begin updating webhook documentation #6368
I don't think this is done yet but I want to get something out there.
Deploy preview ready! Built with commit bb756bf https://deploy-preview-6368--kubernetes-io-vnext-staging.netlify.com
docs/admin/admission-controllers.md
Outdated
and authorized. The plug-ins discussed in this document are compiled into the | ||
API server process and may only be configured by the cluster administrator. As of 1.9, [user provided | ||
webhooks](/docs/admin/extensible-admission-controllers.md#external-admission-webhooks) | ||
are in beta; these are dynamically configurable. |
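Review bot: "these are dynamically configurable" does not say who may configure them, and it follows a sentence stating that the compiled-in plug-ins "may only be configured by the cluster administrator", so a reader can infer that webhooks are open to any user. Suggest naming the API object used to register a webhook and stating that write access to it should be limited to cluster administrators.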
runtime configurable is more specific than dynamically configurable?
Confusing to talk about plugins and then suddenly about webhooks. Question a reader might have: is a webhook a plugin?
docs/admin/admission-controllers.md
Outdated
@@ -16,16 +16,27 @@ title: Using Admission Controllers | |||
|
|||
An admission control plug-in is a piece of code that intercepts requests to the Kubernetes | |||
API server prior to persistence of the object, but after the request is authenticated | |||
and authorized. The plug-in code is in the API server process | |||
and must be compiled into the binary in order to be used at this time. | |||
and authorized. The plug-ins discussed in this document are compiled into the |
Let's expunge the term plug-ins.
We don't want to accept more, and we don't want to encourage forking, so why use a term which invites plugging things in?
Maybe "modules".
Or just "admission controller"?
docs/admin/admission-controllers.md
Outdated
any of the plug-ins in the sequence reject the request, the entire request is rejected immediately | ||
and an error is returned to the end-user. | ||
Admission control plug-ins may be "validating", "mutating", or both. Mutating | ||
plug-ins may modify the objects they admit; validating plug-ins may not. |
I'm a reader unfamiliar with this: I can't tell if the word "plug-ins" includes or excludes "user provided webhooks"
docs/admin/admission-controllers.md
Outdated
@@ -101,14 +112,16 @@ If your cluster supports containers that run with escalated privileges, and you | |||
restrict the ability of end-users to exec commands in those containers, we strongly encourage | |||
enabling this plug-in. | |||
|
|||
### GenericAdmissionWebhook (alpha) | |||
### GenericAdmissionWebhook (alpha in 1.8; beta in 1.9) |
We now have the following terms that appear to mean the same thing:
- extensible-admission-controllers
- external-admission-webhooks
- Dynamic Admission Control
- External Admission Webhooks
I intend to fix the names before this is finalized.
Chao is already on it: kubernetes/kubernetes#55988
It's called ValidatingAdmissionWebhook
docs/admin/admission-controllers.md
Outdated
@@ -101,14 +112,16 @@ If your cluster supports containers that run with escalated privileges, and you | |||
restrict the ability of end-users to exec commands in those containers, we strongly encourage | |||
enabling this plug-in. | |||
|
|||
### GenericAdmissionWebhook (alpha) | |||
### GenericAdmissionWebhook (alpha in 1.8; beta in 1.9) |
Why did this get called Generic, when we use the term Validating elsewhere? Wasn't naming settled in the design phase?
It is Validating. Will fix this when kubernetes/kubernetes#55988 merges.
docs/admin/admission-controllers.md
Outdated
For Kubernetes >= 1.9.0, we strongly recommend running the following set of admission control plug-ins (order matters): | ||
|
||
```shell | ||
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,GenericAdmissionWebhook,ResourceQuota,DefaultTolerationSeconds,MutatingAdmissionWebhook |
@kubernetes/sig-auth-api-reviews who's ready to add PSP to the list?
EDIT: actually, I didn't see a bootstrapping pull go by, so probably not.
Others to add:
- OwnerReferencesPermissionEnforcement
- NodeRestriction
- PodNodeSelector
- PodTolerationRestriction - @kubernetes/sig-scheduling-api-reviews the annotations have been alpha for a while, but the taints are not alpha. Ready for this?
it's called ValidatingAdmissionWebhook
Let's add those in a followup PR.
docs/admin/admission-controllers.md
Outdated
The admission control process proceeds in two phases. In the first phase, | ||
mutating admission control plug-ins are run. In the second phase, validating | ||
admission control plug-ins are run. Note again that some of the plug-ins are | ||
both. In both phases, the plug-ins are run in the order specified by the |
Only in the mutating phase the order matters and is defined. Plugins are called in serial, webhooks are not.
docs/admin/admission-controllers.md
Outdated
If a webhook called by this has side effects (e.g., decrementing quota) it | ||
*must* have a reconcilation system, as it is not guaranteed that subsequent | ||
webhooks or validating plugins will permit the request to finish. | ||
|
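Review bot: "reconcilation" in the second line of this paragraph is misspelled; it should be "reconciliation". The paragraph also says a webhook with side effects *must* have a reconciliation system without saying what it has to reconcile; one sentence stating that the side effect has to be undone when the request is later rejected would make the requirement actionable.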
Add the following text:
Use caution when authoring and installing mutating webhooks.
- Users may be confused when the objects they try to create are different from what they get back.
- Setting originally unset fields is less confusing than overwriting fields set in the request. Avoid doing the latter.
- Built in control loops may break when the objects they try to create are different when read back.
- Setting originally unset fields is less likely to cause problems than overwriting fields set in the original request. Avoid doing the latter.
- This is a beta feature. Future versions of Kubernetes may restrict the types of mutating webhooks can make.
- Future changes to control loops for built-in resources or third-party resources may break webhooks that work well today. Even when the webhook installation API is field, not all possible webhook behaviors will be guaranteed to be supported indefinitely.
Some tweaks to @erictune's additions:
Use caution when authoring and installing mutating webhooks.
* This is a beta feature. Future versions of Kubernetes may restrict the types of mutations webhooks can make.
* Users may be confused when the objects they try to create are different from what they receive.
* Avoid overwriting fields. Setting originally unset fields is less confusing than overwriting fields set in the request.
* Built in control loops may break when the objects they try to create are different when read back.
* Future changes to control loops for built-in resources or third-party resources may break webhooks that work well today. Even when the webhook installation API is a field, not all possible webhook behaviors will be guaranteed to be supported indefinitely.
So:
Use caution when authoring and installing mutating webhooks.
- Users may be confused when the objects they try to create are different from what they receive.
- Avoid overwriting fields. Setting originally unset fields is less confusing than overwriting fields set in the request.
- Built in control loops may break when the objects they try to create are different when read back.
- This is a beta feature. Future versions of Kubernetes may restrict the types of mutations webhooks can make.
- Future changes to control loops for built-in resources or third-party resources may break webhooks that work well today. Even when the webhook installation API is a field, not all possible webhook behaviors will be guaranteed to be supported indefinitely.
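The guidance in the comments above (set fields that were unset; avoid overwriting fields set in the request) can be enforced in the code that builds a mutating webhook's patch. The following is an added example, not code from this PR or from Kubernetes; `DefaultsOnlyPatch`, `PatchFor` and the sample object and defaults are constructed for illustration, and it assumes the webhook returns its changes as an RFC 6902 JSON Patch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// PatchOp is one RFC 6902 JSON Patch operation.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// pointerEscaper encodes a map key as an RFC 6901 JSON Pointer token, so that
// label keys containing "/" produce a valid path.
var pointerEscaper = strings.NewReplacer("~", "~0", "/", "~1")

// DefaultsOnlyPatch (hypothetical helper) emits "add" operations only for
// fields that are absent from obj. A field present in the request is never
// replaced, even when it differs from the default; such paths are returned in
// skipped so the webhook can log them instead of silently overriding the user.
func DefaultsOnlyPatch(obj, defaults map[string]interface{}) ([]PatchOp, []string) {
	ops, skipped := []PatchOp{}, []string{}
	walk(obj, defaults, "", &ops, &skipped)
	return ops, skipped
}

func walk(obj, defaults map[string]interface{}, prefix string, ops *[]PatchOp, skipped *[]string) {
	keys := make([]string, 0, len(defaults))
	for k := range defaults {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic patch order
	for _, k := range keys {
		path := prefix + "/" + pointerEscaper.Replace(k)
		have, present := obj[k]
		if !present {
			// Unset in the request: safe to default. Adding a whole missing
			// subtree is a single "add" with an object value.
			*ops = append(*ops, PatchOp{Op: "add", Path: path, Value: defaults[k]})
			continue
		}
		haveMap, haveIsMap := have.(map[string]interface{})
		wantMap, wantIsMap := defaults[k].(map[string]interface{})
		if haveIsMap && wantIsMap {
			walk(haveMap, wantMap, path, ops, skipped)
			continue
		}
		// Set in the request (an explicit null counts as set): leave it alone.
		if !reflect.DeepEqual(have, defaults[k]) {
			*skipped = append(*skipped, path)
		}
	}
}

// PatchFor decodes the incoming object and the defaults, and returns the
// serialized JSON Patch plus the paths that were left untouched.
func PatchFor(objJSON, defaultsJSON string) ([]byte, []string, error) {
	var obj, defaults map[string]interface{}
	if err := json.Unmarshal([]byte(objJSON), &obj); err != nil {
		return nil, nil, fmt.Errorf("object: %w", err)
	}
	if err := json.Unmarshal([]byte(defaultsJSON), &defaults); err != nil {
		return nil, nil, fmt.Errorf("defaults: %w", err)
	}
	ops, skipped := DefaultsOnlyPatch(obj, defaults)
	patch, err := json.Marshal(ops)
	return patch, skipped, err
}

// Constructed sample input: a Pod-like object as submitted, and the defaults
// a webhook would like to apply.
const samplePod = `{
  "metadata": {"name": "web", "labels": {"team": "payments"}},
  "spec": {"priorityClassName": "high"}
}`

const sampleDefaults = `{
  "metadata": {"labels": {"team": "unassigned", "example.com/cost-center": "0000"}},
  "spec": {"priorityClassName": "default", "terminationGracePeriodSeconds": 30}
}`

func main() {
	patch, skipped, err := PatchFor(samplePod, sampleDefaults)
	if err != nil {
		panic(err)
	}
	fmt.Printf("patch:   %s\n", patch)
	fmt.Printf("skipped: %v\n", skipped)
}
```

The `skipped` list is the place to hang an audit log line or a metric: it records every case where the webhook would otherwise have returned an object different from what the user asked for.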
This is a great start. ✨ Some small edits for clarity and formatting. Pending technical edits (thanks, everyone!) must also be addressed.
docs/admin/admission-controllers.md
Outdated
and only admits the operation if all the webhooks admit it. | ||
Currently, the plug-in always fails open. | ||
In other words, it ignores the failed calls to a webhook. | ||
If a webhook called by this has side effects (e.g., decrementing quota) it |
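Review bot: "Currently, the plug-in always fails open" is stated without its consequence: while a webhook is unreachable or returning errors, the checks it implements are not enforced and the request is admitted. Suggest saying so explicitly here, in a note or warning, so that operators who rely on a webhook for policy know to monitor failed webhook calls.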
If a webhook called by this has side effects (for example, decrementing quota), it
docs/admin/admission-controllers.md
Outdated
@@ -426,6 +450,11 @@ We strongly recommend using this plug-in if you intend to make use of Kubernetes | |||
## Is there a recommended set of plug-ins to use? | |||
|
|||
Yes. | |||
For Kubernetes >= 1.9.0, we strongly recommend running the following set of admission control plug-ins (order matters): |
For Kubernetes >= 1.9.0, we strongly recommend running the following set of admission control plug-ins in the following order:
So:
For Kubernetes >= 1.9.0, we strongly recommend running the following set of admission control plug-ins in the following order:
PTAL
The find-and-replaces are going to make rebasing this a huge pain, so the faster we can commit this, the better. Happy to make further changes in follow-ups if this meets some minimum bar.
I think there's some comments I didn't see that GitHub hid after one of my edits--will try to double check later.
Maybe we should document if each admission controller is mutating, validating or both.
|
||
Finally, in addition to sometimes mutating the object in question, admission | ||
controllers may sometimes have side effects, that is, mutate related | ||
resources as part of request processing. Incrementing quota usage is the |
Clarifying that the quota admission is actually a validation webhook, since it doesn't mutate the request itself.
This isn't talking about our specific quota mechanism, I think that's not a relevant detail.
|
||
This admission controller (as implied by the name) only runs in the mutating phase. | ||
|
||
If a webhook called by this has side effects (for example, decrementing quota) it |
Quota is a validating plugin, to avoid confusion, use another example.
This isn't talking about our specific quota mechanism, I think that's not a relevant detail.
If you disable the MutatingAdmissionWebhook, you must also disable the | ||
`MutatingWebhookConfiguration` object in the `admissionregistration/v1beta1` | ||
group/version via the `--runtime-config` flag (both are on by default in | ||
versions >= 1.9). |
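Review bot: this paragraph names the `--runtime-config` flag but not the value to pass, and gives no reason for the requirement. Suggest adding the exact flag value for the `admissionregistration/v1beta1` group/version and one sentence on what happens when only one of the two is disabled.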
I would say it reversely: if you disable the API, you must disable the admission controller.
Having the admission controller but not the api on will just cause error messages in the logs. The other way around people might add webhooks and be confused about why they aren't running, and there'd be no error messages anywhere.
|
||
* Users may be confused when the objects they try to create are different from | ||
what they get back. | ||
* Setting originally unset fields is less confusing that overwriting fields set in |
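Review bot: in the second bullet, "less confusing that overwriting" should read "less confusing than overwriting".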
Duplicate
fixed in new PR as soon as I push
If you disable the ValidatingAdmissionWebhook, you must also disable the | ||
`ValidatingWebhookConfiguration` object in the `admissionregistration/v1beta1` | ||
group/version via the `--runtime-config` flag (both are on by default in | ||
versions >= 1.9). |
It's the reverse.
same response.
For Kubernetes >= 1.9.0, we strongly recommend running the following set of admission controllers (order matters): | ||
|
||
```shell | ||
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ValidatingAdmissionWebhook,ResourceQuota,DefaultTolerationSeconds,MutatingAdmissionWebhook |
Leaving MutatingAdmissionWebhook at last might be confusing.
Added more explanation instead. It's more important to explain how the flag works IMO.
Thanks for the comments, I will try to address them today.
…On Fri, Dec 1, 2017 at 5:31 PM, Chao Xu ***@***.***> wrote:
***@***.**** commented on this pull request.
Maybe we should document if each admission controller is mutating,
validating or both.
------------------------------
In docs/admin/admission-controllers.md
<#6368 (comment)>:
> +
+Admission controllers may be "validating", "mutating", or both. Mutating
+controllers may modify the objects they admit; validating controllers may not.
+
+The admission control process proceeds in two phases. In the first phase,
+mutating admission controllers are run. In the second phase, validating
+admission controllers are run. Note again that some of the controllers are
+both. In both phases, the controllers are run in the order specified by the
+`--admission-control` flag of `kube-apiserver`.
+
+If any of the controllers in either phase reject the request, the entire
+request is rejected immediately and an error is returned to the end-user.
+
+Finally, in addition to sometimes mutating the object in question, admission
+controllers may sometimes have side effects, that is, mutate related
+resources as part of request processing. Incrementing quota usage is the
Clarifying that the quota admission is actually a validation webhook,
since it doesn't mutate the request itself.
------------------------------
In docs/admin/admission-controllers.md
<#6368 (comment)>:
> be used to apply default resource requests to Pods that don't specify any; currently, the default LimitRanger
applies a 0.1 CPU requirement to all Pods in the `default` namespace.
See the [limitRange design doc](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_limit_range.md) and the [example of Limit Range](/docs/tasks/configure-pod-container/limit-range/) for more details.
+### MutatingAdmissionWebhook (beta in 1.9)
+
+This admission controller calls any mutating webhooks which match the request. Matching
+webhooks are called in serial; each one may modify the object if it desires.
+
+This admission controller (as implied by the name) only runs in the mutating phase.
+
+If a webhook called by this has side effects (for example, decrementing quota) it
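Review bot: "Matching webhooks are called in serial" does not say what determines the order, or whether a webhook sees the modifications made by the ones called before it. Both matter to anyone installing more than one mutating webhook; suggest stating them here, or stating that the order is unspecified.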
Quota is a validating plugin, to avoid confusion, use another example.
------------------------------
In docs/admin/admission-controllers.md
<#6368 (comment)>:
> be used to apply default resource requests to Pods that don't specify any; currently, the default LimitRanger
applies a 0.1 CPU requirement to all Pods in the `default` namespace.
See the [limitRange design doc](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_limit_range.md) and the [example of Limit Range](/docs/tasks/configure-pod-container/limit-range/) for more details.
+### MutatingAdmissionWebhook (beta in 1.9)
+
+This admission controller calls any mutating webhooks which match the request. Matching
+webhooks are called in serial; each one may modify the object if it desires.
+
+This admission controller (as implied by the name) only runs in the mutating phase.
+
+If a webhook called by this has side effects (for example, decrementing quota) it
+*must* have a reconcilation system, as it is not guaranteed that subsequent
+webhooks or validating admission controllers will permit the request to finish.
+
+If you disable the MutatingAdmissionWebhook, you must also disable the
+`MutatingWebhookConfiguration` object in the `admissionregistration/v1beta1`
+group/version via the `--runtime-config` flag (both are on by default in
+versions >= 1.9).
I would say it reversely: if you disable the API, you must disable the
admission controller.
------------------------------
In docs/admin/admission-controllers.md
<#6368 (comment)>:
> +This admission controller (as implied by the name) only runs in the mutating phase.
+
+If a webhook called by this has side effects (for example, decrementing quota) it
+*must* have a reconcilation system, as it is not guaranteed that subsequent
+webhooks or validating admission controllers will permit the request to finish.
+
+If you disable the MutatingAdmissionWebhook, you must also disable the
+`MutatingWebhookConfiguration` object in the `admissionregistration/v1beta1`
+group/version via the `--runtime-config` flag (both are on by default in
+versions >= 1.9).
+
+#### Use caution when authoring and installing mutating webhooks
+
+ * Users may be confused when the objects they try to create are different from
+ what they get back.
+ * Setting originally unset fields is less confusing that overwriting fields set in
Duplicate
------------------------------
In docs/admin/admission-controllers.md
<#6368 (comment)>:
>
+If you disable the ValidatingAdmissionWebhook, you must also disable the
+`ValidatingWebhookConfiguration` object in the `admissionregistration/v1beta1`
+group/version via the `--runtime-config` flag (both are on by default in
+versions >= 1.9).
It's the reverse.
------------------------------
In docs/admin/admission-controllers.md
<#6368 (comment)>:
>
Yes.
-For Kubernetes >= 1.6.0, we strongly recommend running the following set of admission control plug-ins (order matters):
+For Kubernetes >= 1.9.0, we strongly recommend running the following set of admission controllers (order matters):
+
+```shell
+--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ValidatingAdmissionWebhook,ResourceQuota,DefaultTolerationSeconds,MutatingAdmissionWebhook
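Review bot: replacing the ">= 1.6.0" sentence with ">= 1.9.0" leaves clusters on 1.6 through 1.8 without a recommended list, as far as this hunk shows, and the new list names `MutatingAdmissionWebhook`, which this PR documents as "beta in 1.9". Suggest keeping the earlier list under its own version heading.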
Leaving MutatingAdmissionWebhook at last might be confusing.
sigh :(
@lavalamp Sorry. 😞
@lavalamp 👋 Just a heads up that docs need to be complete by this Friday, 12/8. I'm happy to help with whatever I can; please let me know.
You could un-revert this PR? ;) ;)
More seriously I have three KubeCon sessions tomorrow and I am traveling
Friday.
What happens if it is not done on Friday?
…On Wed, Dec 6, 2017 at 5:48 PM, Zach Corleissen ***@***.***> wrote:
@lavalamp <https://github.com/lavalamp> 👋 Just a heads up that docs need
to be complete by this Friday, 12/8. I'm happy to help with whatever I can;
please let me know.
That's real.
Can you have it done by the end of Monday? It's already in pretty good shape, so I can arrange to review your PR last before we freeze and merge. Note: After opening the new PR, be sure to un-check and re-check the box allowing edits from maintainers. (It's a workaround for a broken GitHub UI component.) This will shorten the amount of back and forth considerably. Does that work?
Yeah, my plan was to work on it Monday, although I just looked at my
calendar and, yikes. I will do my best to get something presentable
sometime Monday.
…On Wed, Dec 6, 2017 at 9:06 PM, Zach Corleissen ***@***.***> wrote:
You could un-revert this PR? ;) ;)
More seriously I have three KubeCon sessions tomorrow and I am traveling
Friday.
That's real.
What happens if it is not done on Friday?
Can you have it done by the end of Monday?
It's already in pretty good shape, so I can arrange to review your PR last
before we freeze and merge.
*Note:* After opening the new PR, be sure to *un-check and re-check* the
box allowing edits from maintainers. (It's a workaround for a broken GitHub
UI component.) This will shorten the amount of back and forth considerably.
Does that work?
* Trivial change to open release branch * Undo trivial change * add service ipvs overview * Add instructions on how to setup kubectl * Document conntrack dependency for kube-proxy * Add an a This is kind of jarring / missing an article. I'm guessing it should either be ' to a rack of bare metal servers.' or '...to racks of bare metal servers.'. * adding example responses for common issues - support request - code bug report * Trivial change to open release branch * Undo trivial change * Signed-off-by: Ziqi Zhao <zhaoziqi@qiniu.com> (#5366) Fix the not-working test case yaml for /doc/concepts/storage/volumes.md * kubectl-overview * temp fix for broken pod and deployment links * Update Table of Solutions for Juju * Revise certificates documentation (#5965) * Update review-issues.md Some edits for clarity and condensed language. * Update init-containers.md Fix leading spaces in commands. * Update kubectl-overview.md Fix format. * Update clc.md Fix format. * Update openstack-heat.md The url no need. just highlight. 
* Typo I believe this should be "users" not "uses" * making explicit hostname uniq requirement * Update scheduling-hugepages.md * Update update-daemon-set.md * fix redirection of PersistentVolume * Update hpa.md * update kubectl instruction * Use the format of kubeadm init * fix spelling error guarnatees to guarantees * add matchLabels description (#6020) * search and replace for k8s.github.io to website (#6019) * fix scale command of object-management (#6011) * Update replicaset.md (#6009) * Update secret.md (#6008) * specify password for mysql image (#5990) * specify password for mysql image * specify password for mysql image * link error for run-stateless-application-deployment.md (#5985) * link error for run-stateless-application-deployment.md * link error for run-stateless-application-deployment.md * Add performance implications of inter-pod affinity/anti-affinity (#5979) * 404 monthly maintenance - October 2017 (#5977) * Updated redirects * More redirects * Add conjure-up to Turnkey Cloud Solutions list (#5973) * Add conjure-up to Turnkey Cloud Solutions list * Changed wording slightly * change the StatefulSet to ReplicaSet in reference (#5968) * Clarification of failureThreshold of probes (#5963) * Mention usage of block storage version param (#5925) Mention usage of block storage version (bs-version) parameter to workaround attachment issues using older K8S versions on an OpenStack cloud with path-based endpoints. 
Resolves: #5924 * Update sysctl-cluster.md (#5894) Include guide on enabling unsafe sysctls in minikube * Avoid Latin phrases & format note (#5889) * Avoid Latin phrases & format note according the Documentation Style Guide * Update scratch.md * Update scratch.md * resolves jekyll rendering error (#5976) - chinese isn't understood for keys in YAML frontmatter in jekyll, so replaced it with the english equivalent that doesn't throw the following error on rendering: Error reading file src/kubernetes.github.io/cn/docs/concepts/cluster-administration/device-plugins.md: (<unknown>): could not find expected ':' while scanning a simple key at line 4 column 1 * Change VM to pod. (#6022) * Add link to custom metrics. (#6023) * Rephrase core group. (#6024) * Added explanation on context to when joining (#6018) * Update create-cluster-kubeadm.md (#5761) Update Canal version in pod network apply commands * Fixes issue #5620 (#5869) * Fixes issue #5620 Signed-off-by: Brad Topol <btopol@us.ibm.com> * Restructured so that review process is for both current and upcoming releases. Added content describing the use of tech reviewers. * Removed incorrect Kubernetes reviewer link. * Fixed tech reviewer URL to now use website * Update pod-priority-preemption.md fix-wrong-link-to-pod-preemption * pod-security-policy.md: add links to the page about admission plugins. * Adding all files for BlaBlaCar case study (#5857) * Adding all files for BlaBlaCar case study * Update blablacar.html * Fix changed URL for google containers * Add /docs/reference/auto-generated directory * correct the downwardapi redirect * Remove links using "here" * Rename to /docs/reference/generated directory * add Concept template * Change title to just Ingress * Link mistake (#6038) * link mistake * link mistake * skip title check for skip_title_check.txt * skip title check for skip_title_check.txt * remove doesn't exist link. 
* Fix podpreset task (#5705) * Add a simple pod manifest to pod overview (#5986) * Split PodPreset concept out from task doc (#5984) * Add selector spec description (#5789) * Add selector spec description * Fix selector field explanation * Put orphaned topics in TOC. (#6051) * static-pod example bad format in the final page (#6050) * static-pod example bad format in the final page * static-pod example bad format in the final page * static-pod example bad format in the final page * static-pod example bad format in the final page * static-pod example bad format in the final page * Fix `backoffLimit` field misplacement (#6042) It should be placed in JobSpec according to: https://github.com/kubernetes/kubernetes/blob/master/api/swagger-spec/batch_v1.json#L1488-L1514 * Update addons.md (#6061) * add info about VMware NSX-T CNI plugin (#5987) * add info about VMware NSX-T CNI plugin Hello, I'm VMware Networking and Security Architect and would like to include short information about our CNI plugin implementation similar to what other vendors did Best regards Emil Gagala * Update networking.md * Update networking.md * Update networking.md * Update: Using universal zsh configuration (#5669) * Update install-kubectl.md Zsh is not only oh-my-zsh, so I added universal configuration for zsh that also can be used in prezto. * fix merge error after rebase * Operating etcd cluster for Kubernetes bad format in the final page (#6056) * Operating etcd cluster for Kubernetes bad format in the final page * Update configure-upgrade-etcd.md * Update configure-upgrade-etcd.md * Usage note and warning tags. (#6053) * Usage note and warning tags. 
* Update configure-upgrade-etcd.md * Update configure-upgrade-etcd.md * Document jekyll includes snippets * Add jekyll includes to docs home toc - Remove extra kubernetes home in toc * document docker cgroupdriver req (#5937) * Update test blacklists (#6063) * Update toc check blacklist * Update title check blacklist * wip * wip * Fix typo * Document unconfined apparmor profile * Revert "Document the unconfined profile for AppArmor" (#6268) * CRD Validation: remove alpha warning, change enable instructions to (#6066) disable * Documented service annotation for AWS ELB SSL policy * kubeadm: add a note about the new `--print-join-command` flag. This is a new flag for the `kubeadm token create` command. * Add a note to PDB page * Improve Kubeadm reference doc (#6103) * automatically-generated kubeadm reference doc * user-mantained kubeadm reference doc * Documentation for CSIPersistentVolume * change replicaset documentation to use apps/v1 APIs * Update service.md ipvs alpha version -> beta version * Updated Deployment concept docs (#6494) * Updated Deployment concept docs * Addressed comments * Documentation for volume scheduling alpha feature * Update admission control docs for webhooks * Improve DNS documentation (#6479) * update ds for 1.9 * Update service.md * Update service.md * Revert "begin updating webhook documentation" (#6575) * Update version numbers to include 1.9 (#6518) * Update site versions for 1.9 * Removed 1.4 docs * Update _config.yml * Update _config.yml * updates for raw block devices * rbac: docs for aggregated cluster roles (#6474) * Added IPv6 information for Kubelet arguments (#6498) * Added IPv6 info to kube-proxy arguments * Added IPv6 information for argument for kubelet * Update PVC resizing documentation (#6487) * Updates for Windows Server version 1709 with K8s v1.8 (#6180) * Updated for WSv1709 and K8s v1.8 * Updated picture and CNI config * Fixed formatting on CNI Config * Updated docs to reference Microsoft/SDN GitHub docs * fix typo 
* Workaround for Jekyllr frontmatter * Added section on features and limitations, with example yaml files. * Update index.md * Added kubeadm section, few other small fixes * Few minor grammar fixes * Update access-cluster.md with a comment that for IPv6 the user should use [::1] for the localhost * Addressed a number of issues brought up against the base PR * Fixed windows-host-setup link * Rewrite PodSecurityPolicy guide * Update index.md Signed-off-by: Alin Balutoiu <abalutoiu@cloudbasesolutions.com> Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org> * Spelling correction and sentence capitalization. - Corrected the spelling error for storing, was put in as 'stoing'. - Capitalized list items. - Added '.' at end of sentences in the list items. * Update index.md * Update index.md * Addressed comments and rebased * Fixed formatting * Fixed formatting * Updated header link * Updated hyperlinks * Updated warning * formatting * formatting * formatting * Revert "Update access-cluster.md with a comment that for IPv6" This reverts commit 31e4dbd. * Revert "fix typo" This reverts commit c056787. * Revert "Workaround for Jekyllr frontmatter" This reverts commit b84ac59. * Fixed grammatical issues and reverted non-related commits * Revert "Rewrite PodSecurityPolicy guide" This reverts commit 5d39cfe. * Revert "Spelling correction and sentence capitalization." This reverts commit 47eed43. * Fixed auto-numbering * Minor formatting updates * CoreDNS feature documentation (#6463) * Initial placeholder PR for CoreDNS feature documentation * Remove from admin, add content * Fix missing endcapture * Add to tasks.yml * Review feedback * Postpone Deletion of a Persistent Volume Claim in case It Is Used by a Pod (#6415) * Postpone Deletion of a Persistent Volume Claim in case It Is Used by a Pod A new feature PVC Protection was added into K8s 1.9 that's why this documentation change is needed. * Added tag at the top of each new area. 
* Fix typo * Fix: switched on in (all kubelets) -> (all K8s components). * Added link to admission controller * Moved PVC Protection configuration into Before you begin section. * Added steps how to verify PVC Protection feature. * Fixes for admission controller plugin description and for PVC Protection description in PVC lifecycle. * Testing official rendering of enumerations (1., 2., 3., etc.) * Re-write to address comments from review. * Fixed definition when a PVC is in active use by a pod. * Change auditing docs page for 1.9 release (#6427) * Change auditing docs page for 1.9 release Signed-off-by: Mik Vyatskov <vmik@google.com> * Address review comments Signed-off-by: Mik Vyatskov <vmik@google.com> * Address review comments Signed-off-by: Mik Vyatskov <vmik@google.com> * Address review comments Signed-off-by: Mik Vyatskov <vmik@google.com> * Fix broken link Signed-off-by: Mik Vyatskov <vmik@google.com> * short circuit deny docs (#6536) * line wrap * short circuit deny * address comments * Add kubeadm 1.9 upgrade docs (#6485) * kubeadm: Improve kubeadm documentation for v1.9 (#6645) * Update admission control docs for webhooks (re-send #6368) (#6650) * Update admission control docs for webhooks * update in response to comments * Revamp rkt and add CRI-O as alternative runtime (#6371) Signed-off-by: Lorenzo Fontana <lo@linux.com> * Documented NLB for Kubernetes 1.9 (#6260) * Added IPV6 information to setup cluster using kubeadm (#6465) * Added IPV6 information to setup cluster using kubeadm * Updated kubeadm.md & create-cluster-kubeadm.md with IPv6 related information * Added IPv6 options for kubeadm --init & automated address binding for kube-proxy based on version of IP configured for API server) * Changes to kubeadm.md as per comments * Modified kubeadm.md and create-cluster-kubeadm.md * Implemented changes requested by zacharysarah * Removed autogenerated kubeadm.md changes * StatefulSet 1.9 updates. 
(#6550) * updates sts concept and tutorials to use 1.9 apps/v1 * Update statefulset.md * clarify pod name label * Garbage collection updates for 1.9 (#6555) * 1.9 gc policy update * carify deletion * Couple nits for dnsConfig doc (#6652) * Add doc for AllowedFlexVolume (#6563) * Update OpenStack Cloud Provider API support for v1.9 (#6638) * Flex volume is GA. Remove alpha notation. (#6666) * Update generated ref docs for Kubernetes and Federation components. (#6658) * Update generated ref docs for Kubernetes and Federation components. * Rename kubectl-options to kubectl. * Add title to kubectl. * Fix double synopsis. * Update Federation API ref docs for 1.9. (#6636) * Update federation API ref docs. * Move and redirect. * Move generated Federation docs to the generated directory. * Fix titles. * Type * Fix titles * Update auto-generated Kubernetes APi ref docs. (#6646) * Update kubectl commands for 1.9 (#6635) * add ExtendedResourceToleration admission controller (#6618) * Update API reference paths for v1.9 (#6681)