is no longer copied into the audit.Event status. Only the "status", "reason" and "code" fields are set. For example, when we run `kubectl get pods abc`, the API Server returns a status object:
-```
-{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"abc\" not found","reason":"NotFound","details":{"name":"abc","kind":"pods"},"code":404}
-```
-In previous versions, the whole object was logged in audit events. Starting in 1.11, only `status`, `reason`, and `code` are logged. Code that relies on the older version must be updated to avoid errors.
-([#62695](https://github.com/kubernetes/kubernetes/pull/62695), [@CaoShuFeng](https://github.com/CaoShuFeng))
-* HTTP transport now uses `context.Context` to cancel dial operations. k8s.io/client-go/transport/Config struct has been updated to accept a function with a `context.Context` parameter. This is a breaking change if you use this field in your code. ([#60012](https://github.com/kubernetes/kubernetes/pull/60012), [@ash2k](https://github.com/ash2k))
-* kubectl: This client version requires the `apps/v1` APIs, so it will not work against a cluster version older than v1.9.0. Note that kubectl only guarantees compatibility with clusters that are +/-1 minor version away. ([#61419](https://github.com/kubernetes/kubernetes/pull/61419), [@enisoc](https://github.com/enisoc))
-* Pod priority and preemption is now enabled by default. Even if you don't plan to use this feature, you might need to take some action immediately after upgrading. In multi-tenant clusters where not all users are trusted, you are advised to create appropriate quotas for two default priority classes, system-cluster-critical and system-node-critical, which are added to clusters by default. `ResourceQuota` should be created to limit users from creating Pods at these priorities if not all users of your cluster are trusted. We do not advise disabling this feature because critical system Pods rely on the scheduler preemption to be scheduled when cluster is under resource pressure.
-* Default mount propagation has changed from `HostToContainer` ("rslave" in Linux terminology), as it was in 1.10, to `None` ("private") to match the behavior in 1.9 and earlier releases; `HostToContainer` as a default caused regressions in some pods. If you are relying on this behavior you will need to set it explicitly. ([#62462](https://github.com/kubernetes/kubernetes/pull/62462), [@jsafrane](https://github.com/jsafrane))
-* The kube-apiserver `--storage-version` flag has been removed; you must use `--storage-versions` instead. ([#61453](https://github.com/kubernetes/kubernetes/pull/61453), [@hzxuzhonghu](https://github.com/hzxuzhonghu))
-* Authors of aggregated API servers must not rely on authorization being done by the kube-apiserver, and must do delegated authorization in addition. ([#61349](https://github.com/kubernetes/kubernetes/pull/61349), [@sttts](https://github.com/sttts))
-* GC is now bound by QPS so if you need more QPS to avoid ratelimiting GC, you'll have to set it explicitly. ([#63657](https://github.com/kubernetes/kubernetes/pull/63657), [@shyamjvs](https://github.com/shyamjvs))
-* `kubeadm join` is now blocking on the kubelet performing the TLS Bootstrap properly. Earlier, `kubeadm join` only did the discovery part and exited successfully without checking that the kubelet actually started properly and performed the TLS bootstrap correctly. Now, as kubeadm runs some post-join steps (for example, annotating the Node API object with the CRISocket), `kubeadm join` is now waiting for the kubelet to perform the TLS Bootstrap, and then uses that credential to perform further actions. This also improves the UX, as `kubeadm` will exit with a non-zero code if the kubelet isn't in a functional state, instead of pretending everything's fine.
- ([#64792](https://github.com/kubernetes/kubernetes/pull/64792), [@luxas](https://github.com/luxas))
-* The structure of the kubelet dropin in the kubeadm deb package has changed significantly. Instead of hard-coding the parameters for the kubelet in the dropin, a structured configuration file for the kubelet is used, and is expected to be present in `/var/lib/kubelet/config.yaml`. For runtime-detected, instance-specific configuration values, a environment file with dynamically-generated flags at `kubeadm init` or `kubeadm join` run time is used. Finally, if you want to override something specific for the kubelet that can't be done via the kubeadm Configuration file (which is preferred), you might add flags to the `KUBELET_EXTRA_ARGS` environment variable in either `/etc/default/kubelet`
-or `/etc/sysconfig/kubelet`, depending on the system you're running on.
-([#64780](https://github.com/kubernetes/kubernetes/pull/64780), [@luxas](https://github.com/luxas))
-* The `--node-name` flag for kubeadm now dictates the Node API object name the kubelet uses for registration, in all cases but where you might use an in-tree cloud provider. If you're not using an in-tree cloud provider, `--node-name` will set the Node API object name. If you're using an in-tree cloud provider, you MUST make `--node-name` match the name the in-tree cloud provider decides to use.
-([#64706](https://github.com/kubernetes/kubernetes/pull/64706), [@liztio](https://github.com/liztio))
-* The `PersistentVolumeLabel` admission controller is now disabled by default. If you depend on this feature (AWS/GCE) then ensure it is added to the `--enable-admission-plugins` flag on the kube-apiserver. ([#64326](https://github.com/kubernetes/kubernetes/pull/64326), [@andrewsykim](https://github.com/andrewsykim))
-* kubeadm: kubelets in kubeadm clusters now disable the readonly port (10255). If you're relying on unauthenticated access to the readonly port, please switch to using the secure port (10250). Instead, you can now use ServiceAccount tokens when talking to the secure port, which will make it easier to get access to, for example, the `/metrics` endpoint of the kubelet, securely. ([#64187](https://github.com/kubernetes/kubernetes/pull/64187), [@luxas](https://github.com/luxas))
-* The formerly publicly-available cAdvisor web UI that the kubelet ran on port 4194 by default is now turned off by default. The flag configuring what port to run this UI on `--cadvisor-port` was deprecated in v1.10. Now the default is `--cadvisor-port=0`, in other words, to not run the web server. If you still need to run cAdvisor, the recommended way to run it is via a DaemonSet. Note that the `--cadvisor-port` will be removed in v1.12 ([#63881](https://github.com/kubernetes/kubernetes/pull/63881), [@luxas](https://github.com/luxas))
-
-### New Deprecations
-
-* As a reminder, etcd2 as a backend is deprecated and support will be removed in Kubernetes 1.13. Please ensure that your clusters are upgraded to etcd3 as soon as possible.
-* InfluxDB cluster monitoring has been deprecated as part of the deprecation of Heapster. Instead, you may use the [metrics server](https://github.com/kubernetes-incubator/metrics-server). It's a simplified heapster that is able to gather and serve current metrics values. It provides the Metrics API that is used by `kubectl top`, and horizontal pod autoscaler. Note that it doesn't include some features of Heapster, such as short term metrics for graphs in kube-dashboard and dedicated push sinks, which proved hard to maintain and scale. Clusters using Heapster for transfering metrics into long-term storage should consider using their metric solution's native Kubernetes support, if present, or should consider alternative solutions. ([#62328](https://github.com/kubernetes/kubernetes/pull/62328), [@serathius](https://github.com/serathius))
-* The kubelet `--rotate-certificates` flag is now deprecated, and will be removed in a future release. The kubelet certificate rotation feature can now be enabled via the `.RotateCertificates` field in the kubelet's config file. ([#63912](https://github.com/kubernetes/kubernetes/pull/63912), [@luxas](https://github.com/luxas))
-* The kubeadm configuration file version has been upgraded from `v1alpha2` from `v1alpha1`. `v1alpha1` read support exists in v1.11, but will be removed in v1.12. ([#63788](https://github.com/kubernetes/kubernetes/pull/63788), [@luxas](https://github.com/luxas))
-The following PRs changed the API spec:
- * In the new v1alpha2 kubeadm Configuration API, the `.CloudProvider` and `.PrivilegedPods` fields don't exist anymore. Instead, you should use the out-of-tree cloud provider implementations, which are beta in v1.11.
- * If you have to use the legacy in-tree cloud providers, you can rearrange your config like the example below. If you need the `cloud-config` file (located in `{cloud-config-path}`), you can mount it into the API Server and controller-manager containers using ExtraVolumes, as in:
-
-
- kind: MasterConfiguration
- apiVersion: kubeadm.k8s.io/v1alpha2
- apiServerExtraArgs:
- cloud-provider: "{cloud}"
- cloud-config: "{cloud-config-path}"
- apiServerExtraVolumes:
- - name: cloud
- hostPath: "{cloud-config-path}"
- mountPath: "{cloud-config-path}"
- controllerManagerExtraArgs:
- cloud-provider: "{cloud}"
- cloud-config: "{cloud-config-path}"
- controllerManagerExtraVolumes:
- - name: cloud
- hostPath: "{cloud-config-path}"
- mountPath: "{cloud-config-path}"
-
-
-* If you need to use the `.PrivilegedPods` functionality, you can still edit the manifests in `/etc/kubernetes/manifests/`, and set `.SecurityContext.Privileged=true` for the apiserver and controller manager.
- ([#63866](https://github.com/kubernetes/kubernetes/pull/63866), [@luxas](https://github.com/luxas))
- * kubeadm: The Token-related fields in the `MasterConfiguration` object have now been refactored. Instead of the top-level `.Token`, `.TokenTTL`, `.TokenUsages`, `.TokenGroups` fields, there is now a `BootstrapTokens` slice of `BootstrapToken` objects that support the same features under the `.Token`, `.TTL`, `.Usages`, `.Groups` fields. ([#64408](https://github.com/kubernetes/kubernetes/pull/64408), [@luxas](https://github.com/luxas))
- * `.NodeName` and `.CRISocket` in the `MasterConfiguration` and `NodeConfiguration` v1alpha1 API objects are now `.NodeRegistration.Name` and `.NodeRegistration.CRISocket` respectively in the v1alpha2 API. The `.NoTaintMaster` field has been removed in the v1alpha2 API. ([#64210](https://github.com/kubernetes/kubernetes/pull/64210), [@luxas](https://github.com/luxas))
- * kubeadm: Support for `.AuthorizationModes` in the kubeadm v1alpha2 API has been removed. Instead, you can use the `.APIServerExtraArgs` and `.APIServerExtraVolumes` fields to achieve the same effect. Files using the v1alpha1 API and setting this field will be automatically upgraded to this v1alpha2 API and the information will be preserved. ([#64068](https://github.com/kubernetes/kubernetes/pull/64068), [@luxas](https://github.com/luxas))
-* The annotation `service.alpha.kubernetes.io/tolerate-unready-endpoints` is deprecated. Users should use Service.spec.publishNotReadyAddresses instead. ([#63742](https://github.com/kubernetes/kubernetes/pull/63742), [@thockin](https://github.com/thockin))
-* `--show-all`, which only affected pods, and even then only for human readable/non-API printers, is inert in v1.11, and will be removed in a future release. ([#60793](https://github.com/kubernetes/kubernetes/pull/60793), [@charrywanganthony](https://github.com/charrywanganthony))
-* The `kubectl rolling-update` is now deprecated. Use `kubectl rollout` instead. ([#61285](https://github.com/kubernetes/kubernetes/pull/61285), [@soltysh](https://github.com/soltysh))
-* kube-apiserver: the default `--endpoint-reconciler-type` is now `lease`. The `master-count` endpoint reconciler type is deprecated and will be removed in 1.13. ([#63383](https://github.com/kubernetes/kubernetes/pull/63383), [@liggitt](https://github.com/liggitt))
-* OpenStack built-in cloud provider is now deprecated. Please use the external cloud provider for OpenStack. ([#63524](https://github.com/kubernetes/kubernetes/pull/63524), [@dims](https://github.com/dims))
-* The Kubelet's deprecated `--allow-privileged` flag now defaults to true. This enables users to stop setting `--allow-privileged` in order to transition to `PodSecurityPolicy`. Previously, users had to continue setting `--allow-privileged`, because the default was false. ([#63442](https://github.com/kubernetes/kubernetes/pull/63442), [@mtaufen](https://github.com/mtaufen))
-* The old dynamic client has been replaced by a new one. The previous dynamic client will exist for one release in `client-go/deprecated-dynamic`. Switch as soon as possible. ([#63446](https://github.com/kubernetes/kubernetes/pull/63446), [@deads2k](https://github.com/deads2k))
-* In-tree support for openstack credentials is now deprecated. please use the "client-keystone-auth" from the cloud-provider-openstack repository. details on how to use this new capability is documented [here](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-client-keystone-auth.md) ([#64346](https://github.com/kubernetes/kubernetes/pull/64346), [@dims](https://github.com/dims))
-* The GitRepo volume type is deprecated. To provision a container with a git repo, mount an `EmptyDir` into an `InitContainer` that clones the repo using git, then `moEmptyDir` into the Pod's container.
-([#63445](https://github.com/kubernetes/kubernetes/pull/63445), [@ericchiang](https://github.com/ericchiang))
-* Alpha annotation for PersistentVolume node affinity has been removed. Update your PersistentVolumes to use the beta PersistentVolume.nodeAffinity field before upgrading to this release. ([#61816](https://github.com/kubernetes/kubernetes/pull/61816), [@wackxu
-](https://github.com/wackxu))
-
-### Removed Deprecations
-
-* kubeadm has removed the `.ImagePullPolicy` field in the v1alpha2 API version. Instead it's set statically to `IfNotPresent` for all required images. If you want to always pull the latest images before cluster init (as `Always` would do), run `kubeadm config images pull` before each `kubeadm init`. If you don't want the kubelet to pull any images at `kubeadm init` time, for example if you don't have an internet connection, you can also run `kubeadm config images pull` before `kubeadm init` or side-load the images some other way (such as `docker load -i image.tar`). Having the images locally cached will result in no pull at runtime, which makes it possible to run without any internet connection. ([#64096](https://github.com/kubernetes/kubernetes/pull/64096), [@luxas](https://github.com/luxas))
-* kubeadm has removed `.Etcd.SelfHosting` from its configuration API. It was never used in practice ([#63871](https://github.com/kubernetes/kubernetes/pull/63871), [@luxas](https://github.com/luxas))
-* The deprecated and inactive option '--enable-custom-metrics' has been removed in 1.11. ([#60699](https://github.com/kubernetes/kubernetes/pull/60699), [@CaoShuFeng](https://github.com/CaoShuFeng))
-* --include-extended-apis, which was deprecated back in [#32894](https://github.com/kubernetes/kubernetes/pull/32894), has been removed. ([#62803](https://github.com/kubernetes/kubernetes/pull/62803), [@deads2k](https://github.com/deads2k))
-* Kubelets will no longer set `externalID` in their node spec. This feature has been deprecated since v1.1. ([#61877](https://github.com/kubernetes/kubernetes/pull/61877), [@mikedanese](https://github.com/mikedanese))
-* The `initresource` admission plugin has been removed. ([#58784](https://github.com/kubernetes/kubernetes/pull/58784), [@wackxu](https://github.com/wackxu))
-* `ObjectMeta `, `ListOptions`, and `DeleteOptions` have been removed from the core api group. Please reference them in `meta/v1` instead. ([#61809](https://github.com/kubernetes/kubernetes/pull/61809), [@hzxuzhonghu](https://github.com/hzxuzhonghu))
-* The deprecated `--mode` flag in `check-network-mode` has been removed. ([#60102](https://github.com/kubernetes/kubernetes/pull/60102), [@satyasm](https://github.com/satyasm))
-* Support for the `alpha.kubernetes.io/nvidia-gpu` resource, which was deprecated in 1.10, has been removed. Please use the resource exposed by DevicePlugins instead (`nvidia.com/gpu`). ([#61498](https://github.com/kubernetes/kubernetes/pull/61498), [@mindprince](https://github.com/mindprince))
-* The `kube-cloud-controller-manager` flag `--service-account-private-key-file` has been removed. Use `--use-service-account-credentials` instead. ([#60875](https://github.com/kubernetes/kubernetes/pull/60875), [@charrywanganthony](https://github.com/charrywanganthony))
-* The rknetes code, which was deprecated in 1.10, has been removed. Use rktlet and CRI instead. ([#61432](https://github.com/kubernetes/kubernetes/pull/61432), [@filbranden](https://github.com/filbranden))
-* DaemonSet scheduling associated with the alpha ScheduleDaemonSetPods feature flag has been emoved. See https://github.com/kubernetes/features/issues/548 for feature status. ([#61411](https://github.com/kubernetes/kubernetes/pull/61411), [@liggitt](https://github.com/liggitt))
-* The `METADATA_AGENT_VERSION` configuration option has been removed to keep metadata agent version consistent across Kubernetes deployments. ([#63000](https://github.com/kubernetes/kubernetes/pull/63000), [@kawych](https://github.com/kawych))
-* The deprecated `--service-account-private-key-file` flag has been removed from the cloud-controller-manager. The flag is still present and supported in the kube-controller-manager. ([#65182](https://github.com/kubernetes/kubernetes/pull/65182), [@liggitt](https://github.com/liggitt))
-* Removed alpha functionality that allowed the controller manager to approve kubelet server certificates. This functionality should be replaced by automating validation and approval of node server certificate signing requests. ([#62471](https://github.com/kubernetes/kubernetes/pull/62471), [@mikedanese](https://github.com/mikedanese))
-
-#### Graduated to Stable/GA
-* IPVS-based in-cluster load balancing is now GA ([ref](https://github.com/kubernetes/features/issues/265))
-* Enable CoreDNS as a DNS plugin for Kubernetes ([ref](https://github.com/kubernetes/features/issues/427))
-* Azure Go SDK is now GA ([#63063](https://github.com/kubernetes/kubernetes/pull/63063), [@feiskyer](https://github.com/feiskyer))
-* ClusterRole aggregation is now GA ([ref](https://github.com/kubernetes/features/issues/502))
-* CRI validation test suite is now GA ([ref](https://github.com/kubernetes/features/issues/292))
-* StorageObjectInUseProtection is now GA ([ref](https://github.com/kubernetes/features/issues/498)) and ([ref](https://github.com/kubernetes/features/issues/499))
-
-#### Graduated to Beta
-
-* Supporting out-of-tree/external cloud providers is now considered beta ([ref](https://github.com/kubernetes/features/issues/88))
-* Resizing PersistentVolumes after pod restart is now considered beta. ([ref](https://github.com/kubernetes/features/issues/284))
-* sysctl support is now considered beta ([ref](https://github.com/kubernetes/features/issues/34))
-* Support for Azure Virtual Machine Scale Sets is now considered beta. ([ref](https://github.com/kubernetes/features/issues/513))
-* Azure support for Cluster Autoscaler is now considered beta. ([ref](https://github.com/kubernetes/features/issues/514))
-* The ability to limit a node's access to the API is now considered beta. ([ref](https://github.com/kubernetes/features/issues/279))
-* CustomResource versioning is now considered beta. ([ref](https://github.com/kubernetes/features/issues/544))
-* Windows container configuration in CRI is now considered beta ([ref](https://github.com/kubernetes/features/issues/547))
-* CRI logging and stats are now considered beta ([ref](https://github.com/kubernetes/features/issues/552))
-* The dynamic Kubelet config feature is now beta, and the DynamicKubeletConfig feature gate is on by default. In order to use dynamic Kubelet config, ensure that the Kubelet's --dynamic-config-dir option is set. ([#64275](https://github.com/kubernetes/kubernetes/pull/64275), [@mtaufen](https://github.com/mtaufen))
-* The Sysctls experimental feature has been promoted to beta (enabled by default via the `Sysctls` feature flag). PodSecurityPolicy and Pod objects now have fields for specifying and controlling sysctls. Alpha sysctl annotations will be ignored by 1.11+ kubelets. All alpha sysctl annotations in existing deployments must be converted to API fields to be effective. ([#6371](https://github.com/kubernetes/kubernetes/pull/63717), [@ingvagabund](https://github.com/ingvagabund))
-* Volume expansion is now considered Beta. ([#64288](https://github.com/kubernetes/kubernetes/pull/64288), [@gnufied](https://github.com/gnufied))
-* CRI container log rotation is now considered beta, and is enabled by default. ([#64046](https://github.com/kubernetes/kubernetes/pull/64046), [@yujuhong](https://github.com/yujuhong))
-* The `PriorityClass` API has been promoted to `scheduling.k8s.io/v1beta1` ([#63100](https://github.com/kubernetes/kubernetes/pull/63100), [@ravisantoshgudimetla](https://github.com/ravisantoshgudimetla))
-* The priorityClass feature is now considered beta. ([#63724](https://github.com/kubernetes/kubernetes/pull/63724), [@ravisantoshgudimetla](https://github.com/ravisantoshgudimetla))
-* client-go: credential exec plugins is now considered beta. ([#64482](https://github.com/kubernetes/kubernetes/pull/64482), [@ericchiang](https://github.com/ericchiang))
-* Subresources for custom resources is now considered beta and enabled by default. With this, updates to the `/status` subresource will disallow updates to all fields other than `.status` (not just `.spec` and `.metadata` as before). Also, `required` can be used at the root of the CRD OpenAPI validation schema when the `/status` subresource is enabled. ([#63598](https://github.com/kubernetes/kubernetes/pull/63598), [@nikhita](https://github.com/nikhita))
-
-### New alpha features
-
-* kube-scheduler can now schedule DaemonSet pods ([ref](https://github.com/kubernetes/features/issues/548))
-* You can now resize PersistentVolumes without taking them offline ([ref](https://github.com/kubernetes/features/issues/531))
-* You can now set a maximum volume count ([ref](https://github.com/kubernetes/features/issues/554))
-* You can now do environment variable expansion in a subpath mount. ([ref](https://github.com/kubernetes/features/issues/559))
-* You can now run containers in a pod as a particular group. ([ref](https://github.com/kubernetes/features/issues/213))
-You can now bind tokens to service requests. ([ref](https://github.com/kubernetes/features/issues/542))
-* The --experimental-qos-reserve kubelet flags has been replaced by the alpha level --qos-reserved flag or the QOSReserved field in the kubeletconfig, and requires the QOSReserved feature gate to be enabled. ([#62509](https://github.com/kubernetes/kubernetes/pull/62509), [@sjenning](https://github.com/sjenning))
-
-## Other Notable Changes
-
-### SIG API Machinery
-
-* Orphan delete is now supported for custom resources. ([#63386](https://github.com/kubernetes/kubernetes/pull/63386), [@roycaihw](https://github.com/roycaihw))
-* Metadata of CustomResources is now pruned and schema-checked during deserialization of requests and when read from etcd. In the former case, invalid meta data is rejected, in the later it is dropped from the CustomResource objects. ([#64267](https://github.com/kubernetes/kubernetes/pull/64267), [@sttts](https://github.com/sttts))
-* The kube-apiserver openapi doc now includes extensions identifying `APIService` and `CustomResourceDefinition` `kind`s ([#64174](https://github.com/kubernetes/kubernetes/pull/64174), [@liggitt](https://github.com/liggitt))
-* CustomResourceDefinitions Status subresource now supports GET and PATCH ([#63619](https://github.com/kubernetes/kubernetes/pull/63619), [@roycaihw](https://github.com/roycaihw))
-* When updating `/status` subresource of a custom resource, only the value at the `.status` subpath for the update is considered. ([#63385](https://github.cm/kubernetes/kubernetes/pull/63385), [@CaoShuFeng](https://github.com/CaoShuFeng))
-* Added a way to pass extra arguments to etcd. The these extra arguments can be used to adjust runtime configuration like heartbeat interval etc. ([#63961](https://github.com/kubernetes/kubernetes/pull/63961), [@mborsz](https://github.com/mborsz))
-* Added Establishing Controller on CRDs to avoid race between Established condition and CRs actually served. In HA setups, the Established condition is delayed by 5 seconds. ([#63068](https://github.com/kubernetes/kubernetes/pull/63068), [@xmudrii](https://github.com/xmudrii))
-* Added `spec.additionalPrinterColumns` to CRDs to define server side printing columns. ([#60991](https://github.com/kubernetes/kubernetes/pull/60991), [@sttts](https://github.com/sttts))
-* Added CRD Versioning with NOP converter ([#63830](https://github.com/kubernetes/kubernetes/pull/63830), [@mbohlool](https://github.com/mbohlool))
-* Allow "required" and "description" to be used at the CRD OpenAPI validation schema root when the `/status` subresource is enabled. ([#63533](https://github.com/kubernetes/kubernetes/pull/63533), [@sttts](https://github.com/sttts))
-* Etcd health checks by the apiserver now ensure the apiserver can connect to and exercise the etcd API. ([#65027](https://github.com/kubernetes/kubernetes/pull/65027), [@liggitt](https://github.com/liggitt)) api- machinery
-* The deprecated `--service-account-private-key-file` flag has been removed from the `cloud-controller-manager`. The flag is still present and supported in the `kube-controller-manager`. ([#65182](https://github.com/kubernetes/kubernetes/pull/65182), [@liggitt](https://github.com/liggitt))
-* Webhooks for the mutating admission controller now support the "remove" operation. ([#64255](https://github.com/kubernetes/kubernetes/pull/64255), [@rojkov](https://github.com/rojkov)) sig-API machinery
-* The CRD OpenAPI v3 specification for validation now allows `additionalProperties`, which are mutually exclusive to properties. ([#62333](https://github.com/kubernetes/kubernetes/pull/62333), [@sttts](https://github.com/sttts))
-* Added the apiserver configuration option to choose the audit output version. ([#60056](https://github.com/kubernetes/kubernetes/pull/60056), [@crassirostris](https://github.com/crassirostris))
-* Created a new `dryRun` query parameter for mutating endpoints. If the parameter is set, then the query will be rejected, as the feature is not implemented yet. This will allow forward compatibility with future clients; otherwise, future clients talking with older apiservers might end up modifying a resource even if they include the `dryRun` query parameter. ([#63557](https://github.com/kubernetes/kubernetes/pull/63557), [@apelisse](https://github.com/apelisse))
-* `list`/`watch` API requests with a `fieldSelector` that specifies `metadata.name` can now be authorized as requests for an individual named resource ([#63469](https://github.com/kubernetes/kubernetes/pull/63469), [@wojtek-t](https://github.com/wojtek-t))
-* Exposed `/debug/flags/v` to allow dynamically set glog logging level. For example, to change glog level to 3, send a PUT request such as `curl -X PUT http://127.0.0.1:8080/debug/flags/v -d "3"`. ([#63777](https://github.com/kubernetes/kubernetes/pull/63777), [@hzxuzhonghu](https://github.com/hzxuzhonghu))
-* Exec authenticator plugin supports TLS client certificates. ([#61803](https://github.com/kubernetes/kubernetes/pull/61803), [@awly](https://github.com/awly))
-* The `serverAddressByClientCIDRs` property in `metav1.APIGroup`(discovery API) is now optional instead of required. ([#61963](https://github.com/kubernetes/kubernetes/pull/61963), [@roycaihw](https://github.com/roycaihw))
-* `apiservices/status` and `certificatesigningrequests/status` now support `GET` and `PATCH` ([#64063](https://github.com/kubernetes/kubernetes/pull/64063), [@roycaihw](https://github.com/roycaihw))
-* APIServices with kube-like versions (e.g. `v1`, `v2beta1`, etc.) will be sorted appropriately within each group. ([#64004](https://github.com/kubernetes/kubernetes/pull/64004), [@mbohlool](https://github.com/mbohlool))
-* Event object references with apiversion will now that value. ([#63913](https://github.com/kubernetes/kubernetes/pull/63913), [@deads2k](https://github.com/deads2k))
-* Fixes the `kubernetes.default.svc` loopback service resolution to use a loopback configuration. ([#62649](https://github.com/kubernetes/kubernetes/pull/62649), [@liggitt](https://github.com/liggitt))
-
-### SIG Apps
-
-* Added generators for `apps/v1` deployments. ([#61288](https://github.com/kubernetes/kubernetes/pull/61288), [@ayushpateria](https://github.com/ayushpateria))
-
-### SIG Auth
-
-* RBAC information is now included in audit logs via audit.Event annotations:
- * authorization.k8s.io/decision = {allow, forbid}
- * authorization.k8s.io/reason = human-readable reason for the decision ([#58807](https://github.com/kubernetes/kubernetes/pull/58807), [@CaoShuFeng](https://github.com/CaoShuFeng))
-* `kubectl certificate approve|deny` will not modify an already approved or denied CSR unless the `--force` flag is provided. ([#61971](https://github.com/kubernetes/kubernetes/pull/61971), [@smarterclayton](https://github.com/smarterclayton))
-* The `--bootstrap-kubeconfig` argument to Kubelet previously created the first bootstrap client credentials in the certificates directory as `kubelet-client.key` and `kubelet-client.crt`. Subsequent certificates created by cert rotation were created in a combined PEM file that was atomically rotated as `kubelet-client-DATE.pem` in that directory, which meant clients relying on the `node.kubeconfig` generated by bootstrapping would never use a rotated cert. The initial bootstrap certificate is now generated into the cert directory as a PEM file and symlinked to `kubelet-client-current.pem` so that the generated kubeconfig remains valid after rotation. ([#62152](https://github.com/kubernetes/kubernetes/pull/62152), [@smarterclayton](https://github.com/smarterclayton))
-* Owner references can now be set during creation, even if the user doesn't have deletion power ([#63403](https://github.com/kubernetes/kubernetes/pull/63403), [@deads2k](https://github.com/deads2k))
-* Laid the groundwork for OIDC distributed claims handling in the apiserver authentication token checker. A distributed claim allows the OIDC provider to delegate a claim to a separate URL. ([ref](http://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims)). ([#63213](https://github.com/kubernetes/kubernetes/pull/63213), [@filmil](https://github.com/filmil))
-* RBAC: all configured authorizers are now checked to determine if an RBAC role or clusterrole escalation (setting permissions the user does not currently have via RBAC) is allowed. ([#56358](https://github.com/kubernetes/kubernetes/pull/56358), [@liggitt](https://github.com/liggitt))
-* kube-apiserver: OIDC authentication now supports requiring specific claims with `--oidc-required-claim==` Previously, there was no mechanism for a user to specify claims in the OIDC authentication process that were requid to be present in the ID Token with an expected value. This version now makes it possible to require claims support for the OIDC authentication. It allows users to pass in a `--oidc-required-claims` flag, and `key=value` pairs in the API config, which will ensure that the specified required claims are checked against the ID Token claims. ([#62136](https://github.com/kubernetes/kubernetes/pull/62136), [@rithujohn191](https://github.com/rithujohn191))
-* Included the list of security groups when failing with the errors that more than one is tagged. ([#58874](https://github.com/kubernetes/kubernetes/pull/58874), [@sorenmat](https://github.com/sorenmat))
-* Added proxy for container streaming in kubelet for streaming auth. ([#64006](https://github.com/kubernetes/kubernetes/pull/64006), [@Random-Liu](https://github.com/Random-Liu))
-* PodSecurityPolicy admission information has been added to audit logs. ([#58143](https://github.com/kubernetes/kubernetes/pull/58143), [@CaoShuFeng](https://github.com/CaoShuFeng))
-* TokenRequests now are required to have an expiration duration between 10 minutes and 2^32 seconds. ([#63999](https://github.com/kubernetes/kubernetes/pull/63999), [@mikedanese](https://github.com/mikedanese))
-* The `NodeRestriction` admission plugin now prevents kubelets from modifying/removing taints applied to their Node API object. ([#63167](https://github.com/kubernetes/kubernetes/pull/63167), [@liggitt](https://github.com/liggitt))
-* authz: nodes should not be able to delete themselves ([#62818](https://github.com/kubernetes/kubernetes/pull/62818), [@mikedanese](https://github.com/mikedanese))
-
-### SIG Autoscaling
-
-* A cluster-autoscaler ClusterRole is added to cover only the functionality required by Cluster Autoscaler and avoid abusing system:cluster-admin role. Cloud providers other than GCE might want to update their deployments or sample yaml files to reuse the role created via add-on. ([#64503](https://github.com/kubernetes/kubernetes/pull/64503), [@kgolab](https://github.com/kgolab))
-
-### SIG Azure
-
-* The Azure cloud provider now supports standard SKU load balancer and public IP.
-`excludeMasterFromStandardLB` defaults to true, which means master nodes are excluded from the standard load balancer. Also note that because all nodes (except master) are added as loadbalancer backends, the standard load balancer doesn't work with the `service.beta.kubernetes.io/azure-load-balancer-mode` annotation.
-([#61884](https://github.com/kubernetes/kubernetes/pull/61884), [#62707](https://github.com/kubernetes/kubernetes/pull/62707), [@feiskyer](https://github.com/feiskyer))
-* The Azure cloud provider now supports specifying allowed service tags by the `service.beta.kubernetes.io/azure-allowed-service-tags` annotation. ([#61467](https://github.com/kubernetes/kubernetes/pull/61467), [@feiskyer](https://github.com/feiskyer))
-* You can now change the size of an azuredisk PVC using `kubectl edit pvc pvc-azuredisk`. Note that this operation will fail if the volume is already attached to a running VM. ([#64386](https://github.com/kubernetes/kubernetes/pull/64386), [@andyzhangx](https://github.com/andyzhangx))
-* Block device support has been added for azure disk. ([#63841](https://github.com/kubernetes/kubernetes/pull/63841), [@andyzhangx](https://github.com/andyzhangx))
-* Azure VM names can now contain the underscore (`_`) character ([#63526](https://github.com/kubernetes/kubernetes/pull/63526), [@djsly](https://github.com/djsly))
-* Azure disks now support external resource groups.
-([#64427](https://github.com/kubernetes/kuernetes/pull/64427), [@andyzhangx](https://github.com/andyzhangx))
-* Added reason message logs for non-existant Azure resources.
-([#64248](https://github.com/kubernetes/kubernetes/pull/64248), [@feiskyer](https://github.com/feiskyer))
-
-### SIG CLI
-
-* You can now use the `base64decode` function in kubectl go templates to decode base64-encoded data, such as `kubectl get secret SECRET -o go-template='{{ .data.KEY | base64decode }}'`. ([#60755](https://github.com/kubernetes/kubernetes/pull/60755), [@glb](https://github.com/glb))
-* `kubectl patch` now supports `--dry-run`. ([#60675](https://github.com/kubernetes/kubernetes/pull/60675), [@timoreimann](https://github.com/timoreimann))
-* The global flag `--match-server-version` is now global. `kubectl version` will respect it. ([#63613](https://github.com/kubernetes/kubernetes/pull/63613), [@deads2k](https://github.com/deads2k))
-* kubectl will list all allowed print formats when an invalid format is passed. ([#64371](https://github.com/kubernetes/kubernetes/pull/64371), [@CaoShuFeng](https://github.com/CaoShuFeng))
-* The global flag "context" now gets applied to `kubectl config view --minify`. In previous versions, this command was only available for `current-context`. Now it will be easier for users to view other non current contexts when minifying. ([#64608](https://github.com/kubernetes/kubernetes/pull/64608), [@dixudx](https://github.com/dixudx))
-* `kubectl apply --prune` supports CronJob resources. ([#62991](https://github.com/kubernetes/kubernetes/pull/62991), [@tomoe](https://github.com/tomoe))
-* The `--dry-run` flag has been enabled for `kubectl auth reconcile` ([#64458](https://github.com/kubernetes/kubernetes/pull/64458), [@mrogers950](https://github.com/mrogers950))
-* `kubectl wait` is a new command that allows waiting for one or more resources to be deleted or to reach a specific condition. It adds a `kubectl wait --for=[delete|condition=condition-name] resource/string` command. ([#64034](https://github.com/kubernetes/kubernetes/pull/64034), [@deads2k](https://github.com/deads2k))
-* `kubectl auth reconcile` only works with rbac.v1; all the core helpers have been switched over to use the external types. ([#63967](https://github.com/kubernetes/kubernetes/pull/63967), [@deads2k](https://github.com/deads2k))
-* kubectl and client-go now detect duplicated names for user, cluster and context when loading kubeconfig and report this condition as an error. ([#60464](https://github.com/kubernetes/kubernetes/pull/60464), [@roycaihw](https://github.com/roycaihw))
-* Added 'UpdateStrategyType' and 'RollingUpdateStrategy' to 'kubectl describe sts' command output. ([#63844](https://github.com/kubernetes/kubernetes/pull/63844), [@tossmilestone](https://github.com/tossmilestone))
-* Initial Korean translation for kubectl has been added. ([#62040](https://github.com/kubernetes/kubernetes/pull/62040), [@ianychoi](https://github.com/ianychoi))
-* `kubectl cp` now supports completion.
-([#60371](https://github.com/kubernetes/kubernetes/pull/60371), [@superbrothers](https://github.com/superbrothers))
-* The shortcuts that were moved server-side in at least 1.9 have been removed from being hardcoded in kubectl. This means that the client-based restmappers have been moved to client-go, where everyone who needs them can have access. ([#63507](https://github.com/kubernetes/kubernetes/pull/63507), [@deads2k](https://github.com/deads2k))
-* When using `kubectl delete` with selection criteria, the defaults to is now to ignore "not found" errors. Note that this does not apply when deleting a speciic resource. ([#63490](https://github.com/kubernetes/kubernetes/pull/63490), [@deads2k](https://github.com/deads2k))
-* `kubectl create [secret | configmap] --from-file` now works on Windows with fully-qualified paths ([#63439](https://github.com/kubernetes/kubernetes/pull/63439), [@liggitt](https://github.com/liggitt))
-* Portability across systems has been increased by the use of `/usr/bin/env` in all script shebangs. ([#62657](https://github.com/kubernetes/kubernetes/pull/62657), [@matthyx](https://github.com/matthyx))
-* You can now use `kubectl api-resources` to discover resources.
- ([#42873](https://github.com/kubernetes/kubernetes/pull/42873), [@xilabao](https://github.com/xilabao))
-* You can now display requests/limits of extended resources in node allocated resources. ([#46079](https://github.com/kubernetes/kubernetes/pull/46079), [@xiangpengzhao](https://github.com/xiangpengzhao))
-* The `--remove-extra-subjects` and `--remove-extra-permissions` flags have been enabled for `kubectl auth reconcile` ([#64541](https://github.com/kubernetes/kubernetes/pull/64541), [@mrogers950](https://github.com/mrogers950))
-* kubectl now has improved compatibility with older servers when creating/updating API objects ([#61949](https://github.com/kubernetes/kubernetes/pull/61949), [@liggitt](https://github.com/liggitt))
-* `kubectl apply` view/edit-last-applied now supports completion. ([#60499](https://github.com/kubernetes/kubernetes/pull/60499), [@superbrothers](https://github.com/superbrothers))
-
-### SIG Cluster Lifecycle
-
- * kubeadm: The `:Etcd` struct has been refactored in the v1alpha2 API. All the options now reside under either `.Etcd.Local` or `.Etcd.External`. Automatic conversions from the v1alpha1 API are supported. ([#64066](https://github.com/kubernetes/kubernetes/pull/64066), [@luxas](https://github.com/luxas))
-* kubeadm now uses an upgraded API version for the configuration file, `kubeadm.k8s.io/v1alpha2`. kubeadm in v1.11 will still be able to read `v1alpha1` configuration, and will automatically convert the configuration to `v1alpha2`, both internally and when storing the configuration in the ConfigMap in the cluster. ([#63788](https://github.com/kubernetes/kubernetes/pull/63788), [@luxas](https://github.com/luxas))
-* Phase `kubeadm alpha phase kubelet` has been added to support dynamic kubelet configuration in kubeadm. ([#57224](https://github.com/kubernetes/kubernetes/pull/57224), [@xiangpengzhao](https://github.com/xiangpengzhao))
-* The kubeadm config option `API.ControlPlaneEndpoint` has been extended to take an optional port, which may differ from the apiserver's bind port. ([#62314](https://github.com/kubernetes/kubernetes/pull/62314), [@rjosephwright](https://github.com/rjosephwright))
-* The `--cluster-name` parameter has been added to kubeadm init, enabling users to specify the cluster name in kubeconfig. ([#60852](https://github.com/kubernetes/kubernetes/pull/60852), [@karan](https://github.com/karan))
-* The logging feature for kubeadm commands now supports a verbosity setting. ([#57661](https://github.com/kubernetes/kubernetes/pull/57661), [@vbmade2000](https://github.com/vbmade2000))
-* kubeadm now has a join timeout that can be controlled via the `discoveryTimeout` config option. This option is set to 5 minutes by default. ([#60983](https://github.com/kubernetes/kubernetes/pull/60983), [@rosti](https://github.com/rosti))
-* Added the `writable` boolean option to kubeadm config. This option works on a per-volume basis for `ExtraVolumes` config keys. ([#60428](https://github.com/kubernetes/kubernetes/pul60428), [@rosti](https://github.com/rosti))
-* Added a new `kubeadm upgrade node config` command. ([#64624](https://github.com/kubernetes/kubernetes/pull/64624), [@luxas](https://github.com/luxas))
-* kubeadm now makes the CoreDNS container more secure by dropping (root) capabilities and improves the integrity of the container by running the whole container in read-only. ([#64473](https://github.com/kubernetes/kubernetes/pull/64473), [@nberlee](https://github.com/nberlee))
-* kubeadm now detects the Docker cgroup driver and starts the kubelet with the matching driver. This eliminates a common error experienced by new users in when the Docker cgroup driver is not the same as the one set for the kubelet due to different Linux distributions setting different cgroup drivers for Docker, making it hard to start the kubelet properly.
-([#64347](https://github.com/kubernetes/kubernetes/pull/64347), [@neolit123](https://github.com/neolit123))
-* Added a 'kubeadm config migrate' command to convert old API types to their newer counterparts in the new, supported API types. This is just a client-side tool; it just executes locally without requiring a cluster to be running, operating in much the same way as a Unix pipe that upgrades config files. ([#64232](https://github.com/kubernetes/kubernetes/pull/64232), [@luxas](https://github.com/luxas))
-* kubeadm will now pull required images during preflight checks if it cannot find them on the system. ([#64105](https://github.com/kubernetes/kubernetes/pull/64105), [@chuckha](https://github.com/chuckha))
-* "kubeadm init" now writes a structured and versioned kubelet ComponentConfiguration file to `/var/lib/kubelet/config.yaml` and an environment file with runtime flags that you can source in the systemd kubelet dropin to `/var/lib/kubelet/kubeadm-flags.env`. ([#63887](https://github.com/kubernetes/kubernetes/pull/63887), [@luxas](https://github.com/luxas))
-* A `kubeadm config print-default` command has now been added. You can use this command to output a starting point when writing your own kubeadm configuration files. ([#63969](https://github.com/kubernetes/kubernetes/pull/63969), [@luxas](https://github.com/luxas))
-* Updated kubeadm's minimum supported kubernetes in v1.11.x to 1.10 ([#63920](https://github.com/kubernetes/kubernetes/pull/63920), [@dixudx](https://github.com/dixudx))
-* Added the `kubeadm upgrade diff` command to show how static pod manifests will be changed by an upgrade. This command shows the changes that will be made to the static pod manifests before applying them. This is a narrower case than kubeadm upgrade apply --dry-run, which specifically focuses on the static pod manifests. ([#63930](https://github.com/kubernetes/kubernetes/pull/63930), [@liztio](https://github.com/liztio))
-* The `kubeadm config images pull` command can now be used to pull container images used by kubeadm. ([#63833](https://github.com/kubernetes/kubernetes/pull/63833), [@chuckha](https://github.com/chuckha))
-* kubeadm will now deploy CoreDNS by default instead of KubeDNS ([#63509](https://github.com/kubernetes/kubernetes/pull/63509), [@detiber](https://github.com/detiber))
-* Preflight checks for kubeadm no longer validate custom kube-apiserver, kube-controller-manager and kube-scheduler arguments. ([#63673](https://github.com/kubernetes/kubernetes/pull/63673), [@chuckha](https://github.com/chuckha))
-* Added a `kubeadm config images list` command that lists required container images for a kubeadm install. ([#63450](https://github.com/kubernetes/kubernetes/pull/63450), [@chuckha](https://github.com/chukha))
-* You can now use `kubeadm token` specifying `--kubeconfig`. In this case, kubeadm searches the current user home path and the environment variable KUBECONFIG for existing files. If provided, the `--kubeconfig` flag will be honored instead. ([#62850](https://github.com/kubernetes/kubernetes/pull/62850), [@neolit123](https://github.com/neolit123))
-([#64988](https://github.com/kubernetes/kubernetes/pull/64988), [@detiber](https://github.com/detiber))
-* kubeadm now sets peer URLs for the default etcd instance. Previously we left the defaults, which meant the peer URL was unsecured.
-* Kubernetes now packages crictl in a cri-tools deb and rpm package. ([#64836](https://github.com/kubernetes/kubernetes/pull/64836), [@chuckha](https://github.com/chuckha))
-* kubeadm now prompts the user for confirmation when resetting a master node. ([#59115](https://github.com/kubernetes/kubernetes/pull/59115), [@alexbrand](https://github.com/alexbrand))
-* kubead now creates kube-proxy with a toleration to run on all nodes, no matter the taint. ([#62390](https://github.com/kubernetes/kubernetes/pull/62390), [@discordianfish](https://github.com/discordianfish))
-* kubeadm now sets the kubelet `--resolv-conf` flag conditionally on init. ([#64665](https://github.com/kubernetes/kubernetes/pull/64665), [@stealthybox](https://github.com/stealthybox))
-* Added ipset and udevadm to the hyperkube base image. ([#61357](https://github.com/kubernetes/kubernetes/pull/61357), [@rphillips](https://github.com/rphillips))
-
-### SIG GCP
-
-* Kubernetes clusters on GCE now have crictl installed. Users can use it to help debug their nodes. See the [crictl documentation](https://github.com/kubernetes-incubator/cri-tools/blob/master/docs/crictl.md) for details. ([#63357](https://github.com/kubernetes/kubernetes/pull/63357), [@Random-Liu](https://github.com/Random-Liu))
-* `cluster/kube-up.sh` now provisions a Kubelet config file for GCE via the metadata server. This file is installed by the corresponding GCE init scripts. ([#62183](https://github.com/kubernetes/kubernetes/pull/62183), [@mtaufen](https://github.com/mtaufen))
-* GCE: Update cloud provider to use TPU v1 API ([#64727](https://github.com/kubernetes/kubernetes/pull/64727), [@yguo0905](https://github.com/yguo0905))
-* GCE: Bump GLBC version to 1.1.1 - fixing an issue of handling multiple certs with identical certificates. ([#62751](https://github.com/kubernetes/kubernetes/pull/62751), [@nicksardo](https://github.com/nicksardo))
-
-### SIG Instrumentation
-
-* Added prometheus cluster monitoring addon to kube-up. ([#62195](https://github.com/kubernetes/kubernetes/pull/62195), [@serathius](https://github.com/serathius))
-* Kubelet now exposes a new endpoint, `/metrics/probes`, which exposes a Prometheus metric containing the liveness and/or readiness probe results for a container. ([#61369](https://github.com/kubernetes/kubernetes/pull/61369), [@rramkumar1](https://github.com/rramkumar1))
-
-### SIG Network
-
-* The internal IP address of the node is now added as additional information for kubectl. ([#57623](https://github.com/kubernetes/kubernetes/pull/57623), [@dixudx](https://github.com/dixudx))
-* NetworkPolicies can now target specific pods in other namespaces by including both a namespaceSelector and a podSelector in the same peer element. ([#60452](https://github.com/kubernetes/kubernetes/pull/60452), [@danwinship](https://github.com/danwinship))
-* CoreDNS deployment configuration now uses the k8s.gcr.io imageRepository. ([#64775](https://github.com/kubernetes/kubernetes/pull/64775), [@rajansandeep](https://giub.com/rajansandeep))
-* kubelet's `--cni-bin-dir` option now accepts multiple comma-separated CNI binary directory paths, which are searched for CNI plugins in the given order. ([#58714](https://github.com/kubernetes/kubernetes/pull/58714), [@dcbw](https://github.com/dcbw))
-* You can now use `--ipvs-exclude-cidrs` to specify a list of CIDR's which the IPVS proxier should not touch when cleaning up IPVS rules. ([#62083](https://github.com/kubernetes/kubernetes/pull/62083), [@rramkumar1](https://github.com/rramkumar1))
-* You can now receive node DNS info with the `--node-ip` flag, which adds `ExternalDNS`, `InternalDNS`, and `ExternalIP` to kubelet's output. ([#63170](https://github.com/kubernetes/kubernetes/pull/63170), [@micahhausler](https://github.com/micahhausler))
-* You can now have services that listen on the same host ports on different interfaces by specifying `--nodeport-addresses`. ([#62003](https://github.com/kubernetes/kubernetes/pull/62003), [@m1093782566](https://github.com/m1093782566))
-* Added port-forward examples for service
-
-### SIG Node
-
-* CRI: The container log path has been changed from containername_attempt#.log to containername/attempt#.log ([#62015](https://github.com/kubernetes/kubernetes/pull/62015), [@feiskyer](https://github.com/feiskyer))
-* Introduced the `ContainersReady` condition in Pod status. ([#64646](https://github.com/kubernetes/kubernetes/pull/64646), [@freehan](https://github.com/freehan))
-* Kubelet will now set extended resource capacity to zero after it restarts. If the extended resource is exported by a device plugin, its capacity will change to a valid value after the device plugin re-connects with the Kubelet. If the extended resource is exported by an external component through direct node status capacity patching, the component should repatch the field after kubelet becomes ready again. During the time gap, pods previously assigned with such resources may fail kubelet admission but their controller should create new pods in response to such failures. ([#64784](https://github.com/kubernetes/kubernetes/pull/64784), [@jiayingz](https://github.com/jiayingz)) node
-* You can now use a security context with Windows containers
-([#64009](https://github.com/kubernetes/kubernetes/pull/64009), [@feiskyer](https://github.com/feiskyer))
-* Added e2e regression tests for kubelet security. ([#64140](https://github.com/kubernetes/kubernetes/pull/64140), [@dixudx](https://github.com/dixudx))
-* The maximum number of images the Kubelet will report in the Node status can now be controlled via the Kubelet's `--node-status-max-images` flag. The default (50) remains the same. ([#64170](https://github.com/kubernetes/kubernetes/pull/64170), [@mtaufen](https://github.com/mtaufen))
-* The Kubelet now exports metrics that report the assigned (`node_config_assigned`), last-known-good (`node_config_last_known_good`), and active (`node_config_active`) config sources, and a metric indicating whether the node is experiencing a config-related error (`node_config_error`). The config source metrics always report the value `1`, and carry the `node_config_name`, `node_config_uid`, `node_config_resource_version`, and `node_config_kubelet_key labels`, which identify the config version. The error metric reports `1` if there is an error, `0` otherwise. ([#57527](https://github.com/kubernetes/kubernetes/pull/57527), [@mtaufen](https://github.com/mtaufen))
-* You now have the ability to quota resources by priority. ([#57963](https://github.com/kubernetes/kubernetes/pull/57963), [@vikaschoudhary16](https://github.com/ikaschoudhary16))
-* The gRPC max message size in the remote container runtime has been increased to 16MB. ([#64672](https://github.com/kubernetes/kubernetes/pull/64672), [@mcluseau](https://github.com/mcluseau))
-* Added a feature gate for the plugin watcher. ([#64605](https://github.com/kubernetes/kubernetes/pull/64605), [@vikaschoudhary16](https://github.com/vikaschoudhary16))
-* The status of dynamic Kubelet config is now reported via Node.Status.Config, rather than the KubeletConfigOk node condition. ([#63314](https://github.com/kubernetes/kubernetes/pull/63314), [@mtaufen](https://github.com/mtaufen))
-* You must now specify `Node.Spec.ConfigSource.ConfigMap.KubeletConfigKey` when using dynamic Kubelet config to tell the Kubelet which key of the `ConfigMap` identifies its config file. ([#59847](https://github.com/kubernetes/kubernetes/pull/59847), [@mtaufen](https://github.com/mtaufen))
-* The dynamic Kubelet config feature will now update the config in the event of a ConfigMap mutation, which reduces the chance for silent config skew. Only name, namespace, and kubeletConfigKey may now be set in `Node.Spec.ConfigSource.ConfigMap`. The least disruptive pattern for config management is still to create a new ConfigMap and incrementally roll out a new `Node.Spec.ConfigSource`. ([#63221](https://github.com/kubernetes/kubernetes/pull/63221), [@mtaufen](https://github.com/mtaufen))
-* Change seccomp annotation from "docker/default" to "runtime/default" ([#62662](https://github.com/kubernetes/kubernetes/pull/62662), [@wangzhen127](https://github.com/wangzhen127))
-* The node authorizer now automatically sets up rules for `Node.Spec.ConfigSource` when the DynamicKubeletConfig feature gate is enabled. ([#60100](https://github.com/kubernetes/kubernetes/pull/60100), [@mtaufen](https://github.com/mtaufen))
-* CRI now defines mounting behavior. If the host path doesn't exist, the runtime should return an error. If the host path is a symlink, the runtime should follow the symlink and mount the real destination to the container. ([#61460](https://github.com/kubernetes/kubernetes/pull/61460), [@feiskyer](https://github.com/feiskyer))
-
-### SIG OpenStack
-
-* Provide a meaningful error message in the openstack cloud provider when no valid IP address can be found for a node, rather than just the first address of the node, which leads to a load balancer error if that address is a hostname or DNS name instead of an IP address. ([#64318](https://github.com/kubernetes/kubernetes/pull/64318), [@gonzolino](https://github.com/gonzolino))
-* Restored the pre-1.10 behavior of the openstack cloud provider, which uses the instance name as the Kubernetes Node name. This requires instances be named with RFC-1123 compatible names. ([#63903](https://github.com/kubernetes/kubernetes/pull/63903), [@liggitt](https://github.com/liggitt))
-* Kubernetes will try to read the openstack auth config from the client config and fall back to read from the environment variables if the auth config is not available. ([#60200](https://github.com/kubernetes/kubernetes/pull/60200), [@dixudx](https://github.com/dixudx))
-
-### SIG Scheduling
-
-* Schedule DaemonSet Pods in scheduler, rather than the Daemonset controller.
-([#63223](https://github.com/kubernetes/kubernetes/pull/63223), [@k82cn](https://github.com/k82cn))
-* Added `MatchFields` to `NodeSelectorTerm`; in 1.11, it only supports `metadata.name`. ([#62002](https://github.com/kubernetes/kubernetes/pull/62002), [@k82cn](https://github.com/k82cn))
-* kube-scheduler now has the `--write-config-to` flag so that Scheduler canwritets default configuration to a file.
-([#62515](https://github.com/kubernetes/kubernetes/pull/62515), [@resouer](https://github.com/resouer))
-* Performance of the affinity/anti-affinity predicate for the default scheduler has been significantly improved. ([#62211](https://github.com/kubernetes/kubernetes/pull/62211), [@bsalamat](https://github.com/bsalamat))
-* The 'scheduling_latency_seconds' metric into has been split into finer steps (predicate, priority, preemption). ([#65306](https://github.com/kubernetes/kubernetes/pull/65306), [@shyamjvs](https://github.com/shyamjvs))
-* Scheduler now has a summary-type metric, 'scheduling_latency_seconds'. ([#64838](https://github.com/kubernetes/kubernetes/pull/64838), [@krzysied](https://github.com/krzysied))
-* `nodeSelector.matchFields` (node's `metadata.node`) is now supported in scheduler. ([#62453](https://github.com/kubernetes/kubernetes/pull/62453), [@k82cn](https://github.com/k82cn))
-* Added a parametrizable priority function mapping requested/capacity ratio to priority. This function is disabled by default and can be enabled via the scheduler policy config file.
-([#63929](https://github.com/kubernetes/kubernetes/pull/63929), [@losipiuk](https://github.com/losipiuk))
-* System critical priority classes are now automatically added at cluster boostrapping. ([#60519](https://github.com/kubernetes/kubernetes/pull/60519), [@bsalamat](https://github.com/bsalamat))
-
-### SIG Storage
-
-* AWS EBS, Azure Disk, GCE PD and Ceph RBD volume plugins now support dynamic provisioning of raw block volumes. ([#64447](https://github.com/kubernetes/kubernetes/pull/64447), [@jsafrane](https://github.com/jsafrane))
-* gitRepo volumes in pods no longer require git 1.8.5 or newer; older git versions are now supported. ([#62394](https://github.com/kubernetes/kubernetes/pull/62394), [@jsafrane](https://github.com/jsafrane))
-* Added support for resizing Portworx volumes. ([#62308](https://github.com/kubernetes/kubernetes/pull/62308), [@harsh-px](https://github.com/harsh-px))
-* Added block volume support to Cinder volume plugin. ([#64879](https://github.com/kubernetes/kubernetes/pull/64879), [@bertinatto](https://github.com/bertinatto))
-* Provided API support for external CSI storage drivers to support block volumes. ([#64723](https://github.com/kubernetes/kubernetes/pull/64723), [@vladimirvivien](https://github.com/vladimirvivien))
-* Volume topology aware dynamic provisioning for external provisioners is now supported. ([#63193](https://github.com/kubernetes/kubernetes/pull/63193), [@lichuqiang](https://github.com/lichuqiang))
-* Added a volume projection that is able to project service account tokens. ([#62005](https://github.com/kubernetes/kubernetes/pull/62005), [@mikedanese](https://github.com/mikedanese))
-* PodSecurityPolicy now supports restricting hostPath volume mounts to be readOnly and under specific path prefixes ([#58647](https://github.com/kubernetes/kubernetes/pull/58647), [@jhorwit2](https://github.com/jhorwit2))
-* Added StorageClass API to restrict topologies of dynamically provisioned volumes. ([#63233](https://github.com/kubernetes/kubernetes/pull/63233), [@lichuqiang](https://github.com/lichuqiang))
-* Added Alpha support for dynamic volume limits based on node type ([#64154](https://github.com/kubernetes/kubernetes/pull/64154), [@gnufied](https://github.com/gnufied))
-* AWS EBS volumes can be now used as ReadOnly in pods. ([#64403](https://github.com/kubernetes/kubernetes/pull/64403), [@jsafrane](https://github.com/jsafrane))
-* Basic plumbing for volume topology aware dynamic provisionin has been implemented. ([#63232](https://github.com/kubernetes/kubernetes/pull/63232), [@lichuqiang](https://github.com/lichuqiang))
-* Changed ext3/ext4 volume creation to not reserve any portion of the volume for the root user. When creating ext3/ext4 volume, mkfs defaults to reserving 5% of the volume for the super-user (root). This patch changes the mkfs to pass -m0 to disable this setting.
-([#64102](https://github.com/kubernetes/kubernetes/pull/64102), [@atombender](https://github.com/atombender))
-* Added support for NFS relations on kubernetes-worker charm. ([#63817](https://github.com/kubernetes/kubernetes/pull/63817), [@hyperbolic2346](https://github.com/hyperbolic2346))
-* Implemented kubelet side online file system resizing ([#62460](https://github.com/kubernetes/kubernetes/pull/62460), [@mlmhl](https://github.com/mlmhl))
-* Generated subpath name from Downward API env ([#49388](https://github.com/kubernetes/kubernetes/pull/49388), [@kevtaylor](https://github.com/kevtaylor))
-
-### SIG vSphere
-
-* Added a mechanism in vSphere Cloud Provider to get credentials from Kubernetes secrets, rather than the plain text `vsphere.conf` file.([#63902](https://github.com/kubernetes/kubernetes/pull/63902), [@abrarshivani](https://github.com/abrarshivani))
-* vSphere Cloud Provider: added SAML token authentication support ([#63824](https://github.com/kubernetes/kubernetes/pull/63824), [@dougm](https://github.com/dougm))
-
-### SIG Windows
-
-* Added log and fs stats for Windows containers. ([#62266](https://github.com/kubernetes/kubernetes/pull/62266), [@feiskyer](https://github.com/feiskyer))
-* Added security contexts for Windows containers. [#64009](https://github.com/kubernetes/kubernetes/pull/64009), ([@feiskyer](https://github.com/feiskyer))
-* Added local persistent volumes for Windows containers. ([#62012](https://github.com/kubernetes/kubernetes/pull/62012), [@andyzhangx](https://github.com/andyzhangx)) and fstype for Azure disk ([#61267](https://github.com/kubernetes/kubernetes/pull/61267), [@andyzhangx](https://github.com/andyzhangx))
-* Improvements in Windows Server version 1803 also bring new storage functionality to Kubernetes v1.11, including:
- * Volume mounts for ConfigMap and Secret
- * Flexvolume plugins for SMB and iSCSI storage are also available out-of-tree at [Microsoft/K8s-Storage-Plugins](https://github.com/Microsoft/K8s-Storage-Plugins)
-* Setup dns servers and search domains for Windows Pods in dockershim. Docker EE version >= 17.10.0 is required for propagating DNS to containers. ([#63905](https://github.com/kubernetes/kubernetes/pull/63905), [@feiskyer](https://github.com/feiskyer))
-
-### Additional changes
-
-* Extended the Stackdriver Metadata Agent by adding a new Deployment for ingesting unscheduled pods and services. ([#62043](https://github.com/kubernetes/kubernetes/pull/62043), [@supriyagarg](https://github.com/supriyagarg))
-* Added all kinds of resource objects' statuses in HPA description. ([#59609](https://github.com/kubernetes/kubernetes/pull/59609), [@zhangxiaoyu-zidif](https://github.com/zhangxiaoyu-zidif))
-* Implemented preemption for extender with a verb and new interface ([#58717](https://github.com/kubernetes/kubernetes/pull/58717), [@resouer](https://github.com/resouer))
-* Updated nvidia-gpu-device-plugin DaemonSet config to use RollingUpdate updateStrategy instead of OnDelete. ([#64296](https://github.com/kubernetes/kubernetes/pull/64296), [@mindprince](https://github.com/mindprince))
-* increased grpc client default response size. ([#63977](https://github.com/kubernetes/kubernetes/pull/677), [@runcom](https://github.com/runcom))
-* Applied pod name and namespace labels to pod cgroup in cAdvisor metrics ([#63406](https://github.com/kubernetes/kubernetes/pull/63406), [@derekwaynecarr](https://github.com/derekwaynecarr))
-* [fluentd-gcp addon] Use the logging agent's node name as the metadata agent URL. ([#63353](https://github.com/kubernetes/kubernetes/pull/63353), [@bmoyles0117](https://github.com/bmoyles0117))
-* The new default value for the --allow-privileged parameter of the Kubernetes-worker charm has been set to true based on changes which went into the Kubernetes 1.10 release. Before this change the default value was set to false. If you're installing Canonical Kubernetes you should expect this value to now be true by default and you should now look to use PSP (pod security policies). ([#64104](https://github.com/kubernetes/kubernetes/pull/64104), [@CalvinHartwell](https://github.com/CalvinHartwell))
+### Node Binaries
-## External Dependencies
-
-* Default etcd server version is v3.2.18 compared with v3.1.12 in v1.10 ([#61198](https://github.com/kubernetes/kubernetes/pull/61198))
-* Rescheduler is v0.4.0, compared with v0.3.1 in v1.10 ([#65454](https://github.com/kubernetes/kubernetes/pull/65454))
-* The validated docker versions are the same as for v1.10: 1.11.2 to 1.13.1 and 17.03.x (ref)
-* The Go version is go1.10.2, as compared to go1.9.3 in v1.10. ([#63412](https://github.com/kubernetes/kubernetes/pull/63412))
-* The minimum supported go is the same as for v1.10: go1.9.1. ([#55301](https://github.com/kubernetes/kubernetes/pull/55301))
-* CNI is the same as v1.10: v0.6.0 ([#51250](https://github.com/kubernetes/kubernetes/pull/51250))
-* CSI is updated to 0.3.0 as compared to 0.2.0 in v1.10. ([#64719](https://github.com/kubernetes/kubernetes/pull/64719))
-* The dashboard add-on is the same as v1.10: v1.8.3. ([#517326](https://github.com/kubernetes/kubernetes/pull/57326))
-* Bump Heapster to v1.5.2 as compared to v1.5.0 in v1.10 ([#61396](https://github.com/kubernetes/kubernetes/pull/61396))
-* Updates Cluster Autoscaler version to v1.3.0 from v1.2.0 in v1.10. See [release notes](https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.3.0) for details. ([#65219](https://github.com/kubernetes/kubernetes/pull/65219))
-* Kube-dns has been updated to v1.14.10, as compared to v1.14.8 in v1.10 ([#62676](https://github.com/kubernetes/kubernetes/pull/62676))
-* Influxdb is unchanged from v1.10: v1.3.3 ([#53319](https://github.com/kubernetes/kubernetes/pull/53319))
-* Grafana is unchanged from v1.10: v4.4.3 ([#53319](https://github.com/kubernetes/kubernetes/pull/53319))
-* CAdvisor is v0.30.1, as opposed to v0.29.1 in v1.10 ([#64987](https://github.com/kubernetes/kubernetes/pull/64987))
-* fluentd-gcp-scaler is unchanged from v1.10: v0.3.0 ([#61269](https://github.com/kubernetes/kubernetes/pull/61269))
-* fluentd in fluentd-es-image is unchanged from 1.10: v1.1.0 ([#58525](https://github.com/kubernetes/kubernetes/pull/58525))
-* fluentd-elasticsearch is unchanged from 1.10: v2.0.4 ([#58525](https://github.com/kubernetes/kubernetes/pull/58525))
-* fluentd-gcp is unchanged from 1.10: v3.0.0. ([#60722](https://github.com/kubernetes/kubernetes/pull/60722))
-* Ingress glbc is unchanged from 1.10: v1.0.0 ([#61302](https://github.com/kubernetes/kubernetes/pull/61302))
-* OIDC authentication is unchanged from 1.10: coreos/go-oidc v2 ([#58544](https://github.com/kubernetes/kubernetes/pull/58544))
-* Calico is unchanged from 1.10: v2.6.7 ([#59130](https://github.com/kubernetes/kubernetes/pull/59130))
-* hcsshim has been updated to v0..11 ([#64272](https://github.com/kubernetes/kubernetes/pull/64272))
-* gitRepo volumes in pods no longer require git 1.8.5 or newer; older git versions are now supported. ([#62394](https://github.com/kubernetes/kubernetes/pull/62394))
-* Update crictl on GCE to v1.11.0. ([#65254](https://github.com/kubernetes/kubernetes/pull/65254))
-* CoreDNS is now v1.1.3 ([#64258](https://github.com/kubernetes/kubernetes/pull/64258))
-* Setup dns servers and search domains for Windows Pods in dockershim. Docker EE version >= 17.10.0 is required for propagating DNS to containers. ([#63905](https://github.com/kubernetes/kubernetes/pull/63905))
-* Update version of Istio addon from 0.5.1 to 0.8.0. See [full Istio release notes](https://istio.io/about/notes/0.6.html).([#64537](https://github.com/kubernetes/kubernetes/pull/64537))
-* Update cadvisor godeps to v0.30.0 ([#64800](https://github.com/kubernetes/kubernetes/pull/64800))
-* Update event-exporter to version v0.2.0 that supports old (gke_container/gce_instance) and new (k8s_container/k8s_node/k8s_pod) stackdriver resources. ([#63918](https://github.com/kubernetes/kubernetes/pull/63918))
-* Rev the Azure SDK for networking to 2017-06-01 ([#61955](https://github.com/kubernetes/kubernetes/pull/61955))
-
-## Bug Fixes
-
-* Fixed spurious "unable to find api field" errors patching custom resources ([#63146](https://github.com/kubernetes/kubernetes/pull/63146), [@liggitt](https://github.com/liggitt))
-* Nodes are not deleted from kubernetes anymore if node is shutdown in Openstack. ([#59931](https://github.com/kubernetes/kubernetes/pull/59931), [@zetaab](https://github.com/zetaab))
-* Re-enabled nodeipam controller for external clouds. Re-enables nodeipam controller for external clouds. Also does a small refactor so that we don't need to pass in allocateNodeCidr into the controller.
- ([#63049](https://github.com/kubernetes/kubernetes/pull/63049), [@andrewsykim](https://github.com/andrewsykim))
-* Fixed a configuration error when upgrading kubeadm from 1.9 to 1.10+; Kubernetes must have the same major and minor versions as the kubeadm library. ([#62568](https://github.com/kubernetes/kubernetes/pull/62568), [@liztio](https://github.com/liztio))
-* kubectl no longer renders a List as suffix kind name for CRD resources ([#62512](https://github.com/kubernetes/kubernetes/pull/62512), [@dixudx](https://github.com/dixudx))
-* Restored old behavior to the `--template` flag in `get.go`. In old releases, providing a `--template` flag value and no `--output` value implicitly assigned a default value ("go-template") to `--output`, printing using the provided template argument.
-([#65377](https://github.com/kubernetes/kubernetes/pull/65377),[@juanvallejo](https://github.com/juanvallejo))
-* Ensured cloudprovider.InstanceNotFound is reported when the VM is not found on Azure ([#61531](https://github.com/kubernetes/kubernetes/pull/61531), [@feiskyer](https://github.com/feiskyer))
-* Kubernetes version command line parameter in kubeadm has been updated to drop an unnecessary redirection from ci/latest.txt to ci-cross/latest.txt. Users should know exactly where the builds are stored on Google Cloud storage buckets from now on. For example for 1.9 and 1.10, users can specify ci/latest-1.9 and ci/latest-1.10 as the CI build jobs what build images correctly updates those. The CI jobs for master update the ci-cross/latest location, so if you are looking for latest master builds, then the correct parameter to use would be ci-cross/latest. ([#63504](https://github.com/kubernetes/kubernetes/pull/63504), [@dims](https://github.cm/dims))
+filename | sha256 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-node-linux-amd64.tar.gz) | `6b4d363d190e0ce6f4e41d19a0ac350b39cad7859bc442166a1da9124d1a82bb`
+[kubernetes-node-linux-arm.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-node-linux-arm.tar.gz) | `c80ac005c228217b871bf3e9de032044659db3aa048cc95b101820e31d62264c`
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-node-linux-arm64.tar.gz) | `d8b84e7cc6ff5d0e26b045de37bdd40ca8809c303b601d8604902e5957d98621`
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-node-linux-ppc64le.tar.gz) | `b0a667c5c905e6e724fba95d44797fb52afb564aedd1c25cbd4e632e152843e9`
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-node-linux-s390x.tar.gz) | `78e7dbb82543ea6ac70767ed63c92823726adb6257f6b70b5911843d18288df7`
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.12.0-alpha.1/kubernetes-node-windows-amd64.tar.gz) | `1a3e11cc3f1a0297de2b894a43eb56ede5fbd5cdc43e4da7e61171f5c1f3ef60`
+
+## Changelog since v1.11.0
+
+### Action Required
+
+* action required: the API server and client-go libraries have been fixed to support additional non-alpha-numeric characters in UserInfo "extra" data keys. Both should be updated in order to properly support extra data containing "/" characters or other characters disallowed in HTTP headers. ([#65799](https://github.com/kubernetes/kubernetes/pull/65799), [@dekkagaijin](https://github.com/dekkagaijin))
+* [action required] The `NodeConfiguration` kind in the kubeadm v1alpha2 API has been renamed `JoinConfiguration` in v1alpha3 ([#65951](https://github.com/kubernetes/kubernetes/pull/65951), [@luxas](https://github.com/luxas))
+* ACTION REQUIRED: Removes defaulting of CSI file system type to ext4. All the production drivers listed under https://kubernetes-csi.github.io/docs/Drivers.html were inspected and should not be impacted after this change. If you are using a driver not in that list, please test the drivers on an updated test cluster first. ``` ([#65499](https://github.com/kubernetes/kubernetes/pull/65499), [@krunaljain](https://github.com/krunaljain))
+* [action required] The `MasterConfiguration` kind in the kubeadm v1alpha2 API has been renamed `InitConfiguration` in v1alpha3 ([#65945](https://github.com/kubernetes/kubernetes/pull/65945), [@luxas](https://github.com/luxas))
+* [action required] The formerly publicly-available cAdvisor web UI that the kubelet started using `--cadvisor-port` is now entirely removed in 1.12. The recommended way to run cAdvisor if you still need it, is via a DaemonSet. ([#65707](https://github.com/kubernetes/kubernetes/pull/65707), [@dims](https://github.com/dims))
+* Cluster Autoscaler version updated to 1.3.1-beta.1. Release notes: https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.3.1-beta.1 ([#65857](https://github.com/kubernetes/kubernetes/pull/65857), [@aleksandra-malinowska](https://github.com/aleksandra-malinowska))
+ * Default value for expendable pod priority cutoff in GCP deployment of Cluster Autoscaler changed from 0 to -10.
+ * action required: users deploying workloads with priority lower than 0 may want to use priority lower than -10 to avoid triggering scale-up.
+* [action required] kubeadm: The `v1alpha1` config API has been removed. ([#65628](https://github.com/kubernetes/kubernetes/pull/65628), [@luxas](https://github.com/luxas))
+ * Please convert your `v1alpha1` configuration files to `v1alpha2` using the
+ * `kubeadm config migrate` command of kubeadm v1.11.x
+* kube-apiserver: the `Priority` admission plugin is now enabled by default when using `--enable-admission-plugins`. If using `--admission-control` to fully specify the set of admission plugins, the `Priority` admission plugin should be added if using the `PodPriority` feature, which is enabled by default in 1.11. ([#65739](https://github.com/kubernetes/kubernetes/pull/65739), [@liggitt](https://github.com/liggitt))
+* The `system-node-critical` and `system-cluster-critical` priority classes are now limited to the `kube-system` namespace by the `PodPriority` admission plugin. ([#65593](https://github.com/kubernetes/kubernetes/pull/65593), [@bsalamat](https://github.com/bsalamat))
+* kubernetes-worker juju charm: Added support for setting the --enable-ssl-chain-completion option on the ingress proxy. "action required": if your installation relies on supplying incomplete certificate chains and using OCSP to fill them in, you must set "ingress-ssl-chain-completion" to "true" in your juju configuration. ([#63845](https://github.com/kubernetes/kubernetes/pull/63845), [@paulgear](https://github.com/paulgear))
+
+### Other notable changes
+
+* admin RBAC role now aggregates edit and view. edit RBAC role now aggregates view. ([#66684](https://github.com/kubernetes/kubernetes/pull/66684), [@deads2k](https://github.com/deads2k))
+* Speed up HPA reaction to metric changes by removing scale up forbidden window. ([#66615](https://github.com/kubernetes/kubernetes/pull/66615), [@jbartosik](https://github.com/jbartosik))
+ * Scale up forbidden window was protecting HPA against making decision to scale up based on metrics gathered during pod initialisation (which may be invalid, for example pod may be using a lot of CPU despite not doing any "actual" work).
+ * To avoid that negative effect only use per pod metrics from pods that are:
+ * - ready (so metrics about them should be valid), or
+ * - unready but creation and last readiness change timestamps are apart more than 10s (pods that have formerly been ready and so metrics are in at least some cases (pod becoming unready because of overload) very useful).
+* The `kubectl patch` command no longer exits with exit code 1 when a redundant patch results in a no-op ([#66725](https://github.com/kubernetes/kubernetes/pull/66725), [@juanvallejo](https://github.com/juanvallejo))
+* Improved the output of `kubectl get events` to prioritize showing the message, and move some fields to `-o wide`. ([#66643](https://github.com/kubernetes/kubernetes/pull/66643), [@smarterclayton](https://github.com/smarterclayton))
+* Added CPU Manager state validation in case of changed CPU topology. ([#66718](https://github.com/kubernetes/kubernetes/pull/66718), [@ipuustin](https://github.com/ipuustin))
+* Make EBS volume expansion faster ([#66728](https://github.com/kubernetes/kubernetes/pull/66728), [@gnufied](https://github.com/gnufied))
+* Kubelet serving certificate bootstrapping and rotation has been promoted to beta status. ([#66726](https://github.com/kubernetes/kubernetes/pull/66726), [@liggitt](https://github.com/liggitt))
+* Flag --pod (-p shorthand) of kubectl exec command marked as deprecated ([#66558](https://github.com/kubernetes/kubernetes/pull/66558), [@quasoft](https://github.com/quasoft))
+* Fixed an issue which prevented `gcloud` from working on GCE when metadata concealment was enabled. ([#66630](https://github.com/kubernetes/kubernetes/pull/66630), [@dekkagaijin](https://github.com/dekkagaijin))
+* Azure Go SDK has been upgraded to v19.0.0 and VirtualMachineScaleSetVM now supports availability zones. ([#66648](https://github.com/kubernetes/kubernetes/pull/66648), [@feiskyer](https://github.com/feiskyer))
+* kubeadm now can join the cluster with pre-existing client certificate if provided ([#66482](https://github.com/kubernetes/kubernetes/pull/66482), [@dixudx](https://github.com/dixudx))
+* If `TaintNodesByCondition` enabled, taint node with `TaintNodeUnschedulable` when ([#63955](https://github.com/kubernetes/kubernetes/pull/63955), [@k82cn](https://github.com/k82cn))
+ * initializing node to avoid race condition.
+* kubeadm: remove misleading error message regarding image pulling ([#66658](https://github.com/kubernetes/kubernetes/pull/66658), [@dixudx](https://github.com/dixudx))
+* Fix Stackdriver integration based on node annotation container.googleapis.com/instance_id. ([#66676](https://github.com/kubernetes/kubernetes/pull/66676), [@kawych](https://github.com/kawych))
+* Fix kubelet startup failure when using ExecPlugin in kubeconfig ([#66395](https://github.com/kubernetes/kubernetes/pull/66395), [@awly](https://github.com/awly))
+* When attaching iSCSI volumes, kubelet now scans only the specific ([#63176](https://github.com/kubernetes/kubernetes/pull/63176), [@bswartz](https://github.com/bswartz))
+ * LUNs being attached, and also deletes them after detaching. This avoids
+ * dangling references to LUNs that no longer exist, which used to be the
+ * cause of random I/O errors/timeouts in kernel logs, slowdowns during
+ * block-device related operations, and very rare cases of data corruption.
+* kubeadm: Pull sidecar and dnsmasq-nanny images when using kube-dns ([#66499](https://github.com/kubernetes/kubernetes/pull/66499), [@rosti](https://github.com/rosti))
+* Extender preemption should respect IsInterested() ([#66291](https://github.com/kubernetes/kubernetes/pull/66291), [@resouer](https://github.com/resouer))
+* Properly autopopulate OpenAPI version field without needing other OpenAPI fields present in generic API server code. ([#66411](https://github.com/kubernetes/kubernetes/pull/66411), [@DirectXMan12](https://github.com/DirectXMan12))
+* renamed command line option --cri-socket-path of the kubeadm subcommand "kubeadm config images pull" to --cri-socket to be consistent with the rest of kubeadm subcommands. ([#66382](https://github.com/kubernetes/kubernetes/pull/66382), [@bart0sh](https://github.com/bart0sh))
+* The --docker-disable-shared-pid kubelet flag has been removed. PID namespace sharing can instead be enable per-pod using the ShareProcessNamespace option. ([#66506](https://github.com/kubernetes/kubernetes/pull/66506), [@verb](https://github.com/verb))
+* Add support for using User Assigned MSI (https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview) with Kubernetes cluster on Azure. ([#66180](https://github.com/kubernetes/kubernetes/pull/66180), [@kkmsft](https://github.com/kkmsft))
+* fix acr could not be listed in sp issue ([#66429](https://github.com/kubernetes/kubernetes/pull/66429), [@andyzhangx](https://github.com/andyzhangx))
+* This PR will leverage subtests on the existing table tests for the scheduler units. ([#63665](https://github.com/kubernetes/kubernetes/pull/63665), [@xchapter7x](https://github.com/xchapter7x))
+ * Some refactoring of error/status messages and functions to align with new approach.
+* Fix volume limit for EBS on m5 and c5 instance types ([#66397](https://github.com/kubernetes/kubernetes/pull/66397), [@gnufied](https://github.com/gnufied))
+* Extend TLS timeouts to work around slow arm64 math/big ([#66264](https://github.com/kubernetes/kubernetes/pull/66264), [@joejulian](https://github.com/joejulian))
+* kubeadm: stop setting UID in the kubelet ConfigMap ([#66341](https://github.com/kubernetes/kubernetes/pull/66341), [@runiq](https://github.com/runiq))
+* kubectl: fixes a panic displaying pods with nominatedNodeName set ([#66406](https://github.com/kubernetes/kubernetes/pull/66406), [@liggitt](https://github.com/liggitt))
+* Update crictl to v1.11.1. ([#66152](https://github.com/kubernetes/kubernetes/pull/66152), [@Random-Liu](https://github.com/Random-Liu))
+* fixes a panic when using a mutating webhook admission plugin with a DELETE operation ([#66425](https://github.com/kubernetes/kubernetes/pull/66425), [@liggitt](https://github.com/liggitt))
+* GCE: Fixes loadbalancer creation and deletion issues appearing in 1.10.5. ([#66400](https://github.com/kubernetes/kubernetes/pull/66400), [@nicksardo](https://github.com/nicksardo))
+* Azure nodes with availability zone now will have label `failure-domain.beta.kubernetes.io/zone=-`. ([#66242](https://github.com/kubernetes/kubernetes/pull/66242), [@feiskyer](https://github.com/feiskyer))
+* Re-design equivalence class cache to two level cache ([#65714](https://github.com/kubernetes/kubernetes/pull/65714), [@resouer](https://github.com/resouer))
+* Checks CREATE admission for create-on-update requests instead of UPDATE admission ([#65572](https://github.com/kubernetes/kubernetes/pull/65572), [@yue9944882](https://github.com/yue9944882))
+* This PR will leverage subtests on the existing table tests for the scheduler units. ([#63666](https://github.com/kubernetes/kubernetes/pull/63666), [@xchapter7x](https://github.com/xchapter7x))
+ * Some refactoring of error/status messages and functions to align with new approach.
+* Fixed a panic in the node status update logic when existing node has nil labels. ([#66307](https://github.com/kubernetes/kubernetes/pull/66307), [@guoshimin](https://github.com/guoshimin))
+* Bump Ingress-gce version to 1.2.0 ([#65641](https://github.com/kubernetes/kubernetes/pull/65641), [@freehan](https://github.com/freehan))
+* Bump event-exporter to 0.2.2 to pick up security fixes. ([#66157](https://github.com/kubernetes/kubernetes/pull/66157), [@loburm](https://github.com/loburm))
+* Allow ScaleIO volumes to be provisioned without having to first manually create /dev/disk/by-id path on each kubernetes node (if not already present) ([#66174](https://github.com/kubernetes/kubernetes/pull/66174), [@ddebroy](https://github.com/ddebroy))
+* fix rollout status for statefulsets ([#62943](https://github.com/kubernetes/kubernetes/pull/62943), [@faraazkhan](https://github.com/faraazkhan))
+* Fix for resourcepool-path configuration in the vsphere.conf file. ([#66261](https://github.com/kubernetes/kubernetes/pull/66261), [@divyenpatel](https://github.com/divyenpatel))
+* OpenAPI spec and documentation reflect 202 Accepted response path for delete request ([#63418](https://github.com/kubernetes/kubernetes/pull/63418), [@roycaihw](https://github.com/roycaihw))
+* fixes a validation error that could prevent updates to StatefulSet objects containing non-normalized resource requests ([#66165](https://github.com/kubernetes/kubernetes/pull/66165), [@liggitt](https://github.com/liggitt))
+* Fix validation for HealthzBindAddress in kube-proxy when --healthz-port is set to 0 ([#66138](https://github.com/kubernetes/kubernetes/pull/66138), [@wsong](https://github.com/wsong))
+* kubeadm: use an HTTP request timeout when fetching the latest version of Kubernetes from dl.k8s.io ([#65676](https://github.com/kubernetes/kubernetes/pull/65676), [@dkoshkin](https://github.com/dkoshkin))
+* Support configuring the Azure load balancer idle connection timeout for services ([#66045](https://github.com/kubernetes/kubernetes/pull/66045), [@cpuguy83](https://github.com/cpuguy83))
+* `kubectl config set-context` can now set attributes of the current context, like the current namespace, by passing `--current` instead of a specific context name ([#66140](https://github.com/kubernetes/kubernetes/pull/66140), [@liggitt](https://github.com/liggitt))
+* The alpha `Initializers` admission plugin is no longer enabled by default. This matches the off-by-default behavior of the alpha API which drives initializer behavior. ([#66039](https://github.com/kubernetes/kubernetes/pull/66039), [@liggitt](https://github.com/liggitt))
+* kubeadm: Default component configs are printable via kubeadm config print-default ([#66074](https://github.com/kubernetes/kubernetes/pull/66074), [@rosti](https://github.com/rosti))
+* prevents infinite CLI wait on delete when item is recreated ([#66136](https://github.com/kubernetes/kubernetes/pull/66136), [@deads2k](https://github.com/deads2k))
+* Preserve vmUUID when renewing nodeinfo in vSphere cloud provider ([#66007](https://github.com/kubernetes/kubernetes/pull/66007), [@w-leads](https://github.com/w-leads))
+* Cluster Autoscaler version updated to 1.3.1. Release notes: https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.3.1 ([#66122](https://github.com/kubernetes/kubernetes/pull/66122), [@aleksandra-malinowska](https://github.com/aleksandra-malinowska))
+* Expose docker registry config for addons used in Juju deployments ([#66092](https://github.com/kubernetes/kubernetes/pull/66092), [@kwmonroe](https://github.com/kwmonroe))
+* kubelets that specify `--cloud-provider` now only report addresses in Node status as determined by the cloud provider ([#65594](https://github.com/kubernetes/kubernetes/pull/65594), [@liggitt](https://github.com/liggitt))
+ * kubelet serving certificate rotation now reacts to changes in reported node addresses, and will request certificates for addresses set by an external cloud provider
+* Fix the bug where image garbage collection is disabled by mistake. ([#66051](https://github.com/kubernetes/kubernetes/pull/66051), [@jiaxuanzhou](https://github.com/jiaxuanzhou))
+* fixes an issue with multi-line annotations injected via downward API files getting scrambled ([#65992](https://github.com/kubernetes/kubernetes/pull/65992), [@liggitt](https://github.com/liggitt))
+* kubeadm: run kube-proxy on non-master tainted nodes ([#65931](https://github.com/kubernetes/kubernetes/pull/65931), [@neolit123](https://github.com/neolit123))
+* "kubectl delete" no longer waits for dependent objects to be deleted when removing parent resources ([#65908](https://github.com/kubernetes/kubernetes/pull/65908), [@juanvallejo](https://github.com/juanvallejo))
+* Introduce a new flag `--keepalive` for kubectl proxy to allow setting keep-alive period for long-running request. ([#63793](https://github.com/kubernetes/kubernetes/pull/63793), [@hzxuzhonghu](https://github.com/hzxuzhonghu))
+* If Openstack LoadBalancer is not defined in cloud config, the loadbalancer is not initialized any more in openstack. All setups must have some setting under that section ([#65781](https://github.com/kubernetes/kubernetes/pull/65781), [@zetaab](https://github.com/zetaab))
+* Re-adds `pkg/generated/bindata.go` to the repository to allow some parts of k8s.io/kubernetes to be go-vendorable. ([#65985](https://github.com/kubernetes/kubernetes/pull/65985), [@ixdy](https://github.com/ixdy))
+* Fix a bug that preempting a pod may block forever. ([#65987](https://github.com/kubernetes/kubernetes/pull/65987), [@Random-Liu](https://github.com/Random-Liu))
+* Fix flexvolume in containarized kubelets ([#65549](https://github.com/kubernetes/kubernetes/pull/65549), [@gnufied](https://github.com/gnufied))
+* Add volume mode filed to constructed volume spec for CSI plugin ([#65456](https://github.com/kubernetes/kubernetes/pull/65456), [@wenlxie](https://github.com/wenlxie))
+* Fix an issue with dropped audit logs, when truncating and batch backends enabled at the same time. ([#65823](https://github.com/kubernetes/kubernetes/pull/65823), [@loburm](https://github.com/loburm))
+* Support traffic shaping for CNI network driver ([#63194](https://github.com/kubernetes/kubernetes/pull/63194), [@m1093782566](https://github.com/m1093782566))
+* kubeadm: Use separate YAML documents for the kubelet and kube-proxy ComponentConfigs ([#65787](https://github.com/kubernetes/kubernetes/pull/65787), [@luxas](https://github.com/luxas))
+* kubeadm: Fix pause image to not use architecture, as it is a manifest list ([#65920](https://github.com/kubernetes/kubernetes/pull/65920), [@dims](https://github.com/dims))
+* kubeadm: print required flags when running kubeadm upgrade plan ([#65802](https://github.com/kubernetes/kubernetes/pull/65802), [@xlgao-zju](https://github.com/xlgao-zju))
+* Fix `RunAsGroup` which doesn't work since 1.10. ([#65926](https://github.com/kubernetes/kubernetes/pull/65926), [@Random-Liu](https://github.com/Random-Liu))
+* Running `kubectl describe pvc` now shows which pods are mounted to the pvc being described with the `Mounted By` field ([#65837](https://github.com/kubernetes/kubernetes/pull/65837), [@clandry94](https://github.com/clandry94))
+* fix azure storage account creation failure ([#65846](https://github.com/kubernetes/kubernetes/pull/65846), [@andyzhangx](https://github.com/andyzhangx))
+* Allow kube- and cloud-controller-manager to listen on ports up to 65535. ([#65860](https://github.com/kubernetes/kubernetes/pull/65860), [@sttts](https://github.com/sttts))
+* Allow kube-scheduler to listen on ports up to 65535. ([#65833](https://github.com/kubernetes/kubernetes/pull/65833), [@sttts](https://github.com/sttts))
+* kubeadm: Remove usage of `PersistentVolumeLabel` ([#65827](https://github.com/kubernetes/kubernetes/pull/65827), [@xlgao-zju](https://github.com/xlgao-zju))
+* kubeadm: Add a `v1alpha3` API. ([#65629](https://github.com/kubernetes/kubernetes/pull/65629), [@luxas](https://github.com/luxas))
+* Update to use go1.10.3 ([#65726](https://github.com/kubernetes/kubernetes/pull/65726), [@ixdy](https://github.com/ixdy))
+* LimitRange and Endpoints resources can be created via an update API call if the object does not already exist. When this occurs, an authorization check is now made to ensure the user making the API call is authorized to create the object. In previous releases, only an update authorization check was performed. ([#65150](https://github.com/kubernetes/kubernetes/pull/65150), [@jennybuckley](https://github.com/jennybuckley))
+* Fix 'kubectl cp' with no arguments causes a panic ([#65482](https://github.com/kubernetes/kubernetes/pull/65482), [@wgliang](https://github.com/wgliang))
+* bazel deb package bugfix: The kubeadm deb package now reloads the kubelet after installation ([#65554](https://github.com/kubernetes/kubernetes/pull/65554), [@rdodev](https://github.com/rdodev))
+* fix smb mount issue ([#65751](https://github.com/kubernetes/kubernetes/pull/65751), [@andyzhangx](https://github.com/andyzhangx))
+* More fields are allowed at the root of the CRD validation schema when the status subresource is enabled. ([#65357](https://github.com/kubernetes/kubernetes/pull/65357), [@nikhita](https://github.com/nikhita))
+* Reload systemd config files before starting kubelet. ([#65702](https://github.com/kubernetes/kubernetes/pull/65702), [@mborsz](https://github.com/mborsz))
+* Unix: support ZFS as a valid graph driver for Docker ([#65635](https://github.com/kubernetes/kubernetes/pull/65635), [@neolit123](https://github.com/neolit123))
+* Fix controller-manager crashes when flex plugin is removed from flex plugin directory ([#65536](https://github.com/kubernetes/kubernetes/pull/65536), [@gnufied](https://github.com/gnufied))
+* Enable etcdv3 client prometheus metics ([#64741](https://github.com/kubernetes/kubernetes/pull/64741), [@wgliang](https://github.com/wgliang))
+* skip nodes that have a primary NIC in a 'Failed' provisioningState ([#65412](https://github.com/kubernetes/kubernetes/pull/65412), [@yastij](https://github.com/yastij))
+* kubeadm: remove redundant flags settings for kubelet ([#64682](https://github.com/kubernetes/kubernetes/pull/64682), [@dixudx](https://github.com/dixudx))
+* Fixes the wrong elasticsearch node counter ([#65627](https://github.com/kubernetes/kubernetes/pull/65627), [@IvanovOleg](https://github.com/IvanovOleg))
+* - Can configure the vsphere cloud provider with a trusted Root-CA ([#64758](https://github.com/kubernetes/kubernetes/pull/64758), [@mariantalla](https://github.com/mariantalla))
+* Add Ubuntu 18.04 (Bionic) series to Juju charms ([#65644](https://github.com/kubernetes/kubernetes/pull/65644), [@tvansteenburgh](https://github.com/tvansteenburgh))
+* Fix local volume directory can't be deleted because of volumeMode error ([#65310](https://github.com/kubernetes/kubernetes/pull/65310), [@wenlxie](https://github.com/wenlxie))
+* kubectl: --use-openapi-print-columns is deprecated in favor of --server-print ([#65601](https://github.com/kubernetes/kubernetes/pull/65601), [@liggitt](https://github.com/liggitt))
+* Add prometheus scrape port to CoreDNS service ([#65589](https://github.com/kubernetes/kubernetes/pull/65589), [@rajansandeep](https://github.com/rajansandeep))
+* fixes an out of range panic in the NoExecuteTaintManager controller when running a non-64-bit build ([#65596](https://github.com/kubernetes/kubernetes/pull/65596), [@liggitt](https://github.com/liggitt))
+* kubectl: fixes a regression with --use-openapi-print-columns that would not print object contents ([#65600](https://github.com/kubernetes/kubernetes/pull/65600), [@liggitt](https://github.com/liggitt))
+* Hostnames are now converted to lowercase before being used for node lookups in the kubernetes-worker charm. ([#65487](https://github.com/kubernetes/kubernetes/pull/65487), [@dshcherb](https://github.com/dshcherb))
+* N/A ([#64660](https://github.com/kubernetes/kubernetes/pull/64660), [@figo](https://github.com/figo))
+* bugfix: Do not print feature gates in the generic apiserver code for glog level 0 ([#65584](https://github.com/kubernetes/kubernetes/pull/65584), [@neolit123](https://github.com/neolit123))
+* Add metrics for PVC in-use ([#64527](https://github.com/kubernetes/kubernetes/pull/64527), [@gnufied](https://github.com/gnufied))
+* Fixed exception detection in fluentd-gcp plugin. ([#65361](https://github.com/kubernetes/kubernetes/pull/65361), [@xperimental](https://github.com/xperimental))
+* api-machinery utility functions `SetTransportDefaults` and `DialerFor` once again respect custom Dial functions set on transports ([#65547](https://github.com/kubernetes/kubernetes/pull/65547), [@liggitt](https://github.com/liggitt))
+* Improve the display of jobs in `kubectl get` and `kubectl describe` to emphasize progress and duration. ([#65463](https://github.com/kubernetes/kubernetes/pull/65463), [@smarterclayton](https://github.com/smarterclayton))
+* kubectl convert previous created a list inside of a list. Now it is only wrapped once. ([#65489](https://github.com/kubernetes/kubernetes/pull/65489), [@deads2k](https://github.com/deads2k))
+* fix azure disk creation issue when specifying external resource group ([#65516](https://github.com/kubernetes/kubernetes/pull/65516), [@andyzhangx](https://github.com/andyzhangx))
+* fixes a regression in kube-scheduler to properly load client connection information from a `--config` file that references a kubeconfig file ([#65507](https://github.com/kubernetes/kubernetes/pull/65507), [@liggitt](https://github.com/liggitt))
+* Fixed cleanup of CSI metadata files. ([#65323](https://github.com/kubernetes/kubernetes/pull/65323), [@jsafrane](https://github.com/jsafrane))
+* Update Rescheduler's manifest to use version 0.4.0. ([#65454](https://github.com/kubernetes/kubernetes/pull/65454), [@bsalamat](https://github.com/bsalamat))
+* On COS, NPD creates a node condition for frequent occurrences of unregister_netdevice ([#65342](https://github.com/kubernetes/kubernetes/pull/65342), [@dashpole](https://github.com/dashpole))
+* Properly manage security groups for loadbalancer services on OpenStack. ([#65373](https://github.com/kubernetes/kubernetes/pull/65373), [@multi-io](https://github.com/multi-io))
+* Add user-agent to audit-logging. ([#64812](https://github.com/kubernetes/kubernetes/pull/64812), [@hzxuzhonghu](https://github.com/hzxuzhonghu))
+* kubeadm: notify the user of manifest upgrade timeouts ([#65164](https://github.com/kubernetes/kubernetes/pull/65164), [@xlgao-zju](https://github.com/xlgao-zju))
* Fixes incompatibility with custom scheduler extender configurations specifying `bindVerb` ([#65424](https://github.com/kubernetes/kubernetes/pull/65424), [@liggitt](https://github.com/liggitt))
-* kubectl built for darwin from darwin now enables cgo to use the system-native C libraries for DNS resolution. Cross-compiled kubectl (e.g. from an official kubernetes release) still uses the go-native netgo DNS implementation. ([#64219](https://github.com/kubernetes/kubernetes/pull/64219), [@ixdy](https://github.com/ixdy))
-* API server properly parses propagationPolicy as a query parameter sent with a delete request ([#63414](https://github.com/kubernetes/kubernetes/pull/63414), [@roycaihw](https://github.com/roycaihw))
-* Corrected a race condition in bootstrapping aggregated cluster roles in new HA clusters ([#63761](https://github.com/kubernetes/kubernetes/pull/63761), [@liggitt](https://github.com/liggitt))
-* kubelet: fix hangs in updating Node status after network interruptions/changes between the kubelet and API server ([#63492](https://github.com/kubernetes/kubernetes/pull/63492), [@liggitt](https://github.com/liggitt))
-* Added log and fs stats for Windows containers ([#62266](https://github.com/kubernetes/kubernetes/pull/62266), [@feiskyer](https://github.com/feiskyer))
-* Fail fast if cgroups-per-qos is set on Windows ([#62984](https://github.com/kubernetes/kubernetes/pull/62984), [@feiskyer](https://github.com/feiskyer))
-* Minor fix for VolumeZoneChecker predicate, storageclass can be in annotation and spec. ([#63749](https://github.com/kubernetes/kubernetes/pull/63749), [@wenlxie](https://github.com/wenlxie))
-* Fixes issue for readOnly subpath mounts for SELinux systems and when the volume mountPath already existed in the container image. ([#64351](https://github.com/kubernetes/kubernetes/pull/64351), [@msau42](https://github.com/msau42))
-* Fixed CSI gRPC connection leak during volume operations. ([#64519](https://github.com/kubernetes/kubernetes/pull/64519), [@vladimirvivien](https://github.com/vladimirvivien))
-* Fixed error reporting of CSI volumes attachment. ([#63303](https://github.com/kubernetes/kubernetes/pull/63303), [@jsafrane](https://github.com/jsafrane))
-* Fixed SELinux relabeling of CSI volumes. ([#64026](https://github.com/kubernetes/kubernetes/pull/64026), [@jsafrane](https://github.com/jsafrane))
-* Fixed detach of already detached CSI volumes. ([#63295](https://github.com/kubernetes/kubernetes/pull/63295), [@jsafrane](https://github.com/jsafrane))
-* fix rbd device works at block mode not get mapped to container ([#64555](https://github.com/kubernetes/kubernetes/pull/64555), [@wenlxie](https://github.com/wenlxie))
-* Fixed an issue where Portworx PVCs remain in pending state when created using a StorageClass with empty parameters ([#64895](https://github.com/kubernetes/kubernetes/pull/64895), [@harsh-px](https://github.com/harsh-px)) storage
-* FIX: The OpenStack cloud providers DeleteRoute method fails to delete routes when it can’t find the corresponding instance in OpenStack. (#62729, databus23)
-* [fluentd-gcp addon] Increase CPU limit for fluentd to 1 core to achieve 100kb/s throughput. ([#62430](https://github.com/kubernetes/kubernetes/pull/62430), [@bmoyles0117](https://github.com/bmoyles0117))
-* GCE: Fixed operation polling to adhere to the specified interval. Furthermore, operation errors are now returned instead of ignored. ([#64630](https://github.com/kubernetes/kubernetes/pull/64630), [@nicksardo](https://github.com/nicksardo))
-* Included kms-plugin-container.manifest to master nifests tarball. ([#65035](https://github.com/kubernetes/kubernetes/pull/65035), [@immutableT](https://github.com/immutableT))
-* Fixed missing nodes lines when kubectl top nodes ([#64389](https://github.com/kubernetes/kubernetes/pull/64389), [@yue9944882](https://github.com/yue9944882)) sig-cli
-* Fixed kubectl drain --timeout option when eviction is used. ([#64378](https://github.com/kubernetes/kubernetes/pull/64378), [@wrdls](https://github.com/wrdls)) sig-cli
-* Fixed kubectl auth can-i exit code. It will return 1 if the user is not allowed and 0 if it's allowed. ([#59579](https://github.com/kubernetes/kubernetes/pull/59579), [@fbac](https://github.com/fbac))
-* Fixed data loss issue if using existing azure disk with partitions in disk mount ([#63270](https://github.com/kubernetes/kubernetes/pull/63270), [@andyzhangx](https://github.com/andyzhangx))
-* Fixed azure file size grow issue ([#64383](https://github.com/kubernetes/kubernetes/pull/64383), [@andyzhangx](https://github.com/andyzhangx))
-* Fixed SessionAffinity not updated issue for Azure load balancer ([#64180](https://github.com/kubernetes/kubernetes/pull/64180), [@feiskyer](https://github.com/feiskyer))
-* Fixed kube-controller-manager panic while provisioning Azure security group rules ([#64739](https://github.com/kubernetes/kubernetes/pull/64739), [@feiskyer](https://github.com/feiskyer))
-* Fixed API server panic during concurrent GET or LIST requests with non-empty `resourceVersion`. ([#65092](https://github.com/kubernetes/kubernetes/pull/65092), [@sttts](https://github.com/sttts))
-* Fixed incorrect OpenAPI schema for CustomResourceDefinition objects ([#65256](https://github.com/kubernetes/kubernetes/pull/65256), [@liggitt](https://github.com/liggitt))
-* Fixed issue where PersistentVolume.NodeAffinity.NodeSelectorTerms were ANDed instead of ORed. ([#62556](https://github.com/kubernetes/kubernetes/pull/62556), [@msau42](https://github.com/msau42))
-* Fixed potential infinite loop that can occur when NFS PVs are recycled. ([#62572](https://github.com/kubernetes/kubernetes/pull/62572), [@joelsmith](https://github.com/joelsmith))
-* Fixed column alignment when kubectl get is used with custom columns from OpenAPI schema ([#56629](https://github.com/kubernetes/kubernetes/pull/56629), [@luksa](https://github.com/luksa))
-* kubectl: restore the ability to show resource kinds when displaying multiple objects ([#61985](https://github.com/kubernetes/kubernetes/pull/61985), [@liggitt](https://github.com/liggitt))
-* Fixed a panic in `kubectl run --attach ...` when the api server failed to create the runtime object (due to name conflict, PSP restriction, etc.) ([#61713](https://github.com/kubernetes/kubernetes/pull/61713), [@mountkin](https://github.com/mountkin))
-* kube-scheduler has been fixed to use `--leader-elect` option back to true (as it was in previous versions) ([#59732](https://github.com/kubernetes/kubernetes/pull/59732), [@dims](https://github.com/dims))
-* kubectl: fixes issue with `-o yaml` and `-o json` omitting kind and apiVersion when used with `--dry-run` ([#61808](https://github.com/kubernetes/kubernetes/pull/61808), [@liggitt](https://github.com/liggitt))
-* Ensure reasons end up as comments in `kubectl edit`. ([#60990](https://github.com/kubernetes/kubernetes/pull/60990), [@bmcstdio](https://github.com/bmcstdio))
-* Fixes issue where subpath readOnly mounts failed ([#63045](https://github.com/kubernetes/kubernetes/pull/63045), [@msau42](https://github.com/msau42))
-* Fix stackdriver metrics for node memory using wrong metric type ([#63535](https://github.co/kubernetes/kubernetes/pull/63535), [@serathius](https://github.com/serathius))
-* fix mount unmount failure for a Windows pod ([#63272](https://github.com/kubernetes/kubernetes/pull/63272), [@andyzhangx](https://github.com/andyzhangx))
-
-### General Fixes and Reliability
-
-* Fixed a regression in kube-scheduler to properly load client connection information from a `--config` file that references a kubeconfig file. ([#65507](https://github.com/kubernetes/kubernetes/pull/65507), [@liggitt](https://github.com/liggitt))
-* Fix regression in `v1.JobSpec.backoffLimit` that caused failed Jobs to be restarted indefinitely. ([#63650](https://github.com/kubernetes/kubernetes/pull/63650), [@soltysh](https://github.com/soltysh))
-* fixes a potential deadlock in the garbage collection controller ([#64235](https://github.com/kubernetes/kubernetes/pull/64235), [@liggitt](https://github.com/liggitt))
-* fix formatAndMount func issue on Windows ([#63248](https://github.com/kubernetes/kubernetes/pull/63248), [@andyzhangx](https://github.com/andyzhangx))
-* Fix issue of colliding nodePorts when the cluster has services with externalTrafficPolicy=Local ([#64349](https://github.com/kubernetes/kubernetes/pull/64349), [@nicksardo](https://github.com/nicksardo))
-* fixes a panic applying json patches containing out of bounds operations ([#64355](https://github.com/kubernetes/kubernetes/pull/64355), [@liggitt](https://github.com/liggitt))
-* Fix incorrectly propagated ResourceVersion in ListRequests returning 0 items. ([#64150](https://github.com/kubernetes/kubernetes/pull/64150), [@wojtek-t](https://github.com/wojtek-t))
-* GCE: Fix to make the built-in `kubernetes` service properly point to the master's load balancer address in clusters that use multiple master VMs. ([#63696](https://github.com/kubernetes/kubernetes/pull/63696), [@grosskur](https://github.com/grosskur))
-* Fixes fake client generation for non-namespaced subresources ([#60445](https://github.com/kubernetes/kubernetes/pull/60445), [@jhorwit2](https://github.com/jhorwit2))
-* Schedule even if extender is not available when using extender ([#61445](https://github.com/kubernetes/kubernetes/pull/61445), [@resouer](https://github.com/resouer))
-* Fix panic create/update CRD when mutating/validating webhook configured. ([#61404](https://github.com/kubernetes/kubernetes/pull/61404), [@hzxuzhonghu](https://github.com/hzxuzhonghu))
-* Pods requesting resources prefixed with `*kubernetes.io` will remain unscheduled if there are no nodes exposing that resource. ([#61860](https://github.com/kubernetes/kubernetes/pull/61860), [@mindprince](https://github.com/mindprince))
-* fix scheduling policy on ConfigMap breaks without the --policy-configmap-namespace flag set ([#61388](https://github.com/kubernetes/kubernetes/pull/61388), [@zjj2wry](https://github.com/zjj2wry))
-* Bugfix for erroneous upgrade needed messaging in kubernetes worker charm. ([#60873](https://github.com/kubernetes/kubernetes/pull/60873), [@wwwtyro](https://github.com/wwwtyro))
-* Fix inter-pod anti-affinity check to consider a pod a match when all the anti-affinity terms match. ([#62715](https://github.com/kubernetes/kubernetes/pull/62715), [@bsalamat](https://github.com/bsalamat))
-* Pod affinity `nodeSelectorTerm.matchExpressions` may now be empty, and works as previously documented: nil or empty `matchExpressions` matches no objects in scheduler. ([#62448](https://github.com/kubernetes/kubernetes/pull/62448), [@k82cn](https://github.com/k82cn))
-* Fix an issue in inter-pod affinity predicate that cause affinity to self being processed correctly ([#62591](https://github.com/kubernetes/kubernetes/pull/62591), [@bsalamat](https://github.com/bsalamat))
-* fix WaitForAttach failure issue for azure disk ([#62612](https://github.com/kubernetes/kubernetes/pull/62612), [@andyzhangx](https://github.com/andyzhangx))
-* Fix user visible files creation for windows ([#62375](https://github.com/kubernetes/kubernetes/pull/62375), [@feiskyer](https://github.com/feiskyer))
-* Fix machineID getting for vmss nodes when using instance metadata ([#62611](https://github.com/kubernetes/kubernetes/pull/62611), [@feiskyer](https://github.com/feiskyer))
-* Fix Forward chain default reject policy for IPVS proxier ([#62007](https://github.com/kubernetes/kubernetes/pull/62007), [@m1093782566](https://github.com/m1093782566))
-* fix nsenter GetFileType issue in containerized kubelet ([#62467](https://github.com/kubernetes/kubernetes/pull/62467), [@andyzhangx](https://github.com/andyzhangx))
-* Ensure expected load balancer is selected for Azure ([#62450](https://github.com/kubernetes/kubernetes/pull/62450), [@feiskyer](https://github.com/feiskyer))
-* Resolves forbidden error when the `daemon-set-controller` cluster role access `controllerrevisions` resources. ([#62146](https://github.com/kubernetes/kubernetes/pull/62146), [@frodenas](https://github.com/frodenas))
-* fix incompatible file type checking on Windows ([#62154](https://github.com/kubernetes/kubernetes/pull/62154), [@dixudx](https://github.com/dixudx))
-* fix local volume absolute path issue on Windows ([#620s18](https://github.com/kubernetes/kubernetes/pull/62018), [@andyzhangx](https://github.com/andyzhangx))
-* fix the issue that default azure disk fsypte(ext4) does not work on Windows ([#62250](https://github.com/kubernetes/kubernetes/pull/62250), [@andyzhangx](https://github.com/andyzhangx))
-* Fixed bug in rbd-nbd utility when nbd is used. ([#62168](https://github.com/kubernetes/kubernetes/pull/62168), [@piontec](https://github.com/piontec))
-* fix local volume issue on Windows ([#62012](https://github.com/kubernetes/kubernetes/pull/62012), [@andyzhangx](https://github.com/andyzhangx))
-* Fix a bug that fluentd doesn't inject container logs for CRI container runtimes (containerd, cri-o etc.) into elasticsearch on GCE. ([#61818](https://github.com/kubernetes/kubernetes/pull/61818), [@Random-Liu](https://github.com/Random-Liu))
-* flexvolume: trigger plugin init only for the relevant plugin while probe ([#58519](https://github.com/kubernetes/kubernetes/pull/58519), [@linyouchong](https://github.com/linyouchong))
-* Fixed ingress issue with CDK and pre-1.9 versions of kubernetes. ([#61859](https://github.com/kubernetes/kubernetes/pull/61859), [@hyperbolic2346](https://github.com/hyperbolic2346))
-* Fixed racy panics when using fake watches with ObjectTracker ([#61195](https://github.com/kubernetes/kubernetes/pull/61195), [@grantr](https://github.com/grantr))
-* Fixed mounting of UNIX sockets(and other special files) in subpaths ([#61480](https://github.com/kubernetes/kubernetes/pull/61480), [@gnufscied](https://github.com/gnufied))
-* Fixed [#61123](https://github.com/kubernetes/kubernetes/pull/61123) by triggering syncer.Update on all cases including when a syncer is created ([#61124](https://github.com/kubernetes/kubernetes/pull/61124), [@satyasm](https://github.com/satyasm))
-* Fixed data race in node lifecycle controller ([#60831](https://github.com/kubernetes/kubernetes/pull/60831), [@resouer](https://github.com/resouer))
-* Fixed resultRun by resetting it to 0 on pod restart ([#62853](https://github.com/kubernetes/kubernetes/pull62853), [@tony612](https://github.com/tony612))
-* Fixed the liveness probe to use `/bin/bash -c` instead of `/bin/bash c`. ([#63033](https://github.com/kubernetes/kubernetes/pull/63033), [@bmoyles0117](https://github.com/bmoyles0117))
-* Fixed scheduler informers to receive events for all the pods in the cluster. ([#63003](https://github.com/kubernetes/kubernetes/pull/63003), [@bsalamat](https://github.com/bsalamat))
-* Fixed in vSphere Cloud Provider to handle upgrades from kubernetes version less than v1.9.4 to v1.9.4 and above. ([#62919](https://github.com/kubernetes/kubernetes/pull/62919), [@abrarshivani](https://github.com/abrarshivani))
-* Fixed error where config map for Metadata Agent was not created by addon manager. ([#62909](https://github.com/kubernetes/kubernetes/pull/62909), [@kawych](https://github.com/kawych))
-* Fixed permissions to allow statefulset scaling for admins, editors, and viewers ([#62336](https://github.com/kubernetes/kubernetes/pull/62336), [@deads2k](https://github.com/deads2k))
-* GCE: Fixed for internal load balancer management resulting in backend services with outdated instance group links. ([#62885](https://github.com/kubernetes/kubernetes/pull/62885), [@nicksardo](https://github.com/nicksardo))
-* Deployment will stop adding pod-template-hash labels/selector to ReplicaSets and Pods it adopts. Resources created by Deployments are not affected (will still have pod-template-hash labels/selector). ([#61615](https://github.com/kubernetes/kubernetes/pull/61615), [@janetkuo](https://github.com/janetkuo))
-* Used inline func to ensure unlock is executed ([#61644](https://github.com/kubernetes/kubernetes/pull/61644), [@resouer](https://github.com/resouer))
-* kubernetes-master charm now properly clears the client-ca-file setting on the apiserver snap ([#61479](https://github.com/kubernetes/kubernetes/pull/61479), [@hyperbolic2346](https://github.com/hyperbolic2346))
-* Bound cloud allocator to 10 retries with 100 ms delay between retries. ([#61375](https://github.com/kubernetes/kubernetes/pull/61375), [@satyasm](https://github.com/satyasm))
-* Respect fstype in Windows for azure disk ([#61267](https://github.com/kubernetes/kubernetes/pull/61267), [@andyzhangx](https://github.com/andyzhangx))
-* Unready pods will no longer impact the number of desired replicas when using horizontal auto-scaling with external metrics or object metrics. ([#60886](https://github.com/kubernetes/kubernetes/pull/60886), [@mattjmcnaughton](https://github.com/mattjmcnaughton))
-* Removed unsafe double RLock in cpumanager ([#62464](https://github.com/kubernetes/kubernetes/pull/62464), [@choury](https://github.com/choury))
-
-## Non-user-facing changes
-
-* Remove UID mutation from request.context. ([#63957](https://github.com/kubernetes/kubernetes/pull/63957), [@hzxuzhonghu](https://github.com/hzxuzhonghu))
-* Use Patch instead of Put to sync pod status. ([#62306](https://github.com/kubernetes/kubernetes/pull/62306), [@freehan](https://github.com/freehan))
-* Allow env from resource with keys & updated tests ([#60636](https://github.com/kubernetes/kubernetes/pull/60636), [@PhilipGough](https://github.com/PhilipGough))
+* Using `kubectl describe` on CRDs that use underscores will be prettier. ([#65391](https://github.com/kubernetes/kubernetes/pull/65391), [@smarterclayton](https://github.com/smarterclayton))
+* Improve scheduler's performance by eliminating sorting of nodes by their score. ([#65396](https://github.com/kubernetes/kubernetes/pull/65396), [@bsalamat](https://github.com/bsalamat))
+* Add more conditions to the list of predicate failures that won't be resolved by preemption. ([#64995](https://github.com/kubernetes/kubernetes/pull/64995), [@bsalamat](https://github.com/bsalamat))
+* Allow access to ClusterIP from the host network namespace when kube-proxy is started in IPVS mode without either masqueradeAll or clusterCIDR flags ([#65388](https://github.com/kubernetes/kubernetes/pull/65388), [@lbernail](https://github.com/lbernail))
+* User can now use `sudo crictl` on GCE cluster. ([#65389](https://github.com/kubernetes/kubernetes/pull/65389), [@Random-Liu](https://github.com/Random-Liu))
+* Tolerate missing watch permission when deleting a resource ([#65370](https://github.com/kubernetes/kubernetes/pull/65370), [@deads2k](https://github.com/deads2k))
+* Prevents a `kubectl delete` hang when deleting controller managed lists ([#65367](https://github.com/kubernetes/kubernetes/pull/65367), [@deads2k](https://github.com/deads2k))
+* fixes a memory leak in the kube-controller-manager observed when large numbers of pods with tolerations are created/deleted ([#65339](https://github.com/kubernetes/kubernetes/pull/65339), [@liggitt](https://github.com/liggitt))
+* checkLimitsForResolvConf for the pod create and update events instead of checking period ([#64860](https://github.com/kubernetes/kubernetes/pull/64860), [@wgliang](https://github.com/wgliang))
+* Fix concurrent map access panic ([#65334](https://github.com/kubernetes/kubernetes/pull/65334), [@dashpole](https://github.com/dashpole))
+ * Don't watch .mount cgroups to reduce number of inotify watches
+ * Fix NVML initialization race condition
+ * Fix brtfs disk metrics when using a subdirectory of a subvolume
+* Change Azure ARM Rate limiting error message. ([#65292](https://github.com/kubernetes/kubernetes/pull/65292), [@wgliang](https://github.com/wgliang))
+* AWS now checks for validity of ecryption key when creating encrypted volumes. Dynamic provisioning of encrypted volume may get slower due to these checks. ([#65223](https://github.com/kubernetes/kubernetes/pull/65223), [@jsafrane](https://github.com/jsafrane))
+* Report accurate status for kubernetes-master and -worker charms. ([#65187](https://github.com/kubernetes/kubernetes/pull/65187), [@kwmonroe](https://github.com/kwmonroe))
+* Fixed issue 63608, which is that under rare circumstances the ResourceQuota admission controller could lose track of an request in progress and time out after waiting 10 seconds for a decision to be made. ([#64598](https://github.com/kubernetes/kubernetes/pull/64598), [@MikeSpreitzer](https://github.com/MikeSpreitzer))
+* In the vSphere cloud provider the `Global.vm-uuid` configuration option is not deprecated anymore, it can be used to overwrite the VMUUID on the controller-manager ([#65152](https://github.com/kubernetes/kubernetes/pull/65152), [@alvaroaleman](https://github.com/alvaroaleman))
+* fluentd-gcp grace termination period increased to 60s. ([#65084](https://github.com/kubernetes/kubernetes/pull/65084), [@x13n](https://github.com/x13n))
+* Pass cluster_location argument to Heapster ([#65176](https://github.com/kubernetes/kubernetes/pull/65176), [@kawych](https://github.com/kawych))
+* Fix a scalability issue where high rates of event writes degraded etcd performance. ([#64539](https://github.com/kubernetes/kubernetes/pull/64539), [@ccding](https://github.com/ccding))
+* Corrected a mistake in the documentation for wait.PollImmediate(...) ([#65026](https://github.com/kubernetes/kubernetes/pull/65026), [@spew](https://github.com/spew))
+* Split 'scheduling_latency_seconds' metric into finer steps (predicate, priority, premption) ([#65306](https://github.com/kubernetes/kubernetes/pull/65306), [@shyamjvs](https://github.com/shyamjvs))
+* Etcd health checks by the apiserver now ensure the apiserver can connect to and exercise the etcd API ([#65027](https://github.com/kubernetes/kubernetes/pull/65027), [@liggitt](https://github.com/liggitt))
+* Add e2e regression tests for the kubelet being secure ([#64140](https://github.com/kubernetes/kubernetes/pull/64140), [@dixudx](https://github.com/dixudx))
* set EnableHTTPSTrafficOnly in azure storage account creation ([#64957](https://github.com/kubernetes/kubernetes/pull/64957), [@andyzhangx](https://github.com/andyzhangx))
-* New conformance test added for Watch. ([#61424](https://github.com/kubernetes/kubernetes/pull/61424), [@jennybuckley](https://github.com/jennybuckley))
-* Use DeleteOptions.PropagationPolicy instead of OrphanDependents in kubectl ([#59851](https://thub.com/kubernetes/kubernetes/pull/59851), [@nilebox](https://github.com/nilebox))
-* Add probe based mechanism for kubelet plugin discovery ([#63328](https://github.com/kubernetes/kubernetes/pull/63328), [@vikaschoudhary16](https://github.com/vikaschoudhary16))
-* keep pod state consistent when scheduler cache UpdatePod ([#64692](https://github.com/kubernetes/kubernetes/pull/64692), [@adohe](https://github.com/adohe))
-* kubectl delete does not use reapers for removing objects anymore, but relies on server-side GC entirely ([#63979](https://github.com/kubernetes/kubernetes/pull/63979), [@soltysh](https://github.com/soltysh))
+* Fixes an issue where Portworx PVCs remain in pending state when created using a StorageClass with empty parameters ([#64895](https://github.com/kubernetes/kubernetes/pull/64895), [@harsh-px](https://github.com/harsh-px))
+* This PR will leverage subtests on the existing table tests for the scheduler units. ([#63662](https://github.com/kubernetes/kubernetes/pull/63662), [@xchapter7x](https://github.com/xchapter7x))
+ * Some refactoring of error/status messages and functions to align with new approach.
+* This PR will leverage subtests on the existing table tests for the scheduler units. ([#63661](https://github.com/kubernetes/kubernetes/pull/63661), [@xchapter7x](https://github.com/xchapter7x))
+ * Some refactoring of error/status messages and functions to align with new approach.
+* This PR will leverage subtests on the existing table tests for the scheduler units. ([#63660](https://github.com/kubernetes/kubernetes/pull/63660), [@xchapter7x](https://github.com/xchapter7x))
+ * Some refactoring of error/status messages and functions to align with new approach.
* Updated default image for nginx ingress in CDK to match current Kubernetes docs. ([#64285](https://github.com/kubernetes/kubernetes/pull/64285), [@hyperbolic2346](https://github.com/hyperbolic2346))
-* Increase scheduler cache generation number monotonically in order to avoid collision and use of stale information in scheduler. ([#63264](https://github.com/kubernetes/kubernetes/pull/63264), [@bsalamat](https://github.com/bsalamat))
-* Adding CSI driver registration code. ([#64560](https://github.com/kubernetes/kubernetes/pull/64560), [@sbezverk](https://github.com/sbezverk))
-* Do not check vmSetName when getting Azure node's IP ([#63541](https://github.com/kubernetes/kubernetes/pull/63541), [@feiskyer](https://github.com/feiskyer))
-* [fluentd-gcp addon] Update event-exporter image to have the latest base image. ([#61727](https://github.com/kubernetes/kubernetes/pull/61727), [@crassirostris](https://github.com/crassirostris))
-* Make volume usage metrics available for Cinder ([#62668](https://github.com/kubernetes/kubernetes/pull/62668), [@zetaab](https://github.com/zetaab))
-* cinder volume plugin : When the cinder volume status is `error`, controller will not do `attach ` and `detach ` operation ([#61082](https://github.com/kubernetes/kubernetes/pull/61082), [@wenlxie](https://github.com/wenlxie))
-* Allow user to scale l7 default backend deployment ([#62685](https://github.com/kubernetes/kubernetes/pull/62685), [@freehan](https://github.com/freehan))
-* Add support to ingest log entries to Stackdriver against new "k8s_container" and "k8s_node" resources. ([#62076](https://github.com/kubernetes/kubernetes/pull/62076), [@qingling128](https://github.com/qingling128))
-* Disabled CheckNodeMemoryPressure and CheckNodeDiskPressure predicates if TaintNodesByCondition enabled ([#60398](https://github.com/kubernetes/kubernetes/pull/60398), [@k82cn](https://github.com/k82cn))
-* Support custom test configuration for IPAM performance integration tests ([#61959](https://github.com/kubernetes/kubernetes/pull/61959), [@satyasm](https://github.com/satyasm))
-* OIDC authentication now allows tokens without an "email_verified" claim when using the "email" claim. If an "email_verified" claim is present when using the "email" claim, it must be `true`. ([#61508](https://github.com/kubernetes/kubernetes/pull/61508), [@rithujohn191](https://github.com/rithujohn191))
-* Add e2e test for CRD Watch ([#61025](https://github.com/kubernetes/kubernetes/pull/61025), [@ayushpateria](https://github.com/ayushpateria))
-* Return error if get NodeStageSecret and NodePublishSecret failed in CSI volume plugin ([#61096](https://github.com/kubernetes/kubernetes/pull/61096), [@mlmhl](https://github.com/mlmhl))
-* kubernetes-master charm now supports metrics server for horizontal pod autoscaler. ([#60174](https://github.com/kubernetes/kubernetes/pull/60174), [@hyperbolic2346](https://github.com/hyperbolic2346))
-* In a GCE cluster, the default `HIRPIN_MODE` is now "hairpin-veth". ([#60166](https://github.com/kubernetes/kubernetes/pull/60166), [@rramkumar1](https://github.com/rramkumar1))
-* Balanced resource allocation priority in scheduler to include volume count on node ([#60525](https://github.com/kubernetes/kubernetes/pull/60525), [@ravisantoshgudimetla](https://github.com/ravisantoshgudimetla))
-* new dhcp-domain parameter to be used for figuring out the hostname of a node ([#61890](https://github.com/kubernetes/kubernetes/pull/61890), [@dims](https://github.com/dims))
-* Disable ipamperf integration tests as part of every PR verification. ([#61863](https://github.com/kubernetes/kubernetes/pull/61863), [@satyasm](https://github.com/satyasm))
-* Enable server-side print in kubectl by default, with the ability to turn it off with --server-print=false ([#61477](https://github.com/kubernetes/kubernetes/pull/61477), [@soltysh](https://github.com/soltysh))
-* Updated admission controller settings for Juju deployed Kubernetes clusters ([#61427](https://github.com/kubernetes/kubernetes/pull/61427), [@hyperbolic2346](https://github.com/hyperbolic2346))
-* Performance test framework and basic tests for the IPAM controller, to simulate behavior of the four supported modes under lightly loaded and loaded conditions, where load is defined as the number of operations to perform as against the configured kubernetes. ([#61143](https://github.com/kubernetes/kubernetes/pull/61143), [@satyasm](https://github.com/satyasm))
-* Removed always pull policy from the template for ingress on CDK. ([#61598](https://github.com/kubernetes/kubernetes/pull/61598), [@hyperbolic2346](https://github.com/hyperbolic2346))
-* `make test-cmd` now works on macOS. ([#61393](https://github.com/kubernetes/kubernetes/pull/61393), [@totherme](https://github.com/totherme))
-* Conformance: ReplicaSet must be supported in the `apps/v1` version. ([#61367](https://github.com/kubernetes/kubernetes/pull/61367), [@enisoc](https://github.com/enisoc))
-* Remove 'system' prefix from Metadata Agent rbac configuration ([#61394](https://github.com/kubernetes/kubernetes/pull/61394), [@kawych](https://github.com/kawych))
-* Support new NODE_OS_DISTRIBUTION 'custom' on GCE on a new add event. ([#61235](https://github.com/kubernetes/kubernetes/pull/61235), [@yguo0905](https://github.com/yguo0905))
-* include file name in the error when visiting files ([#60919](https://github.com/kubernetes/kubernetes/pull/60919), [@dixudx](https://github.com/dixudx))
-* Split PodPriority and PodPreemption feature gate ([#62243](https://github.com/kubernetes/kubernetes/pull/62243), [@resouer](https://github.com/resouer))
-* Code generated for CRDs now passes `go vet`. ([#62412](https://github.com/kubernetes/kubernetes/pull/62412), [@bhcleek](https://github.com/bhcleek))
-* "beginPort+offset" format support for port range which affects kube-proxy only ([#58731](https://github.com/kubernetes/kubernetes/pull/58731), [@yue9944882](https://github.com/yue9944882))
-* Added e2e test for watch ([#60331](https://github.com/kubernetes/kubernetes/pull/60331), [@jennybuckley](https://github.com/jennybuckley))
-* add warnings on using pod-infra-container-image for remote container runtime ([#62982](https://github.com/kubernetes/kubernetes/pull/62982), [@dixudx](https://github.com/dixudx))
-* Mount additional paths required for a working CA root, for setups where /etc/ssl/certs doesn't contains certificates but just symlink. ([#59122](https://github.com/kubernetes/kubernetes/pull/59122), [@klausenbusk](https://github.com/klausenbusk))
-* Introduce truncating audit bacnd that can be enabled for existing backend to limit the size of individual audit events and batches of events. ([#61711](https://github.com/kubernetes/kubernetes/pull/61711), [@crassirostris](https://github.com/crassirostris))
-* stop kubelet to cloud provider integration potentially wedging kubelet sync loop ([#62543](https://github.com/kubernetes/kubernetes/pull/62543), [@ingvagabund](https://github.com/ingvagabund))
-* Set pod status to "Running" if there is at least one container still reporting as "Running" status and others are "Completed". ([#62642](https://github.com/kubernetes/kubernetes/pull/62642), [@ceshihao](https://github.com/ceshihao))
-* Fix memory cgroup notifications, and reduce associated log spam. ([#63220](https://github.com/kubernetes/kubernetes/pull/63220), [@dashpole](https://github.com/dashpole))
-* Remove never used NewCronJobControllerFromClient method (#59471, dmathieu)
-
-{{% /capture %}}
+* Added block volume support to Cinder volume plugin. ([#64879](https://github.com/kubernetes/kubernetes/pull/64879), [@bertinatto](https://github.com/bertinatto))
+* fixed incorrect OpenAPI schema for CustomResourceDefinition objects ([#65256](https://github.com/kubernetes/kubernetes/pull/65256), [@liggitt](https://github.com/liggitt))
+* ignore not found file error when watching manifests ([#64880](https://github.com/kubernetes/kubernetes/pull/64880), [@dixudx](https://github.com/dixudx))
+* add port-forward examples for sevice ([#64773](https://github.com/kubernetes/kubernetes/pull/64773), [@MasayaAoyama](https://github.com/MasayaAoyama))
+* Fix issues for block device not mapped to container. ([#64555](https://github.com/kubernetes/kubernetes/pull/64555), [@wenlxie](https://github.com/wenlxie))
+* Update crictl on GCE to v1.11.0. ([#65254](https://github.com/kubernetes/kubernetes/pull/65254), [@Random-Liu](https://github.com/Random-Liu))
+* Fixes missing nodes lines when kubectl top nodes ([#64389](https://github.com/kubernetes/kubernetes/pull/64389), [@yue9944882](https://github.com/yue9944882))
+* keep pod state consistent when scheduler cache UpdatePod ([#64692](https://github.com/kubernetes/kubernetes/pull/64692), [@adohe](https://github.com/adohe))
+* add external resource group support for azure disk ([#64427](https://github.com/kubernetes/kubernetes/pull/64427), [@andyzhangx](https://github.com/andyzhangx))
+* Increase the gRPC max message size to 16MB in the remote container runtime. ([#64672](https://github.com/kubernetes/kubernetes/pull/64672), [@mcluseau](https://github.com/mcluseau))
+* The new default value for the --allow-privileged parameter of the Kubernetes-worker charm has been set to true based on changes which went into the Kubernetes 1.10 release. Before this change the default value was set to false. If you're installing Canonical Kubernetes you should expect this value to now be true by default and you should now look to use PSP (pod security policies). ([#64104](https://github.com/kubernetes/kubernetes/pull/64104), [@CalvinHartwell](https://github.com/CalvinHartwell))
+* The --remove-extra-subjects and --remove-extra-permissions flags have been enabled for kubectl auth reconcile ([#64541](https://github.com/kubernetes/kubernetes/pull/64541), [@mrogers950](https://github.com/mrogers950))
+* Fix kubectl drain --timeout option when eviction is used. ([#64378](https://github.com/kubernetes/kubernetes/pull/64378), [@wrdls](https://github.com/wrdls))
+* This PR will leverage subtests on the existing table tests for the scheduler units. ([#63659](https://github.com/kubernetes/kubernetes/pull/63659), [@xchapter7x](https://github.com/xchapter7x))
+ * Some refactoring of error/status messages and functions to align with new approach.
+
diff --git a/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md b/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md
index 3292d07c0d187..892f9f55e6fad 100644
--- a/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md
+++ b/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md
@@ -447,8 +447,9 @@ The column's `format` controls the style used when `kubectl` prints the value.
### Subresources
+{{< feature-state state="beta" for_kubernetes_version="1.11" >}}
+
Custom resources support `/status` and `/scale` subresources.
-This feature is __beta__ in v1.11 and enabled by default.
You can disable this feature using the `CustomResourceSubresources` feature gate on
the [kube-apiserver](/docs/admin/kube-apiserver):
@@ -469,7 +470,28 @@ When the status subresource is enabled, the `/status` subresource for the custom
- `PUT` requests to the `/status` subresource only validate the status stanza of the custom resource.
- `PUT`/`POST`/`PATCH` requests to the custom resource ignore changes to the status stanza.
- Any changes to the spec stanza increments the value at `.metadata.generation`.
-- `properties`, `required` and `description` are the only constructs allowed in the root of the CRD OpenAPI validation schema.
+- Only the following constructs are allowed at the root of the CRD OpenAPI validation schema:
+
+ - Description
+ - Example
+ - ExclusiveMaximum
+ - ExclusiveMinimum
+ - ExternalDocs
+ - Format
+ - Items
+ - Maximum
+ - MaxItems
+ - MaxLength
+ - Minimum
+ - MinItems
+ - MinLength
+ - MultipleOf
+ - Pattern
+ - Properties
+ - Required
+ - Title
+ - Type
+ - UniqueItems
#### Scale subresource
diff --git a/content/en/docs/tasks/administer-cluster/dns-custom-nameservers.md b/content/en/docs/tasks/administer-cluster/dns-custom-nameservers.md
index b6eac169f19cd..7067097b0b8a5 100644
--- a/content/en/docs/tasks/administer-cluster/dns-custom-nameservers.md
+++ b/content/en/docs/tasks/administer-cluster/dns-custom-nameservers.md
@@ -28,28 +28,19 @@ DNS is a built-in Kubernetes service launched automatically
using the addon manager
[cluster add-on](http://releases.k8s.io/{{< param "githubbranch" >}}/cluster/addons/README.md).
-The running DNS Pod holds 3 containers:
+As of Kubernetes v1.12, CoreDNS is the recommended DNS Server, replacing kube-dns. However, kube-dns may still be installed by
+default with certain Kubernetes installer tools. Refer to the documentation provided by your installer to know which DNS server is installed by default.
-- "`kubedns`": watches the Kubernetes master for changes
- in Services and Endpoints, and maintains in-memory lookup structures to serve
- DNS requests.
-- "`dnsmasq`": adds DNS caching to improve performance.
-- "`sidecar`": provides a single health check endpoint
- to perform healthchecks for `dnsmasq` and `kubedns`.
-The DNS Pod is exposed as a Kubernetes Service with a static IP.
-The kubelet passes DNS to each container with the `--cluster-dns=`
-flag.
+The CoreDNS Deployment is exposed as a Kubernetes Service with a static IP.
+Both the CoreDNS and kube-dns Service are named `kube-dns` in the `metadata.name` field. This is done so that there is greater interoperability with workloads that relied on the legacy `kube-dns` Service name to resolve addresses internal to the cluster. It abstracts away the implementation detail of which DNS provider is running behind that common endpoint.
+The kubelet passes DNS to each container with the `--cluster-dns=` flag.
DNS names also need domains. You configure the local domain in the kubelet
with the flag `--cluster-domain=`.
-The Kubernetes cluster DNS server is based on the
-[SkyDNS](https://github.com/skynetservices/skydns) library. It supports forward
-lookups (A records), service lookups (SRV records), and reverse IP address
-lookups (PTR records).
-
-## Inheriting DNS from the node
+The DNS server supports forward lookups (A records), port lookups (SRV records), reverse IP address lookups (PTR records),
+and more. For more information see [DNS for Services and Pods] (/docs/concepts/services-networking/dns-pod-service/).
If a Pod's `dnsPolicy` is set to "`default`", it inherits the name resolution
configuration from the node that the Pod runs on. The Pod's DNS resolution
@@ -61,7 +52,130 @@ use the kubelet's `--resolv-conf` flag. Set this flag to "" to prevent Pods fro
inheriting DNS. Set it to a valid file path to specify a file other than
`/etc/resolv.conf` for DNS inheritance.
-## Configure stub-domain and upstream DNS servers
+## CoreDNS
+
+CoreDNS is a general-purpose authoritative DNS server that can serve as cluster DNS, complying with the [dns specifications]
+(https://github.com/kubernetes/dns/blob/master/docs/specification.md).
+
+### CoreDNS ConfigMap options
+
+CoreDNS is a DNS server that is modular and pluggable, and each plugin adds new functionality to CoreDNS.
+This can be configured by maintaining a [Corefile](https://coredns.io/2017/07/23/corefile-explained/), which is the CoreDNS
+configuration file. A cluster administrator can modify the ConfigMap for the CoreDNS Corefile to change how service discovery works.
+
+In Kubernetes, CoreDNS is installed with the following default Corefile configuration.
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: kube-system
+Corefile: |
+ .:53 {
+ errors
+ health
+ kubernetes cluster.local in-addr.arpa ip6.arpa {
+ pods insecure
+ upstream
+ fallthrough in-addr.arpa ip6.arpa
+ }
+ prometheus :9153
+ proxy . /etc/resolv.conf
+ cache 30
+ loop
+ reload
+ loadbalance
+ }
+```
+The Corefile configuration includes the following [plugins](https://coredns.io/plugins/) of CoreDNS:
+
+* [errors](https://coredns.io/plugins/errors/): Errors are logged to stdout.
+* [health](https://coredns.io/plugins/health/): Health of CoreDNS is reported to http://localhost:8080/health.
+* [kubernetes](https://coredns.io/plugins/kubernetes/): CoreDNS will reply to DNS queries based on IP of the services and pods of Kubernetes. You can find more details [here](https://coredns.io/plugins/kubernetes/).
+
+> The `pods insecure` option is provided for backward compatibility with kube-dns. You can use the `pod verified` option, which returns an A record only if there exists a pod in same namespace with matching IP. The `pods disabled` option can be used if you don't use pod records.
+
+> `Upstream` is used for resolving services that point to external hosts (External Services).
+
+* [prometheus](https://coredns.io/plugins/prometheus/): Metrics of CoreDNS are available at http://localhost:9153/metrics in [Prometheus](https://prometheus.io/) format.
+* [proxy](https://coredns.io/plugins/proxy/): Any queries that are not within the cluster domain of Kubernetes will be forwarded to predefined resolvers (/etc/resolv.conf).
+* [cache](https://coredns.io/plugins/cache/): This enables a frontend cache.
+* [loop](https://coredns.io/plugins/loop/): Detects simple forwarding loops and halts the CoreDNS process if a loop is found.
+* [reload](https://coredns.io/plugins/reload): Allows automatic reload of a changed Corefile.
+* [loadbalance](https://coredns.io/plugins/loadbalance): This is a round-robin DNS loadbalancer by randomizing the order of A, AAAA, and MX records in the answer.
+
+We can modify the default behavior by modifying this configmap.
+
+### Configuration of Stub-domain and upstream nameserver using CoreDNS
+
+CoreDNS has the ability to configure stubdomains and upstream nameservers using the [proxy plugin](https://coredns.io/plugins/proxy/).
+
+#### Example
+If a cluster operator has a [Consul](https://www.consul.io/) domain server located at 10.150.0.1, and all Consul names have the suffix .consul.local. To configure it in CoreDNS, the cluster administrator creates the following stanza in the CoreDNS ConfigMap.
+
+```
+consul.local:53 {
+ errors
+ cache 30
+ proxy . 10.150.0.1
+ }
+```
+
+To explicitly force all non-cluster DNS lookups to go through a specific nameserver at 172.16.0.1, point the `proxy` and `upstream` to the nameserver instead of `/etc/resolv.conf`
+
+```
+proxy . 172.16.0.1
+```
+```
+upstream 172.16.0.1
+```
+
+So, the final ConfigMap along with the default `Corefile` configuration will look like:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: kube-system
+Corefile: |
+ .:53 {
+ errors
+ health
+ kubernetes cluster.local in-addr.arpa ip6.arpa {
+ pods insecure
+ upstream 172.16.0.1
+ fallthrough in-addr.arpa ip6.arpa
+ }
+ prometheus :9153
+ proxy . 172.16.0.1
+ cache 30
+ loop
+ reload
+ loadbalance
+ }
+ consul.local:53 {
+ errors
+ cache 30
+ proxy . 10.150.0.1
+ }
+```
+In Kubernetes version 1.10 and later, kubeadm supports automatic translation of the CoreDNS ConfigMap from the kube-dns ConfigMap.
+
+## Kube-dns
+
+Kube-dns is now available as a optional DNS server since CoreDNS is now the default.
+The running DNS Pod holds 3 containers:
+
+- "`kubedns`": watches the Kubernetes master for changes
+ in Services and Endpoints, and maintains in-memory lookup structures to serve
+ DNS requests.
+- "`dnsmasq`": adds DNS caching to improve performance.
+- "`sidecar`": provides a single health check endpoint
+ to perform healthchecks for `dnsmasq` and `kubedns`.
+
+### Configure stub-domain and upstream DNS servers
Cluster administrators can specify custom stub domains and upstream nameservers
by providing a ConfigMap for kube-dns (`kube-system:kube-dns`).
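Review bot: Both ConfigMap manifests added in this hunk (the default Corefile and the final stub-domain example) have no `data:` line, so `Corefile: |` sits at the top level of the object beside `metadata:`. A ConfigMap carries its entries under `data`, so a reader who copies either manifest would not get the Corefile into the ConfigMap; add `data:` after `namespace: kube-system` in each and nest `Corefile: |` beneath it. In the note on the kubernetes plugin, `pod verified` should read `pods verified`, matching the `pods insecure` and `pods disabled` spellings in the same paragraph. Because `pods insecure` is the default shown here, that note would also be clearer if it said that `insecure` answers pod-name queries without checking that a matching pod exists, which is the check `pods verified` adds.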
@@ -102,7 +216,7 @@ details about the configuration option format.
{{% capture discussion %}}
-### Effects on Pods
+#### Effects on Pods
Custom upstream nameservers and stub domains do not affect Pods with a
`dnsPolicy` set to "`Default`" or "`None`".
@@ -136,7 +250,7 @@ DNS queries are routed according to the following flow:
![DNS lookup flow](/docs/tasks/administer-cluster/dns-custom-nameservers/dns.png)
-## ConfigMap options
+### ConfigMap options
Options for the kube-dns `kube-system:kube-dns` ConfigMap:
@@ -145,9 +259,9 @@ Options for the kube-dns `kube-system:kube-dns` ConfigMap:
| `stubDomains` (optional) | A JSON map using a DNS suffix key such as “acme.local”, and a value consisting of a JSON array of DNS IPs. | The target nameserver can itself be a Kubernetes Service. For instance, you can run your own copy of dnsmasq to export custom DNS names into the ClusterDNS namespace. |
| `upstreamNameservers` (optional) | A JSON array of DNS IPs. | If specified, the values replace the nameservers taken by default from the node’s `/etc/resolv.conf`. Limits: a maximum of three upstream nameservers can be specified. |
-### Examples
+#### Examples
-#### Example: Stub domain
+##### Example: Stub domain
In this example, the user has a Consul DNS service discovery system they want to
integrate with kube-dns. The consul domain server is located at 10.150.0.1, and
@@ -169,7 +283,7 @@ Note that the cluster administrator does not want to override the node’s
upstream nameservers, so they did not specify the optional
`upstreamNameservers` field.
-#### Example: Upstream nameserver
+##### Example: Upstream nameserver
In this example the cluster administrator wants to explicitly force all
non-cluster DNS lookups to go through their own nameserver at 172.16.0.1.
@@ -189,17 +303,9 @@ data:
{{% /capture %}}
-## Configuring CoreDNS {#config-coredns}
-
-You can configure [CoreDNS](https://coredns.io/) as a service discovery.
-
-CoreDNS is available as an option in Kubernetes starting with version 1.9.
-It is currently a [GA feature](https://github.com/kubernetes/community/blob/master/keps/sig-network/0010-20180314-coredns-GA-proposal.md) and is on course to be [the default](https://github.com/kubernetes/community/blob/master/keps/sig-network/0012-20180518-coredns-default-proposal.md), replacing kube-dns.
-
-
-## CoreDNS ConfigMap options
+## CoreDNS configuration equivalent to kube-dns
-CoreDNS chains plugins and can be configured by maintaining a Corefile with the ConfigMap. CoreDNS supports all the functionalities and more that is provided by kube-dns.
+CoreDNS supports all the functionalities and more that is provided by kube-dns.
A ConfigMap created for kube-dns to support `StubDomains`and `upstreamNameservers` translates to the `proxy` plugin in CoreDNS.
Similarly, the `Federation` plugin translates to the `federation` plugin in CoreDNS.
@@ -276,8 +382,8 @@ In Kubernetes version 1.10 and later, kubeadm supports automatic translation of
## Migration to CoreDNS
-A number of tools support the installation of CoreDNS instead of kube-dns.
To migrate from kube-dns to CoreDNS, [a detailed blog](https://coredns.io/2018/05/21/migration-from-kube-dns-to-coredns/) is available to help users adapt CoreDNS in place of kube-dns.
+A cluster administrator can also migrate using [the deploy script](https://github.com/coredns/deployment/blob/master/kubernetes/deploy.sh), which will also help you translate the kube-dns configmap to the equivalent CoreDNS one.
## What's next
- [Debugging DNS Resolution](/docs/tasks/administer-cluster/dns-debugging-resolution/).
diff --git a/content/en/docs/tasks/administer-cluster/dns-debugging-resolution.md b/content/en/docs/tasks/administer-cluster/dns-debugging-resolution.md
index 23061cbd74dfd..1a9b7bf7e2289 100644
--- a/content/en/docs/tasks/administer-cluster/dns-debugging-resolution.md
+++ b/content/en/docs/tasks/administer-cluster/dns-debugging-resolution.md
@@ -13,7 +13,7 @@ This page provides hints on diagnosing DNS problems.
{{% capture prerequisites %}}
* {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
* Kubernetes version 1.6 and above.
-* The cluster must be configured to use the `kube-dns` addon.
+* The cluster must be configured to use the `coredns` (or `kube-dns`) addons.
{{% /capture %}}
{{% capture steps %}}
@@ -68,7 +68,7 @@ nameserver 10.0.0.10
options ndots:5
```
-Errors such as the following indicate a problem with the kube-dns add-on or
+Errors such as the following indicate a problem with the coredns/kube-dns add-on or
associated Services:
```
@@ -93,6 +93,17 @@ nslookup: can't resolve 'kubernetes.default'
Use the `kubectl get pods` command to verify that the DNS pod is running.
+For CoreDNS:
+```shell
+kubectl get pods --namespace=kube-system -l k8s-app=kube-dns
+NAME READY STATUS RESTARTS AGE
+...
+coredns-7b96bf9f76-5hsxb 1/1 Running 0 1h
+coredns-7b96bf9f76-mvmmt 1/1 Running 0 1h
+...
+```
+
+Or for kube-dns:
```shell
kubectl get pods --namespace=kube-system -l k8s-app=kube-dns
NAME READY STATUS RESTARTS AGE
@@ -107,8 +118,26 @@ have to deploy it manually.
### Check for Errors in the DNS pod
-Use `kubectl logs` command to see logs for the DNS daemons.
+Use `kubectl logs` command to see logs for the DNS containers.
+For CoreDNS:
+```shell
+for p in $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name); do kubectl logs --namespace=kube-system $p; done
+```
+
+Here is an example of a healthy CoreDNS log:
+
+```
+.:53
+2018/08/15 14:37:17 [INFO] CoreDNS-1.2.2
+2018/08/15 14:37:17 [INFO] linux/amd64, go1.10.3, 2e322f6
+CoreDNS-1.2.2
+linux/amd64, go1.10.3, 2e322f6
+2018/08/15 14:37:17 [INFO] plugin/reload: Running configuration MD5 = 24e6c59e83ce706f07bcc82c31b1ea1c
+```
+
+
+For kube-dns, there are 3 sets of logs:
```shell
kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name | head -1) -c kubedns
@@ -117,8 +146,8 @@ kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system
kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system -l k8s-app=kube-dns -o name | head -1) -c sidecar
```
-See if there is any suspicious log. Letter '`W`', '`E`', '`F`' at the beginning
-represent Warning, Error and Failure. Please search for entries that have these
+See if there are any suspicious error messages in the logs. In kube-dns, a '`W`', '`E`' or '`F`' at the beginning
+of a line represents a Warning, Error or Failure. Please search for entries that have these
as the logging level and use
[kubernetes issues](https://github.com/kubernetes/kubernetes/issues)
to report unexpected errors.
@@ -135,6 +164,8 @@ kube-dns ClusterIP 10.0.0.10 53/UDP,53/TCP 1h
...
```
+
+Note that the service name will be "kube-dns" for both CoreDNS and kube-dns deployments.
If you have created the service or in the case it should be created by default
but it does not appear, see
[debugging services](/docs/tasks/debug-application-cluster/debug-service/) for
@@ -158,20 +189,83 @@ For additional Kubernetes DNS examples, see the
[cluster-dns examples](https://github.com/kubernetes/examples/tree/master/staging/cluster-dns)
in the Kubernetes GitHub repository.
+
+### Are DNS queries being received/processed?
+
+You can verify if queries are being received by CoreDNS by adding the `log` plugin to the CoreDNS configuration (aka Corefile).
+The CoreDNS Corefile is held in a ConfigMap named `coredns`. To edit it, use the command ...
+
+```
+kubectl -n kube-system edit configmap coredns
+```
+
+Then add `log` in the Corefile section per the example below.
+
+```
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: kube-system
+data:
+ Corefile: |
+ .:53 {
+ log
+ errors
+ health
+ kubernetes cluster.local in-addr.arpa ip6.arpa {
+ pods insecure
+ upstream
+ fallthrough in-addr.arpa ip6.arpa
+ }
+ prometheus :9153
+ proxy . /etc/resolv.conf
+ cache 30
+ loop
+ reload
+ loadbalance
+ }
+
+```
+
+After saving the changes, it may take up to minute or two for Kubernetes to propagate these changes to the CoreDNS pods.
+
+Next, make some queries and view the logs per the sections above in this document. If CoreDNS pods are receiving the queries, you should see them in the logs.
+
+Here is an example of a query in the log.
+
+```
+.:53
+2018/08/15 14:37:15 [INFO] CoreDNS-1.2.0
+2018/08/15 14:37:15 [INFO] linux/amd64, go1.10.3, 2e322f6
+CoreDNS-1.2.0
+linux/amd64, go1.10.3, 2e322f6
+2018/09/07 15:29:04 [INFO] plugin/reload: Running configuration MD5 = 162475cdf272d8aa601e6fe67a6ad42f
+2018/09/07 15:29:04 [INFO] Reloading complete
+172.17.0.18:41675 - [07/Sep/2018:15:29:11 +0000] 59925 "A IN kubernetes.default.svc.cluster.local. udp 54 false 512" NOERROR qr,aa,rd,ra 106 0.000066649s
+
+```
+
## Known issues
-Kubernetes installs do not configure the nodes' resolv.conf files to use the
-cluster DNS by default, because that process is inherently distro-specific.
+Some Linux distributions (e.g. Ubuntu), use a local DNS resolver by default (systemd-resolved).
+Systemd-resolved moves and replaces `/etc/resolv.conf` with a stub file that can cause a fatal forwarding
+loop when resolving names in upstream servers. This can be fixed manually by using kubelet's `--resolv-conf` flag
+to point to the correct `resolv.conf` (With `systemd-resolved`, this is `/run/systemd/resolve/resolv.conf`).
+kubeadm 1.11 automatically detects `systemd-resolved`, and adjusts the kubelet flags accordingly.
+
+Kubernetes installs do not configure the nodes' `resolv.conf` files to use the
+cluster DNS by default, because that process is inherently distribution-specific.
This should probably be implemented eventually.
Linux's libc is impossibly stuck ([see this bug from
2005](https://bugzilla.redhat.com/show_bug.cgi?id=168253)) with limits of just
-3 DNS `nameserver` records and 6 DNS `search` records. Kubernetes needs to
-consume 1 `nameserver` record and 3 `search` records. This means that if a
+3 DNS `nameserver` records and 6 DNS `search` records. Kubernetes needs to
+consume 1 `nameserver` record and 3 `search` records. This means that if a
local installation already uses 3 `nameserver`s or uses more than 3 `search`es,
-some of those settings will be lost. As a partial workaround, the node can run
+some of those settings will be lost. As a partial workaround, the node can run
`dnsmasq` which will provide more `nameserver` entries, but not more `search`
-entries. You can also use kubelet's `--resolv-conf` flag.
+entries. You can also use kubelet's `--resolv-conf` flag.
If you are using Alpine version 3.3 or earlier as your base image, DNS may not
work properly owing to a known issue with Alpine.
diff --git a/content/en/docs/tasks/administer-cluster/dns-horizontal-autoscaling.md b/content/en/docs/tasks/administer-cluster/dns-horizontal-autoscaling.md
index afdb829455a3c..c28f4c1001c99 100644
--- a/content/en/docs/tasks/administer-cluster/dns-horizontal-autoscaling.md
+++ b/content/en/docs/tasks/administer-cluster/dns-horizontal-autoscaling.md
@@ -36,10 +36,10 @@ The output is similar to this:
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
...
- kube-dns-autoscaler 1 1 1 1 ...
+ dns-autoscaler 1 1 1 1 ...
...
-If you see "kube-dns-autoscaler" in the output, DNS horizontal autoscaling is
+If you see "dns-autoscaler" in the output, DNS horizontal autoscaling is
already enabled, and you can skip to
[Tuning autoscaling parameters](#tuning-autoscaling-parameters).
@@ -53,10 +53,13 @@ The output is similar to this:
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
...
- kube-dns 1 1 1 1 ...
+ coredns 2 2 2 2 ...
...
-In Kubernetes versions earlier than 1.5 DNS is implemented using a
+
+In Kubernetes versions earlier than 1.12, the DNS Deployment was called "kube-dns".
+
+In Kubernetes versions earlier than 1.5 DNS was implemented using a
ReplicationController instead of a Deployment. So if you don't see kube-dns,
or a similar name, in the preceding output, list the ReplicationControllers in
your cluster in the kube-system namespace:
@@ -77,7 +80,7 @@ If you have a DNS Deployment, your scale target is:
Deployment/
where is the name of your DNS Deployment. For example, if
-your DNS Deployment name is kube-dns, your scale target is Deployment/kube-dns.
+your DNS Deployment name is coredns, your scale target is Deployment/coredns.
If you have a DNS ReplicationController, your scale target is:
@@ -111,7 +114,7 @@ DNS horizontal autoscaling is now enabled.
## Tuning autoscaling parameters
-Verify that the kube-dns-autoscaler ConfigMap exists:
+Verify that the dns-autoscaler ConfigMap exists:
kubectl get configmap --namespace=kube-system
@@ -119,12 +122,12 @@ The output is similar to this:
NAME DATA AGE
...
- kube-dns-autoscaler 1 ...
+ dns-autoscaler 1 ...
...
Modify the data in the ConfigMap:
- kubectl edit configmap kube-dns-autoscaler --namespace=kube-system
+ kubectl edit configmap dns-autoscaler --namespace=kube-system
Look for this line:
@@ -151,15 +154,15 @@ There are other supported scaling patterns. For details, see
There are a few options for turning DNS horizontal autoscaling. Which option to
use depends on different conditions.
-### Option 1: Scale down the kube-dns-autoscaler deployment to 0 replicas
+### Option 1: Scale down the dns-autoscaler deployment to 0 replicas
This option works for all situations. Enter this command:
- kubectl scale deployment --replicas=0 kube-dns-autoscaler --namespace=kube-system
+ kubectl scale deployment --replicas=0 dns-autoscaler --namespace=kube-system
The output is:
- deployment.extensions/kube-dns-autoscaler scaled
+ deployment.extensions/dns-autoscaler scaled
Verify that the replica count is zero:
@@ -169,33 +172,33 @@ The output displays 0 in the DESIRED and CURRENT columns:
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
...
- kube-dns-autoscaler 0 0 0 0 ...
+ dns-autoscaler 0 0 0 0 ...
...
-### Option 2: Delete the kube-dns-autoscaler deployment
+### Option 2: Delete the dns-autoscaler deployment
-This option works if kube-dns-autoscaler is under your own control, which means
+This option works if dns-autoscaler is under your own control, which means
no one will re-create it:
- kubectl delete deployment kube-dns-autoscaler --namespace=kube-system
+ kubectl delete deployment dns-autoscaler --namespace=kube-system
The output is:
- deployment.extensions "kube-dns-autoscaler" deleted
+ deployment.extensions "dns-autoscaler" deleted
-### Option 3: Delete the kube-dns-autoscaler manifest file from the master node
+### Option 3: Delete the dns-autoscaler manifest file from the master node
-This option works if kube-dns-autoscaler is under control of the
+This option works if dns-autoscaler is under control of the
[Addon Manager](https://git.k8s.io/kubernetes/cluster/addons/README.md)'s
control, and you have write access to the master node.
Sign in to the master node and delete the corresponding manifest file.
-The common path for this kube-dns-autoscaler is:
+The common path for this dns-autoscaler is:
/etc/kubernetes/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
After the manifest file is deleted, the Addon Manager will delete the
-kube-dns-autoscaler Deployment.
+dns-autoscaler Deployment.
{{% /capture %}}
diff --git a/content/en/docs/tasks/administer-cluster/kms-provider.md b/content/en/docs/tasks/administer-cluster/kms-provider.md
index 526ecb63ce503..5f14375b9e2ac 100644
--- a/content/en/docs/tasks/administer-cluster/kms-provider.md
+++ b/content/en/docs/tasks/administer-cluster/kms-provider.md
@@ -16,7 +16,7 @@ This page shows how to configure a Key Management Service (KMS) provider and plu
* etcd v3 or later is required
-{{< feature-state for_k8s_version="v1.10" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.12" state="beta" >}}
{{% /capture %}}
diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-12.md b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-12.md
new file mode 100644
index 0000000000000..6be3b687bf3d6
--- /dev/null
+++ b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-12.md
@@ -0,0 +1,295 @@
+---
+reviewers:
+- sig-cluster-lifecycle
+title: Upgrading kubeadm clusters from v1.11 to v1.12
+content_template: templates/task
+---
+
+{{% capture overview %}}
+
+This page explains how to upgrade a Kubernetes cluster created with `kubeadm` from version 1.11.x to version 1.12.x, and from version 1.12.x to 1.12.y, where `y > x`.
+
+{{% /capture %}}
+
+{{% capture prerequisites %}}
+
+- You need to have a `kubeadm` Kubernetes cluster running version 1.11.0 or later.
+ [Swap must be disabled][swap].
+ The cluster should use a static control plane and etcd pods.
+- Make sure you read the [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md) carefully.
+- Make sure to back up any important components, such as app-level state stored in a database.
+ `kubeadm upgrade` does not touch your workloads, only components internal to Kubernetes, but backups are always a best practice.
+
+
+[swap]: https://serverfault.com/questions/684771/best-way-to-disable-swap-in-linux
+### Additional information
+
+- All containers are restarted after upgrade, because the container spec hash value is changed.
+- You can upgrade only from one minor version to the next minor version.
+ That is, you cannot skip versions when you upgrade.
+ For example, you can upgrade only from 1.10 to 1.11, not from 1.9 to 1.11.
+
+{{% /capture %}}
+
+{{% capture steps %}}
+
+## Upgrade the control plane
+
+1. On your master node, upgrade kubeadm:
+
+ {{< tabs name="k8s_install" >}}
+ {{% tab name="Ubuntu, Debian or HypriotOS" %}}
+ apt-get update
+ apt-get upgrade -y kubelet kubeadm
+ {{% /tab %}}
+ {{% tab name="CentOS, RHEL or Fedora" %}}
+ yum upgrade -y kubeadm --disableexcludes=kubernetes
+ {{% /tab %}}
+ {{< /tabs >}}
+
+1. Verify that the download works and has the expected version:
+
+ ```shell
+ kubeadm version
+ ```
+
+1. On the master node, run:
+
+ ```shell
+ kubeadm upgrade plan
+ ```
+
+ You should see output similar to this:
+
+ ```shell
+ [preflight] Running pre-flight checks.
+ [upgrade] Making sure the cluster is healthy:
+ [upgrade/config] Making sure the configuration is correct:
+ [upgrade/config] Reading configuration from the cluster...
+ [upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
+ [upgrade] Fetching available versions to upgrade to
+ [upgrade/versions] Cluster version: v1.11.3
+ [upgrade/versions] kubeadm version: v1.12.0
+ [upgrade/versions] Latest stable version: v1.11.3
+ [upgrade/versions] Latest version in the v1.11 series: v1.11.3
+ [upgrade/versions] Latest experimental version: v1.13.0-alpha.0
+
+ Components that must be upgraded manually after you have upgraded the control plane with 'kubeadm upgrade apply':
+ COMPONENT CURRENT AVAILABLE
+ Kubelet 2 x v1.11.1 v1.12.0
+ 1 x v1.11.3 v1.12.0
+
+ Upgrade to the latest experimental version:
+
+ COMPONENT CURRENT AVAILABLE
+ API Server v1.11.3 v1.12.0
+ Controller Manager v1.11.3 v1.12.0
+ Scheduler v1.11.3 v1.12.0
+ Kube Proxy v1.11.3 v1.12.0
+ CoreDNS 1.1.3 1.2.2
+ Etcd 3.2.18 3.2.24
+
+ You can now apply the upgrade by executing the following command:
+
+ kubeadm upgrade apply v1.12.0
+
+ _____________________________________________________________________
+
+ ```
+
+ This command checks that your cluster can be upgraded, and fetches the versions you can upgrade to.
+
+1. Choose a version to upgrade to, and run the appropriate command. For example:
+
+ ```shell
+ kubeadm upgrade apply v1.12.0
+ ```
+
+ You should see output similar to this:
+
+
+
+ ```shell
+ [preflight] Running pre-flight checks.
+ [upgrade] Making sure the cluster is healthy:
+ [upgrade/config] Making sure the configuration is correct:
+ [upgrade/config] Reading configuration from the cluster...
+ [upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
+ [upgrade/apply] Respecting the --cri-socket flag that is set with higher priority than the config file.
+ [upgrade/version] You have chosen to change the cluster version to "v1.12.0"
+ [upgrade/versions] Cluster version: v1.11.3
+ [upgrade/versions] kubeadm version: v1.12.0
+ [upgrade/confirm] Are you sure you want to proceed with the upgrade? [y/N]: y
+ [upgrade/prepull] Will prepull images for components [kube-apiserver kube-controller-manager kube-scheduler etcd]
+ [upgrade/prepull] Prepulling image for component etcd.
+ [upgrade/prepull] Prepulling image for component kube-apiserver.
+ [upgrade/prepull] Prepulling image for component kube-controller-manager.
+ [upgrade/prepull] Prepulling image for component kube-scheduler.
+ [apiclient] Found 0 Pods for label selector k8s-app=upgrade-prepull-etcd
+ [apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-kube-apiserver
+ [apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-kube-scheduler
+ [apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-kube-controller-manager
+ [apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-etcd
+ [upgrade/prepull] Prepulled image for component kube-apiserver.
+ [upgrade/prepull] Prepulled image for component kube-controller-manager.
+ [upgrade/prepull] Prepulled image for component kube-scheduler.
+ [upgrade/prepull] Prepulled image for component etcd.
+ [upgrade/prepull] Successfully prepulled the images for all the control plane components
+ [upgrade/apply] Upgrading your Static Pod-hosted control plane to version "v1.12.0"...
+ Static pod: kube-apiserver-ip-172-31-80-76 hash: d9b7af93990d702b3ee9a2beca93384b
+ Static pod: kube-controller-manager-ip-172-31-80-76 hash: 44a081fb5d26e90773ceb98b4e16fe10
+ Static pod: kube-scheduler-ip-172-31-80-76 hash: 009228e74aef4d7babd7968782118d5e
+ Static pod: etcd-ip-172-31-80-76 hash: 997fcf3d8d974c98abc14556cc02617e
+ [etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests661777755/etcd.yaml"
+ [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/etcd.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2018-09-19-18-58-14/etcd.yaml"
+ [upgrade/staticpods] Waiting for the kubelet to restart the component
+ [upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s
+ Static pod: etcd-ip-172-31-80-76 hash: 997fcf3d8d974c98abc14556cc02617e
+
+ [apiclient] Found 1 Pods for label selector component=etcd
+ [upgrade/staticpods] Component "etcd" upgraded successfully!
+ [upgrade/etcd] Waiting for etcd to become available
+ [util/etcd] Waiting 0s for initial delay
+ [util/etcd] Attempting to see if all cluster endpoints are available 1/10
+ [upgrade/staticpods] Writing new Static Pod manifests to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests661777755"
+ [controlplane] wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests661777755/kube-apiserver.yaml"
+ [controlplane] wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests661777755/kube-controller-manager.yaml"
+ [controlplane] wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests661777755/kube-scheduler.yaml"
+ [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-apiserver.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2018-09-19-18-58-14/kube-apiserver.yaml"
+ [upgrade/staticpods] Waiting for the kubelet to restart the component
+ [upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s
+
+ Static pod: kube-apiserver-ip-172-31-80-76 hash: 854a5a8468f899093c6a967bb81dcfbc
+ [apiclient] Found 1 Pods for label selector component=kube-apiserver
+ [upgrade/staticpods] Component "kube-apiserver" upgraded successfully!
+ [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-controller-manager.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2018-09-19-18-58-14/kube-controller-manager.yaml"
+ [upgrade/staticpods] Waiting for the kubelet to restart the component
+ [upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s
+ Static pod: kube-controller-manager-ip-172-31-80-76 hash: 44a081fb5d26e90773ceb98b4e16fe10
+ Static pod: kube-controller-manager-ip-172-31-80-76 hash: b651f83474ae70031d5fb2cab73bd366
+ [apiclient] Found 1 Pods for label selector component=kube-controller-manager
+ [upgrade/staticpods] Component "kube-controller-manager" upgraded successfully!
+ [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-scheduler.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2018-09-19-18-58-14/kube-scheduler.yaml"
+ [upgrade/staticpods] Waiting for the kubelet to restart the component
+ [upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s
+ Static pod: kube-scheduler-ip-172-31-80-76 hash: 009228e74aef4d7babd7968782118d5e
+ Static pod: kube-scheduler-ip-172-31-80-76 hash: da406e5a49adfbbeb90fe2a0cf8fd8d1
+ [apiclient] Found 1 Pods for label selector component=kube-scheduler
+ [upgrade/staticpods] Component "kube-scheduler" upgraded successfully!
+ [uploadconfig] storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
+ [kubelet] Creating a ConfigMap "kubelet-config-1.12" in namespace kube-system with the configuration for the kubelets in the cluster
+ [kubelet] Downloading configuration for the kubelet from the "kubelet-config-1.12" ConfigMap in the kube-system namespace
+ [kubelet] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
+ [patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "ip-172-31-80-76" as an annotation
+ [bootstraptoken] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
+ [bootstraptoken] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
+ [bootstraptoken] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
+ [addons] Applied essential addon: CoreDNS
+ [addons] Applied essential addon: kube-proxy
+
+ [upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.12.0". Enjoy!
+
+ [upgrade/kubelet] Now that your control plane is upgraded, please proceed with upgrading your kubelets if you haven't already done so.
+ ```
+
+1. Manually upgrade your Software Defined Network (SDN).
+
+ Your Container Network Interface (CNI) provider may have its own upgrade instructions to follow.
+ Check the [addons](/docs/concepts/cluster-administration/addons/) page to
+ find your CNI provider and see whether additional upgrade steps are required.
+
+## Upgrade master and node packages
+
+1. Prepare each node for maintenance, marking it unschedulable and evicting the workloads:
+
+ ```shell
+ kubectl drain $NODE --ignore-daemonsets
+ ```
+
+ On the master node, you must add `--ignore-daemonsets`:
+
+ ```shell
+ kubectl drain ip-172-31-85-18
+ node "ip-172-31-85-18" cordoned
+ error: unable to drain node "ip-172-31-85-18", aborting command...
+
+ There are pending nodes to be drained:
+ ip-172-31-85-18
+ error: DaemonSet-managed pods (use --ignore-daemonsets to ignore): calico-node-5798d, kube-proxy-thjp9
+ ```
+
+ ```
+ kubectl drain ip-172-31-85-18 --ignore-daemonsets
+ node "ip-172-31-85-18" already cordoned
+ WARNING: Ignoring DaemonSet-managed pods: calico-node-5798d, kube-proxy-thjp9
+ node "ip-172-31-85-18" drained
+ ```
+
+1. Upgrade the Kubernetes package version on each `$NODE` node by running the Linux package manager for your distribution:
+
+ {{< tabs name="k8s_install" >}}
+ {{% tab name="Ubuntu, Debian or HypriotOS" %}}
+ apt-get update
+ apt-get upgrade -y kubelet kubeadm
+ {{% /tab %}}
+ {{% tab name="CentOS, RHEL or Fedora" %}}
+ yum upgrade -y kubelet kubeadm --disableexcludes=kubernetes
+ {{% /tab %}}
+ {{< /tabs >}}
+
+## Upgrade kubelet on each node
+
+1. On each node except the master node, upgrade the kubelet config:
+
+ ```shell
+ sudo kubeadm upgrade node config --kubelet-version $(kubelet --version | cut -d ' ' -f 2)
+ ```
+
+1. Restart the kubelet process:
+
+ ```shell
+ sudo systemctl restart kubelet
+ ```
+
+1. Verify that the new version of the `kubelet` is running on the node:
+
+ ```shell
+ systemctl status kubelet
+ ```
+
+1. Bring the node back online by marking it schedulable:
+
+ ```shell
+ kubectl uncordon $NODE
+ ```
+
+1. After the kubelet is upgraded on all nodes, verify that all nodes are available again by running the following command from anywhere kubectl can access the cluster:
+
+ ```shell
+ kubectl get nodes
+ ```
+
+ The `STATUS` column should show `Ready` for all your nodes, and the version number should be updated.
+
+{{% /capture %}}
+
+## Recovering from a failure state
+
+If `kubeadm upgrade` fails and does not roll back, for example because of an unexpected shutdown during execution, you can run `kubeadm upgrade` again.
+This command is idempotent and eventually makes sure that the actual state is the desired state you declare.
+
+To recover from a bad state, you can also run `kubeadm upgrade --force` without changing the version that your cluster is running.
+
+## How it works
+
+`kubeadm upgrade apply` does the following:
+
+- Checks that your cluster is in an upgradeable state:
+ - The API server is reachable
+ - All nodes are in the `Ready` state
+ - The control plane is healthy
+- Enforces the version skew policies.
+- Makes sure the control plane images are available or available to pull to the machine.
+- Upgrades the control plane components or rollbacks if any of them fails to come up.
+- Applies the new `kube-dns` and `kube-proxy` manifests and enforces that all necessary RBAC rules are created.
+- Creates new certificate and key files of the API server and backs up old files if they're about to expire in 180 days.
diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-8.md b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-8.md
deleted file mode 100644
index 24da924d94e88..0000000000000
--- a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-8.md
+++ /dev/null
@@ -1,290 +0,0 @@
----
-reviewers:
-- pipejakob
-- luxas
-- roberthbailey
-- jbeda
-title: Upgrading kubeadm clusters from 1.7 to 1.8
-content_template: templates/task
----
-
-{{% capture overview %}}
-
-This guide is for upgrading `kubeadm` clusters from version 1.7.x to 1.8.x, as well as 1.7.x to 1.7.y and 1.8.x to 1.8.y where `y > x`.
-See also [upgrading kubeadm clusters from 1.6 to 1.7](/docs/tasks/administer-cluster/kubeadm-upgrade-1-7/) if you're on a 1.6 cluster currently.
-
-{{% /capture %}}
-
-{{% capture prerequisites %}}
-
-Before proceeding:
-
-- You need to have a functional `kubeadm` Kubernetes cluster running version 1.7.0 or higher in order to use the process described here.
-- Make sure you read the [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG.md#v180-beta1) carefully.
-- As `kubeadm upgrade` does not upgrade etcd make sure to back it up. You can, for example, use `etcdctl backup` to take care of this.
-- Note that `kubeadm upgrade` will not touch any of your workloads, only Kubernetes-internal components. As a best-practice you should back up what's important to you. For example, any app-level state, such as a database an app might depend on (like MySQL or MongoDB) must be backed up beforehand.
-
-Also, note that only one minor version upgrade is supported. That is, you can only upgrade from, say 1.7 to 1.8, not from 1.7 to 1.9.
-
-{{% /capture %}}
-
-{{% capture steps %}}
-
-## Upgrading your control plane
-
-You have to carry out the following steps by executing these commands on your master node:
-
-1. Install the most recent version of `kubeadm` using `curl` like so:
-
-{{< caution >}}
-```shell
-export VERSION=$(curl -sSL https://dl.k8s.io/release/stable.txt) # or manually specify a released Kubernetes version
-export ARCH=amd64 # or: arm, arm64, ppc64le, s390x
-curl -sSL https://dl.k8s.io/release/${VERSION}/bin/linux/${ARCH}/kubeadm > /usr/bin/kubeadm
-chmod a+rx /usr/bin/kubeadm
-```
-**Caution:** Upgrading the `kubeadm` package on your system prior to
-upgrading the control plane causes a failed upgrade. Even though
-`kubeadm` is shipped in the Kubernetes repositories, it's important
-to install `kubeadm` manually. The kubeadm team is working on fixing
-this limitation.
-{{< /caution >}}
-
-Verify that this download of kubeadm works, and has the expected version:
-
-```shell
-kubeadm version
-```
-
-2. If this the first time you use `kubeadm upgrade`, in order to preserve the configuration for future upgrades, do:
-
-Note that for below you will need to recall what CLI args you passed to `kubeadm init` the first time.
-
-If you used flags, do:
-
-```shell
-kubeadm config upload from-flags [flags]
-```
-
-Where `flags` can be empty.
-
-If you used a config file, do:
-
-```shell
-kubeadm config upload from-file --config [config]
-```
-
-Where the `config` is mandatory.
-
-3. On the master node, run the following:
-
-```shell
-kubeadm upgrade plan
-```
-
-You should see output similar to this:
-
-```shell
-[preflight] Running pre-flight checks
-[upgrade] Making sure the cluster is healthy:
-[upgrade/health] Checking API Server health: Healthy
-[upgrade/health] Checking Node health: All Nodes are healthy
-[upgrade/health] Checking Static Pod manifests exists on disk: All manifests exist on disk
-[upgrade/config] Making sure the configuration is correct:
-[upgrade/config] Reading configuration from the cluster...
-[upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
-[upgrade] Fetching available versions to upgrade to:
-[upgrade/versions] Cluster version: v1.7.1
-[upgrade/versions] kubeadm version: v1.8.0
-[upgrade/versions] Latest stable version: v1.8.0
-[upgrade/versions] Latest version in the v1.7 series: v1.7.6
-
-Components that must be upgraded manually after you've upgraded the control plane with 'kubeadm upgrade apply':
-COMPONENT CURRENT AVAILABLE
-Kubelet 1 x v1.7.1 v1.7.6
-
-Upgrade to the latest version in the v1.7 series:
-
-COMPONENT CURRENT AVAILABLE
-API Server v1.7.1 v1.7.6
-Controller Manager v1.7.1 v1.7.6
-Scheduler v1.7.1 v1.7.6
-Kube Proxy v1.7.1 v1.7.6
-Kube DNS 1.14.4 1.14.4
-
-You can now apply the upgrade by executing the following command:
-
- kubeadm upgrade apply v1.7.6
-
-_____________________________________________________________________
-
-Components that must be upgraded manually after you've upgraded the control plane with 'kubeadm upgrade apply':
-COMPONENT CURRENT AVAILABLE
-Kubelet 1 x v1.7.1 v1.8.0
-
-Upgrade to the latest stable version:
-
-COMPONENT CURRENT AVAILABLE
-API Server v1.7.1 v1.8.0
-Controller Manager v1.7.1 v1.8.0
-Scheduler v1.7.1 v1.8.0
-Kube Proxy v1.7.1 v1.8.0
-Kube DNS 1.14.4 1.14.4
-
-You can now apply the upgrade by executing the following command:
-
- kubeadm upgrade apply v1.8.0
-
-Note: Before you do can perform this upgrade, you have to update kubeadm to v1.8.0
-
-_____________________________________________________________________
-```
-
-The `kubeadm upgrade plan` checks that your cluster is in an upgradeable state and fetches the versions available to upgrade to in an user-friendly way.
-
-4. Pick a version to upgrade to and run, for example, `kubeadm upgrade apply` as follows:
-
-```shell
-kubeadm upgrade apply v1.8.0
-```
-
-You should see output similar to this:
-
-```shell
-[preflight] Running pre-flight checks
-[upgrade] Making sure the cluster is healthy:
-[upgrade/health] Checking API Server health: Healthy
-[upgrade/health] Checking Node health: All Nodes are healthy
-[upgrade/health] Checking Static Pod manifests exists on disk: All manifests exist on disk
-[upgrade/config] Making sure the configuration is correct:
-[upgrade/config] Reading configuration from the cluster...
-[upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
-[upgrade/version] You have chosen to upgrade to version "v1.8.0"
-[upgrade/versions] Cluster version: v1.7.1
-[upgrade/versions] kubeadm version: v1.8.0
-[upgrade/prepull] Will prepull images for components [kube-apiserver kube-controller-manager kube-scheduler]
-[upgrade/prepull] Prepulling image for component kube-scheduler.
-[upgrade/prepull] Prepulling image for component kube-apiserver.
-[upgrade/prepull] Prepulling image for component kube-controller-manager.
-[apiclient] Found 0 Pods for label selector k8s-app=upgrade-prepull-kube-scheduler
-[apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-kube-scheduler
-[apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-kube-apiserver
-[apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-kube-controller-manager
-[upgrade/prepull] Prepulled image for component kube-apiserver.
-[upgrade/prepull] Prepulled image for component kube-controller-manager.
-[upgrade/prepull] Prepulled image for component kube-scheduler.
-[upgrade/prepull] Successfully prepulled the images for all the control plane components
-[upgrade/apply] Upgrading your Static Pod-hosted control plane to version "v1.8.0"...
-[upgrade/staticpods] Writing upgraded Static Pod manifests to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests432902769"
-[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests432902769/kube-apiserver.yaml"
-[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests432902769/kube-controller-manager.yaml"
-[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests432902769/kube-scheduler.yaml"
-[upgrade/staticpods] Moved upgraded manifest to "/etc/kubernetes/manifests/kube-apiserver.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests155856668/kube-apiserver.yaml"
-[upgrade/staticpods] Waiting for the kubelet to restart the component
-[apiclient] Found 1 Pods for label selector component=kube-apiserver
-[upgrade/staticpods] Component "kube-apiserver" upgraded successfully!
-[upgrade/staticpods] Moved upgraded manifest to "/etc/kubernetes/manifests/kube-controller-manager.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests155856668/kube-controller-manager.yaml"
-[upgrade/staticpods] Waiting for the kubelet to restart the component
-[apiclient] Found 1 Pods for label selector component=kube-controller-manager
-[upgrade/staticpods] Component "kube-controller-manager" upgraded successfully!
-[upgrade/staticpods] Moved upgraded manifest to "/etc/kubernetes/manifests/kube-scheduler.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests155856668/kube-scheduler.yaml"
-[upgrade/staticpods] Waiting for the kubelet to restart the component
-[apiclient] Found 1 Pods for label selector component=kube-scheduler
-[upgrade/staticpods] Component "kube-scheduler" upgraded successfully!
-[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
-[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
-[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
-[addons] Applied essential addon: kube-dns
-[addons] Applied essential addon: kube-proxy
-
-[upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.8.0". Enjoy!
-
-[upgrade/kubelet] Now that your control plane is upgraded, please proceed with upgrading your kubelets in turn.
-```
-
-`kubeadm upgrade apply` does the following:
-
-- It checks that your cluster is in an upgradeable state, that is:
- - The API Server is reachable,
- - All nodes are in the `Ready` state, and
- - The control plane is healthy
-- It enforces the version skew policies.
-- It makes sure the control plane images are available or available to pull to the machine.
-- It upgrades the control plane components or rollbacks if any of them fails to come up.
-- It applies the new `kube-dns` and `kube-proxy` manifests and enforces that all necessary RBAC rules are created.
-
-5. Manually upgrade your Software Defined Network (SDN).
-
- Your Container Network Interface (CNI) provider might have its own upgrade instructions to follow now.
- Check the [addons](/docs/concepts/cluster-administration/addons/) page to
- find your CNI provider and see if there are additional upgrade steps
- necessary.
-
-6. Add RBAC permissions for automated certificate rotation. In the future, kubeadm will perform this step automatically:
-
-```shell
-kubectl create clusterrolebinding kubeadm:node-autoapprove-certificate-rotation --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient --group=system:nodes
-```
-
-## Upgrading your master and node packages
-
-For each host (referred to as `$HOST` below) in your cluster, upgrade `kubelet` by executing the following commands:
-
-1. Prepare the host for maintenance, marking it unschedulable and evicting the workload:
-
-```shell
-kubectl drain $HOST --ignore-daemonsets
-```
-
-When running this command against the master host, this error is expected and can be safely ignored (since there are static pods running on the master):
-
-```shell
-node "master" already cordoned
-error: pods not managed by ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet (use --force to override): etcd-kubeadm, kube-apiserver-kubeadm, kube-controller-manager-kubeadm, kube-scheduler-kubeadm
-```
-
-2. Upgrade the Kubernetes package versions on the `$HOST` node by using a Linux distribution-specific package manager:
-
-If the host is running a Debian-based distro such as Ubuntu, run:
-
-```shell
-apt-get update
-apt-get upgrade
-```
-
-If the host is running CentOS or the like, run:
-
-```shell
-yum update
-```
-
-Now the new version of the `kubelet` should be running on the host. Verify this using the following command on `$HOST`:
-
-```shell
-systemctl status kubelet
-```
-
-3. Bring the host back online by marking it schedulable:
-
-```shell
-kubectl uncordon $HOST
-```
-
-4. After upgrading `kubelet` on each host in your cluster, verify that all nodes are available again by executing the following (from anywhere, for example, from outside the cluster):
-
-```shell
-kubectl get nodes
-```
-
-If the `STATUS` column of the above command shows `Ready` for all of your hosts, you are done.
-
-## Recovering from a bad state
-
-If `kubeadm upgrade` somehow fails and fails to roll back, due to an unexpected shutdown during execution for instance,
-you may run `kubeadm upgrade` again as it is idempotent and should eventually make sure the actual state is the desired state you are declaring.
-
-You can use `kubeadm upgrade` to change a running cluster with `x.x.x --> x.x.x` with `--force`, which can be used to recover from a bad state.
-
-{{% /capture %}}
-
-
diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-9.md b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-9.md
deleted file mode 100644
index dac73e9862ac8..0000000000000
--- a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-9.md
+++ /dev/null
@@ -1,264 +0,0 @@
----
-reviewers:
-- pipejakob
-- luxas
-- roberthbailey
-- jbeda
-title: Upgrading/downgrading kubeadm clusters between v1.8 to v1.9
-content_template: templates/task
----
-
-{{% capture overview %}}
-
-This guide is for upgrading `kubeadm` clusters from version 1.8.x to 1.9.x, as well as 1.8.x to 1.8.y and 1.9.x to 1.9.y where `y > x`.
-See also [upgrading kubeadm clusters from 1.7 to 1.8](/docs/tasks/administer-cluster/kubeadm-upgrade-1-8/) if you're on a 1.7 cluster currently.
-
-{{% /capture %}}
-
-{{% capture prerequisites %}}
-
-Before proceeding:
-
-- You need to have a functional `kubeadm` Kubernetes cluster running version 1.8.0 or higher in order to use the process described here. Swap also needs to be disabled.
-- Make sure you read the [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.9.md) carefully.
-- `kubeadm upgrade` now allows you to upgrade etcd. `kubeadm upgrade` will also upgrade of etcd to 3.1.10 as part of upgrading from v1.8 to v1.9 by default. This is due to the fact that etcd 3.1.10 is the officially validated etcd version for Kubernetes v1.9. The upgrade is handled automatically by kubeadm for you.
-- Note that `kubeadm upgrade` will not touch any of your workloads, only Kubernetes-internal components. As a best-practice you should back up what's important to you. For example, any app-level state, such as a database an app might depend on (like MySQL or MongoDB) must be backed up beforehand.
-
-{{< caution >}}
-**Caution:** All the containers will get restarted after the upgrade, due to container spec hash value gets changed.
-{{< /caution >}}
-
-Also, note that only one minor version upgrade is supported. For example, you can only upgrade from 1.8 to 1.9, not from 1.7 to 1.9.
-
-{{% /capture %}}
-
-{{% capture steps %}}
-
-## Upgrading your control plane
-
-Execute these commands on your master node:
-
-1. Install the most recent version of `kubeadm` using `curl` like so:
-
-```shell
-export VERSION=$(curl -sSL https://dl.k8s.io/release/stable.txt) # or manually specify a released Kubernetes version
-export ARCH=amd64 # or: arm, arm64, ppc64le, s390x
-curl -sSL https://dl.k8s.io/release/${VERSION}/bin/linux/${ARCH}/kubeadm > /usr/bin/kubeadm
-chmod a+rx /usr/bin/kubeadm
-```
-
-{{< caution >}}
-**Caution:** Upgrading the `kubeadm` package on your system prior to upgrading the control plane causes a failed upgrade.
-Even though `kubeadm` ships in the Kubernetes repositories, it's important to install `kubeadm` manually. The kubeadm
-team is working on fixing this limitation.
-{{< /caution >}}
-
-Verify that this download of kubeadm works and has the expected version:
-
-```shell
-kubeadm version
-```
-
-2. On the master node, run the following:
-
-```shell
-kubeadm upgrade plan
-```
-
-You should see output similar to this:
-
-```shell
-[preflight] Running pre-flight checks
-[upgrade] Making sure the cluster is healthy:
-[upgrade/health] Checking API Server health: Healthy
-[upgrade/health] Checking Node health: All Nodes are healthy
-[upgrade/health] Checking Static Pod manifests exists on disk: All manifests exist on disk
-[upgrade/config] Making sure the configuration is correct:
-[upgrade/config] Reading configuration from the cluster...
-[upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
-[upgrade] Fetching available versions to upgrade to:
-[upgrade/versions] Cluster version: v1.8.1
-[upgrade/versions] kubeadm version: v1.9.0
-[upgrade/versions] Latest stable version: v1.9.0
-[upgrade/versions] Latest version in the v1.8 series: v1.8.6
-
-Components that must be upgraded manually after you've upgraded the control plane with 'kubeadm upgrade apply':
-COMPONENT CURRENT AVAILABLE
-Kubelet 1 x v1.8.1 v1.8.6
-
-Upgrade to the latest version in the v1.8 series:
-
-COMPONENT CURRENT AVAILABLE
-API Server v1.8.1 v1.8.6
-Controller Manager v1.8.1 v1.8.6
-Scheduler v1.8.1 v1.8.6
-Kube Proxy v1.8.1 v1.8.6
-Kube DNS 1.14.4 1.14.5
-
-You can now apply the upgrade by executing the following command:
-
- kubeadm upgrade apply v1.8.6
-
-_____________________________________________________________________
-
-Components that must be upgraded manually after you've upgraded the control plane with 'kubeadm upgrade apply':
-COMPONENT CURRENT AVAILABLE
-Kubelet 1 x v1.8.1 v1.9.0
-
-Upgrade to the latest stable version:
-
-COMPONENT CURRENT AVAILABLE
-API Server v1.8.1 v1.9.0
-Controller Manager v1.8.1 v1.9.0
-Scheduler v1.8.1 v1.9.0
-Kube Proxy v1.8.1 v1.9.0
-Kube DNS 1.14.5 1.14.7
-
-You can now apply the upgrade by executing the following command:
-
- kubeadm upgrade apply v1.9.0
-
-Note: Before you do can perform this upgrade, you have to update kubeadm to v1.9.0
-
-_____________________________________________________________________
-```
-
-The `kubeadm upgrade plan` checks that your cluster is upgradeable and fetches the versions available to upgrade to in an user-friendly way.
-
-To check CoreDNS version, include the `--feature-gates=CoreDNS=true` flag to verify the CoreDNS version which will be installed in place of kube-dns.
-
-3. Pick a version to upgrade to and run. For example:
-
-```shell
-kubeadm upgrade apply v1.9.0
-```
-
-You should see output similar to this:
-
-```shell
-[preflight] Running pre-flight checks.
-[upgrade] Making sure the cluster is healthy:
-[upgrade/config] Making sure the configuration is correct:
-[upgrade/config] Reading configuration from the cluster...
-[upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
-[upgrade/version] You have chosen to upgrade to version "v1.9.0"
-[upgrade/versions] Cluster version: v1.8.1
-[upgrade/versions] kubeadm version: v1.9.0
-[upgrade/confirm] Are you sure you want to proceed with the upgrade? [y/N]: y
-[upgrade/prepull] Will prepull images for components [kube-apiserver kube-controller-manager kube-scheduler]
-[upgrade/apply] Upgrading your Static Pod-hosted control plane to version "v1.9.0"...
-[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests802453804/etcd.yaml"
-[upgrade/staticpods] Moved upgraded manifest to "/etc/kubernetes/manifests/etcd.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests502223003/etcd.yaml"
-[upgrade/staticpods] Waiting for the kubelet to restart the component
-[apiclient] Found 1 Pods for label selector component=etcd
-[upgrade/staticpods] Component "etcd" upgraded successfully!
-[upgrade/staticpods] Writing upgraded Static Pod manifests to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests802453804"
-[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests802453804/kube-apiserver.yaml"
-[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests802453804/kube-controller-manager.yaml"
-[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests802453804/kube-scheduler.yaml"
-[upgrade/staticpods] Moved upgraded manifest to "/etc/kubernetes/manifests/kube-apiserver.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests502223003/kube-apiserver.yaml"
-[upgrade/staticpods] Waiting for the kubelet to restart the component
-[apiclient] Found 1 Pods for label selector component=kube-apiserver
-[upgrade/staticpods] Component "kube-apiserver" upgraded successfully!
-[upgrade/staticpods] Moved upgraded manifest to "/etc/kubernetes/manifests/kube-controller-manager.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests502223003/kube-controller-manager.yaml"
-[upgrade/staticpods] Waiting for the kubelet to restart the component
-[apiclient] Found 1 Pods for label selector component=kube-controller-manager
-[upgrade/staticpods] Component "kube-controller-manager" upgraded successfully!
-[upgrade/staticpods] Moved upgraded manifest to "/etc/kubernetes/manifests/kube-scheduler.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests502223003/kube-scheduler.yaml"
-[upgrade/staticpods] Waiting for the kubelet to restart the component
-[apiclient] Found 1 Pods for label selector component=kube-scheduler
-[upgrade/staticpods] Component "kube-scheduler" upgraded successfully!
-[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
-[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
-[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
-[bootstraptoken] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
-[addons] Applied essential addon: kube-dns
-[addons] Applied essential addon: kube-proxy
-
-[upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.9.0". Enjoy!
-
-[upgrade/kubelet] Now that your control plane is upgraded, please proceed with upgrading your kubelets in turn.
-```
-
-To upgrade the cluster with CoreDNS as the default internal DNS, invoke `kubeadm upgrade apply` with the `--feature-gates=CoreDNS=true` flag.
-`kubeadm upgrade apply` does the following:
-
-- Checks that your cluster is in an upgradeable state:
- - The API server is reachable,
- - All nodes are in the `Ready` state
- - The control plane is healthy
-- Enforces the version skew policies.
-- Makes sure the control plane images are available or available to pull to the machine.
-- Upgrades the control plane components or rollbacks if any of them fails to come up.
-- Applies the new `kube-dns` and `kube-proxy` manifests and enforces that all necessary RBAC rules are created.
-- Creates new certificate and key files of apiserver and backs up old files if they're about to expire in 180 days.
-
-4. Manually upgrade your Software Defined Network (SDN).
-
- Your Container Network Interface (CNI) provider may have its own upgrade instructions to follow.
- Check the [addons](/docs/concepts/cluster-administration/addons/) page to
- find your CNI provider and see if there are additional upgrade steps
- necessary.
-
-## Upgrading your master and node packages
-
-For each host (referred to as `$HOST` below) in your cluster, upgrade `kubelet` by executing the following commands:
-
-1. Prepare the host for maintenance, marking it unschedulable and evicting the workload:
-
-```shell
-kubectl drain $HOST --ignore-daemonsets
-```
-
-When running this command against the master host, this error is expected and can be safely ignored (since there are static pods running on the master):
-
-```shell
-node "master" already cordoned
-error: pods not managed by ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet (use --force to override): etcd-kubeadm, kube-apiserver-kubeadm, kube-controller-manager-kubeadm, kube-scheduler-kubeadm
-```
-
-2. Upgrade the Kubernetes package versions on the `$HOST` node by using a Linux distribution-specific package manager:
-
-If the host is running a Debian-based distro such as Ubuntu, run:
-
-```shell
-apt-get update
-apt-get upgrade
-```
-
-If the host is running CentOS or the like, run:
-
-```shell
-yum update
-```
-
-Now the new version of the `kubelet` should be running on the host. Verify this using the following command on `$HOST`:
-
-```shell
-systemctl status kubelet
-```
-
-3. Bring the host back online by marking it schedulable:
-
-```shell
-kubectl uncordon $HOST
-```
-
-4. After upgrading `kubelet` on each host in your cluster, verify that all nodes are available again by executing the following (from anywhere, for example, from outside the cluster):
-
-```shell
-kubectl get nodes
-```
-
-If the `STATUS` column of the above command shows `Ready` for all of your hosts, you are done.
-
-## Recovering from a failure state
-
-If `kubeadm upgrade` somehow fails and fails to roll back, for example due to an unexpected shutdown during execution,
-you can run `kubeadm upgrade` again as it is idempotent and should eventually make sure the actual state is the desired state you are declaring.
-
-You can use `kubeadm upgrade` to change a running cluster with `x.x.x --> x.x.x` with `--force`, which can be used to recover from a bad state.
-
-{{% /capture %}}
-
-
diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-ha.md b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-ha.md
index dfa8c127d9a4a..064dae86d3bc8 100644
--- a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-ha.md
+++ b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-ha.md
@@ -1,16 +1,16 @@
---
reviewers:
-- jamiehannaford
+- jamiehannaford
- luxas
-- timothysc
+- timothysc
- jbeda
-title: Upgrading kubeadm HA clusters from 1.9.x to 1.9.y
+title: Upgrading kubeadm HA clusters from v1.11 to v1.12
content_template: templates/task
---
{{% capture overview %}}
-This guide is for upgrading `kubeadm` HA clusters from version 1.9.x to 1.9.y where `y > x`. The term "`kubeadm` HA clusters" refers to clusters of more than one master node created with `kubeadm`. To set up an HA cluster for Kubernetes version 1.9.x `kubeadm` requires additional manual steps. See [Creating HA clusters with kubeadm](/docs/setup/independent/high-availability/) for instructions on how to do this. The upgrade procedure described here targets clusters created following those very instructions. See [Upgrading/downgrading kubeadm clusters between v1.8 to v1.9](/docs/tasks/administer-cluster/kubeadm-upgrade-1-9/) for more instructions on how to create an HA cluster with `kubeadm`.
+This page explains how to upgrade a highly available (HA) Kubernetes cluster created with `kubeadm` from version 1.11.x to version 1.12.x. In addition to upgrading, you must also follow the instructions in [Creating HA clusters with kubeadm](/docs/setup/independent/high-availability/).
{{% /capture %}}
@@ -18,119 +18,223 @@ This guide is for upgrading `kubeadm` HA clusters from version 1.9.x to 1.9.y wh
Before proceeding:
-- You need to have a functional `kubeadm` HA cluster running version 1.9.0 or higher in order to use the process described here.
-- Make sure you read the [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.9.md) carefully.
-- Note that `kubeadm upgrade` will not touch any of your workloads, only Kubernetes-internal components. As a best-practice you should back up anything important to you. For example, any application-level state, such as a database and application might depend on (like MySQL or MongoDB) should be backed up beforehand.
-- Read [Upgrading/downgrading kubeadm clusters between v1.8 to v1.9](/docs/tasks/administer-cluster/kubeadm-upgrade-1-9/) to learn about the relevant prerequisites.
+- You need to have a `kubeadm` HA cluster running version 1.11 or higher.
+- Make sure you read the [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md) carefully.
+- Make sure to back up any important components, such as app-level state stored in a database. `kubeadm upgrade` does not touch your workloads, only components internal to Kubernetes, but backups are always a best practice.
+- Check the prerequisites for [Upgrading/downgrading kubeadm clusters between v1.11 to v1.12](/docs/tasks/administer-cluster/kubeadm-upgrade-1-12/).
+
+{{< note >}}
+**Note**: All commands on any control plane or etcd node should be
+run as root.
+{{< /note >}}
{{% /capture %}}
{{% capture steps %}}
-## Preparation
+## Prepare for both methods
-Some preparation is needed prior to starting the upgrade. First download the version of `kubeadm` that matches the version of Kubernetes that you are upgrading to:
+Upgrade `kubeadm` to the version that matches the version of Kubernetes that you are upgrading to:
```shell
-# Use the latest stable release or manually specify a
-# released Kubernetes version
-export VERSION=$(curl -sSL https://dl.k8s.io/release/stable.txt)
-export ARCH=amd64 # or: arm, arm64, ppc64le, s390x
-curl -sSL https://dl.k8s.io/release/${VERSION}/bin/linux/${ARCH}/kubeadm > /tmp/kubeadm
-chmod a+rx /tmp/kubeadm
+apt-mark unhold kubeadm && \
+apt-get update && apt-get install -y kubeadm && \
+apt-mark hold kubeadm
```
-Copy this file to `/tmp` on your primary master if necessary. Run this command for checking prerequisites and determining the versions you will receive:
+Check prerequisites and determine the upgrade versions:
```shell
-/tmp/kubeadm upgrade plan
+kubeadm upgrade plan
```
-If the prerequisites are met you'll get a summary of the software versions kubeadm will upgrade to, like this:
+You should see something like the following:
Upgrade to the latest stable version:
COMPONENT CURRENT AVAILABLE
- API Server v1.9.0 v1.9.2
- Controller Manager v1.9.0 v1.9.2
- Scheduler v1.9.0 v1.9.2
- Kube Proxy v1.9.0 v1.9.2
- Kube DNS 1.14.5 1.14.7
- Etcd 3.2.7 3.1.11
+ API Server v1.11.3 v1.12.0
+ Controller Manager v1.11.3 v1.12.0
+ Scheduler v1.11.3 v1.12.0
+ Kube Proxy v1.11.3 v1.12.0
+ CoreDNS 1.1.3 1.2.2
+ Etcd 3.2.18 3.2.24
+
+## Stacked control plane nodes
+
+### Upgrade the first control plane node
+
+Modify `configmap/kubeadm-config` for this control plane node:
+
+```shell
+kubectl get configmap -n kube-system kubeadm-config -o yaml > kubeadm-config-cm.yaml
+```
+
+Open the file in an editor and replace the following values:
+
+- `api.advertiseAddress`
+
+ This should be set to the local node's IP address.
+
+- `etcd.local.extraArgs.advertise-client-urls`
+
+ This should be updated to the local node's IP address.
+
+- `etcd.local.extraArgs.initial-advertise-peer-urls`
+
+ This should be updated to the local node's IP address.
+
+- `etcd.local.extraArgs.listen-client-urls`
-{{< caution >}}
-**Caution:** Currently the only supported configuration for kubeadm HA clusters requires the use of an externally managed etcd cluster. Upgrading etcd is not supported as a part of the upgrade. If necessary you will have to upgrade the etcd cluster according to [etcd's upgrade instructions](/docs/tasks/administer-cluster/configure-upgrade-etcd/), which is beyond the scope of these instructions.
-{{< /caution >}}
+ This should be updated to the local node's IP address.
-## Upgrading your control plane
+- `etcd.local.extraArgs.listen-peer-urls`
-The following procedure must be applied on a single master node and repeated for each subsequent master node sequentially.
+ This should be updated to the local node's IP address.
-Before initiating the upgrade with `kubeadm` `configmap/kubeadm-config` needs to be modified for the current master host. Replace any hard reference to a master host name with the current master hosts' name:
+- `etcd.local.extraArgs.initial-cluster`
+
+ This should be updated to include the hostname and IP address pairs for each control plane node in the cluster. For example:
+
+ "ip-172-31-92-42=https://172.31.92.42:2380,ip-172-31-89-186=https://172.31.89.186:2380,ip-172-31-90-42=https://172.31.90.42:2380"
+
+You must also pass an additional argument (`initial-cluster-state: existing`) to etcd.local.extraArgs.
```shell
-kubectl get configmap -n kube-system kubeadm-config -o yaml >/tmp/kubeadm-config-cm.yaml
-sed -i 's/^\([ \t]*nodeName:\).*/\1 /' /tmp/kubeadm-config-cm.yaml
-kubectl apply -f /tmp/kubeadm-config-cm.yaml --force
+kubectl apply -f kubeadm-config-cm.yaml --force
```
-Now the upgrade process can start. Use the target version determined in the preparation step and run the following command (press “y” when prompted):
+Start the upgrade:
```shell
-/tmp/kubeadm upgrade apply v
+kubeadm upgrade apply v
```
-If the operation was successful you’ll get a message like this:
+You should see something like the following:
- [upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.9.2". Enjoy!
+ [upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.12.0". Enjoy!
-To upgrade the cluster with CoreDNS as the default internal DNS, invoke `kubeadm upgrade apply` with the `--feature-gates=CoreDNS=true` flag.
+The `kubeadm-config` ConfigMap is now updated from `v1alpha2` version to `v1alpha3`.
-Next, manually upgrade your CNI provider
+### Upgrading additional control plane nodes
-Your Container Network Interface (CNI) provider may have its own upgrade instructions to follow. Check the [addons](/docs/concepts/cluster-administration/addons/) page to find your CNI provider and see if there are additional upgrade steps necessary.
+Each additional control plane node requires modifications that are different from the first control plane node. Run:
-{{< note >}}
-**Note:** The `kubeadm upgrade apply` step has been known to fail when run initially on the secondary masters (timed out waiting for the restarted static pods to come up). It should succeed if retried after a minute or two.
-{{< /note >}}
+```shell
+kubectl get configmap -n kube-system kubeadm-config -o yaml > kubeadm-config-cm.yaml
+```
+
+Open the file in an editor and replace the following values for `ClusterConfiguration`:
+
+- `etcd.local.extraArgs.advertise-client-urls`
-## Upgrade base software packages
+ This should be updated to the local node's IP address.
-At this point all the static pod manifests in your cluster, for example API Server, Controller Manager, Scheduler, Kube Proxy have been upgraded, however the base software, for example `kubelet`, `kubectl`, `kubeadm` installed on your nodes’ OS are still of the old version. For upgrading the base software packages we will upgrade them and restart services on all nodes one by one:
+- `etcd.local.extraArgs.initial-advertise-peer-urls`
+
+ This should be updated to the local node's IP address.
+
+- `etcd.local.extraArgs.listen-client-urls`
+
+ This should be updated to the local node's IP address.
+
+- `etcd.local.extraArgs.listen-peer-urls`
+
+ This should be updated to the local node's IP address.
+
+You must also modify the `ClusterStatus` to add a mapping for the current host under apiEndpoints.
+
+Add an annotation for the cri-socket to the current node, for example to use docker:
```shell
-# use your distro's package manager, e.g. 'yum' on RH-based systems
+kubectl annotate node kubeadm.alpha.kubernetes.io/cri-socket=/var/run/dockershim.sock
+```
+
+Start the upgrade:
+
+```shell
+kubeadm upgrade apply v
+```
+
+You should see something like the following:
+
+ [upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.12.0". Enjoy!
+
+## External etcd
+
+### Upgrade each control plane
+
+Get a copy of the kubeadm config used to create this cluster. The config should be the same for every node. The config must exist on every control plane node before the upgrade begins.
+
+```
+# on each control plane node
+kubectl get configmap -n kube-system kubeadm-config -o jsonpath={.data.MasterConfiguration} > kubeadm-config.yaml
+```
+
+Now run the upgrade on each control plane node one at a time.
+
+```
+kubeadm upgrade apply v1.12.0 --config kubeadm-config.yaml
+```
+
+### Upgrade etcd
+
+Kubernetes v1.11 to v1.12 only changed the patch version of etcd from v3.2.18 to v3.2.24. This is a rolling upgrade with no downtime, because you can run both versions in the same cluster.
+
+On the first host, modify the etcd manifest:
+
+```shell
+sed -i 's/3.2.18/3.2.24/' /etc/kubernetes/manifests/etcd.yaml
+```
+
+Wait for the etcd process to reconnect. There will be error warnings in the other etcd node logs. This is expected.
+
+Repeat this step on the other etcd hosts.
+
+## Next steps
+
+### Manually upgrade your CNI provider
+
+Your Container Network Interface (CNI) provider might have its own upgrade instructions to follow. Check the [addons](/docs/concepts/cluster-administration/addons/) page to find your CNI provider and see whether you need to take additional upgrade steps.
+
+### Update kubelet and kubectl packages
+
+Upgrade the kubelet and kubectl by running the following on each node:
+
+```shell
+# use your distro's package manager, e.g. 'apt-get' on Debian-based systems
# for the versions stick to kubeadm's output (see above)
-yum install -y kubelet- kubectl- kubeadm- kubernetes-cni-
+apt-mark unhold kubelet kubectl && \
+apt-get update && \
+apt-get install kubelet= kubectl= && \
+apt-mark hold kubelet kubectl && \
systemctl restart kubelet
```
-In this example an _rpm_-based system is assumed and `yum` is used for installing the upgraded software. On _deb_-based systems it will be `apt-get update` and then `apt-get install =` for all packages.
+In this example a _deb_-based system is assumed and `apt-get` is used for installing the upgraded software. On rpm-based systems the command is `yum install =` for all packages.
-Now the new version of the `kubelet` should be running on the host. Verify this using the following command on the respective host:
+Verify that the new version of the kubelet is running:
```shell
systemctl status kubelet
```
-Verify that the upgraded node is available again by executing the following from wherever you run `kubectl` commands:
+Verify that the upgraded node is available again by running the following command from wherever you run `kubectl`:
```shell
kubectl get nodes
```
-If the `STATUS` column of the above command shows `Ready` for the upgraded host, you can continue (you may have to repeat this for a couple of time before the node gets `Ready`).
+If the `STATUS` column shows `Ready` for the upgraded host, you can continue. You might need to repeat the command until the node shows `Ready`.
## If something goes wrong
-If the upgrade fails the situation afterwards depends on the phase in which things went wrong:
+If the upgrade fails, see whether one of the following scenarios applies:
-1. If `/tmp/kubeadm upgrade apply` failed to upgrade the cluster it will try to perform a rollback. Hence if that happened on the first master, chances are pretty good that the cluster is still intact.
+- If `kubeadm upgrade apply` failed to upgrade the cluster, it will try to perform a rollback. If this is the case on the first master, the cluster is probably still intact.
- You can run `/tmp/kubeadm upgrade apply` again as it is idempotent and should eventually make sure the actual state is the desired state you are declaring. You can use `/tmp/kubeadm upgrade apply` to change a running cluster with `x.x.x --> x.x.x` with `--force`, which can be used to recover from a bad state.
+ You can run `kubeadm upgrade apply` again, because it is idempotent and should eventually make sure the actual state is the desired state you are declaring. You can run `kubeadm upgrade apply` to change a running cluster with `x.x.x --> x.x.x` with `--force` to recover from a bad state.
-2. If `/tmp/kubeadm upgrade apply` on one of the secondary masters failed you still have a working, upgraded cluster, but with the secondary masters in a somewhat undefined condition. You will have to find out what went wrong and join the secondaries manually. As mentioned above, sometimes upgrading one of the secondary masters fails waiting for the restarted static pods first, but succeeds when the operation is simply repeated after a little pause of one or two minutes.
+- If `kubeadm upgrade apply` on one of the secondary masters failed, the cluster is upgraded and working, but the secondary masters are in an undefined state. You need to investigate further and join the secondaries manually.
{{% /capture %}}
-
-
diff --git a/content/en/docs/tasks/configure-pod-container/configure-service-account.md b/content/en/docs/tasks/configure-pod-container/configure-service-account.md
index 5c42fccd746c6..f8eab60ebdc83 100644
--- a/content/en/docs/tasks/configure-pod-container/configure-service-account.md
+++ b/content/en/docs/tasks/configure-pod-container/configure-service-account.md
@@ -250,12 +250,58 @@ spec:
TODO: Test and explain how to use additional non-K8s secrets with an existing service account.
-->
-## Service Account Volume Projection
+## Service Account Token Volume Projection
-Kubernetes 1.11 and higher supports a new way to project a service account token into a Pod.
-You can specify a token request with audiences, expirationSeconds. The service account token
-becomes invalid when the Pod is deleted. A Projected Volume named
-[ServiceAccountToken](/docs/concepts/storage/volumes/#projected) requests and stores the token.
+{{< feature-state for_k8s_version="v1.12" state="beta" >}}
+
+{{< note >}}
+**Note:** This ServiceAccountTokenVolumeProjection is __beta__ in 1.12 and
+enabled by passing all of the following flags to the API server:
+
+* `--service-account-issuer`
+* `--service-account-signing-key-file`
+* `--service-account-api-audiences`
+
+{{< /note >}}
+
+The kubelet can also project a service account token into a Pod. You can
+specify desired properties of the token, such as the audience and the validity
+duration. These properties are not configurable on the default service account
+token. The service account token will also become invalid against the API when
+the Pod or the ServiceAccount is deleted.
+
+This behavior is configured on a PodSpec using a ProjectedVolume type called
+[ServiceAccountToken](/docs/concepts/storage/volumes/#projected). To provide a
+pod with a token with an audience of "vault" and a validity duration of two
+hours, you would configure the following in your PodSpec:
+
+```yaml
+kind: Pod
+apiVersion: v1
+spec:
+ containers:
+ - image: nginx
+ name: nginx
+ volumeMounts:
+ - mountPath: /var/run/secrets/tokens
+ name: vault-token
+ volumes:
+ - name: vault-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: vault-token
+ expirationSeconds: 7200
+ audience: vault
+```
+
+The kubelet will request and store the token on behalf of the pod, make the
+token avaialble to the pod at a configurable file path, and refresh the token as
+it approaches expiration. Kubelet proactively rotates the token if it is older
+than 80% of its total TTL, or if the token is older than 24 hours.
+
+The application is responsible for reloading the token when it rotates. Periodic
+reloading (e.g. once every 5 minutes) is sufficient for most usecases.
{{% /capture %}}
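Review bot: The paragraph after the YAML example has two typos in the added text: `avaialble` should be `available` and `usecases` should be `use cases`. The section also introduces the audience as a token property without saying what the receiving service has to do with it. I would add one sentence after the example, such as `The recipient of the token must check that the audience matches its own identifier and reject the token otherwise.`, so readers do not treat an audience-scoped token as a general-purpose credential. It may also help to spell out the resulting file path for this example (`/var/run/secrets/tokens/vault-token`) where the text says "a configurable file path".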
diff --git a/content/en/docs/tasks/configure-pod-container/share-process-namespace.md b/content/en/docs/tasks/configure-pod-container/share-process-namespace.md
index 1e8d902384666..b2b97815f08fa 100644
--- a/content/en/docs/tasks/configure-pod-container/share-process-namespace.md
+++ b/content/en/docs/tasks/configure-pod-container/share-process-namespace.md
@@ -11,7 +11,7 @@ weight: 160
{{% capture overview %}}
-{{< feature-state state="alpha" >}}
+{{< feature-state state="beta" >}}
This page shows how to configure process namespace sharing for a pod. When
process namespace sharing is enabled, processes in a container are visible
@@ -27,8 +27,8 @@ include debugging utilities like a shell.
{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-A special **alpha** feature gate `PodShareProcessNamespace` must be set to true
-across the system: `--feature-gates=PodShareProcessNamespace=true`.
+Process Namespace Sharing is a **beta** feature that is enabled by default. It
+may be disabled by setting `--feature-gates=PodShareProcessNamespace=false`.
{{% /capture %}}
diff --git a/content/en/docs/tasks/debug-application-cluster/audit.md b/content/en/docs/tasks/debug-application-cluster/audit.md
index 54bf093a14369..c4440d247c0d5 100644
--- a/content/en/docs/tasks/debug-application-cluster/audit.md
+++ b/content/en/docs/tasks/debug-application-cluster/audit.md
@@ -9,8 +9,6 @@ title: Auditing
{{% capture overview %}}
-{{< feature-state state="beta" >}}
-
Kubernetes auditing provides a security-relevant chronological set of records documenting
the sequence of activities that have affected system by individual users, administrators
or other components of the system. It allows cluster administrator to
@@ -83,7 +81,7 @@ You can use a minimal audit policy file to log all requests at the `Metadata` le
```yaml
# Log all requests at the Metadata level.
-apiVersion: audit.k8s.io/v1beta1
+apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
@@ -102,7 +100,7 @@ Audit backends persist audit events to an external storage.
In both cases, audit events structure is defined by the API in the
`audit.k8s.io` API group. The current version of the API is
-[`v1beta1`][auditing-api].
+[`v1`][auditing-api].
{{< note >}}
**Note:** In case of patches, request body is a JSON array with patch operations, not a JSON object
@@ -363,54 +361,11 @@ Note that in addition to file output plugin, logstash has a variety of outputs t
let users route data where they want. For example, users can emit audit events to elasticsearch
plugin which supports full-text search and analytics.
-## Legacy Audit
-
-__Note:__ Legacy Audit is deprecated and is disabled by default since 1.8 and
-will be removed in 1.12. To fallback to this legacy audit, disable the advanced
-auditing feature using the `AdvancedAuditing` feature gate in [kube-apiserver][kube-apiserver]:
-
-```
---feature-gates=AdvancedAuditing=false
-```
-
-In legacy format, each audit log entry contains two lines:
-
-1. The request line containing a unique ID to match the response and request
- metadata, such as the source IP, requesting user, impersonation information,
- resource being requested, etc.
-2. The response line containing a unique ID matching the request line and the response code.
-
-Example output for `admin` user listing pods in the `default` namespace:
-
-```
-2017-03-21T03:57:09.106841886-04:00 AUDIT: id="c939d2a7-1c37-4ef1-b2f7-4ba9b1e43b53" ip="127.0.0.1" method="GET" user="admin" groups="\"system:masters\",\"system:authenticated\"" as="" asgroups="" namespace="default" uri="/api/v1/namespaces/default/pods"
-2017-03-21T03:57:09.108403639-04:00 AUDIT: id="c939d2a7-1c37-4ef1-b2f7-4ba9b1e43b53" response="200"
-```
-
-### Configuration
-
-[Kube-apiserver][kube-apiserver] provides the following options which are responsible
-for configuring where and how audit logs are handled:
-
-- `audit-log-path` - enables the audit log pointing to a file where the requests are being logged to, '-' means standard out.
-- `audit-log-maxage` - specifies maximum number of days to retain old audit log files based on the timestamp encoded in their filename.
-- `audit-log-maxbackup` - specifies maximum number of old audit log files to retain.
-- `audit-log-maxsize` - specifies maximum size in megabytes of the audit log file before it gets rotated. Defaults to 100MB.
-
-If an audit log file already exists, Kubernetes appends new audit logs to that file.
-Otherwise, Kubernetes creates an audit log file at the location you specified in
-`audit-log-path`. If the audit log file exceeds the size you specify in `audit-log-maxsize`,
-Kubernetes will rename the current log file by appending the current timestamp on
-the file name (before the file extension) and create a new audit log file.
-Kubernetes may delete old log files when creating a new log file; you can configure
-how many files are retained and how old they can be by specifying the `audit-log-maxbackup`
-and `audit-log-maxage` options.
-
[kube-apiserver]: /docs/admin/kube-apiserver
[auditing-proposal]: https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/auditing.md
-[auditing-api]: https://github.com/kubernetes/kubernetes/blob/{{< param "githubbranch" >}}/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go
+[auditing-api]: https://github.com/kubernetes/kubernetes/blob/{{< param "githubbranch" >}}/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
[gce-audit-profile]: https://github.com/kubernetes/kubernetes/blob/{{< param "githubbranch" >}}/cluster/gce/gci/configure-helper.sh#L735
-[kubeconfig]: https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/
+[kubeconfig]: /docs/tasks/access-application-cluster/configure-access-multiple-clusters/
[fluentd]: http://www.fluentd.org/
[fluentd_install_doc]: http://docs.fluentd.org/v0.12/articles/quickstart#step1-installing-fluentd
[fluentd_plugin_management_doc]: https://docs.fluentd.org/v0.12/articles/plugin-management
diff --git a/content/en/docs/tasks/extend-kubectl/kubectl-plugins.md b/content/en/docs/tasks/extend-kubectl/kubectl-plugins.md
index 4ee79ba7fa503..d4e3b256d3eb6 100644
--- a/content/en/docs/tasks/extend-kubectl/kubectl-plugins.md
+++ b/content/en/docs/tasks/extend-kubectl/kubectl-plugins.md
@@ -1,7 +1,8 @@
---
title: Extend kubectl with plugins
reviewers:
-- fabianofranz
+- juanvallejo
+- soltysh
description: With kubectl plugins, you can extend the functionality of the kubectl command by adding new subcommands.
content_template: templates/task
---
@@ -10,7 +11,8 @@ content_template: templates/task
{{< feature-state state="alpha" >}}
-This guide shows you how to install and write extensions for [kubectl](/docs/user-guide/kubectl/). Usually called *plugins* or *binary extensions*, this feature allows you to extend the default set of commands available in `kubectl` by adding new subcommands to perform new tasks and extend the set of features available in the main distribution of `kubectl`.
+This guide demonstrates how to install and write extensions for [kubectl](/docs/reference/kubectl/kubectl/). By thinking of core `kubectl` commands as essential building blocks for interacting with a Kubernetes cluster, a cluster administrator can think
+of plugins as a means of utilizing these building blocks to create more complex behavior. Plugins extend `kubectl` with new sub-commands, allowing for new and custom features not included in the main distribution of `kubectl`.
{{% /capture %}}
@@ -18,10 +20,10 @@ This guide shows you how to install and write extensions for [kubectl](/docs/use
You need to have a working `kubectl` binary installed.
{{< note >}}
-**Note:** Plugins were officially introduced as an alpha feature in the v1.8.0 release. So, while some parts of the plugins feature were already available in previous versions, a `kubectl` version of 1.8.0 or later is recommended.
+**Note:** Plugins were officially introduced as an alpha feature in the v1.8.0 release. They have been re-worked in the v1.12.0 release to support a wider range of use-cases. So, while some parts of the plugins feature were already available in previous versions, a `kubectl` version of 1.12.0 or later is recommended if you are following these docs.
{{< /note >}}
-Until a GA version is released, plugins will only be available under the `kubectl plugin` subcommand.
+Until a GA version is released, plugins should be considered unstable, and their underlying mechanism is prone to change.
{{% /capture %}}
@@ -29,112 +31,246 @@ Until a GA version is released, plugins will only be available under the `kubect
## Installing kubectl plugins
-A plugin is nothing more than a set of files: at least a **plugin.yaml** descriptor, and likely one or more binary, script, or assets files. To install a plugin, copy those files to one of the locations in the filesystem where `kubectl` searches for plugins.
+A plugin is nothing more than a standalone executable file, whose name begins with `kubectl-`. To install a plugin, simply move this executable file to anywhere on your PATH.
{{< note >}}
-**Note:** Kubernetes does not provide a package manager or anything similar to install or update plugins. It is your responsibility to place the plugin files in the correct location. We recommend that each plugin be stored in its own directory so that installing a plugin distributed as a compressed file is as simple as extracting it to one of the locations specified in the [Plugin loader](#plugin-loader) section.
+**Note:** Kubernetes does not provide a package manager or anything similar to install or update plugins. It is your responsibility to ensure that plugin executables have a filename that begins with `kubectl-`, and that they are placed somewhere on your PATH.
{{< /note >}}
-### Plugin loader
+### Discovering plugins
-The plugin loader is responsible for searching plugin files in the filesystem locations specified below, and checking if the plugin provides the minimum amount of information required for it to run. Files placed in the right location that don't provide the minimum amount of information, for example an incomplete *plugin.yaml* descriptor, are ignored.
+`kubectl` provides a command `kubectl plugin list` that searches your PATH for valid plugin executables.
+Executing this command causes a traversal of all files in your PATH. Any files that are executable, and begin with `kubectl-` will show up *in the order in which they are present in your PATH* in this command's output.
+A warning will be included for any files beginning with `kubectl-` that are *not* executable.
+A warning will also be included for any valid plugin files that overlap each other's name.
-#### Search order
+#### Limitations
-The plugin loader uses the following search order:
+It is currently not possible to create plugins that overwrite existing `kubectl` commands. For example, creating a plugin `kubectl-version` will cause that plugin to never be executed, as the existing `kubectl version` command will always take precedence over it. Due to this limitation, it is also *not* possible to use plugins to add new subcommands to existing `kubectl` commands. For example, adding a subcommand `kubectl create foo` by naming your plugin `kubectl-create-foo` will cause that plugin to be ignored. Warnings will appear under the output of `kubectl plugin list` for any valid plugins that attempt to do this.
-1. `${KUBECTL_PLUGINS_PATH}` If specified, the search stops here.
-2. `${XDG_DATA_DIRS}/kubectl/plugins`
-3. `~/.kube/plugins`
+## Writing kubectl plugins
-If the `KUBECTL_PLUGINS_PATH` environment variable is present, the loader uses it as the only location to look for plugins.
-The `KUBECTL_PLUGINS_PATH` environment variable is a list of directories. In Linux and Mac, the list is colon-delimited. In
-Windows, the list is semicolon-delimited.
+You can write a plugin in any programming language or script that allows you to write command-line commands.
-If `KUBECTL_PLUGINS_PATH` is not present, the loader searches these additional locations:
+There is no plugin installation or pre-loading required. Plugin executables receive the inherited environment from the `kubectl` binary.
+A plugin determines which command path it wishes to implement based on its name. For example, a plugin wanting to provide a new command
+`kubectl foo`, would simply be named `kubectl-foo`, and live somewhere in the user's PATH.
-First, one or more directories specified according to the
-[XDG System Directory Structure](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html)
-specification. Specifically, the loader locates the directories specified by the `XDG_DATA_DIRS` environment variable,
-and then searches `kubectl/plugins` directory inside of those.
-If `XDG_DATA_DIRS` is not specified, it defaults to `/usr/local/share:/usr/share`.
+### Example plugin
-Second, the `plugins` directory under the user's kubeconfig dir. In most cases, this is `~/.kube/plugins`.
+```
+#!/bin/bash
+
+# optional argument handling
+if [[ "$1" == "version" ]]
+then
+ echo "1.0.0"
+ exit 0
+fi
+
+# optional argument handling
+if [[ "$1" == "config" ]]
+then
+ echo $KUBECONFIG
+ exit 0
+fi
+
+echo "I am a plugin named kubectl-foo"
+```
-```shell
-# Loads plugins from both /path/to/dir1 and /path/to/dir2
-KUBECTL_PLUGINS_PATH=/path/to/dir1:/path/to/dir2 kubectl plugin -h
+### Using a plugin
+
+To use the above plugin, simply make it executable:
+
+```
+sudo chmod +x ./kubectl-foo
```
-## Writing kubectl plugins
+and place it anywhere in your PATH:
-You can write a plugin in any programming language or script that allows you to write command-line commands.
-A plugin does not necessarily need to have a binary component. It could rely entirely on operating system utilities
-like `echo`, `sed`, or `grep`. Or it could rely on the `kubectl` binary.
+```
+sudo mv ./kubectl-foo /usr/local/bin
+```
-The only strong requirement for a `kubectl` plugin is the `plugin.yaml` descriptor file. This file is responsible for declaring at least the minimum attributes required to register a plugin and must be located under one of the locations specified in the [Search order](#search-order) section.
+You may now invoke your plugin as a `kubectl` command:
-### The plugin.yaml descriptor
+```
+$ kubectl foo
+I am a plugin named kubectl-foo
+```
-The descriptor file supports the following attributes:
+All args and flags are passed as-is to the executable:
```
-name: "targaryen" # REQUIRED: the plugin command name, to be invoked under 'kubectl'
-shortDesc: "Dragonized plugin" # REQUIRED: the command short description, for help
-longDesc: "" # the command long description, for help
-example: "" # command example(s), for help
-command: "./dracarys" # REQUIRED: the command, binary, or script to invoke when running the plugin
-flags: # flags supported by the plugin
- - name: "heat" # REQUIRED for each flag: flag name
- shorthand: "h" # short version of the flag name
- desc: "Fire heat" # REQUIRED for each flag: flag description
- defValue: "extreme" # default value of the flag
-tree: # allows the declaration of subcommands
- - ... # subcommands support the same set of attributes
+$ kubectl foo version
+1.0.0
```
-The preceding descriptor declares the `kubectl plugin targaryen` plugin, which has one flag named `-h | --heat`.
-When the plugin is invoked, it calls the `dracarys` binary or script, which is located in the same directory as the descriptor file. The [Accessing runtime attributes](#accessing-runtime-attributes) section describes how the `dracarys` command accesses the flag value and other runtime context.
+All environment variables are also passed as-is to the executable:
-### Recommended directory structure
+```bash
+$ export KUBECONFIG=~/.kube/config
+$ kubectl foo config
+/home//.kube/config
-It is recommended that each plugin has its own subdirectory in the filesystem, preferably with the same name as the plugin command. The directory must contain the `plugin.yaml` descriptor and any binary, script, asset, or other dependency it might require.
+$ KUBECONFIG=/etc/kube/config kubectl foo config
+/etc/kube/config
+```
-For example, the directory structure for the `targaryen` plugin could look like this:
+Additionally, the first argument that is passed to a plugin will always be the full path to the location where it was invoked (`$0` would equal `/usr/local/bin/kubectl-foo` in our example above).
+### Naming a plugin
+
+As seen in the example above, a plugin determines the command path that it will implement based on its filename. Every sub-command in the command path that a plugin targets, is separated by a dash (`-`).
+For example, a plugin that wishes to be invoked whenever the command `kubectl foo bar baz` is invoked by the user, would have the filename of `kubectl-foo-bar-baz`.
+
+#### Flags and argument handling
+
+Taking our `kubectl-foo-bar-baz` plugin from the above scenario, we further explore additional cases where users invoke our plugin while providing additional flags and arguments.
+For example, in a situation where a user invokes the command `kubectl foo bar baz arg1 --flag=value arg2`, the plugin mechanism will first try to find the plugin with the longest possible name, which in this case
+would be `kubectk-foo-bar-baz-arg1`. Upon not finding that plugin, it then treats the last dash-separated value as an argument (`arg1` in this case), and attempts to find the next longest possible name, `kubectl-foo-bar-baz`.
+Upon finding a plugin with this name, it then invokes that plugin, passing all args and flags after its name to the plugin executable.
+
+Example:
+
+```bash
+# create a plugin
+$ echo '#!/bin/bash\n\necho "My first command-line argument was $1"' > kubectl-foo-bar-baz
+$ sudo chmod +x ./kubectl-foo-bar-baz
+
+# "install" our plugin by placing it on our PATH
+$ sudo mv ./kubectl-foo-bar-baz /usr/local/bin
+
+# ensure our plugin is recognized by kubectl
+$ kubectl plugin list
+The following kubectl-compatible plugins are available:
+
+/usr/local/bin/kubectl-foo-bar-baz
+
+# test that calling our plugin via a "kubectl" command works
+# even when additional arguments and flags are passed to our
+# plugin executable by the user.
+$ kubectl foo bar baz arg1 --meaningless-flag=true
+My first command-line argument was arg1
```
-~/.kube/plugins/
-└── targaryen
- ├── plugin.yaml
- └── dracarys
+
+As you can see, our plugin was found based on the `kubectl` command specified by a user, and all extra arguments and flags were passed as-is to the plugin executable once it was found.
+
+#### Names with dashes and underscores
+
+Although the `kubectl` plugin mechanism uses the dashes (`-`) in plugin filenames to determine the sequence of sub-commands that should invoke them, it is still possible to create a plugin
+command containing dashes in its commandline invocation by using underscores `_` in its filename.
+
+Example:
+
+```bash
+# create a plugin containing an underscore in its filename
+$ echo '#!/bin/bash\n\necho "I am a plugin with a dash in my name"' > ./kubectl-foo_bar
+$ sudo chmod +x ./kubectl-foo_bar
+
+# move the plugin into your PATH
+$ sudo mv ./kubectl-foo_bar /usr/local/bin
+
+# our plugin can now be invoked from `kubectl` like so:
+$ kubectl foo-bar
+I am a plugin with a dash in my name
+```
+
+Note that the introduction of underscores to a plugin filename does not prevent us from having commands such as `kubectl foo_bar`.
+The command from the above example, can be invoked using either a dash (`-`) or an underscore (`_`):
+
+```bash
+# our plugin can be invoked with a dash
+$ kubectl foo-bar
+I am a plugin with a dash in my name
+
+# it can also be inovked using an underscore
+$ kubectl foo_bar
+I am a plugin with a dash in my name
+```
+
+#### Name conflicts and overshadowing
+
+It can be possible to have multiple pluins with the same filename in different locations throughout your PATH.
+For example, given a PATH with the following value: `PATH=/usr/local/bin/plugins:/usr/local/bin/moreplugins`, a copy of plugin `kubectl-foo` could exist in `/usr/local/bin/plugins` and `/usr/local/bin/moreplugins`,
+such that the output of the `kubectl plugin list` command is:
+
+```bash
+$ PATH=/usr/local/bin/plugins:/usr/local/bin/moreplugins kubectl plugin list
+The following kubectl-compatible plugins are available:
+
+/usr/local/bin/plugins/kubectl-foo
+/usr/local/bin/moreplugins/kubectl-foo
+ - warning: /usr/local/bin/moreplugins/kubectl-foo is overshadowed by a similarly named plugin: /usr/local/bin/plugins/kubectl-foo
+
+error: one plugin warning was found
```
-### Accessing runtime attributes
+In the above scenario, the warning under `/usr/local/bin/moreplugins/kubectl-foo` tells us that this plugin will never be executed. Instead, the executable that appears first in our PATH, `/usr/local/bin/plugins/kubectl-foo`, willalways be found and executed first by the `kubectl` plugin mechanism.
-In most use cases, the binary or script file you write to support the plugin must have access to some contextual information provided by the plugin framework. For example, if you declared flags in the descriptor file, your plugin must have access to the user-provided flag values at runtime. The same is true for global flags. The plugin framework is responsible for doing that, so plugin writers don't need to worry about parsing arguments. This also ensures the best level of consistency between plugins and regular `kubectl` commands.
+A way to resolve this issue is to ensure that the location of the plugin that you wish to use with `kubectl` always comes first in your PATH. For example, if we wanted to always use `/usr/local/bin/moreplugins/kubectl-foo` anytime that the `kubectl` command `kubectl foo` was invoked, we would simply change the value of our PATH to be `PATH=/usr/local/bin/moreplugins:/usr/local/bin/plugins`.
-Plugins have access to runtime context attributes through environment variables. So to access the value provided through a flag, for example, just look for the value of the proper environment variable using the appropriate function call for your binary or script.
+#### Invocation of the longest executable filename
-The supported environment variables are:
+There is another kind of overshadowing that can occur with plugin filenames. Given two plugins present in a user's PATH `kubectl-foo-bar` and `kubectl-foo-bar-baz`, the `kubectl` plugin mechanism will always choose the longest possible plugin name for a given user command. Some examples below, clarify this further:
-* `KUBECTL_PLUGINS_CALLER`: The full path to the `kubectl` binary that was used in the current command invocation.
-As a plugin writer, you don't have to implement logic to authenticate and access the Kubernetes API. Instead, you can invoke `kubectl` to obtain the information you need, through something like `kubectl get --raw=/apis`.
+```bash
+# for a given kubectl command, the plugin with the longest possible filename will always be preferred
+$ kubectl foo bar baz
+Plugin kubectl-foo-bar-baz is executed
+
+$ kubectl foo bar
+Plugin kubectl-foo-bar is executed
+
+$ kubectl foo bar baz buz
+Plugin kubectl-foo-bar-baz is executed, with "buz" as its first argument
+
+$ kubectl foo bar buz
+Plugin kubectl-foo-bar is executed, with "buz" as its first argument
+```
+
+This design choice ensures that plugin sub-commands can be implemented across multiple files, if needed, and that these sub-commands can be nested under a "parent" plugin command:
+
+```bash
+$ ls ./plugin_command_tree
+kubectl-parent
+kubectl-parent-subcommand
+kubectl-parent-subcommand-subsubcommand
+```
+
+### Checking for plugin warnings
+
+You can use the aforementioned `kubectl plugin list` command to ensure that your plugin is visible by `kubectl`, and verify that there are no warnings preventing it from being called as a `kubectl` command.
+
+```bash
+$ kubectl plugin list
+The following kubectl-compatible plugins are available:
+
+test/fixtures/pkg/kubectl/plugins/kubectl-foo
+/usr/local/bin/kubectl-foo
+ - warning: /usr/local/bin/kubectl-foo is overshadowed by a similarly named plugin: test/fixtures/pkg/kubectl/plugins/kubectl-foo
+plugins/kubectl-invalid
+ - warning: plugins/kubectl-invalid identified as a kubectl plugin, but it is not executable
+
+error: 2 plugin warnings were found
+```
-* `KUBECTL_PLUGINS_CURRENT_NAMESPACE`: The current namespace that is the context for this call. This is the actual namespace to be used, meaning it was already processed in terms of the precedence between what was provided through the kubeconfig, the `--namespace` global flag, environment variables, and so on.
+### Using the command line runtime package
-* `KUBECTL_PLUGINS_DESCRIPTOR_*`: One environment variable for every attribute declared in the `plugin.yaml` descriptor.
-For example, `KUBECTL_PLUGINS_DESCRIPTOR_NAME`, `KUBECTL_PLUGINS_DESCRIPTOR_COMMAND`.
+As part of the plugin mechanism update in the v1.12.0 release, an additional set of utilities have been made available to plugin authors. These utilities
+exist under the [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) repository, and can be used by plugins written in Go to parse and update
+a user's KUBECONFIG file, obtain REST clients to talk to the API server, and automatically bind flags associated with configuration and printing.
-* `KUBECTL_PLUGINS_GLOBAL_FLAG_*`: One environment variable for every global flag supported by `kubectl`.
-For example, `KUBECTL_PLUGINS_GLOBAL_FLAG_NAMESPACE`, `KUBECTL_PLUGINS_GLOBAL_FLAG_V`.
+Plugins *do not* have to be written in Go in order to be recognized as valid plugins by `kubectl`, but they do have to use Go in order to take advantage of
+the tools and utilities in the CLI Runtime repository.
-* `KUBECTL_PLUGINS_LOCAL_FLAG_*`: One environment variable for every local flag declared in the `plugin.yaml` descriptor. For example, `KUBECTL_PLUGINS_LOCAL_FLAG_HEAT` in the preceding `targaryen` example.
+See the [Sample CLI Plugin](https://github.com/kubernetes/sample-cli-plugin) for an example usage of the tools provided in the CLI Runtime repo.
{{% /capture %}}
{{% capture whatsnext %}}
-* Check the repository for [some more examples](https://github.com/kubernetes/kubernetes/tree/release-1.11/pkg/kubectl/plugins/examples) of plugins.
+* Check the Sample CLI Plugin repository for [a detailed example](https://github.com/kubernetes/sample-cli-plugin) of a plugin written in Go.
* In case of any questions, feel free to reach out to the [CLI SIG team](https://github.com/kubernetes/community/tree/master/sig-cli).
* Binary plugins is still an alpha feature, so this is the time to contribute ideas and improvements to the codebase. We're also excited to hear about what you're planning to implement with plugins, so [let us know](https://github.com/kubernetes/community/tree/master/sig-cli)!
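Review bot: Both `# create a plugin` examples write the script with `echo '#!/bin/bash\n\necho ...' > file` inside a fence tagged bash, and bash's builtin `echo` does not expand `\n` by default, so the file ends up as one line with a broken shebang. `printf '#!/bin/bash\n\necho "My first command-line argument was $1"\n' > kubectl-foo-bar-baz` (and the same form for `kubectl-foo_bar`) behaves the same in every shell. The added prose also has typos: `kubectk-foo-bar-baz-arg1`, `pluins`, `inovked` and `willalways`. Because `kubectl` runs any executable named `kubectl-*` found on PATH with the caller's environment, including `KUBECONFIG`, the install note would benefit from one more sentence, for example `Only place plugins in PATH directories that other users cannot write to, and review the output of kubectl plugin list after installing.` The `sudo` in `sudo chmod +x ./kubectl-foo` is not needed for a file the user has just created.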
diff --git a/content/en/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md b/content/en/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md
index 3ccf9dadc5df1..ca1ec171bd932 100644
--- a/content/en/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md
+++ b/content/en/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md
@@ -167,18 +167,18 @@ Here CPU utilization dropped to 0, and so HPA autoscaled the number of replicas
## Autoscaling on multiple metrics and custom metrics
You can introduce additional metrics to use when autoscaling the `php-apache` Deployment
-by making use of the `autoscaling/v2beta1` API version.
+by making use of the `autoscaling/v2beta2` API version.
-First, get the YAML of your HorizontalPodAutoscaler in the `autoscaling/v2beta1` form:
+First, get the YAML of your HorizontalPodAutoscaler in the `autoscaling/v2beta2` form:
```shell
-$ kubectl get hpa.v2beta1.autoscaling -o yaml > /tmp/hpa-v2.yaml
+$ kubectl get hpa.v2beta2.autoscaling -o yaml > /tmp/hpa-v2.yaml
```
Open the `/tmp/hpa-v2.yaml` file in an editor, and you should see YAML which looks like this:
```yaml
-apiVersion: autoscaling/v2beta1
+apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
name: php-apache
@@ -194,7 +194,9 @@ spec:
- type: Resource
resource:
name: cpu
- targetAverageUtilization: 50
+ target:
+ type: Utilization
+ averageUtilization: 50
status:
observedGeneration: 1
lastScaleTime:
@@ -204,8 +206,9 @@ status:
- type: Resource
resource:
name: cpu
- currentAverageUtilization: 0
- currentAverageValue: 0
+ current:
+ averageUtilization: 0
+ averageValue: 0
```
Notice that the `targetCPUUtilizationPercentage` field has been replaced with an array called `metrics`.
@@ -215,8 +218,8 @@ the only other supported resource metric is memory. These resources do not chan
to cluster, and should always be available, as long as the `metrics.k8s.io` API is available.
You can also specify resource metrics in terms of direct values, instead of as percentages of the
-requested value. To do so, use the `targetAverageValue` field instead of the `targetAverageUtilization`
-field.
+requested value, by using a `target` type of `AverageValue` instead of `AverageUtilization`, and
+setting the corresponding `target.averageValue` field instead of the `target.averageUtilization`.
There are two other types of metrics, both of which are considered *custom metrics*: pod metrics and
object metrics. These metrics may have names which are cluster specific, and require a more
@@ -224,31 +227,40 @@ advanced cluster monitoring setup.
The first of these alternative metric types is *pod metrics*. These metrics describe pods, and
are averaged together across pods and compared with a target value to determine the replica count.
-They work much like resource metrics, except that they *only* have the `targetAverageValue` field.
+They work much like resource metrics, except that they *only* support a `target` type of `AverageValue`.
Pod metrics are specified using a metric block like this:
```yaml
type: Pods
pods:
- metricName: packets-per-second
- targetAverageValue: 1k
+ metric:
+ name: packets-per-second
+ target:
+ type: AverageValue
+ averageValue: 1k
```
-The second alternative metric type is *object metrics*. These metrics describe a different
-object in the same namespace, instead of describing pods. Note that the metrics are not
-fetched from the object -- they simply describe it. Object metrics do not involve averaging,
-and look like this:
+The second alternative metric type is *object metrics*. These metrics describe a different
+object in the same namespace, instead of describing pods. The metrics are not necessarily
+fetched from the object; they only describe it. Object metrics support `target` types of
+both `Value` and `AverageValue`. With `Value`, the target is compared directly to the returned
+metric from the API. With `AverageValue`, the value returned from the custom metrics API is divided
+by the number of pods before being compared to the target. The following example is the YAML
+representation of the `requests-per-second` metric.
```yaml
type: Object
object:
- metricName: requests-per-second
- target:
+ metric:
+ name: requests-per-second
+ describedObject:
apiVersion: extensions/v1beta1
kind: Ingress
name: main-route
- targetValue: 2k
+ target:
+ type: Value
+ value: 2k
```
If you provide multiple such metric blocks, the HorizontalPodAutoscaler will consider each metric in turn.
@@ -275,19 +287,25 @@ spec:
- type: Resource
resource:
name: cpu
- targetAverageUtilization: 50
+ target:
+ kind: AverageUtilization
+ averageUtilization: 50
- type: Pods
pods:
- metricName: packets-per-second
+ metric:
+ name: packets-per-second
targetAverageValue: 1k
- type: Object
object:
- metricName: requests-per-second
- target:
+ metric:
+ name: requests-per-second
+ describedObject:
apiVersion: extensions/v1beta1
kind: Ingress
name: main-route
- targetValue: 10k
+ target:
+ kind: Value
+ value: 10k
status:
observedGeneration: 1
lastScaleTime:
@@ -297,14 +315,47 @@ status:
- type: Resource
resource:
name: cpu
- currentAverageUtilization: 0
- currentAverageValue: 0
+ current:
+ averageUtilization: 0
+ averageValue: 0
+ - type: Object
+ object:
+ metric:
+ name: requests-per-second
+ describedObject:
+ apiVersion: extensions/v1beta1
+ kind: Ingress
+ name: main-route
+ current:
+ value: 10k
```
Then, your HorizontalPodAutoscaler would attempt to ensure that each pod was consuming roughly
50% of its requested CPU, serving 1000 packets per second, and that all pods behind the main-route
Ingress were serving a total of 10000 requests per second.
+### Autoscaling on more specific metrics
+
+Many metrics pipelines allow you to describe metrics either by name or by a set of additional
+descriptors called _labels_. For all non-resource metric types (pod, object, and external,
+described below), you can specify an additional label selector which is passed to your metric
+pipeline. For instance, if you collect a metric `http_requests` with the `verb`
+label, you can specify the following metric block to scale only on GET requests:
+
+```yaml
+type: Object
+object:
+ metric:
+ name: `http_requests`
+ selector: `verb=GET`
+```
+
+This selector uses the same syntax as the full Kubernetes label selectors. The monitoring pipeline
+determines how to collapse multiple series into a single value, if the name and selector
+match multiple series. The selector is additive, and cannot select metrics
+that describe objects that are **not** the target object (the target pods in the case of the `Pods`
+type, and the described object in the case of the `Object` type).
+
### Autoscaling on metrics not related to Kubernetes objects
Applications running on Kubernetes may need to autoscale based on metrics that don't have an obvious
@@ -312,12 +363,14 @@ relationship to any object in the Kubernetes cluster, such as metrics describing
no direct correlation to Kubernetes namespaces. In Kubernetes 1.10 and later, you can address this use case
with *external metrics*.
-Using external metrics requires a certain level of knowledge of your monitoring system, and it requires a cluster
-monitoring setup similar to one required for using custom metrics. With external metrics, you can autoscale
-based on any metric available in your monitoring system by providing a `metricName` field in your
-HorizontalPodAutoscaler manifest. Additionally you can use a `metricSelector` field to limit which
-metrics' time series you want to use for autoscaling. If multiple time series are matched by `metricSelector`,
+Using external metrics requires knowledge of your monitoring system; the setup is
+similar to that required when using custom metrics. External metrics allow you to autoscale your cluster
+based on any metric available in your monitoring system. Just provide a `metric` block with a
+`name` and `selector`, as above, and use the `External` metric type instead of `Object`.
+If multiple time series are matched by the `metricSelector`,
the sum of their values is used by the HorizontalPodAutoscaler.
+External metrics support both the `Value` and `AverageValue` target types, which function exactly the same
+as when you use the `Object` type.
For example if your application processes tasks from a hosted queue service, you could add the following
section to your HorizontalPodAutoscaler manifest to specify that you need one worker per 30 outstanding tasks.
@@ -325,20 +378,21 @@ section to your HorizontalPodAutoscaler manifest to specify that you need one wo
```yaml
- type: External
external:
- metricName: queue_messages_ready
- metricSelector:
- matchLabels:
- queue: worker_tasks
- targetAverageValue: 30
+ metric:
+ name: queue_messages_ready
+ selector: "queue=worker_tasks"
+ target:
+ type: AverageValue
+ averageValue: 30
```
-If your metric describes work or resources that can be divided between autoscaled pods the `targetAverageValue`
-field describes how much of that work each pod can handle. Instead of using the `targetAverageValue` field, you could use the
-`targetValue` to define a desired value of your external metric.
+When possible, it's preferrable to use the custom metric target types instead of external metrics, since it's
+easier for cluster administrators to secure the custom metrics API. The external metrics API potentially allows
+access to any metric, so cluster administrators should take care when exposing it.
## Appendix: Horizontal Pod Autoscaler Status Conditions
-When using the `autoscaling/v2beta1` form of the HorizontalPodAutoscaler, you will be able to see
+When using the `autoscaling/v2beta2` form of the HorizontalPodAutoscaler, you will be able to see
*status conditions* set by Kubernetes on the HorizontalPodAutoscaler. These status conditions indicate
whether or not the HorizontalPodAutoscaler is able to scale, and whether or not it is currently restricted
in any way.
@@ -378,6 +432,16 @@ was capped by the maximum or minimum of the HorizontalPodAutoscaler. This is an
you may wish to raise or lower the minimum or maximum replica count constraints on your
HorizontalPodAutoscaler.
+## Appendix: Quantities
+
+All metrics in the HorizontalPodAutoscaler and metrics APIs are specified using
+a special whole-number notation known in Kubernetes as a *quantity*. For example,
+the quantity `10500m` would be written as `10.5` in decimal notation. The metrics APIs
+will return whole numbers without a suffix when possible, and will generally return
+quantities in milli-units otherwise. This means you might see your metric value fluctuate
+between `1` and `1500m`, or `1` and `1.5` when written in decimal notation. See the
+[glossary entry on quantities](/docs/reference/glossary/quantity.md) for more information.
+
## Appendix: Other possible scenarios
### Creating the autoscaler declaratively
diff --git a/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md b/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md
index 393708cab9fb1..078d2c537f329 100644
--- a/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md
+++ b/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md
@@ -55,15 +55,19 @@ or the custom metrics API (for all other metrics).
the number of desired replicas.
Please note that if some of the pod's containers do not have the relevant resource request set,
- CPU utilization for the pod will not be defined and the autoscaler will not take any action
- for that metric. See the [autoscaling algorithm design document](https://git.k8s.io/community/contributors/design-proposals/autoscaling/horizontal-pod-autoscaler.md#autoscaling-algorithm) for further
- details about how the autoscaling algorithm works.
+ CPU utilization for the pod will not be defined and the autoscaler will
+ not take any action for that metric. See the [algorithm
+ details](#algorithm-details) section below for more information about
+ how the autoscaling algorithm works.
* For per-pod custom metrics, the controller functions similarly to per-pod resource metrics,
except that it works with raw values, not utilization values.
-* For object metrics, a single metric is fetched (which describes the object
- in question), and compared to the target value, to produce a ratio as above.
+* For object metrics and external metrics, a single metric is fetched, which describes
+ the object in question. This metric is compared compared to the target
+ value, to produce a ratio as above. In the `autoscaling/v2beta2` API
+ version, this value can optionally be divided by the number of pods before the
+ comparison is made.
The HorizontalPodAutoscaler normally fetches metrics from a series of aggregated APIs (`metrics.k8s.io`,
`custom.metrics.k8s.io`, and `external.metrics.k8s.io`). The `metrics.k8s.io` API is usually provided by
@@ -83,6 +87,85 @@ by using the scale sub-resource. Scale is an interface that allows you to dynami
each of their current states. More details on scale sub-resource can be found
[here](https://git.k8s.io/community/contributors/design-proposals/autoscaling/horizontal-pod-autoscaler.md#scale-subresource).
+### Algorithm Details
+
+From the most basic perspective, the Horizontal Pod Autoscaler controller
+operates on the ratio between desired metric value and current metric
+value:
+
+```
+desiredReplicas = ceil[currentReplicas * ( currentMetricValue / desiredMetricValue )]
+```
+
+For example, if the current metric value is `200m`, and the desired value
+is `100m`, the number of replicas will be doubled, since `200.0 / 100.0 ==
+2.0` If the the current value is instead `50m`, we'll halve the number of
+replicas, since `50.0 / 100.0 == 0.5`. We'll skip scaling if the ratio is
+sufficiently close to 1.0 (within a globally-configurable tolerance, from
+the `--horizontal-pod-autoscaler-tolerance` flag, which defaults to 0.1).
+
+When a `targetAverageValue` or `targetAverageUtilization` is specified,
+the `currentMetricValue` is computed by taking the average of the given
+metric across all Pods in the HorizontalPodAutoscaler's scale target.
+Before checking the tolerance and deciding on the final values, we take
+pod readiness and missing metrics into consideration, however.
+
+All Pods with a deletion timestamp set (i.e. Pods in the process of being
+shut down) and all failed Pods are discarded.
+
+If a particular Pod is missing metrics, it is set aside for later; Pods
+with missing metrics will be used to adjust the final scaling amount.
+
+When scaling on CPU, if any pod has yet to become ready (i.e. it's still
+initializing) *or* the most recent metric point for the pod was before it
+became ready, that pod is set aside as well.
+
+Due to technical constraints, the HorizontalPodAutoscaler controller
+cannot exactly determine the first time a pod becomes ready when
+determinining whether to set aside certain CPU metrics. Instead, it
+considers a Pod "not yet ready" if it's unready and transitioned to
+unready within a short, configurable window of time since it started.
+This value is configured with the `--horizontal-pod-autoscaler-initial-readiness-delay` flag, and its default is 30
+seconds. Once a pod has become ready, it considers any transition to
+ready to be the first if it occurred within a longer, configurable time
+since it started. This value is configured with the `--horizontal-pod-autoscaler-cpu-initialization-period` flag, and its
+default is 5 minutes.
+
+The `currentMetricValue / desiredMetricValue` base scale ratio is then
+calculated using the remaining pods not set aside or discarded from above.
+
+If there were any missing metrics, we recompute the average more
+conservatively, assuming those pods were consuming 100% of the desired
+value in case of a scale down, and 0% in case of a scale up. This dampens
+the magnitude of any potential scale.
+
+Futhermore, if any not-yet-ready pods were present, and we would have
+scaled up without factoring in missing metrics or not-yet-ready pods, we
+conservatively assume the non-yet-ready pods are consuming 0% of the
+desired metric, further dampening the magnitude of a scale up.
+
+After factoring in the not-yet-ready pods and missing metrics, we
+recalculate the usage ratio. If the new ratio reverses the scale
+direction, or is within the tolerance, we skip scaling. Otherwise, we use
+the new ratio to scale.
+
+Note that the *original* value for the average utilization is reported
+back via the HorizontalPodAutoscaler status, without factoring in the
+not-yet-ready pods or missing metrics, even when the new usage ratio is
+used.
+
+If multiple metrics are specified in a HorizontalPodAutoscaler, this
+calculation is done for each metric, and then the largest of the desired
+replica counts is chosen. If any of those metrics cannot be converted
+into a desired replica count (e.g. due to an error fetching the metrics
+from the metrics APIs), scaling is skipped.
+
+Finally, just before HPA scales the target, the scale reccomendation is recorded. The
+controller considers all reccomendations within a configurable window choosing the
+highest recommendation from within that window. This value can be configured using the `--horizontal-pod-autoscaler-downscale-stabilization-window` flag, which defaults to 5 minutes.
+This means that scaledowns will occur gradually, smothing out the impact of rapidly
+fluctuating metric values.
+
## API Object
The Horizontal Pod Autoscaler is an API resource in the Kubernetes `autoscaling` API group.
@@ -90,7 +173,7 @@ The current stable version, which only includes support for CPU autoscaling,
can be found in the `autoscaling/v1` API version.
The beta version, which includes support for scaling on memory and custom metrics,
-can be found in `autoscaling/v2beta1`. The new fields introduced in `autoscaling/v2beta1`
+can be found in `autoscaling/v2beta2`. The new fields introduced in `autoscaling/v2beta2`
are preserved as annotations when working with `autoscaling/v1`.
More details about the API object can be found at
@@ -131,16 +214,14 @@ dynamic nature of the metrics evaluated. This is sometimes referred to as *thras
Starting from v1.6, a cluster operator can mitigate this problem by tuning
the global HPA settings exposed as flags for the `kube-controller-manager` component:
+Starting from v1.12, a new algorithmic update removes the need for the
+upscale delay.
+
- `--horizontal-pod-autoscaler-downscale-delay`: The value for this option is a
duration that specifies how long the autoscaler has to wait before another
downscale operation can be performed after the current one has completed.
The default value is 5 minutes (`5m0s`).
-- `--horizontal-pod-autoscaler-upscale-delay`: The value for this option is a
- duration that specifies how long the autoscaler has to wait before another
- upscale operation can be performed after the current one has completed.
- The default value is 3 minutes (`3m0s`).
-
{{< note >}}
**Note**: When tuning these parameter values, a cluster operator should be aware of
the possible consequences. If the delay (cooldown) value is set too long, there
@@ -151,7 +232,7 @@ may keep thrashing as usual.
## Support for multiple metrics
-Kubernetes 1.6 adds support for scaling based on multiple metrics. You can use the `autoscaling/v2beta1` API
+Kubernetes 1.6 adds support for scaling based on multiple metrics. You can use the `autoscaling/v2beta2` API
version to specify multiple metrics for the Horizontal Pod Autoscaler to scale on. Then, the Horizontal Pod
Autoscaler controller will evaluate each metric, and propose a new scale based on that metric. The largest of the
proposed scales will be used as the new scale.
@@ -164,7 +245,7 @@ custom metrics is still available, these metrics will not be available for use b
annotations for specifying which custom metrics to scale on are no longer honored by the Horizontal Pod Autoscaler controller.
Kubernetes 1.6 adds support for making use of custom metrics in the Horizontal Pod Autoscaler.
-You can add custom metrics for the Horizontal Pod Autoscaler to use in the `autoscaling/v2beta1` API.
+You can add custom metrics for the Horizontal Pod Autoscaler to use in the `autoscaling/v2beta2` API.
Kubernetes then queries the new custom metrics API to fetch the values of the appropriate custom metrics.
See [Support for metrics APIs](#support-for-metrics-APIs) for the requirements.
diff --git a/content/en/examples/admin/dns/dns-horizontal-autoscaler.yaml b/content/en/examples/admin/dns/dns-horizontal-autoscaler.yaml
index 3c7eb40ffe2e1..5e6d55a6b280a 100644
--- a/content/en/examples/admin/dns/dns-horizontal-autoscaler.yaml
+++ b/content/en/examples/admin/dns/dns-horizontal-autoscaler.yaml
@@ -1,18 +1,18 @@
apiVersion: apps/v1
kind: Deployment
metadata:
- name: kube-dns-autoscaler
+ name: dns-autoscaler
namespace: kube-system
labels:
- k8s-app: kube-dns-autoscaler
+ k8s-app: dns-autoscaler
spec:
selector:
matchLabels:
- k8s-app: kube-dns-autoscaler
+ k8s-app: dns-autoscaler
template:
metadata:
labels:
- k8s-app: kube-dns-autoscaler
+ k8s-app: dns-autoscaler
spec:
containers:
- name: autoscaler
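Review bot: The Deployment name, its `k8s-app` labels and (in the second hunk) the `--configmap=` value all change from `kube-dns-autoscaler` to `dns-autoscaler`, but the manifest gives no guidance to a reader who already applied the old version. Because the object name changes, applying this file presumably creates a second Deployment beside the old one instead of updating it, and the new pod would read a ConfigMap named `dns-autoscaler`, so parameters tuned in the old ConfigMap would no longer take effect. I would add a header comment such as `# Renamed from kube-dns-autoscaler: copy any tuned parameters, then delete the old Deployment and ConfigMap before applying.` The `command:` list continues past the end of the second hunk, so whether default parameters are supplied there cannot be confirmed from here.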
@@ -24,7 +24,7 @@ spec:
command:
- /cluster-proportional-autoscaler
- --namespace=kube-system
- - --configmap=kube-dns-autoscaler
+ - --configmap=dns-autoscaler
- --target=
# When cluster is using large nodes(with more cores), "coresPerReplica" should dominate.
# If using small nodes, "nodesPerReplica" should dominate.
diff --git a/resources/OWNERS b/resources/OWNERS
deleted file mode 100644
index 87ee22388b9f6..0000000000000
--- a/resources/OWNERS
+++ /dev/null
@@ -1,8 +0,0 @@
-# Allow CSS/SASS updates from blog and case studies owners
-options:
- no_parent_owners: false
-reviewers:
- - alexcontini
-approvers:
- - alexcontini
-
\ No newline at end of file
diff --git a/resources/_gen/assets/sass/sass/case_study_styles.sass_ba3494e18e2339acfc9f811090f8a3d1.content b/resources/_gen/assets/sass/sass/case_study_styles.sass_ba3494e18e2339acfc9f811090f8a3d1.content
new file mode 100644
index 0000000000000..eec7d2558f863
--- /dev/null
+++ b/resources/_gen/assets/sass/sass/case_study_styles.sass_ba3494e18e2339acfc9f811090f8a3d1.content
@@ -0,0 +1 @@
+html,body{margin:0;padding:0}input,button{outline:0}button{cursor:pointer}ul,li{list-style:none}ul{margin:0;padding:0}a{text-decoration:none}.clear{display:block;clear:both}.light-text{color:#fff}.right{float:right}.left{float:left}.center{text-align:center}*,.button{box-sizing:border-box;font-family:roboto,sans-serif;background:0 0;margin:0;border:0}body{font-family:roboto,sans-serif}h1,h2,h5,p{font-weight:300}h3,h4{font-weight:400}html,body{margin:0;padding:0}input,button{outline:0}button{cursor:pointer}ul,li{list-style:none}ul{margin:0;padding:0}a{text-decoration:none}.clear{display:block;clear:both}.light-text{color:#fff}.right{float:right}.left{float:left}.center{text-align:center}h1{font-size:32px;line-height:40px}h2{font-size:28px;line-height:60px}h3{font-size:24px;line-height:32px}h4{font-size:20px;line-height:40px}h5{font-size:16px;line-height:36px}p{font-size:14px;line-height:22px}section,header,#vendorStrip{padding-left:20px;padding-right:20px}section main,header main,#vendorStrip main{width:100%;max-width:100%}header{height:80px}.nav-buttons{height:80px;line-height:80px}.nav-buttons .button+*{margin-left:30px}#hamburger{width:50px;height:50px}#mainNav{padding:140px 0 30px}#mainNav h5{margin-bottom:1em}#mainNav h3{margin-bottom:.6em}#mainNav .nav-box{width:20%}#mainNav .nav-box+.nav-box{margin-left:calc(20%/3)}#mainNav main+main{margin-top:60px}#mainNav .left .button{height:50px;line-height:50px;font-size:18px}.open-nav #tryKubernetes,.y-enough #tryKubernetes{margin-left:30px}#hero{padding-top:80px}#docs #hero h1,#docs #hero h5{padding-left:20px;padding-right:20px}#vendorStrip{height:88px;line-height:88px;font-size:16px}body{background-color:#fff}section{position:relative;background-color:#fff}section main,header main,footer main{position:relative;margin:auto}p{font-size:14px;font-weight:400}.button{display:inline-block;border-radius:6px;padding:0 
20px;line-height:40px;color:#fff;background-color:#3371e3;text-decoration:none}#cellophane{position:fixed;top:0;left:0;width:100%;height:100%;display:none}header{position:fixed;top:0;left:0;width:100%;z-index:8888;background-color:transparent;box-shadow:0 0 0 transparent;overflow:hidden;transition:.3s;text-align:center}.logo{position:relative;float:left;display:block;width:180px;height:88px;top:0;left:0;transform:none;background-image:url(/images/nav_logo.svg);background-size:contain;background-position:center center;background-repeat:no-repeat}#docs .flyout-button{position:fixed;top:20px;left:20px;width:50px;height:50px;background-image:url(/images/toc_icon.png);background-position:center center;background-repeat:no-repeat;background-size:auto;border-radius:50%;transition:.3s;z-index:99999}#docs.open-nav .flyout-button{display:none}#docs .logo{position:absolute;top:40px;left:50%;transform:translate(-50%,-50%);display:block;width:45px;height:44px;background-image:url(/images/favicon.png)}#docs.flip-nav .flyout-button{background-image:url(/images/toc_icon_grey.png)}.nav-buttons{float:right}#viewDocs,#tryKubernetes{display:none}#viewDocs{border:2px solid #fff;background-color:transparent;transition:.3s}#viewDocs:hover{background-color:#fff;color:#303030}#tryKubernetes{width:0;padding:0;border:1px solid transparent;background-color:transparent;text-align:center;white-space:nowrap;vertical-align:middle;overflow:hidden;transition:.3s}#hamburger{display:inline-block;position:relative;vertical-align:middle;padding:0;border:0;background:0 0}#hamburger div,#hamburger:before,#hamburger:after{position:absolute;left:15%;width:70%;height:2px;background-color:#3371e3;transition:.3s;content:""}#hamburger div{top:calc(50% - 1px)}#hamburger:before{top:24%}#hamburger:after{bottom:24%}#hamburger:hover div,#hamburger:hover:before,#hamburger:hover:after{background-color:#fff}#mainNav h5{color:#3371e3;font-weight:400}#mainNav main{white-space:nowrap;overflow:hidden;clear:both}#mainNav 
.nav-box{float:left;white-space:normal}#mainNav h3 a{color:#3371e3;text-decoration:none}ul.global-nav{display:none}ul.global-nav li{display:inline-block;margin-right:14px}ul.global-nav li a{color:#fff;font-weight:400;padding:0;position:relative}ul.global-nav li a.active:after{position:absolute;width:100%;height:2px;content:'';bottom:-4px;left:0;background:#fff}ul.global-nav li a .ui-icon{filter:brightness(0) invert(1)}ul.global-nav li ul{display:none;position:fixed;top:40px;text-align:left}ul.global-nav li ul li{display:block;height:28px}ul.global-nav li ul li a{background:#303030;color:#fff;padding:7px}ul.global-nav li ul li:last-child a{border-radius:7px}ul.global-nav li:hover ul{display:block}.flip-nav ul.global-nav li a,.open-nav ul.global-nav li a{color:#303030}.flip-nav ul.global-nav li a .ui-icon{filter:brightness(0)}.flip-nav ul.global-nav li ul li a{background:#fff;color:#303030}.flip-nav ul.global-nav li a.active:after,.flip-nav ul.global-nav li ul li a.active:after,.open-nav ul.global-nav li a.active:after{background:#3371e3}.flip-nav header{background-color:#fff}.open-nav body{overflow:hidden}.open-nav #cellophane{display:block;z-index:9998}.open-nav header{background-color:#e8e8e8;z-index:9999}.open-nav #hamburger div{opacity:0}.open-nav #hamburger:before,.open-nav #hamburger:after{left:12px;transform-origin:0 1px}.open-nav #hamburger:before{transform:rotate(45deg)}.open-nav #hamburger:after{transform:rotate(-45deg)}.open-nav #tryKubernetes,.y-enough #tryKubernetes{width:150px;background-color:#3371e3;border-color:#3371e3}.flip-nav header,.open-nav header{box-shadow:0 1px 2px #4c4c4c}.flip-nav #viewDocs,.open-nav #viewDocs{border-color:#303030;color:#303030}.flip-nav #viewDocs:hover,.open-nav #viewDocs:hover{border-color:#3371e3;background-color:#3371e3;color:#fff}.flip-nav #hamburger:hover div,.flip-nav #hamburger:hover:before,.flip-nav #hamburger:hover:after,.open-nav #hamburger:hover div,.open-nav #hamburger:hover:before,.open-nav 
#hamburger:hover:after{background-color:#303030}#hero{background-image:url(/images/texture.png);background-color:#303030;text-align:center;padding-left:0;padding-right:0;margin-bottom:0;position:relative}#hero.bot-bar:after{display:block;margin-bottom:-20px;height:8px;width:100%;background-color:rgba(255,255,255,.1);content:''}#hero.no-sub h5{display:none}#hero.no-sub h1{margin-bottom:20px}#home #hero:after{display:none}#vendorStrip{position:relative;background-color:rgba(255,255,255,.1);font-weight:100;white-space:nowrap;text-align:center}#vendorStrip li a{color:rgba(255,255,255,.5)}#vendorStrip li a.YAH{color:#fff;position:relative}footer{width:100%;background-image:url(/images/texture.png);background-color:#303030}footer main{padding:20px 0}footer nav a{width:100%;text-align:center;display:inline-block;margin:10px 0;font-size:24px;font-weight:300;color:#fff;text-decoration:none}footer .social{margin:20px 0}footer .social div{text-align:center;margin-bottom:20px}footer .social div:last-child{margin:30px 0}footer .social span{display:block;margin-bottom:8px}footer .social input{text-align:center}#search,#wishField{background-color:transparent;padding:10px;font-size:16px;font-weight:100;color:#fff;border:1px solid #fff;transition:.3s}#search:focus,#wishField:focus{background-color:#f7f7f7;color:#303030}.social a{display:inline-block;background-image:url(/images/social_sprite.png);background-repeat:no-repeat;background-size:auto;width:50px;height:50px;border-radius:5px;margin-right:10px}.social a:hover{background-color:#fff}.social a span{position:absolute;display:block;height:0;overflow:hidden}.social a.button{background-image:none;width:auto;height:auto}.social a.button:hover{color:#3371e3}a.twitter{background-position:0 0}a.twitter:hover{background-position:0 100%}a.stack-overflow{background-position:-50px 0}a.stack-overflow:hover{background-position:-50px 100%}a.slack{background-position:-100px 0}a.slack:hover{background-position:-100px 
100%}a.github{background-position:-150px 0}a.github:hover{background-position:-150px 100%}a.mailing-list{background-position:-200px 0}a.mailing-list:hover{background-position:-200px 100%}a.calendar{background-position:-250px 0}a.calendar:hover{background-position:-250px 100%}#viewDocs{display:none}section{background-color:#fff}#hero{background-color:#303030}#hero h5{margin:20px 0;line-height:28px}#vendorStrip{position:relative}#vendorStrip ul{float:left}#vendorStrip li{display:inline-block;height:100%}#vendorStrip a{display:block;height:100%;color:#fff;font-size:.75em;font-weight:700}#vendorStrip li+li{margin-left:0}#docs #vendorStrip{line-height:44px}#docs #vendorStrip ul{float:none}#docs #vendorStrip #searchBox{float:none;display:block;width:80%;margin:0 auto;height:44px;line-height:44px;position:relative}#docs #vendorStrip #searchBox:before{position:absolute;width:15px;height:15px;content:'';right:8px;top:7px;background-image:url(/images/search-icon.svg);background-repeat:no-repeat;background-size:100% 100%;z-index:1}#docs #vendorStrip #search{width:100%;padding:0 10px;height:30px;line-height:30px;font-size:16px;vertical-align:top;background:#fff;border:0;border-radius:4px;position:relative}#encyclopedia{position:relative;padding:50px 20px 20px;overflow:hidden;font-size:14px}#encyclopedia>div{height:100%}#docsToc{position:fixed;background-color:#fff;top:0;left:0;width:0;height:100vh;overflow:hidden;padding:50px 0;z-index:999999;transition:.3s}#docsToc .yah>.title{background-color:#f7f7f7;border-left:3px solid #3371e3;padding:7.5px 10px 7.5px 18px;margin-left:-3px;color:#3371e3}.open-toc body{overflow:hidden}.open-toc #docsToc{padding:50px 20px;width:400px;max-width:100vw;overflow-y:auto}.pi-accordion>.container:first-child>.item:first-child>.title:first-child{padding-left:0;font-size:1.5em;font-weight:700}.pi-accordion>.container:first-child>.item.yah:first-child>.title:first-child{margin-left:-20px!important}.pi-accordion .item{overflow:hidden}.pi-accordion 
.title{color:#303030;position:relative;padding:7.5px 10px 7.5px 18px;cursor:pointer;transition:.3s}.pi-accordion .title:hover{color:#3371e3}.pi-accordion a.item>.title{color:#000}.pi-accordion a.item>.title:hover{color:#3371e3}.pi-accordion div.item>.title:before{content:"";position:absolute;top:12px;left:2px;border-style:solid;border-width:5px 0 5px 8px;border-color:transparent transparent transparent #3371e3;transform:rotate(0deg);transition:.3s}.pi-accordion .wrapper{position:relative;width:100%;transition:height .3s}.pi-accordion .content{padding-left:20px;opacity:0;transition:.3s}.pi-accordion .item.on>.title:before{transform:rotate(90deg)}.pi-accordion .item.on>.wrapper>.content{opacity:1}dt{margin-bottom:8px}dd{margin-bottom:16px}.pi-pushmenu{display:none;position:fixed;top:0;width:100%;height:100%;opacity:0;transition:opacity .3s}.pi-pushmenu.on{opacity:1}.pi-pushmenu .overlay{position:fixed;top:0;left:0;width:100%;height:100%;background-color:rgba(0,0,0,.4)}.pi-pushmenu .sled{position:absolute;top:0;width:0;height:100%;background-color:#fff;overflow:auto;transition:.3s}.pi-pushmenu.on .sled{width:400px;max-width:100vw}.pi-pushmenu .top-bar{height:0;line-height:60px;background-color:#444}.pi-pushmenu ul{margin-top:25px}.pi-pushmenu li{position:relative;display:block;width:100%;min-height:45px;padding:0 60px 0 20px;border-bottom:1px solid #ccc}.pi-pushmenu a{display:inline-block;width:100%;height:45px;line-height:45px;font-family:roboto,sans-serif;font-size:20px;color:#3371e3}.pi-pushmenu .button{background:0 0;padding:0}.pi-pushmenu ul ul{padding:0 20px}.pi-pushmenu ul ul li{min-height:40px}.pi-pushmenu ul ul a{height:40px;line-height:40px;font-size:18px;color:#555}.push-menu-close-button{position:absolute;top:0;right:0;width:50px;height:50px}.push-menu-close-button:before,.push-menu-close-button:after{content:"";position:absolute;top:calc(50% - 
1px);left:25%;width:50%;height:2px;background-color:#000}.push-menu-close-button:before{transform:rotate(45deg)}.push-menu-close-button:after{transform:rotate(-45deg)}#docsContent{position:relative;float:right;width:100%}#docsContent *+h2,#docsContent *+h3,#docsContent *+h4,#docsContent *+h5,#docsContent *+h6{margin-top:30px}#docsContent h1,#docsContent h2,#docsContent h3,#docsContent h4,#docsContent h5,#docsContent h6{line-height:normal;font-weight:500;margin-bottom:30px;padding-bottom:10px}#docsContent h1:before,#docsContent h2:before,#docsContent h3:before,#docsContent h4:before,#docsContent h5:before,#docsContent h6:before{display:block;content:" ";margin-top:-100px;height:100px;visibility:hidden}#docsContent h1,#docsContent h2{border-bottom:1px solid #ccc}#docsContent h1{font-size:32px;padding-right:60px}#docsContent h2{font-size:28px}#docsContent h3{font-size:24px;font-weight:300;margin-bottom:5px}#docsContent h4{font-size:20px;margin-bottom:0}#docsContent h5,#docsContent h6{font-size:16px;font-weight:500}#docsContent p{font-size:16px;font-weight:300;line-height:1.75em}#docsContent p+p{margin-top:10px}#docsContent code{display:inline-block;box-sizing:border-box;background-color:#f7f7f7;color:#303030;font-family:roboto mono,monospace;vertical-align:baseline;font-size:14px;font-weight:700;padding:2px 4px}#docsContent a code{color:#3371e3;text-decoration:underline}#docsContent pre .pi,#docsContent pre .s{margin:0;padding:0}#docsContent .highlight code span,#docsContent code,#docsContent pre code{font-family:roboto mono,monospace}#docsContent code,#docsContent pre code{color:#303030}#docsContent pre code{padding:0}#docsContent pre{background-color:#f7f7f7;display:block;margin:20px 0;padding:15px;position:relative;overflow-x:auto}#docsContent h1 code,#docsContent h2 code,#docsContent h3 code,#docsContent h4 code,#docsContent h5 code,#docsContent h6 code{font-family:inherit;font-size:inherit;background-color:transparent}#docsContent 
.includecode{table-layout:fixed}#docsContent .includecode,#docsContent .includecode th,#docsContent .includecode td{padding:0!important}#docsContent .includecode th{text-align:right!important;padding:10px!important}#docsContent .includecode th a,#docsContent .includecode th a code{color:#fff!important;background-color:transparent!important}#docsContent .includecode pre{margin:0!important}#docsContent ul li{list-style:disc}#docsContent ol li{list-style:decimal}#docsContent ul,#docsContent ol{margin:20px 0;padding-left:30px;font-weight:300}#docsContent ul ul,#docsContent ol ol,#docsContent ul ol,#docsContent ol ul{margin:.75em 0}#docsContent li{margin-bottom:.75em;font-size:16px;line-height:1.75em}#docsContent table{width:100%;border:1px solid #ccc;border-spacing:0;margin-top:30px;margin-bottom:30px}#docsContent thead,#docsContent tr:nth-child(even){background-color:#f7f7f7}#docsContent thead{background-color:#555;color:#fff}#docsContent th,#docsContent td{padding:8px;text-align:left;margin:0}#docsContent th{font-weight:400}#docsContent td{font-size:.85em}#docsContent #editPageButton{position:absolute;top:-25px;right:5px;width:50px;height:50px;line-height:50px;border-radius:50%;white-space:nowrap;text-indent:50px;overflow:hidden;background:#3371e3 url(/images/icon-pencil.svg) no-repeat;background-position:12px 10px;background-size:29px 29px}#docsContent #markdown-toc,#docsContent #TableOfContents{margin-bottom:20px}#docsContent #markdown-toc ul,#docsContent #markdown-toc li,#docsContent #TableOfContents ul,#docsContent #TableOfContents li{list-style:disc;color:#3371e3}#docsContent #markdown-toc ul,#docsContent #TableOfContents ul{padding:0 15px;margin:0}#docsContent #markdown-toc li,#docsContent #TableOfContents li{padding:0;line-height:1.5em;margin-bottom:0}#docsContent #markdown-toc a,#docsContent #TableOfContents a{position:relative;color:#3371e3;font-weight:700}#docsContent img{max-width:100%}#docsContent a{text-decoration:underline}#docsContent 
#TableOfContents>ul>li{list-style:none}#docsContent #TableOfContents ul,#docsContent #TableOfContents li{list-style:disk}.fixed footer{position:fixed;bottom:0}#miceType{clear:both;font-size:11px;line-height:18px;color:#aaa}html.search #docsContent{position:relative;float:none;width:90%;max-width:850px;margin:0 auto}html.search #docsContent #editPageButton{display:none}html.search #docsContent table{border:0;margin-bottom:0}html.search #docsContent td{padding:0}html.search #docsContent h1{margin-bottom:0;border-bottom:0;padding-bottom:0;padding-left:8px}#home.flip-nav .logo,#home.open-nav .logo{background-image:url(/images/nav_logo2.svg)}#home #hero{margin-bottom:0;padding-bottom:1px}#home #hero main{padding:0 10px;margin-bottom:30px}#home #hero #vendorStrip{display:none}#oceanNodes{padding-top:60px;padding-bottom:60px}#oceanNodes a{color:#3371e3}#oceanNodes main{margin-bottom:60px;min-height:160px}#oceanNodes .image-wrapper{max-width:75%;margin:0 auto 20px;text-align:center}#oceanNodes .image-wrapper img{width:100%;max-width:160px}#oceanNodes main:first-child .image-wrapper{max-width:100%}#oceanNodes main:first-child .image-wrapper img{max-width:491px}#oceanNodes h3{margin-bottom:30px}#video{height:200px}#video{width:100%;position:relative;background-image:url(/images/kub_video_banner_homepage.jpg);background-position:center center;background-size:cover}#video>.light-text{display:none;position:absolute;top:50%;left:75%;width:525px;padding-right:80px;transform:translate(-50%,-50%);color:#fff}#video h2{font-size:32px;line-height:44px;margin-bottom:20px}#video p{margin-bottom:20px}#video #desktopKCButton{position:relative;font-size:18px;background-color:#303030;border-radius:8px;color:#fff;padding:20px 10px}#video #desktopShowVideoButton{position:relative;font-size:24px;background-color:#fff;border-radius:8px;color:#3371e3;padding:15px 30px 15px 80px;margin-bottom:15px}#video 
#desktopShowVideoButton:before{content:"";position:absolute;position:absolute;top:50%;left:40px;transform:translate(-50%,-50%);width:0;height:0;border-style:solid;border-width:10px 0 10px 20px;border-color:transparent transparent transparent #3371e3}#video #mobileShowVideoButton{position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);width:80px;height:80px;border-radius:50%;background-color:transparent;border:5px solid rgba(255,255,255,.2);overflow:visible}#video #mobileShowVideoButton:after{position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);left:40px;content:"";width:0;height:0;border-style:solid;border-width:20px 0 20px 30px;border-color:transparent transparent transparent #fff}#videoPlayer{position:fixed;top:0;left:0;width:100vw;height:100vh;background-color:rgba(0,0,0,.9);display:none}#videoPlayer iframe{position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);width:80vw;height:45vw;max-width:142.22222222vh;max-height:80vh}#videoPlayer #closeButton{position:absolute;top:20px;right:20px;width:50px;height:50px;border:2px solid transparent;transition:.3s}#videoPlayer #closeButton:before,#videoPlayer #closeButton:after{content:"";position:absolute;top:calc(50% - 1px);left:10%;width:80%;height:2px;background-color:#fff}#videoPlayer #closeButton:before{transform:rotate(45deg)}#videoPlayer #closeButton:after{transform:rotate(-45deg)}#videoPlayer #closeButton:hover{border-color:#fff}#cncf{padding-top:60px;padding-bottom:140px;background-color:#f7f7f7;background-image:url(/images/cncf-color.png);background-position:center 100px;background-repeat:no-repeat;background-size:300px}#features{padding-top:140px;background-color:#f7f7f7;background-image:url(/images/wheel.png);background-position:center 60px;background-repeat:no-repeat;background-size:auto}.feature-box{width:100%;overflow:hidden;clear:both}.feature-box 
h4{line-height:normal;margin-bottom:15px}.feature-box>div:first-child{float:left}.feature-box>div:last-child{float:right}#features h3{margin-bottom:20px}#features .feature-box{margin-bottom:0}#features .feature-box>div{width:100%;margin-bottom:40px}#community.open-nav .logo,#community.flip-nav .logo,.gridPage.open-nav .logo,.gridPage.flip-nav .logo{background-image:url(/images/nav_logo2.svg)}#community #hero,.gridPage #hero{padding-bottom:20px}#community #mainContent,.gridPage #mainContent{padding:20px 0}#community #mainContent main,.gridPage #mainContent main{max-width:none}#community #mainContent a,.gridPage #mainContent a{color:#3371e3}#community #mainContent .content,.gridPage #mainContent .content{margin-bottom:30px;padding:30px 0}#community #mainContent .content h1,#community #mainContent .content h2,#community #mainContent .content h3,#community #mainContent .content h4,#community #mainContent .content h5,#community #mainContent .content h6,#community #mainContent .content p,.gridPage #mainContent .content h1,.gridPage #mainContent .content h2,.gridPage #mainContent .content h3,.gridPage #mainContent .content h4,.gridPage #mainContent .content h5,.gridPage #mainContent .content h6,.gridPage #mainContent .content p{line-height:normal;max-width:1200px;padding:0 20px;margin:0 auto 20px}#community #mainContent .content:nth-child(even),.gridPage #mainContent .content:nth-child(even){background-color:#f7f7f7}#community #mainContent .company-logos,.gridPage #mainContent .company-logos{text-align:center;max-width:1200px;margin:0 auto}#community #mainContent .company-logos img,.gridPage #mainContent .company-logos img{width:auto;margin:10px;background-color:#f7f7f7}#community #mainContent .partner-logos,.gridPage #mainContent .partner-logos{text-align:center;max-width:1200px;margin:0 auto}#community #mainContent .partner-logos img,.gridPage #mainContent .partner-logos img{width:auto;margin:10px;background-color:#fff;box-shadow:0 5px 5px rgba(0,0,0,.24),0 0 5px 
rgba(0,0,0,.12)}#community #mainContent #calendarMeetings,.gridPage #mainContent #calendarMeetings{position:relative;width:80vw;height:60vw;max-width:1200px;max-height:900px;margin:20px auto}#community #mainContent #calendarEvents,.gridPage #mainContent #calendarEvents{position:relative;width:80vw;height:30vw;max-width:1200px;max-height:450px;margin:20px auto}#community #mainContent iframe,.gridPage #mainContent iframe{position:absolute;border:0;width:100%;height:100%}.ui-icon{display:inline-block!important}#feature-state-dialog-link{text-decoration:none!important;padding:5px!important}#feature-state-dialog-link a:visited{color:#454545!important}#feature-state-dialog-link a code{display:inline-block!important;box-sizing:border-box!important;background-color:#f7f7f7!important;color:#303030!important;font-family:roboto mono,monospace!important;vertical-align:baseline!important;font-size:14px!important;font-weight:700!important;padding:0 4px!important}#feature-state-dialog{background:#fff!important;border:1px solid #ddd!important;padding:.5em 1em!important}#feature-state-dialog ul,#feature-state-dialog li{list-style:disc!important;margin:4px 12px!important}#feature-state-dialog p{margin:8px 0!important}#feature-state-dialog code{display:inline-block!important;box-sizing:border-box!important;background-color:#f7f7f7!important;color:#303030!important;font-family:roboto mono,monospace!important;vertical-align:baseline!important;font-size:14px!important;font-weight:700!important;padding:0 4px!important}.ui-dialog{background:#f7f7f7!important;padding:.5em}.ui-dialog-content{position:relative;float:right;width:100%}.ui-dialog-content *+h2,.ui-dialog-content *+h3,.ui-dialog-content *+h4,.ui-dialog-content *+h5,.ui-dialog-content *+h6{margin-top:30px}.ui-dialog-content h1,.ui-dialog-content h2,.ui-dialog-content h3,.ui-dialog-content h4,.ui-dialog-content h5,.ui-dialog-content h6{line-height:normal;font-weight:500;margin-bottom:30px;padding-bottom:10px}.ui-dialog-content 
h1:before,.ui-dialog-content h2:before,.ui-dialog-content h3:before,.ui-dialog-content h4:before,.ui-dialog-content h5:before,.ui-dialog-content h6:before{display:block;content:" ";margin-top:-100px;height:100px;visibility:hidden}.ui-dialog-content h1,.ui-dialog-content h2{border-bottom:1px solid #ccc}.ui-dialog-content h1{font-size:32px;padding-right:60px}.ui-dialog-content h2{font-size:28px}.ui-dialog-content h3{font-size:24px;font-weight:300;margin-bottom:5px}.ui-dialog-content h4{font-size:20px;margin-bottom:0}.ui-dialog-content h5,.ui-dialog-content h6{font-size:16px;font-weight:500}.ui-dialog-content p{font-size:16px;font-weight:300;line-height:1.75em}.ui-dialog-content p+p{margin-top:10px}.ui-dialog-content code{display:inline-block;box-sizing:border-box;background-color:#f7f7f7;color:#303030;font-family:roboto mono,monospace;vertical-align:baseline;font-size:14px;font-weight:700;padding:2px 4px}.ui-dialog-content a code{color:#3371e3;text-decoration:underline}.ui-dialog-content pre .pi,.ui-dialog-content pre .s{margin:0;padding:0}.ui-dialog-content .highlight code span,.ui-dialog-content code,.ui-dialog-content pre code{font-family:roboto mono,monospace}.ui-dialog-content code,.ui-dialog-content pre code{color:#303030}.ui-dialog-content pre code{padding:0}.ui-dialog-content pre{background-color:#f7f7f7;display:block;margin:20px 0;padding:15px;position:relative;overflow-x:auto}.ui-dialog-content h1 code,.ui-dialog-content h2 code,.ui-dialog-content h3 code,.ui-dialog-content h4 code,.ui-dialog-content h5 code,.ui-dialog-content h6 code{font-family:inherit;font-size:inherit;background-color:transparent}.ui-dialog-content .includecode{table-layout:fixed}.ui-dialog-content .includecode,.ui-dialog-content .includecode th,.ui-dialog-content .includecode td{padding:0!important}.ui-dialog-content .includecode th{text-align:right!important;padding:10px!important}.ui-dialog-content .includecode th a,.ui-dialog-content .includecode th a 
code{color:#fff!important;background-color:transparent!important}.ui-dialog-content .includecode pre{margin:0!important}.ui-dialog-content ul li{list-style:disc}.ui-dialog-content ol li{list-style:decimal}.ui-dialog-content ul,.ui-dialog-content ol{margin:20px 0;padding-left:30px;font-weight:300}.ui-dialog-content ul ul,.ui-dialog-content ol ol,.ui-dialog-content ul ol,.ui-dialog-content ol ul{margin:.75em 0}.ui-dialog-content li{margin-bottom:.75em;font-size:16px;line-height:1.75em}.ui-dialog-content table{width:100%;border:1px solid #ccc;border-spacing:0;margin-top:30px;margin-bottom:30px}.ui-dialog-content thead,.ui-dialog-content tr:nth-child(even){background-color:#f7f7f7}.ui-dialog-content thead{background-color:#555;color:#fff}.ui-dialog-content th,.ui-dialog-content td{padding:8px;text-align:left;margin:0}.ui-dialog-content th{font-weight:400}.ui-dialog-content td{font-size:.85em}.ui-dialog-content #editPageButton{position:absolute;top:-25px;right:5px;width:50px;height:50px;line-height:50px;border-radius:50%;white-space:nowrap;text-indent:50px;overflow:hidden;background:#3371e3 url(/images/icon-pencil.svg) no-repeat;background-position:12px 10px;background-size:29px 29px}.ui-dialog-content #markdown-toc{margin-bottom:20px}.ui-dialog-content #markdown-toc ul,.ui-dialog-content #markdown-toc li{list-style:disc;color:#3371e3}.ui-dialog-content #markdown-toc ul{padding:0 15px;margin:0}.ui-dialog-content #markdown-toc li{padding:0;line-height:1.5em;margin-bottom:0}.ui-dialog-content #markdown-toc a{position:relative;color:#3371e3;font-weight:700}.ui-dialog-content img{max-width:100%}.ui-dialog-content a{text-decoration:underline}.ui-dialog-buttonpane{background:#f7f7f7!important}.ui-widget-header{background:0 0!important;background-color:transparent!important;border:0!important}.ui-tabs ul,.ui-tabs ol,.ui-tabs li{padding:0!important;list-style:none!important;margin-bottom:0!important;margin-left:4px!important}.ui-tabs-panel ul 
li{list-style:disc!important}.ui-tabs-panel ol li{list-style:decimal!important}.ui-widget-content{border:0!important}.ui-widget-content table{margin:0!important}.ui-tabs .ui-tabs-panel{border:1px solid #ccc!important}.ui-tabs-anchor{text-decoration:none!important}#talkToUs h3,#talkToUs h4{text-align:center}#talkToUs h3{margin-bottom:15px}#talkToUs h4{line-height:normal;margin-bottom:50px}#talkToUs h4 br{display:none}#talkToUs #bigSocial{overflow:hidden}#talkToUs #bigSocial div{width:100%;float:left;padding:30px;padding-top:110px;background-position:center top;background-size:auto;background-repeat:no-repeat}#talkToUs #bigSocial div:nth-child(1){background-image:url(/images/twitter_icon.png)}#talkToUs #bigSocial div:nth-child(2){background-image:url(/images/github_icon.png)}#talkToUs #bigSocial div:nth-child(3){background-image:url(/images/slack_icon.png)}#talkToUs #bigSocial div:nth-child(4){background-image:url(/images/stackoverflow_icon.png)}#talkToUs #bigSocial div+div{margin-top:20px;margin-left:0}#talkToUs #bigSocial a{display:inline-block;color:#3371e3;font-size:24px;font-weight:400;text-decoration:none;margin-bottom:15px}#talkToUs #bigSocial a,#talkToUs #bigSocial p{text-align:center;width:100%}#home #talkToUs main{padding:30px 0}#home #talkToUs h5{font-size:20px}#home #caseStudiesWrapper{position:relative;text-align:center;margin-bottom:30px}#home #caseStudiesWrapper div{position:relative;display:inline-block;vertical-align:top;width:100%;min-height:230px;padding:125px 10px 15px;margin-bottom:30px;background-position:top center;background-repeat:no-repeat}#home #caseStudiesWrapper div:nth-child(1){background-image:url(/images/community_logos/pearson_logo.png)}#home #caseStudiesWrapper div:nth-child(2){background-image:url(/images/community_logos/box_logo.png)}#home #caseStudiesWrapper div:nth-child(3){background-image:url(/images/community_logos/ebay_logo.png)}#home #caseStudiesWrapper 
div:nth-child(4){background-image:url(/images/community_logos/wikimedia_foundation_logo.png)}#home #caseStudiesWrapper p{font-size:20px}#home #caseStudiesWrapper a{position:absolute;bottom:0;left:50%;transform:translateX(-50%);color:#3371e3;font-weight:400}.cse .gsc-control-cse,.gsc-control-cse{padding:0}.gsc-control-cse table,.gsc-control-cse-en table{margin:0!important}.gsc-above-wrapper-area{border-bottom:0}#bing-results-container{margin-top:30px;margin-left:20px}.bing-result{margin-bottom:20px}.bing-result-name a{font-size:16px;color:#00c}.bing-result-url{color:green;font-size:13px}.bing-result-snippet{color:#000;font-size:11px}#bing-pagination-container{margin:10px;margin-left:20px}.bing-page-anchor{text-decoration:none!important;cursor:pointer;color:#00c;margin-right:8px}hr{background-color:#999}h2{margin-bottom:15px!important}.subhead{padding-bottom:2%!important;padding-top:0%!important}.details{margin-left:1.9%;padding-right:5%;font-size:16px!important;padding-bottom:2%!important}.section1{margin-bottom:3%}.section1 .cols{width:80%!important;margin-left:6.8%;padding-top:1.5%}.section1 .cols .col1{width:52%!important;font-weight:300!important}.section1 .cols .col2{width:46%!important}.banner2text{width:63%;padding-top:10%;padding-left:0%!important;float:initial!important;text-align:center;margin:0 auto;position:relative}.banner3text,.banner4text,.banner5text{width:63%;padding-left:0%!important;float:initial!important;text-align:center;margin:0 auto;position:relative}.fullcol{float:initial!important}body footer{background-color:#585858!important}.section1{float:left!important}.banner1{padding-left:11.9%!important}.banner2{float:initial!important;padding-bottom:2%!important}footer{padding:0% 7%}.banner4,.banner3,.banner5{float:initial!important}@media screen and (max-width:910px){.banner2text{width:47%;padding-top:45%}.details{margin-left:0%;margin-bottom:3%}.subhead{padding-bottom:0%!important;padding-top:0%!important}.banner3{width:100%!important}}@media 
screen and (max-width:780px){.section1 .cols{width:100%!important;margin-left:0%;padding-top:5%}.section1 .cols .col1,.section1 .cols .col2{width:100%!important;margin-left:0%!important}.fullcol{width:90%!important;margin-left:5%!important}.banner1{padding-left:10%!important;margin-bottom:6%!important}.banner2text{padding-top:60%!important;padding-bottom:2%!important}}@media screen and (min-width:750px){h1{font-size:32px;line-height:40px}h2{font-size:28px;line-height:60px}h3{font-size:24px;line-height:32px}h4{font-size:20px;line-height:40px}h5{font-size:16px;line-height:36px}p{font-size:14px;line-height:22px}section,header,#vendorStrip{padding-left:20px;padding-right:20px}section main,header main,#vendorStrip main{width:100%;max-width:100%}header{height:80px}.nav-buttons{height:80px;line-height:80px}.nav-buttons .button+*{margin-left:30px}#hamburger{width:50px;height:50px}#mainNav{padding:140px 0 30px}#mainNav h5{margin-bottom:1em}#mainNav h3{margin-bottom:.6em}#mainNav .nav-box{width:20%}#mainNav .nav-box+.nav-box{margin-left:calc(20%/3)}#mainNav main+main{margin-top:60px}#mainNav .left .button{height:50px;line-height:50px;font-size:18px}.open-nav #tryKubernetes,.y-enough #tryKubernetes{margin-left:30px}#hero{padding-top:80px}#docs #hero h1,#docs #hero h5{padding-left:20px;padding-right:20px}#vendorStrip{height:88px;line-height:88px;font-size:16px}p{font-size:16px;line-height:24px;letter-spacing:.1px}h1{font-size:36px;line-height:44px}h3{font-size:28px;line-height:36px}h4{font-size:24px;line-height:40px}#home #viewDocs,#home #tryKubernetes{display:inline-block}#vendorStrip{display:block;text-align:center}#vendorStrip img{max-height:24px;vertical-align:middle;margin:0 30px}#docs #vendorStrip li a{font-size:1em;font-weight:400}#docs #vendorStrip li li+li{margin-left:60px}#oceanNodes h3{text-align:left;margin-bottom:18px}#oceanNodes main{position:relative;clear:both;display:table}#oceanNodes main 
.content{display:table-cell;position:relative;vertical-align:middle}#oceanNodes main .image-wrapper{position:absolute;top:50%;max-width:25%;max-height:100%;transform:translateY(-50%)}#oceanNodes main:nth-child(odd){padding-right:210px}#oceanNodes main:nth-child(odd) .image-wrapper{right:0}#oceanNodes main:nth-child(even){padding-left:210px}#oceanNodes main:nth-child(even) .image-wrapper{left:0}#oceanNodes main:nth-child(1){padding-right:0}#oceanNodes main:nth-child(1) h3,#oceanNodes main:nth-child(1) p{text-align:center}#oceanNodes main:nth-child(1) .image-wrapper{position:relative;display:block;float:none;max-width:100%;transform:none}#oceanNodes main:nth-child(1) .content{display:block}#oceanNodes main img{width:100%}#video{height:400px;display:block}#video>.light-text{display:block}#mobileShowVideoButton{display:none}#features{padding-bottom:60px}#features .feature-box{margin-bottom:30px}#features .feature-box:last-child{margin-bottom:0}#features h3{margin-bottom:40px}#features .feature-box>div{width:45%;margin-bottom:0}#talkToUs #bigSocial div{width:calc(50% - 15px)}#talkToUs #bigSocial div+div{margin-top:0}#talkToUs #bigSocial div:nth-child(2){margin-left:20px}#talkToUs #bigSocial div:nth-child(3){margin-top:20px}#talkToUs #bigSocial div:nth-child(4){margin-top:20px;margin-left:20px}#talkToUs #bigSocial a{display:inline-block;color:#3371e3;font-weight:400;text-decoration:none}footer nav{text-align:center}footer nav a{width:30%;padding:0 20px}footer .social{text-align:center}footer .social div{display:inline-block}footer .social div:last-child{display:block;margin:0}footer .social span{display:inline-block;margin-right:10px}footer .social input{text-align:left}#home #caseStudiesWrapper div{width:48%}}@media screen and (min-width:1025px){#hamburger{display:none}ul.global-nav{display:inline-block}#docs #vendorStrip #searchBox:before{top:15px}#vendorStrip{height:44px;line-height:44px}#vendorStrip li 
a.YAH:after{content:"";display:block;position:absolute;left:0;bottom:0;width:100%;height:4px;background-color:#3371e3}#vendorStrip #searchBox{float:right}#home #hero #vendorStrip{display:block}#docs #hero h1,#docs #hero h5{text-align:left}#docs #hero #vendorStrip ul{float:left}#docs #hero #vendorStrip #searchBox{float:right;width:250px}#docs #hero #vendorStrip #search{vertical-align:middle}#docs .flyout-button{display:none}#docs .logo{position:relative;float:left;display:block;width:180px;height:88px;top:0;left:0;transform:none;background-image:url(../images/nav_logo.svg)}#docs.flip-nav .logo,#docs.open-nav .logo{background-image:url(../images/nav_logo2.svg)}#encyclopedia{padding:50px 50px 100px 100px;clear:both}#docsToc{position:relative;float:left;padding:0 20px;left:0;width:350px;z-index:auto}#docsToc .push-menu-close-button{display:none}#docsContent{width:calc(100% - 400px)}#docsContent #editPageButton{right:-25px}section main,header main,footer main{max-width:1200px}header,#vendorStrip,#encyclopedia,#hero h1,#hero h5,#docs #hero h1,#docs #hero h5,#community #hero h1,.gridPage #hero h1,#community #hero h5,.gridPage #hero h5{padding-left:100px;padding-right:100px}#vendorStrip{padding-right:10px}#home section main,#home header main,#home footer main{max-width:1e3px}#oceanNodes main{position:relative;max-width:830px}#oceanNodes main:nth-child(1){max-width:1e3px;padding-right:475px}#oceanNodes main:nth-child(1) h3,#oceanNodes main:nth-child(1) p{text-align:left}#oceanNodes main:nth-child(1) .image-wrapper{position:absolute;max-width:48%;transform:translateY(-50%)}#oceanNodes main:nth-child(1) .image-wrapper img{max-width:425px}#video{height:550px;position:relative;background-image:url(../images/kub_video_banner_homepage.jpg);background-position:center center;background-size:cover}#talkToUs h4 br{display:block}#talkToUs #bigSocial div{width:calc(25% - 18px)}#talkToUs #bigSocial 
div+div{margin-left:20px}footer{width:100%;background-image:url(../images/texture.png);background-color:#303030}footer main{padding:20px 0}footer nav{overflow:hidden;margin-bottom:20px}footer nav a{width:16.65%;float:left;font-size:24px;font-weight:300;white-space:nowrap}footer .social{padding:0 30px;max-width:1200px}footer .social div{float:left}footer .social div:last-child{float:right}#search,#wishField{background-color:transparent;padding:10px;font-size:16px;font-weight:100;color:#fff;border:1px solid #fff;transition:.3s}#search:focus,#wishField:focus{background-color:#f7f7f7;color:#303030}.social a{display:inline-block;background-image:url(../images/social_sprite.png);background-repeat:no-repeat;background-size:auto;width:50px;height:50px;border-radius:5px;margin-right:10px}.social a:hover{background-color:#fff}.social a span{position:absolute;display:block;height:0;overflow:hidden}a.twitter{background-position:0 0}a.twitter:hover{background-position:0 100%}a.stack-overflow{background-position:-50px 0}a.stack-overflow:hover{background-position:-50px 100%}a.slack{background-position:-100px 0}a.slack:hover{background-position:-100px 100%}a.github{background-position:-150px 0}a.github:hover{background-position:-150px 100%}a.mailing-list{background-position:-200px 0}a.mailing-list:hover{background-position:-200px 100%}a.calendar{background-position:-250px 0}a.calendar:hover{background-position:-250px 100%}#community #hero,.gridPage #hero{text-align:left}#community #hero h1,.gridPage #hero h1{padding:20px 100px}#community #tryKubernetes,.gridPage #tryKubernetes{width:auto;background-color:#3371e3;padding:0 20px}#bigSocial div{width:calc(25% - 18px)}#home #caseStudiesWrapper div{width:24%;min-height:260px}}@media screen and (min-width:1300px){#vendorStrip{padding-right:100px}}@media screen and (min-width:456px){#vendorStrip li+li{margin-left:20px}}
\ No newline at end of file
diff --git a/resources/_gen/assets/sass/sass/case_study_styles.sass_ba3494e18e2339acfc9f811090f8a3d1.json b/resources/_gen/assets/sass/sass/case_study_styles.sass_ba3494e18e2339acfc9f811090f8a3d1.json
new file mode 100644
index 0000000000000..a2c5ded24ab6e
--- /dev/null
+++ b/resources/_gen/assets/sass/sass/case_study_styles.sass_ba3494e18e2339acfc9f811090f8a3d1.json
@@ -0,0 +1 @@
+{"Target":"css/styles.min.55d1e72cc5418eace24df1a4450abe45a6ee9111f9814269bc6540e8c49d2399.css","MediaType":"text/css","Data":{"Integrity":"sha256-VdHnLMVBjqziTfGkRQq+RabukRH5gUJpvGVA6MSdI5k="}}
\ No newline at end of file
diff --git a/resources/_gen/assets/sass/sass/styles.sass_146085a92036d31fa476cb2cbb0682ce.content b/resources/_gen/assets/sass/sass/styles.sass_146085a92036d31fa476cb2cbb0682ce.content
new file mode 100644
index 0000000000000..f72db6b2e74b1
--- /dev/null
+++ b/resources/_gen/assets/sass/sass/styles.sass_146085a92036d31fa476cb2cbb0682ce.content
@@ -0,0 +1,1937 @@
+html, body {
+ margin: 0;
+ padding: 0; }
+
+input, button {
+ outline: none; }
+
+button {
+ cursor: pointer; }
+
+ul, li {
+ list-style: none; }
+
+ul {
+ margin: 0;
+ padding: 0; }
+
+a {
+ text-decoration: none; }
+
+.clear {
+ display: block;
+ clear: both; }
+
+.light-text {
+ color: white; }
+
+.right {
+ float: right; }
+
+.left {
+ float: left; }
+
+.center {
+ text-align: center; }
+
+*, .button {
+ box-sizing: border-box;
+ font-family: "Roboto", sans-serif;
+ background: none;
+ margin: 0;
+ border: 0; }
+
+body {
+ font-family: "Roboto", sans-serif; }
+
+h1, h2, h5, p {
+ font-weight: 300; }
+
+h3, h4 {
+ font-weight: 400; }
+
+html, body {
+ margin: 0;
+ padding: 0; }
+
+input, button {
+ outline: none; }
+
+button {
+ cursor: pointer; }
+
+ul, li {
+ list-style: none; }
+
+ul {
+ margin: 0;
+ padding: 0; }
+
+a {
+ text-decoration: none; }
+
+.clear {
+ display: block;
+ clear: both; }
+
+.light-text {
+ color: white; }
+
+.right {
+ float: right; }
+
+.left {
+ float: left; }
+
+.center {
+ text-align: center; }
+
+h1 {
+ font-size: 32px;
+ line-height: 40px; }
+
+h2 {
+ font-size: 28px;
+ line-height: 60px; }
+
+h3 {
+ font-size: 24px;
+ line-height: 32px; }
+
+h4 {
+ font-size: 20px;
+ line-height: 40px; }
+
+h5 {
+ font-size: 16px;
+ line-height: 36px; }
+
+p {
+ font-size: 14px;
+ line-height: 22px; }
+
+section, header, #vendorStrip {
+ padding-left: 20px;
+ padding-right: 20px; }
+ section main, header main, #vendorStrip main {
+ width: 100%;
+ max-width: 100%; }
+
+header {
+ height: 80px; }
+
+.nav-buttons {
+ height: 80px;
+ line-height: 80px; }
+ .nav-buttons .button + * {
+ margin-left: 30px; }
+
+#hamburger {
+ width: 50px;
+ height: 50px; }
+
+#mainNav {
+ padding: 140px 0 30px; }
+ #mainNav h5 {
+ margin-bottom: 1em; }
+ #mainNav h3 {
+ margin-bottom: 0.6em; }
+ #mainNav .nav-box {
+ width: 20%; }
+ #mainNav .nav-box + .nav-box {
+ margin-left: calc(20% / 3); }
+ #mainNav main + main {
+ margin-top: 60px; }
+ #mainNav .left .button {
+ height: 50px;
+ line-height: 50px;
+ font-size: 18px; }
+
+.open-nav #tryKubernetes, .y-enough #tryKubernetes {
+ margin-left: 30px; }
+
+#hero {
+ padding-top: 80px; }
+
+#docs #hero h1, #docs #hero h5 {
+ padding-left: 20px;
+ padding-right: 20px; }
+
+#vendorStrip {
+ height: 88px;
+ line-height: 88px;
+ font-size: 16px; }
+
+body {
+ background-color: white; }
+
+section {
+ position: relative;
+ background-color: white; }
+
+section main, header main, footer main {
+ position: relative;
+ margin: auto; }
+
+p {
+ font-size: 14px;
+ font-weight: 400; }
+
+.button {
+ display: inline-block;
+ border-radius: 6px;
+ padding: 0 20px;
+ line-height: 40px;
+ color: white;
+ background-color: #3371e3;
+ text-decoration: none; }
+
+#cellophane {
+ position: fixed;
+ top: 0;
+ left: 0;
+ width: 100%;
+ height: 100%;
+ display: none; }
+
+header {
+ position: fixed;
+ top: 0;
+ left: 0;
+ width: 100%;
+ z-index: 8888;
+ background-color: transparent;
+ box-shadow: 0 0 0 transparent;
+ overflow: hidden;
+ transition: 0.3s;
+ text-align: center; }
+
+.logo {
+ position: relative;
+ float: left;
+ display: block;
+ width: 180px;
+ height: 88px;
+ top: 0;
+ left: 0;
+ transform: none;
+ background-image: url(/images/nav_logo.svg);
+ background-size: contain;
+ background-position: center center;
+ background-repeat: no-repeat; }
+
+#docs .flyout-button {
+ position: fixed;
+ top: 20px;
+ left: 20px;
+ width: 50px;
+ height: 50px;
+ background-image: url(/images/toc_icon.png);
+ background-position: center center;
+ background-repeat: no-repeat;
+ background-size: auto;
+ border-radius: 50%;
+ transition: 0.3s;
+ z-index: 99999; }
+
+#docs.open-nav .flyout-button {
+ display: none; }
+
+#docs .logo {
+ position: absolute;
+ top: 40px;
+ left: 50%;
+ transform: translate(-50%, -50%);
+ display: block;
+ width: 45px;
+ height: 44px;
+ background-image: url(/images/favicon.png); }
+
+#docs.flip-nav .flyout-button {
+ background-image: url(/images/toc_icon_grey.png); }
+
+.nav-buttons {
+ float: right; }
+
+#viewDocs, #tryKubernetes {
+ display: none; }
+
+#viewDocs {
+ border: 2px solid white;
+ background-color: transparent;
+ transition: 0.3s; }
+ #viewDocs:hover {
+ background-color: white;
+ color: #303030; }
+
+#tryKubernetes {
+ width: 0;
+ padding: 0 0;
+ border: 1px solid transparent;
+ background-color: transparent;
+ text-align: center;
+ white-space: nowrap;
+ vertical-align: middle;
+ overflow: hidden;
+ transition: 0.3s; }
+
+#hamburger {
+ display: inline-block;
+ position: relative;
+ vertical-align: middle;
+ padding: 0;
+ border: 0;
+ background: none; }
+ #hamburger div, #hamburger:before, #hamburger:after {
+ position: absolute;
+ left: 15%;
+ width: 70%;
+ height: 2px;
+ background-color: #3371e3;
+ transition: 0.3s;
+ content: ""; }
+ #hamburger div {
+ top: calc(50% - 1px); }
+ #hamburger:before {
+ top: 24%; }
+ #hamburger:after {
+ bottom: 24%; }
+ #hamburger:hover div, #hamburger:hover:before, #hamburger:hover:after {
+ background-color: white; }
+
+#mainNav h5 {
+ color: #3371e3;
+ font-weight: normal; }
+
+#mainNav main {
+ white-space: nowrap;
+ overflow: hidden;
+ clear: both; }
+
+#mainNav .nav-box {
+ float: left;
+ white-space: normal; }
+
+#mainNav h3 a {
+ color: #3371e3;
+ text-decoration: none; }
+
+ul.global-nav {
+ display: none; }
+ ul.global-nav li {
+ display: inline-block;
+ margin-right: 14px; }
+ ul.global-nav li a {
+ color: #fff;
+ font-weight: 400;
+ padding: 0;
+ position: relative; }
+ ul.global-nav li a.active:after {
+ position: absolute;
+ width: 100%;
+ height: 2px;
+ content: '';
+ bottom: -4px;
+ left: 0;
+ background: #fff; }
+ ul.global-nav li a .ui-icon {
+ filter: brightness(0) invert(1); }
+ ul.global-nav li ul {
+ display: none;
+ position: fixed;
+ top: 40px;
+ text-align: left; }
+ ul.global-nav li ul li {
+ display: block;
+ height: 28px; }
+ ul.global-nav li ul li a {
+ background: #303030;
+ color: #fff;
+ padding: 7px; }
+ ul.global-nav li ul li:last-child a {
+ border-radius: 7px; }
+ ul.global-nav li:hover ul {
+ display: block; }
+
+.flip-nav ul.global-nav li a,
+.open-nav ul.global-nav li a {
+ color: #303030; }
+
+.flip-nav ul.global-nav li a .ui-icon {
+ filter: brightness(0); }
+
+.flip-nav ul.global-nav li ul li a {
+ background: #fff;
+ color: #303030; }
+
+.flip-nav ul.global-nav li a.active:after,
+.flip-nav ul.global-nav li ul li a.active:after,
+.open-nav ul.global-nav li a.active:after {
+ background: #3371e3; }
+
+.flip-nav header {
+ background-color: white; }
+
+.open-nav body {
+ overflow: hidden; }
+
+.open-nav #cellophane {
+ display: block;
+ z-index: 9998; }
+
+.open-nav header {
+ background-color: #e8e8e8;
+ z-index: 9999; }
+
+.open-nav #hamburger div {
+ opacity: 0; }
+
+.open-nav #hamburger:before, .open-nav #hamburger:after {
+ left: 12px;
+ transform-origin: 0 1px; }
+
+.open-nav #hamburger:before {
+ transform: rotate(45deg); }
+
+.open-nav #hamburger:after {
+ transform: rotate(-45deg); }
+
+.open-nav #tryKubernetes, .y-enough #tryKubernetes {
+ width: 150px;
+ background-color: #3371e3;
+ border-color: #3371e3; }
+
+.flip-nav header, .open-nav header {
+ box-shadow: 0 1px 2px #4c4c4c; }
+
+.flip-nav #viewDocs, .open-nav #viewDocs {
+ border-color: #303030;
+ color: #303030; }
+ .flip-nav #viewDocs:hover, .open-nav #viewDocs:hover {
+ border-color: #3371e3;
+ background-color: #3371e3;
+ color: white; }
+
+.flip-nav #hamburger:hover div, .flip-nav #hamburger:hover:before, .flip-nav #hamburger:hover:after, .open-nav #hamburger:hover div, .open-nav #hamburger:hover:before, .open-nav #hamburger:hover:after {
+ background-color: #303030; }
+
+#hero {
+ background-image: url(/images/texture.png);
+ background-color: #303030;
+ text-align: center;
+ padding-left: 0;
+ padding-right: 0;
+ margin-bottom: 0;
+ position: relative; }
+ #hero.bot-bar:after {
+ display: block;
+ margin-bottom: -20px;
+ height: 8px;
+ width: 100%;
+ background-color: rgba(255, 255, 255, 0.1);
+ content: ''; }
+ #hero.no-sub h5 {
+ display: none; }
+ #hero.no-sub h1 {
+ margin-bottom: 20px; }
+
+#home #hero:after {
+ display: none; }
+
+#vendorStrip {
+ position: relative;
+ background-color: rgba(255, 255, 255, 0.1);
+ font-weight: 100;
+ white-space: nowrap;
+ text-align: center; }
+ #vendorStrip li a {
+ color: rgba(255, 255, 255, 0.5); }
+ #vendorStrip li a.YAH {
+ color: white;
+ position: relative; }
+
+footer {
+ width: 100%;
+ background-image: url(/images/texture.png);
+ background-color: #303030; }
+ footer main {
+ padding: 20px 0; }
+ footer nav a {
+ width: 100%;
+ text-align: center;
+ display: inline-block;
+ margin: 10px 0;
+ font-size: 24px;
+ font-weight: 300;
+ color: white;
+ text-decoration: none; }
+ footer .social {
+ margin: 20px 0; }
+ footer .social div {
+ text-align: center;
+ margin-bottom: 20px; }
+ footer .social div:last-child {
+ margin: 30px 0; }
+ footer .social span {
+ display: block;
+ margin-bottom: 8px; }
+ footer .social input {
+ text-align: center; }
+
+#search, #wishField {
+ background-color: transparent;
+ padding: 10px;
+ font-size: 16px;
+ font-weight: 100;
+ color: white;
+ border: 1px solid white;
+ transition: 0.3s; }
+ #search:focus, #wishField:focus {
+ background-color: #f7f7f7;
+ color: #303030; }
+
+.social a {
+ display: inline-block;
+ background-image: url(/images/social_sprite.png);
+ background-repeat: no-repeat;
+ background-size: auto;
+ width: 50px;
+ height: 50px;
+ border-radius: 5px;
+ margin-right: 10px; }
+ .social a:hover {
+ background-color: #fff; }
+ .social a span {
+ position: absolute;
+ display: block;
+ height: 0;
+ overflow: hidden; }
+ .social a.button {
+ background-image: none;
+ width: auto;
+ height: auto; }
+ .social a.button:hover {
+ color: #3371e3; }
+
+a.twitter {
+ background-position: 0 0; }
+ a.twitter:hover {
+ background-position: 0 100%; }
+
+a.stack-overflow {
+ background-position: -50px 0; }
+ a.stack-overflow:hover {
+ background-position: -50px 100%; }
+
+a.slack {
+ background-position: -100px 0; }
+ a.slack:hover {
+ background-position: -100px 100%; }
+
+a.github {
+ background-position: -150px 0; }
+ a.github:hover {
+ background-position: -150px 100%; }
+
+a.mailing-list {
+ background-position: -200px 0; }
+ a.mailing-list:hover {
+ background-position: -200px 100%; }
+
+a.calendar {
+ background-position: -250px 0; }
+ a.calendar:hover {
+ background-position: -250px 100%; }
+
+#viewDocs {
+ display: none; }
+
+section {
+ background-color: white; }
+
+#hero {
+ background-color: #303030; }
+ #hero h5 {
+ margin: 20px 0;
+ line-height: 28px; }
+
+#vendorStrip {
+ position: relative; }
+ #vendorStrip ul {
+ float: left; }
+ #vendorStrip li {
+ display: inline-block;
+ height: 100%; }
+ #vendorStrip a {
+ display: block;
+ height: 100%;
+ color: white;
+ font-size: 0.75em;
+ font-weight: bold; }
+ #vendorStrip li + li {
+ margin-left: 0; }
+
+#docs #vendorStrip {
+ line-height: 44px; }
+ #docs #vendorStrip ul {
+ float: none; }
+ #docs #vendorStrip #searchBox {
+ float: none;
+ display: block;
+ width: 80%;
+ margin: 0 auto;
+ height: 44px;
+ line-height: 44px;
+ position: relative; }
+ #docs #vendorStrip #searchBox:before {
+ position: absolute;
+ width: 15px;
+ height: 15px;
+ content: '';
+ right: 8px;
+ top: 7px;
+ background-image: url(/images/search-icon.svg);
+ background-repeat: no-repeat;
+ background-size: 100% 100%;
+ z-index: 1; }
+ #docs #vendorStrip #search {
+ width: 100%;
+ padding: 0 10px;
+ height: 30px;
+ line-height: 30px;
+ font-size: 16px;
+ vertical-align: top;
+ background: #fff;
+ border: none;
+ border-radius: 4px;
+ position: relative; }
+
+#encyclopedia {
+ position: relative;
+ padding: 50px 20px 20px 20px;
+ overflow: hidden;
+ font-size: 14px; }
+ #encyclopedia > div {
+ height: 100%; }
+
+#docsToc {
+ position: fixed;
+ background-color: white;
+ top: 0;
+ left: 0;
+ width: 0;
+ height: 100vh;
+ overflow: hidden;
+ padding: 50px 0;
+ z-index: 999999;
+ transition: 0.3s; }
+ #docsToc .yah > .title {
+ background-color: #f7f7f7;
+ border-left: 3px solid #3371e3;
+ padding: 7.5px 10px 7.5px 18px;
+ margin-left: -3px;
+ color: #3371e3; }
+
+.open-toc body {
+ overflow: hidden; }
+
+.open-toc #docsToc {
+ padding: 50px 20px;
+ width: 400px;
+ max-width: 100vw;
+ overflow-y: auto; }
+
+.pi-accordion > .container:first-child > .item:first-child > .title:first-child {
+ padding-left: 0;
+ font-size: 1.5em;
+ font-weight: 700; }
+
+.pi-accordion > .container:first-child > .item.yah:first-child > .title:first-child {
+ margin-left: -20px !important; }
+
+.pi-accordion .item {
+ overflow: hidden; }
+
+.pi-accordion .title {
+ color: #303030;
+ position: relative;
+ padding: 7.5px 10px 7.5px 18px;
+ cursor: pointer;
+ transition: 0.3s; }
+ .pi-accordion .title:hover {
+ color: #3371e3; }
+
+.pi-accordion a.item > .title {
+ color: black; }
+ .pi-accordion a.item > .title:hover {
+ color: #3371e3; }
+
+.pi-accordion div.item > .title:before {
+ content: "";
+ position: absolute;
+ top: 12px;
+ left: 2px;
+ border-style: solid;
+ border-width: 5px 0 5px 8px;
+ border-color: transparent transparent transparent #3371e3;
+ transform: rotate(0deg);
+ transition: 0.3s; }
+
+.pi-accordion .wrapper {
+ position: relative;
+ width: 100%;
+ transition: height 0.3s; }
+
+.pi-accordion .content {
+ padding-left: 20px;
+ opacity: 0;
+ transition: 0.3s; }
+
+.pi-accordion .item.on > .title:before {
+ transform: rotate(90deg); }
+
+.pi-accordion .item.on > .wrapper > .content {
+ opacity: 1; }
+
+dt {
+ margin-bottom: 8px; }
+
+dd {
+ margin-bottom: 16px; }
+
+.pi-pushmenu {
+ display: none;
+ position: fixed;
+ top: 0;
+ width: 100%;
+ height: 100%;
+ opacity: 0;
+ transition: opacity 0.3s; }
+ .pi-pushmenu.on {
+ opacity: 1; }
+ .pi-pushmenu .overlay {
+ position: fixed;
+ top: 0;
+ left: 0;
+ width: 100%;
+ height: 100%;
+ background-color: rgba(0, 0, 0, 0.4); }
+ .pi-pushmenu .sled {
+ position: absolute;
+ top: 0;
+ width: 0;
+ height: 100%;
+ background-color: white;
+ overflow: auto;
+ transition: 0.3s; }
+ .pi-pushmenu.on .sled {
+ width: 400px;
+ max-width: 100vw; }
+ .pi-pushmenu .top-bar {
+ height: 0;
+ line-height: 60px;
+ background-color: #444; }
+ .pi-pushmenu ul {
+ margin-top: 25px; }
+ .pi-pushmenu li {
+ position: relative;
+ display: block;
+ width: 100%;
+ min-height: 45px;
+ padding: 0 60px 0 20px;
+ border-bottom: 1px solid #cccccc; }
+ .pi-pushmenu a {
+ display: inline-block;
+ width: 100%;
+ height: 45px;
+ line-height: 45px;
+ font-family: "Roboto", sans-serif;
+ font-size: 20px;
+ color: #3371e3; }
+ .pi-pushmenu .button {
+ background: none;
+ padding: 0; }
+ .pi-pushmenu ul ul {
+ padding: 0 20px; }
+ .pi-pushmenu ul ul li {
+ min-height: 40px; }
+ .pi-pushmenu ul ul a {
+ height: 40px;
+ line-height: 40px;
+ font-size: 18px;
+ color: #555555; }
+
+.push-menu-close-button {
+ position: absolute;
+ top: 0;
+ right: 0;
+ width: 50px;
+ height: 50px; }
+ .push-menu-close-button:before, .push-menu-close-button:after {
+ content: "";
+ position: absolute;
+ top: calc(50% - 1px);
+ left: 25%;
+ width: 50%;
+ height: 2px;
+ background-color: black; }
+ .push-menu-close-button:before {
+ transform: rotate(45deg); }
+ .push-menu-close-button:after {
+ transform: rotate(-45deg); }
+
+#docsContent {
+ position: relative;
+ float: right;
+ width: 100%; }
+ #docsContent * + h2, #docsContent * + h3, #docsContent * + h4, #docsContent * + h5, #docsContent * + h6 {
+ margin-top: 30px; }
+ #docsContent h1, #docsContent h2, #docsContent h3, #docsContent h4, #docsContent h5, #docsContent h6 {
+ line-height: normal;
+ font-weight: 500;
+ margin-bottom: 30px;
+ padding-bottom: 10px; }
+ #docsContent h1:before, #docsContent h2:before, #docsContent h3:before, #docsContent h4:before, #docsContent h5:before, #docsContent h6:before {
+ display: block;
+ content: " ";
+ margin-top: -100px;
+ height: 100px;
+ visibility: hidden; }
+ #docsContent h1, #docsContent h2 {
+ border-bottom: 1px solid #cccccc; }
+ #docsContent h1 {
+ font-size: 32px;
+ padding-right: 60px; }
+ #docsContent h2 {
+ font-size: 28px; }
+ #docsContent h3 {
+ font-size: 24px;
+ font-weight: 300;
+ margin-bottom: 5px; }
+ #docsContent h4 {
+ font-size: 20px;
+ margin-bottom: 0px; }
+ #docsContent h5, #docsContent h6 {
+ font-size: 16px;
+ font-weight: 500; }
+ #docsContent p {
+ font-size: 16px;
+ font-weight: 300;
+ line-height: 1.75em; }
+ #docsContent p + p {
+ margin-top: 10px; }
+ #docsContent code {
+ display: inline-block;
+ box-sizing: border-box;
+ background-color: #f7f7f7;
+ color: #303030;
+ font-family: "Roboto Mono", monospace;
+ vertical-align: baseline;
+ font-size: 14px;
+ font-weight: bold;
+ padding: 2px 4px; }
+ #docsContent a code {
+ color: #3371e3;
+ text-decoration: underline; }
+ #docsContent pre .pi, #docsContent pre .s {
+ margin: 0;
+ padding: 0; }
+ #docsContent .highlight code span, #docsContent code, #docsContent pre code {
+ font-family: "Roboto Mono", monospace; }
+ #docsContent code, #docsContent pre code {
+ color: #303030; }
+ #docsContent pre code {
+ padding: 0; }
+ #docsContent pre {
+ background-color: #f7f7f7;
+ display: block;
+ margin: 20px 0;
+ padding: 15px;
+ position: relative;
+ overflow-x: auto; }
+ #docsContent h1 code, #docsContent h2 code, #docsContent h3 code, #docsContent h4 code, #docsContent h5 code, #docsContent h6 code {
+ font-family: inherit;
+ font-size: inherit;
+ background-color: transparent; }
+ #docsContent .includecode {
+ table-layout: fixed; }
+ #docsContent .includecode, #docsContent .includecode th, #docsContent .includecode td {
+ padding: 0 !important; }
+ #docsContent .includecode th {
+ text-align: right !important;
+ padding: 10px !important; }
+ #docsContent .includecode th a, #docsContent .includecode th a code {
+ color: white !important;
+ background-color: transparent !important; }
+ #docsContent .includecode pre {
+ margin: 0 !important; }
+ #docsContent ul li {
+ list-style: disc; }
+ #docsContent ol li {
+ list-style: decimal; }
+ #docsContent ul, #docsContent ol {
+ margin: 20px 0;
+ padding-left: 30px;
+ font-weight: 300; }
+ #docsContent ul ul, #docsContent ol ol, #docsContent ul ol, #docsContent ol ul {
+ margin: 0.75em 0; }
+ #docsContent li {
+ margin-bottom: 0.75em;
+ font-size: 16px;
+ line-height: 1.75em; }
+ #docsContent table {
+ width: 100%;
+ border: 1px solid #ccc;
+ border-spacing: 0;
+ margin-top: 30px;
+ margin-bottom: 30px; }
+ #docsContent thead, #docsContent tr:nth-child(even) {
+ background-color: #f7f7f7; }
+ #docsContent thead {
+ background-color: #555;
+ color: white; }
+ #docsContent th, #docsContent td {
+ padding: 8px;
+ text-align: left;
+ margin: 0; }
+ #docsContent th {
+ font-weight: normal; }
+ #docsContent td {
+ font-size: 0.85em; }
+ #docsContent #editPageButton {
+ position: absolute;
+ top: -25px;
+ right: 5px;
+ width: 50px;
+ height: 50px;
+ line-height: 50px;
+ border-radius: 50%;
+ white-space: nowrap;
+ text-indent: 50px;
+ overflow: hidden;
+ background: #3371e3 url(/images/icon-pencil.svg) no-repeat;
+ background-position: 12px 10px;
+ background-size: 29px 29px; }
+ #docsContent #markdown-toc, #docsContent #TableOfContents {
+ margin-bottom: 20px; }
+ #docsContent #markdown-toc ul, #docsContent #markdown-toc li, #docsContent #TableOfContents ul, #docsContent #TableOfContents li {
+ list-style: disc;
+ color: #3371e3; }
+ #docsContent #markdown-toc ul, #docsContent #TableOfContents ul {
+ padding: 0 15px;
+ margin: 0; }
+ #docsContent #markdown-toc li, #docsContent #TableOfContents li {
+ padding: 0;
+ line-height: 1.5em;
+ margin-bottom: 0; }
+ #docsContent #markdown-toc a, #docsContent #TableOfContents a {
+ position: relative;
+ color: #3371e3;
+ font-weight: 700; }
+ #docsContent img {
+ max-width: 100%; }
+ #docsContent a {
+ text-decoration: underline; }
+ #docsContent #TableOfContents > ul > li {
+ list-style: none; }
+ #docsContent #TableOfContents ul, #docsContent #TableOfContents li {
+ list-style: disk; }
+
+.fixed footer {
+ position: fixed;
+ bottom: 0; }
+
+#miceType {
+ clear: both;
+ font-size: 11px;
+ line-height: 18px;
+ color: #aaa; }
+
+html.search #docsContent {
+ position: relative;
+ float: none;
+ width: 90%;
+ max-width: 850px;
+ margin: 0 auto; }
+ html.search #docsContent #editPageButton {
+ display: none; }
+ html.search #docsContent table {
+ border: 0;
+ margin-bottom: 0; }
+ html.search #docsContent td {
+ padding: 0; }
+ html.search #docsContent h1 {
+ margin-bottom: 0;
+ border-bottom: 0;
+ padding-bottom: 0;
+ padding-left: 8px; }
+
+#home.flip-nav .logo, #home.open-nav .logo {
+ background-image: url(/images/nav_logo2.svg); }
+
+#home #hero {
+ margin-bottom: 0;
+ padding-bottom: 1px; }
+ #home #hero main {
+ padding: 0 10px;
+ margin-bottom: 30px; }
+ #home #hero #vendorStrip {
+ display: none; }
+
+#oceanNodes {
+ padding-top: 60px;
+ padding-bottom: 60px; }
+ #oceanNodes a {
+ color: #3371e3; }
+ #oceanNodes main {
+ margin-bottom: 60px;
+ min-height: 160px; }
+ #oceanNodes .image-wrapper {
+ max-width: 75%;
+ margin: 0 auto 20px;
+ text-align: center; }
+ #oceanNodes .image-wrapper img {
+ width: 100%;
+ max-width: 160px; }
+ #oceanNodes main:first-child .image-wrapper {
+ max-width: 100%; }
+ #oceanNodes main:first-child .image-wrapper img {
+ max-width: 491px; }
+ #oceanNodes h3 {
+ margin-bottom: 30px; }
+
+#video {
+ height: 200px; }
+
+#video {
+ width: 100%;
+ position: relative;
+ background-image: url(/images/kub_video_banner_homepage.jpg);
+ background-position: center center;
+ background-size: cover; }
+ #video > .light-text {
+ display: none;
+ position: absolute;
+ top: 50%;
+ left: 75%;
+ width: 525px;
+ padding-right: 80px;
+ transform: translate(-50%, -50%);
+ color: white; }
+ #video h2 {
+ font-size: 32px;
+ line-height: 44px;
+ margin-bottom: 20px; }
+ #video p {
+ margin-bottom: 20px; }
+ #video #desktopKCButton {
+ position: relative;
+ font-size: 18px;
+ background-color: #303030;
+ border-radius: 8px;
+ color: #ffffff;
+ padding: 20px 10px 20px 10px; }
+ #video #desktopShowVideoButton {
+ position: relative;
+ font-size: 24px;
+ background-color: white;
+ border-radius: 8px;
+ color: #3371e3;
+ padding: 15px 30px 15px 80px;
+ margin-bottom: 15px; }
+ #video #desktopShowVideoButton:before {
+ content: "";
+ position: absolute;
+ position: absolute;
+ top: 50%;
+ left: 40px;
+ transform: translate(-50%, -50%);
+ width: 0;
+ height: 0;
+ border-style: solid;
+ border-width: 10px 0 10px 20px;
+ border-color: transparent transparent transparent #3371e3; }
+ #video #mobileShowVideoButton {
+ position: absolute;
+ top: 50%;
+ left: 50%;
+ transform: translate(-50%, -50%);
+ width: 80px;
+ height: 80px;
+ border-radius: 50%;
+ background-color: transparent;
+ border: 5px solid rgba(255, 255, 255, 0.2);
+ overflow: visible; }
+ #video #mobileShowVideoButton:after {
+ position: absolute;
+ top: 50%;
+ left: 50%;
+ transform: translate(-50%, -50%);
+ left: 40px;
+ content: "";
+ width: 0;
+ height: 0;
+ border-style: solid;
+ border-width: 20px 0 20px 30px;
+ border-color: transparent transparent transparent #ffffff; }
+
+#videoPlayer {
+ position: fixed;
+ top: 0;
+ left: 0;
+ width: 100vw;
+ height: 100vh;
+ background-color: rgba(0, 0, 0, 0.9);
+ display: none; }
+ #videoPlayer iframe {
+ position: absolute;
+ top: 50%;
+ left: 50%;
+ transform: translate(-50%, -50%);
+ width: 80vw;
+ height: 45vw;
+ max-width: 142.22222222vh;
+ max-height: 80vh; }
+ #videoPlayer #closeButton {
+ position: absolute;
+ top: 20px;
+ right: 20px;
+ width: 50px;
+ height: 50px;
+ border: 2px solid transparent;
+ transition: 0.3s; }
+ #videoPlayer #closeButton:before, #videoPlayer #closeButton:after {
+ content: "";
+ position: absolute;
+ top: calc(50% - 1px);
+ left: 10%;
+ width: 80%;
+ height: 2px;
+ background-color: white; }
+ #videoPlayer #closeButton:before {
+ transform: rotate(45deg); }
+ #videoPlayer #closeButton:after {
+ transform: rotate(-45deg); }
+ #videoPlayer #closeButton:hover {
+ border-color: white; }
+
+#cncf {
+ padding-top: 60px;
+ padding-bottom: 140px;
+ background-color: #f7f7f7;
+ background-image: url(/images/cncf-color.png);
+ background-position: center 100px;
+ background-repeat: no-repeat;
+ background-size: 300px; }
+
+#features {
+ padding-top: 140px;
+ background-color: #f7f7f7;
+ background-image: url(/images/wheel.png);
+ background-position: center 60px;
+ background-repeat: no-repeat;
+ background-size: auto; }
+
+.feature-box {
+ width: 100%;
+ overflow: hidden;
+ clear: both; }
+ .feature-box h4 {
+ line-height: normal;
+ margin-bottom: 15px; }
+ .feature-box > div:first-child {
+ float: left; }
+ .feature-box > div:last-child {
+ float: right; }
+
+#features h3 {
+ margin-bottom: 20px; }
+
+#features .feature-box {
+ margin-bottom: 0; }
+ #features .feature-box > div {
+ width: 100%;
+ margin-bottom: 40px; }
+
+#community.open-nav .logo, #community.flip-nav .logo, .gridPage.open-nav .logo, .gridPage.flip-nav .logo {
+ background-image: url(/images/nav_logo2.svg); }
+
+#community #hero, .gridPage #hero {
+ padding-bottom: 20px; }
+
+#community #mainContent, .gridPage #mainContent {
+ padding: 20px 0; }
+ #community #mainContent main, .gridPage #mainContent main {
+ max-width: none; }
+ #community #mainContent a, .gridPage #mainContent a {
+ color: #3371e3; }
+ #community #mainContent .content, .gridPage #mainContent .content {
+ margin-bottom: 30px;
+ padding: 30px 0; }
+ #community #mainContent .content h1, #community #mainContent .content h2, #community #mainContent .content h3, #community #mainContent .content h4, #community #mainContent .content h5, #community #mainContent .content h6, #community #mainContent .content p, .gridPage #mainContent .content h1, .gridPage #mainContent .content h2, .gridPage #mainContent .content h3, .gridPage #mainContent .content h4, .gridPage #mainContent .content h5, .gridPage #mainContent .content h6, .gridPage #mainContent .content p {
+ line-height: normal;
+ max-width: 1200px;
+ padding: 0 20px;
+ margin: 0 auto 20px; }
+ #community #mainContent .content:nth-child(even), .gridPage #mainContent .content:nth-child(even) {
+ background-color: #f7f7f7; }
+ #community #mainContent .company-logos, .gridPage #mainContent .company-logos {
+ text-align: center;
+ max-width: 1200px;
+ margin: 0 auto; }
+ #community #mainContent .company-logos img, .gridPage #mainContent .company-logos img {
+ width: auto;
+ margin: 10px;
+ background-color: #f7f7f7; }
+ #community #mainContent .partner-logos, .gridPage #mainContent .partner-logos {
+ text-align: center;
+ max-width: 1200px;
+ margin: 0 auto; }
+ #community #mainContent .partner-logos img, .gridPage #mainContent .partner-logos img {
+ width: auto;
+ margin: 10px;
+ background-color: #ffffff;
+ box-shadow: 0 5px 5px rgba(0, 0, 0, 0.24), 0 0 5px rgba(0, 0, 0, 0.12); }
+ #community #mainContent #calendarMeetings, .gridPage #mainContent #calendarMeetings {
+ position: relative;
+ width: 80vw;
+ height: 60vw;
+ max-width: 1200px;
+ max-height: 900px;
+ margin: 20px auto; }
+ #community #mainContent #calendarEvents, .gridPage #mainContent #calendarEvents {
+ position: relative;
+ width: 80vw;
+ height: 30vw;
+ max-width: 1200px;
+ max-height: 450px;
+ margin: 20px auto; }
+ #community #mainContent iframe, .gridPage #mainContent iframe {
+ position: absolute;
+ border: 0;
+ width: 100%;
+ height: 100%; }
+
+.ui-icon {
+ display: inline-block !important; }
+
+#feature-state-dialog-link {
+ text-decoration: none !important;
+ padding: 5px !important; }
+ #feature-state-dialog-link a:visited {
+ color: #454545 !important; }
+ #feature-state-dialog-link a code {
+ display: inline-block !important;
+ box-sizing: border-box !important;
+ background-color: #f7f7f7 !important;
+ color: #303030 !important;
+ font-family: "Roboto Mono", monospace !important;
+ vertical-align: baseline !important;
+ font-size: 14px !important;
+ font-weight: bold !important;
+ padding: 0px 4px !important; }
+
+#feature-state-dialog {
+ background: #fff !important;
+ border: 1px solid #ddd !important;
+ padding: 0.5em 1em !important; }
+ #feature-state-dialog ul, #feature-state-dialog li {
+ list-style: disc !important;
+ margin: 4px 12px !important; }
+ #feature-state-dialog p {
+ margin: 8px 0px !important; }
+ #feature-state-dialog code {
+ display: inline-block !important;
+ box-sizing: border-box !important;
+ background-color: #f7f7f7 !important;
+ color: #303030 !important;
+ font-family: "Roboto Mono", monospace !important;
+ vertical-align: baseline !important;
+ font-size: 14px !important;
+ font-weight: bold !important;
+ padding: 0px 4px !important; }
+
+.ui-dialog {
+ background: #f7f7f7 !important;
+ padding: 0.5em; }
+
+.ui-dialog-content {
+ position: relative;
+ float: right;
+ width: 100%; }
+ .ui-dialog-content * + h2, .ui-dialog-content * + h3, .ui-dialog-content * + h4, .ui-dialog-content * + h5, .ui-dialog-content * + h6 {
+ margin-top: 30px; }
+ .ui-dialog-content h1, .ui-dialog-content h2, .ui-dialog-content h3, .ui-dialog-content h4, .ui-dialog-content h5, .ui-dialog-content h6 {
+ line-height: normal;
+ font-weight: 500;
+ margin-bottom: 30px;
+ padding-bottom: 10px; }
+ .ui-dialog-content h1:before, .ui-dialog-content h2:before, .ui-dialog-content h3:before, .ui-dialog-content h4:before, .ui-dialog-content h5:before, .ui-dialog-content h6:before {
+ display: block;
+ content: " ";
+ margin-top: -100px;
+ height: 100px;
+ visibility: hidden; }
+ .ui-dialog-content h1, .ui-dialog-content h2 {
+ border-bottom: 1px solid #cccccc; }
+ .ui-dialog-content h1 {
+ font-size: 32px;
+ padding-right: 60px; }
+ .ui-dialog-content h2 {
+ font-size: 28px; }
+ .ui-dialog-content h3 {
+ font-size: 24px;
+ font-weight: 300;
+ margin-bottom: 5px; }
+ .ui-dialog-content h4 {
+ font-size: 20px;
+ margin-bottom: 0px; }
+ .ui-dialog-content h5, .ui-dialog-content h6 {
+ font-size: 16px;
+ font-weight: 500; }
+ .ui-dialog-content p {
+ font-size: 16px;
+ font-weight: 300;
+ line-height: 1.75em; }
+ .ui-dialog-content p + p {
+ margin-top: 10px; }
+ .ui-dialog-content code {
+ display: inline-block;
+ box-sizing: border-box;
+ background-color: #f7f7f7;
+ color: #303030;
+ font-family: "Roboto Mono", monospace;
+ vertical-align: baseline;
+ font-size: 14px;
+ font-weight: bold;
+ padding: 2px 4px; }
+ .ui-dialog-content a code {
+ color: #3371e3;
+ text-decoration: underline; }
+ .ui-dialog-content pre .pi, .ui-dialog-content pre .s {
+ margin: 0;
+ padding: 0; }
+ .ui-dialog-content .highlight code span, .ui-dialog-content code, .ui-dialog-content pre code {
+ font-family: "Roboto Mono", monospace; }
+ .ui-dialog-content code, .ui-dialog-content pre code {
+ color: #303030; }
+ .ui-dialog-content pre code {
+ padding: 0; }
+ .ui-dialog-content pre {
+ background-color: #f7f7f7;
+ display: block;
+ margin: 20px 0;
+ padding: 15px;
+ position: relative;
+ overflow-x: auto; }
+ .ui-dialog-content h1 code, .ui-dialog-content h2 code, .ui-dialog-content h3 code, .ui-dialog-content h4 code, .ui-dialog-content h5 code, .ui-dialog-content h6 code {
+ font-family: inherit;
+ font-size: inherit;
+ background-color: transparent; }
+ .ui-dialog-content .includecode {
+ table-layout: fixed; }
+ .ui-dialog-content .includecode, .ui-dialog-content .includecode th, .ui-dialog-content .includecode td {
+ padding: 0 !important; }
+ .ui-dialog-content .includecode th {
+ text-align: right !important;
+ padding: 10px !important; }
+ .ui-dialog-content .includecode th a, .ui-dialog-content .includecode th a code {
+ color: white !important;
+ background-color: transparent !important; }
+ .ui-dialog-content .includecode pre {
+ margin: 0 !important; }
+ .ui-dialog-content ul li {
+ list-style: disc; }
+ .ui-dialog-content ol li {
+ list-style: decimal; }
+ .ui-dialog-content ul, .ui-dialog-content ol {
+ margin: 20px 0;
+ padding-left: 30px;
+ font-weight: 300; }
+ .ui-dialog-content ul ul, .ui-dialog-content ol ol, .ui-dialog-content ul ol, .ui-dialog-content ol ul {
+ margin: 0.75em 0; }
+ .ui-dialog-content li {
+ margin-bottom: 0.75em;
+ font-size: 16px;
+ line-height: 1.75em; }
+ .ui-dialog-content table {
+ width: 100%;
+ border: 1px solid #ccc;
+ border-spacing: 0;
+ margin-top: 30px;
+ margin-bottom: 30px; }
+ .ui-dialog-content thead, .ui-dialog-content tr:nth-child(even) {
+ background-color: #f7f7f7; }
+ .ui-dialog-content thead {
+ background-color: #555;
+ color: white; }
+ .ui-dialog-content th, .ui-dialog-content td {
+ padding: 8px;
+ text-align: left;
+ margin: 0; }
+ .ui-dialog-content th {
+ font-weight: normal; }
+ .ui-dialog-content td {
+ font-size: 0.85em; }
+ .ui-dialog-content #editPageButton {
+ position: absolute;
+ top: -25px;
+ right: 5px;
+ width: 50px;
+ height: 50px;
+ line-height: 50px;
+ border-radius: 50%;
+ white-space: nowrap;
+ text-indent: 50px;
+ overflow: hidden;
+ background: #3371e3 url(/images/icon-pencil.svg) no-repeat;
+ background-position: 12px 10px;
+ background-size: 29px 29px; }
+ .ui-dialog-content #markdown-toc {
+ margin-bottom: 20px; }
+ .ui-dialog-content #markdown-toc ul, .ui-dialog-content #markdown-toc li {
+ list-style: disc;
+ color: #3371e3; }
+ .ui-dialog-content #markdown-toc ul {
+ padding: 0 15px;
+ margin: 0; }
+ .ui-dialog-content #markdown-toc li {
+ padding: 0;
+ line-height: 1.5em;
+ margin-bottom: 0; }
+ .ui-dialog-content #markdown-toc a {
+ position: relative;
+ color: #3371e3;
+ font-weight: 700; }
+ .ui-dialog-content img {
+ max-width: 100%; }
+ .ui-dialog-content a {
+ text-decoration: underline; }
+
+.ui-dialog-buttonpane {
+ background: #f7f7f7 !important; }
+
+.ui-widget-header {
+ background: transparent !important;
+ background-color: transparent !important;
+ border: 0px !important; }
+
+.ui-tabs ul, .ui-tabs ol, .ui-tabs li {
+ padding: 0px !important;
+ list-style: none !important;
+ margin-bottom: 0px !important;
+ margin-left: 4px !important; }
+
+.ui-tabs-panel ul li {
+ list-style: disc !important; }
+
+.ui-tabs-panel ol li {
+ list-style: decimal !important; }
+
+.ui-widget-content {
+ border: 0px !important; }
+ .ui-widget-content table {
+ margin: 0px !important; }
+
+.ui-tabs .ui-tabs-panel {
+ border: 1px solid #ccc !important; }
+
+.ui-tabs-anchor {
+ text-decoration: none !important; }
+
+#talkToUs h3, #talkToUs h4 {
+ text-align: center; }
+
+#talkToUs h3 {
+ margin-bottom: 15px; }
+
+#talkToUs h4 {
+ line-height: normal;
+ margin-bottom: 50px; }
+ #talkToUs h4 br {
+ display: none; }
+
+#talkToUs #bigSocial {
+ overflow: hidden; }
+ #talkToUs #bigSocial div {
+ width: 100%;
+ float: left;
+ padding: 30px;
+ padding-top: 110px;
+ background-position: center top;
+ background-size: auto;
+ background-repeat: no-repeat; }
+ #talkToUs #bigSocial div:nth-child(1) {
+ background-image: url(/images/twitter_icon.png); }
+ #talkToUs #bigSocial div:nth-child(2) {
+ background-image: url(/images/github_icon.png); }
+ #talkToUs #bigSocial div:nth-child(3) {
+ background-image: url(/images/slack_icon.png); }
+ #talkToUs #bigSocial div:nth-child(4) {
+ background-image: url(/images/stackoverflow_icon.png); }
+ #talkToUs #bigSocial div + div {
+ margin-top: 20px;
+ margin-left: 0; }
+ #talkToUs #bigSocial a {
+ display: inline-block;
+ color: #3371e3;
+ font-size: 24px;
+ font-weight: 400;
+ text-decoration: none;
+ margin-bottom: 15px; }
+ #talkToUs #bigSocial a, #talkToUs #bigSocial p {
+ text-align: center;
+ width: 100%; }
+
+#home #talkToUs main {
+ padding: 30px 0; }
+
+#home #talkToUs h5 {
+ font-size: 20px; }
+
+#home #caseStudiesWrapper {
+ position: relative;
+ text-align: center;
+ margin-bottom: 30px; }
+ #home #caseStudiesWrapper div {
+ position: relative;
+ display: inline-block;
+ vertical-align: top;
+ width: 100%;
+ min-height: 230px;
+ padding: 125px 10px 15px;
+ margin-bottom: 30px;
+ background-position: top center;
+ background-repeat: no-repeat; }
+ #home #caseStudiesWrapper div:nth-child(1) {
+ background-image: url(/images/community_logos/pearson_logo.png); }
+ #home #caseStudiesWrapper div:nth-child(2) {
+ background-image: url(/images/community_logos/box_logo.png); }
+ #home #caseStudiesWrapper div:nth-child(3) {
+ background-image: url(/images/community_logos/ebay_logo.png); }
+ #home #caseStudiesWrapper div:nth-child(4) {
+ background-image: url(/images/community_logos/wikimedia_foundation_logo.png); }
+ #home #caseStudiesWrapper p {
+ font-size: 20px; }
+ #home #caseStudiesWrapper a {
+ position: absolute;
+ bottom: 0;
+ left: 50%;
+ transform: translateX(-50%);
+ color: #3371e3;
+ font-weight: 400; }
+
+/* Google Search */
+.cse .gsc-control-cse, .gsc-control-cse {
+ padding: 0; }
+
+.gsc-control-cse table, .gsc-control-cse-en table {
+ margin: 0px !important; }
+
+.gsc-above-wrapper-area {
+ border-bottom: 0; }
+
+/* Bing Search */
+#bing-results-container {
+ margin-top: 30px;
+ margin-left: 20px; }
+
+.bing-result {
+ margin-bottom: 20px; }
+
+.bing-result-name a {
+ font-size: 16px;
+ color: #0000CC; }
+
+.bing-result-url {
+ color: #008000;
+ font-size: 13px; }
+
+.bing-result-snippet {
+ color: #000;
+ font-size: 11px; }
+
+#bing-pagination-container {
+ margin: 10px;
+ margin-left: 20px; }
+
+.bing-page-anchor {
+ text-decoration: none !important;
+ cursor: pointer;
+ color: #0000CC;
+ margin-right: 8px; }
+
+@media screen and (min-width: 750px) {
+ h1 {
+ font-size: 32px;
+ line-height: 40px; }
+ h2 {
+ font-size: 28px;
+ line-height: 60px; }
+ h3 {
+ font-size: 24px;
+ line-height: 32px; }
+ h4 {
+ font-size: 20px;
+ line-height: 40px; }
+ h5 {
+ font-size: 16px;
+ line-height: 36px; }
+ p {
+ font-size: 14px;
+ line-height: 22px; }
+ section, header, #vendorStrip {
+ padding-left: 20px;
+ padding-right: 20px; }
+ section main, header main, #vendorStrip main {
+ width: 100%;
+ max-width: 100%; }
+ header {
+ height: 80px; }
+ .nav-buttons {
+ height: 80px;
+ line-height: 80px; }
+ .nav-buttons .button + * {
+ margin-left: 30px; }
+ #hamburger {
+ width: 50px;
+ height: 50px; }
+ #mainNav {
+ padding: 140px 0 30px; }
+ #mainNav h5 {
+ margin-bottom: 1em; }
+ #mainNav h3 {
+ margin-bottom: 0.6em; }
+ #mainNav .nav-box {
+ width: 20%; }
+ #mainNav .nav-box + .nav-box {
+ margin-left: calc(20% / 3); }
+ #mainNav main + main {
+ margin-top: 60px; }
+ #mainNav .left .button {
+ height: 50px;
+ line-height: 50px;
+ font-size: 18px; }
+ .open-nav #tryKubernetes, .y-enough #tryKubernetes {
+ margin-left: 30px; }
+ #hero {
+ padding-top: 80px; }
+ #docs #hero h1, #docs #hero h5 {
+ padding-left: 20px;
+ padding-right: 20px; }
+ #vendorStrip {
+ height: 88px;
+ line-height: 88px;
+ font-size: 16px; }
+ p {
+ font-size: 16px;
+ line-height: 24px;
+ letter-spacing: 0.1px; }
+ h1 {
+ font-size: 36px;
+ line-height: 44px; }
+ h3 {
+ font-size: 28px;
+ line-height: 36px; }
+ h4 {
+ font-size: 24px;
+ line-height: 40px; }
+ #home #viewDocs, #home #tryKubernetes {
+ display: inline-block; }
+ #vendorStrip {
+ display: block;
+ text-align: center; }
+ #vendorStrip img {
+ max-height: 24px;
+ vertical-align: middle;
+ margin: 0 30px; }
+ #docs #vendorStrip li a {
+ font-size: 1em;
+ font-weight: normal; }
+ #docs #vendorStrip li li + li {
+ margin-left: 60px; }
+ #oceanNodes h3 {
+ text-align: left;
+ margin-bottom: 18px; }
+ #oceanNodes main {
+ position: relative;
+ clear: both;
+ display: table; }
+ #oceanNodes main .content {
+ display: table-cell;
+ position: relative;
+ vertical-align: middle; }
+ #oceanNodes main .image-wrapper {
+ position: absolute;
+ top: 50%;
+ max-width: 25%;
+ max-height: 100%;
+ transform: translateY(-50%); }
+ #oceanNodes main:nth-child(odd) {
+ padding-right: 210px; }
+ #oceanNodes main:nth-child(odd) .image-wrapper {
+ right: 0; }
+ #oceanNodes main:nth-child(even) {
+ padding-left: 210px; }
+ #oceanNodes main:nth-child(even) .image-wrapper {
+ left: 0; }
+ #oceanNodes main:nth-child(1) {
+ padding-right: 0; }
+ #oceanNodes main:nth-child(1) h3, #oceanNodes main:nth-child(1) p {
+ text-align: center; }
+ #oceanNodes main:nth-child(1) .image-wrapper {
+ position: relative;
+ display: block;
+ float: none;
+ max-width: 100%;
+ transform: none; }
+ #oceanNodes main:nth-child(1) .content {
+ display: block; }
+ #oceanNodes main img {
+ width: 100%; }
+ #video {
+ height: 400px;
+ display: block; }
+ #video > .light-text {
+ display: block; }
+ #mobileShowVideoButton {
+ display: none; }
+ #features {
+ padding-bottom: 60px; }
+ #features .feature-box {
+ margin-bottom: 30px; }
+ #features .feature-box:last-child {
+ margin-bottom: 0; }
+ #features h3 {
+ margin-bottom: 40px; }
+ #features .feature-box > div {
+ width: 45%;
+ margin-bottom: 0; }
+ #talkToUs #bigSocial div {
+ width: calc(50% - 15px); }
+ #talkToUs #bigSocial div + div {
+ margin-top: 0; }
+ #talkToUs #bigSocial div:nth-child(2) {
+ margin-left: 20px; }
+ #talkToUs #bigSocial div:nth-child(3) {
+ margin-top: 20px; }
+ #talkToUs #bigSocial div:nth-child(4) {
+ margin-top: 20px;
+ margin-left: 20px; }
+ #talkToUs #bigSocial a {
+ display: inline-block;
+ color: #3371e3;
+ font-weight: 400;
+ text-decoration: none; }
+ footer nav {
+ text-align: center; }
+ footer nav a {
+ width: 30%;
+ padding: 0 20px; }
+ footer .social {
+ text-align: center; }
+ footer .social div {
+ display: inline-block; }
+ footer .social div:last-child {
+ display: block;
+ margin: 0; }
+ footer .social span {
+ display: inline-block;
+ margin-right: 10px; }
+ footer .social input {
+ text-align: left; }
+ #home #caseStudiesWrapper div {
+ width: 48%; } }
+
+@media screen and (min-width: 1025px) {
+ #hamburger {
+ display: none; }
+ ul.global-nav {
+ display: inline-block; }
+ #docs #vendorStrip #searchBox:before {
+ top: 15px; }
+ #vendorStrip {
+ height: 44px;
+ line-height: 44px; }
+ #vendorStrip li a.YAH:after {
+ content: "";
+ display: block;
+ position: absolute;
+ left: 0;
+ bottom: 0;
+ width: 100%;
+ height: 4px;
+ background-color: #3371e3; }
+ #vendorStrip #searchBox {
+ float: right; }
+ #home #hero #vendorStrip {
+ display: block; }
+ #docs #hero h1, #docs #hero h5 {
+ text-align: left; }
+ #docs #hero #vendorStrip ul {
+ float: left; }
+ #docs #hero #vendorStrip #searchBox {
+ float: right;
+ width: 250px; }
+ #docs #hero #vendorStrip #search {
+ vertical-align: middle; }
+ #docs .flyout-button {
+ display: none; }
+ #docs .logo {
+ position: relative;
+ float: left;
+ display: block;
+ width: 180px;
+ height: 88px;
+ top: 0;
+ left: 0;
+ transform: none;
+ background-image: url(../images/nav_logo.svg); }
+ #docs.flip-nav .logo, #docs.open-nav .logo {
+ background-image: url(../images/nav_logo2.svg); }
+ #encyclopedia {
+ padding: 50px 50px 100px 100px;
+ clear: both; }
+ #docsToc {
+ position: relative;
+ float: left;
+ padding: 0 20px;
+ left: 0;
+ width: 350px;
+ z-index: auto; }
+ #docsToc .push-menu-close-button {
+ display: none; }
+ #docsContent {
+ width: calc(100% - 400px); }
+ #docsContent #editPageButton {
+ right: -25px; }
+ section main, header main, footer main {
+ max-width: 1200px; }
+ header, #vendorStrip, #encyclopedia, #hero h1, #hero h5, #docs #hero h1, #docs #hero h5,
+ #community #hero h1, .gridPage #hero h1, #community #hero h5, .gridPage #hero h5 {
+ padding-left: 100px;
+ padding-right: 100px; }
+ #vendorStrip {
+ padding-right: 10px; }
+ #home section main, #home header main, #home footer main {
+ max-width: 1000px; }
+ #oceanNodes main {
+ position: relative;
+ max-width: 830px; }
+ #oceanNodes main:nth-child(1) {
+ max-width: 1000px;
+ padding-right: 475px; }
+ #oceanNodes main:nth-child(1) h3, #oceanNodes main:nth-child(1) p {
+ text-align: left; }
+ #oceanNodes main:nth-child(1) .image-wrapper {
+ position: absolute;
+ max-width: 48%;
+ transform: translateY(-50%); }
+ #oceanNodes main:nth-child(1) .image-wrapper img {
+ max-width: 425px; }
+ #video {
+ height: 550px;
+ position: relative;
+ background-image: url(../images/kub_video_banner_homepage.jpg);
+ background-position: center center;
+ background-size: cover; }
+ #talkToUs h4 br {
+ display: block; }
+ #talkToUs #bigSocial div {
+ width: calc(25% - 18px); }
+ #talkToUs #bigSocial div + div {
+ margin-left: 20px; }
+ footer {
+ width: 100%;
+ background-image: url(../images/texture.png);
+ background-color: #303030; }
+ footer main {
+ padding: 20px 0; }
+ footer nav {
+ overflow: hidden;
+ margin-bottom: 20px; }
+ footer nav a {
+ width: 16.65%;
+ float: left;
+ font-size: 24px;
+ font-weight: 300;
+ white-space: nowrap; }
+ footer .social {
+ padding: 0 30px;
+ max-width: 1200px; }
+ footer .social div {
+ float: left; }
+ footer .social div:last-child {
+ float: right; }
+ #search, #wishField {
+ background-color: transparent;
+ padding: 10px;
+ font-size: 16px;
+ font-weight: 100;
+ color: white;
+ border: 1px solid white;
+ transition: 0.3s; }
+ #search:focus, #wishField:focus {
+ background-color: #f7f7f7;
+ color: #303030; }
+ .social a {
+ display: inline-block;
+ background-image: url(../images/social_sprite.png);
+ background-repeat: no-repeat;
+ background-size: auto;
+ width: 50px;
+ height: 50px;
+ border-radius: 5px;
+ margin-right: 10px; }
+ .social a:hover {
+ background-color: #fff; }
+ .social a span {
+ position: absolute;
+ display: block;
+ height: 0;
+ overflow: hidden; }
+ a.twitter {
+ background-position: 0 0; }
+ a.twitter:hover {
+ background-position: 0 100%; }
+ a.stack-overflow {
+ background-position: -50px 0; }
+ a.stack-overflow:hover {
+ background-position: -50px 100%; }
+ a.slack {
+ background-position: -100px 0; }
+ a.slack:hover {
+ background-position: -100px 100%; }
+ a.github {
+ background-position: -150px 0; }
+ a.github:hover {
+ background-position: -150px 100%; }
+ a.mailing-list {
+ background-position: -200px 0; }
+ a.mailing-list:hover {
+ background-position: -200px 100%; }
+ a.calendar {
+ background-position: -250px 0; }
+ a.calendar:hover {
+ background-position: -250px 100%; }
+ #community #hero, .gridPage #hero {
+ text-align: left; }
+ #community #hero h1, .gridPage #hero h1 {
+ padding: 20px 100px; }
+ #community #tryKubernetes, .gridPage #tryKubernetes {
+ width: auto;
+ background-color: #3371e3;
+ padding: 0 20px; }
+ #bigSocial div {
+ width: calc(25% - 18px); }
+ #home #caseStudiesWrapper div {
+ width: 24%;
+ min-height: 260px; } }
+
+@media screen and (min-width: 1300px) {
+ #vendorStrip {
+ padding-right: 100px; } }
+
+@media screen and (min-width: 456px) {
+ #vendorStrip li + li {
+ margin-left: 20px; } }
diff --git a/resources/_gen/assets/sass/sass/styles.sass_146085a92036d31fa476cb2cbb0682ce.json b/resources/_gen/assets/sass/sass/styles.sass_146085a92036d31fa476cb2cbb0682ce.json
new file mode 100644
index 0000000000000..081a4beb86c9d
--- /dev/null
+++ b/resources/_gen/assets/sass/sass/styles.sass_146085a92036d31fa476cb2cbb0682ce.json
@@ -0,0 +1 @@
+{"Target":"css/styles.css","MediaType":"text/css","Data":{}}
\ No newline at end of file
diff --git a/update-imported-docs/reference.yml b/update-imported-docs/reference.yml
index 43745288bb7ea..6410f38e4c76c 100644
--- a/update-imported-docs/reference.yml
+++ b/update-imported-docs/reference.yml
@@ -8,7 +8,7 @@ repos:
cd $GOPATH
git clone https://github.com/kubernetes/kubernetes.git src/k8s.io/kubernetes
cd src/k8s.io/kubernetes
- git checkout release-1.11
+ git checkout release-1.12
make generated_files
cp -L -R vendor $GOPATH/src
rm -r vendor
diff --git a/update-imported-docs/release.yml b/update-imported-docs/release.yml
index 71cd1c25d8180..0da74c95bd421 100644
--- a/update-imported-docs/release.yml
+++ b/update-imported-docs/release.yml
@@ -4,5 +4,5 @@ repos:
branch: master
gen-absolute-links: true
files:
- - src: CHANGELOG-1.11.md
+ - src: CHANGELOG-1.12.md
dst: content/en/docs/setup/release/notes.md