Official 1.13 Release Docs #11401

Merged 44 commits, Dec 4, 2018

Commits (44)
7dc2453
Update metadata.generation behaviour for custom resources (#10705)
nikhita Nov 1, 2018
e3d49bf
update docs promoting plugins to beta (#10796)
juanvallejo Nov 1, 2018
5d63228
docs update to promote TaintBasedEvictions to beta (#10765)
Huang-Wei Nov 2, 2018
555fff8
First Korean l10n work for dev-1.13 (#10719)
gochist Nov 6, 2018
ff0927f
kubeadm: update the configuration docs to v1beta1 (#10959)
neolit123 Nov 12, 2018
d318c99
kubeadm: add small v1beta1 related updates (#10988)
neolit123 Nov 14, 2018
aa7d309
ADD content/zh/docs/reference/setup-tools/kubeadm/kubeadm.md (#11031)
YouthLab Nov 17, 2018
7d97705
Doc updates for volume scheduling GA (#10743)
msau42 Nov 19, 2018
0c53f2f
Document nodelease feature (#10699)
wangzhen127 Nov 19, 2018
c61b405
advanced audit doc for ModeBlockingStrict (#10203)
CaoShuFeng Nov 19, 2018
cda8eba
Rename EncryptionConfig to EncryptionConfiguration (#11080)
stlaz Nov 20, 2018
05c8961
content/zh/docs/reference/setup-tools/kubeadm/kubeadm-init.md
YouthLab Nov 22, 2018
8dd0957
translate create-cluster-kubeadm.md to Chinese (#11041)
Nov 25, 2018
f36a29c
update the feature stage in v1.13 (#11307)
Nov 26, 2018
64afbfb
update new feature gates to document (#11295)
Nov 26, 2018
fa87997
refresh controller role list on rbac description page (#11290)
WanLinghao Nov 26, 2018
e180383
node labeling restriction docs (#10944)
liggitt Nov 27, 2018
fad29b7
Update 1.13 docs for CSI GA (#10893)
msau42 Nov 27, 2018
1f91977
dynamic audit documentation (#9947)
pbarker Nov 27, 2018
39773d4
kubeadm: remove kube-proxy workaround (#11162)
neolit123 Nov 27, 2018
49b1022
zh-trans content/en/docs/setup/independent/install-kubeadm.md (#11338)
jiaj12 Nov 27, 2018
29d80d6
Update dry run feature to beta (#11140)
Nov 27, 2018
d07c95e
vSphere volume raw block support doc update (#10932)
vladimirvivien Nov 27, 2018
42ffdba
Add docs for Windows DNS configurations (#10036)
feiskyer Nov 27, 2018
d153750
add device monitoring documentation (#9945)
dashpole Nov 27, 2018
c01f33d
kubeadm: adds upgrade instructions for 1.13 (#11138)
chuckha Nov 27, 2018
663ba14
kubeadm: add improvements to HA docs (#11094)
neolit123 Nov 28, 2018
bdf9e96
kubeadm external etcd HA upgrade 1.13 (#11364)
rdodev Nov 28, 2018
1e19018
kubeadm cert documentation (#11093)
liztio Nov 29, 2018
ab2ceb0
PR for diff docs (#10789)
apelisse Nov 29, 2018
3ef2819
Second Korean l10n work for dev-1.13. (#11030)
gochist Nov 29, 2018
86978a1
Rename encryption-at-rest related objects (#11059)
stlaz Nov 29, 2018
152f430
Documenting FlexVolume Resize alpha feature. (#10097)
brahmaroutu Nov 29, 2018
7ce937a
CR webhook conversion documentation (#10986)
mbohlool Nov 29, 2018
453ddd9
Remove references to etcd2 in v1.13 since support has been removed (#…
spiffxp Nov 30, 2018
71c18d3
Final Korean l10n work for dev-1.13 (#11440)
gochist Dec 1, 2018
62f8199
Fix unopened caution shortcode
tfogo Dec 1, 2018
ea6cc89
kubeadm: update the reference docs for 1.13 (#10960)
neolit123 Dec 2, 2018
27a56f0
Add generated federation API Reference (#11491)
tfogo Dec 3, 2018
a482bb7
Generate kubectl reference docs 1.13 (#11487)
tfogo Dec 3, 2018
b37af1d
Add 1.13 API reference (#11489)
tfogo Dec 3, 2018
e658142
Update config.toml (#11486)
jimangel Dec 3, 2018
b805aba
adding .Site. to Params.currentUrl (#11503)
jimangel Dec 4, 2018
e2dbe1a
Add 1.13 Release notes (#11499)
tfogo Dec 4, 2018
node labeling restriction docs (#10944)
liggitt authored and tfogo committed Dec 1, 2018

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
commit e180383a4e4b9f312f1fced1f98b836ccf92649e
7 changes: 4 additions & 3 deletions content/en/docs/concepts/architecture/nodes.md
@@ -226,11 +226,12 @@ For self-registration, the kubelet is started with the following options:
- `--register-node` - Automatically register with the API server.
- `--register-with-taints` - Register the node with the given list of taints (comma separated `<key>=<value>:<effect>`). No-op if `register-node` is false.
- `--node-ip` - IP address of the node.
- `--node-labels` - Labels to add when registering the node in the cluster.
- `--node-labels` - Labels to add when registering the node in the cluster (see label restrictions enforced by the [NodeRestriction admission plugin](/docs/reference/access-authn-authz/admission-controllers/#noderestriction) in 1.13+).
- `--node-status-update-frequency` - Specifies how often kubelet posts node status to master.

Currently, any kubelet is authorized to create/modify any node resource, but in practice it only creates/modifies
its own. (In the future, we plan to only allow a kubelet to modify its own node resource.)
When the [Node authorization mode](/docs/reference/access-authn-authz/node/) and
[NodeRestriction admission plugin](/docs/reference/access-authn-authz/admission-controllers/#noderestriction) are enabled,
kubelets are only authorized to create/modify their own Node resource.

#### Manual Node Administration
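Review bot: the rewritten paragraph (the three lines beginning "When the [Node authorization mode]") drops the statement of the default behaviour that the removed two lines carried, namely that without these two components any kubelet is authorized to create or modify any Node resource. A reader who has not enabled the Node authorizer or the NodeRestriction admission plugin no longer learns that this is the case. Suggest keeping one sentence for the default alongside the new conditional wording, e.g. "Without these enabled, any kubelet is authorized to create/modify any Node resource." The `--node-labels` bullet change is fine; it usefully points at the same restrictions from the self-registration option where an operator would first meet them.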

15 changes: 15 additions & 0 deletions content/en/docs/concepts/configuration/assign-pod-node.md
@@ -92,6 +92,21 @@ For example, the value of `kubernetes.io/hostname` may be the same as the Node n
and a different value in other environments.
{{< /note >}}

## Node isolation/restriction

Adding labels to Node objects allows targeting pods to specific nodes or groups of nodes.
This can be used to ensure specific pods only run on nodes with certain isolation, security, or regulatory properties.
When using labels for this purpose, choosing label keys that cannot be modified by the kubelet process on the node is strongly recommended.
This prevents a compromised node from using its kubelet credential to set those labels on its own Node object,
and influencing the scheduler to schedule workloads to the compromised node.

The `NodeRestriction` admission plugin prevents kubelets from setting or modifying labels with a `node-restriction.kubernetes.io/` prefix.
To make use of that label prefix for node isolation:

1. Ensure you are using the [Node authorizer](/docs/reference/access-authn-authz/node/) and have enabled the [NodeRestriction admission plugin](/docs/reference/access-authn-authz/admission-controllers/#noderestriction).
2. Add labels under the `node-restriction.kubernetes.io/` prefix to your Node objects, and use those labels in your node selectors.
For example, `example.com.node-restriction.kubernetes.io/fips=true` or `example.com.node-restriction.kubernetes.io/pci-dss=true`.

## Affinity and anti-affinity

`nodeSelector` provides a very simple way to constrain pods to nodes with particular labels. The affinity/anti-affinity
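Review bot: step 2 of the procedure tells the reader to add labels under the `node-restriction.kubernetes.io/` prefix but not how, and the preceding paragraph says the `NodeRestriction` admission plugin blocks kubelets from setting those labels, so they cannot be supplied through the kubelet's `--node-labels` flag during self-registration and must be applied by an administrator against the API server (for example `kubectl label node <name> example.com.node-restriction.kubernetes.io/fips=true`). Saying this explicitly will save readers from wondering why a label passed to the kubelet never appears. Since the step also says to use the labels in node selectors, a matching `nodeSelector` stanza for one of the two example keys would complete the walkthrough. Minor: "and influencing the scheduler" in the first paragraph reads better as "and thereby influencing the scheduler".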
@@ -415,6 +415,25 @@ This admission controller limits the `Node` and `Pod` objects a kubelet can modi
kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`.
Such kubelets will only be allowed to modify their own `Node` API object, and only modify `Pod` API objects that are bound to their node.
In Kubernetes 1.11+, kubelets are not allowed to update or remove taints from their `Node` API object.

In Kubernetes 1.13+, the `NodeRestriction` admission plugin prevents kubelets from deleting their `Node` API object,
and enforces kubelet modification of labels under the `kubernetes.io/` or `k8s.io/` prefixes as follows:

* **Prevents** kubelets from adding/removing/updating labels with a `node-restriction.kubernetes.io/` prefix.
This label prefix is reserved for administrators to label their `Node` objects for workload isolation purposes,
and kubelets will not be allowed to modify labels with that prefix.
* **Allows** kubelets to add/remove/update these labels and label prefixes:
* `kubernetes.io/hostname`
* `beta.kubernetes.io/arch`
* `beta.kubernetes.io/instance-type`
* `beta.kubernetes.io/os`
* `failure-domain.beta.kubernetes.io/region`
* `failure-domain.beta.kubernetes.io/zone`
* `kubelet.kubernetes.io/`-prefixed labels
* `node.kubernetes.io/`-prefixed labels

Use of any other labels under the `kubernetes.io` or `k8s.io` prefixes by kubelets is reserved, and may be disallowed or allowed by the `NodeRestriction` admission plugin in the future.

Future versions may add additional restrictions to ensure kubelets have the minimal set of permissions required to operate correctly.

### OwnerReferencesPermissionEnforcement {#ownerreferencespermissionenforcement}
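Review bot: the second paragraph's wording "enforces kubelet modification of labels under the `kubernetes.io/` or `k8s.io/` prefixes as follows" is unclear; suggest "restricts which labels under the `kubernetes.io/` or `k8s.io/` prefixes a kubelet may modify, as follows". The section is also silent on labels outside those two prefixes (an `example.com/` key, say): the closing sentence reserves only other `kubernetes.io`/`k8s.io` labels, so readers are left to infer the treatment of everything else, and since the assign-pod-node page in this same commit steers isolation labels to `node-restriction.kubernetes.io/` precisely because the kubelet cannot touch that prefix, a one-line statement of how unprefixed or third-party labels are handled would close the gap. Minor: the "Allows" list mixes exact keys (`kubernetes.io/hostname`) with prefixes (`kubelet.kubernetes.io/`-prefixed labels) in one list; grouping the exact keys and the prefixes separately would make the rule easier to scan.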