Skip to content

Commit

Permalink
Merge 1.10 to master for release (#7861)
Browse files Browse the repository at this point in the history
* 1.10 update (#7151)

* Fix partition value expected behaviour explanation (#7123)

Fixes issue #7057

* Correct "On-Premise" to "On-Premises"

* Updates the Calico installation page (#7094)

* All files for Haufe Groups case study (#7051)

* Fix typo (#7127)

* fix typo of device-plugins.md (#7106)

* fix broken links (#7136)

* Updated configure-service-account (#7147)

Error from server resolved by escaping kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}' JSON string by '\'

* Remove docs related to 'require-kubeconfig' (#7138)

With kubernetes/kubernetes#58367 merged, v1.10 will not use the
"require-kubeconfig" flag. The flag has become a no-op solely to ensure
existing deployments won't break.

* Added Verification Scenario for a Pod that Uses a PVC in Terminating State (#7164)

The below PR:
kubernetes/kubernetes#55873
modified scheduler in such a way that scheduling of a pod that uses a PVC in Terminating state fails.

That's why verification of such scenario was added to documentation.

* fix LimitPodHardAntiAffinityTopology name (#7221)

* Document the removal of the KubeletConfigFile feature gate (#7140)

With kubernetes/kubernetes#58978 merged, the said feature gate is
removed. This PR removes texts related to the gate and revises the
Feature Gates reference to reflect this change.

* deprecate three admission controller (#7363)

* Document the removal of Accelerators feature gate (#7389)

The `Accelerators` feature gate will be removed in 1.11. 1.10 will be
its last mile.
References: kubernetes/kubernetes#57384

* Update local storage docs for beta (#7473)

* Document that HugePages feature gate is Beta (#7387)

The `HugePages` feature gate has graduated to Beta in v1.10. This PR
documents this fact.

* Add HyperVContainer feature gates (#7502)

* Remove the beta reference from Taints and Tolerations doc (#7493)

* Kms provider doc (#7479)

* Kms provider doc

* issue# 7399, Create KMS-provider.md and update encrypt-data.md

* address review comments

* Document that Device Plugin feature is Beta (1.10) (#7512)

* Add docs for CRD features for 1.10 (#7439)

* Add docs for CRD features for 1.10

* Add CustomResourcesSubresources to list of feature gates

* Add latest changes to custom resources doc

* Add crds as abbreviated alias (#7437)

* Bring PVC Protection Feature to Beta (#7165)

* Bring PVC Protection Feature to Beta

The PR: kubernetes/kubernetes#59052
brought PVC Protection feature to beta.

That's why the documentation is updated accordingly.

* The PVC Protection feature was renamed to Storage Protection. That's why the documentation is updated.

* promote PodNodeSelector to stable; document detailed behavior (#7134)

* promote PodNodeSelector to stable; document detailed behavior

* respond to feedback

* Update CPU manager feature enabling (#7390)

With `CPUManager` feature graduating to beta. No explicit enabling is
required starting v1.10.
References: kubernetes/kubernetes#55977

* Adding block volumeMode documentation for local volumes. (#7531)

Code review comments.

Changed property to field.

Address tech review comment.

* remove description kubectl --show-all (#7574)

--show-all has been deprecated and set to true by default.
kubernetes/kubernetes#60210

* fix description about contribute style guide (#7592)

* fix description about KUBECONFIG (#7589)

s/envrionment/environment

* fix description about cni (#7588)

s/simultanously/simultaneously/

* fix description about MutatingAdmissionWebhook and ValidatingAdmissionWebhook (#7587)

* fix description about persistent volume binding (#7590)

s/slighty/slightly/

* Doc change for configurable pod resolv.conf Beta (#7611)

* fix description about out of resource handling (#7597)

s/threshhold/threshold

* fix description about zookeeper (#7598)

s/achive/achieve

* fix description about kubeadm (#7594)

s/compatability/compatibility/

* fix description about kubeadm (#7593)

* fix description about kubeadm implementation details (#7595)

* fix description about api concepts (#7596)

* Storage Protection was renamed to Storage Object in Use Protection (#7576)

* Storage Protection was renamed to Storage Object in Use Protection

The K8s PR: kubernetes/kubernetes#59901
renamed Storage Protection to Storage Object in Use Protection.

That's why the same is also renamed in the documentation.

* Moved Storage Object in Use Protection admission plugin description down according to alphabetic order.

* Use PSP from policy API group. (#7562)

* update kubeletconfig docs for v1.10, beta (#7561)

* Update port-forwarding docs (#7575)

* add pv protection description (#7620)

* fix description about client library (#7634)

* Add docs on configuring NodePort IP (#7631)

* Document that LocalStorageCapacityIsolation is beta (#7635)

A follow-up to the kubernetes/kubernetes#60159 change which has promoted
the `LocalStorageCapacityIsolation` feature gate to Beta.

* Update CoreDNS docs for beta (#7638)

* Update CoreDNS docs for beta

* Review comments

* Fix typo (#7640)

* Update feature gates move to beta (#7662)

* Added the inability to use colon ':' character as environment variable names and described workaround (#7657)

* merge master to 1.10, with fixes (#7682)

* Flag names changed (s/admission-control/enable-admission-plugins); disable-admissions-plugin entry added; removed reference to admission controller/plugins requiring set order (for v1.10), redundant example enabling specific plugin, and redundant version-specific info (#7449)

* Documentation for MountPropagation beta (#7655)

* Remove job's scale-related operations (#7684)

* authentication: document client-go exec plugins (#7648)

* authentication: document client-go exec plugins

* Update authentication.md

* Update local ephemeral storage feature to beta (#7685)

Update local ephemeral storage feature to beta

* Update docs for windows container resources (#7653)

* add server-side print docs (#7671)

* Create a task describing Pod process namespace sharing (#7489)

* Add external metrics to HPA docs (#7664)

* Add external metrics to HPA docs

* Update horizontal-pod-autoscale-walkthrough.md

* Apply review comments to HPA walkthrough

* remove description about "scale jobs" (#7712)

* CSI Docs for K8s v1.10 (#7698)

* Add a warning about increased memory consumption for audit logging feature. (#7725)

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Update Audit Logging documentation for 1.10 (#7679)

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Fix stage names in audit logging documentation (#7746)

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Feature gate update for release 1.10 (#7742)

* State in the docs that the value of default Node labels are not reliable. (#7794)

* Kill the reference to --admission-control option (#7755)

The `--admission-control` option has been replaced by two new options in
v1.10. This PR kills the last appearance of the old option in the doc.

* Pvcprotection toc (#7807)

* Refreshing installation instructions (#7495)

* Refreshing installation instructions

Added conjure-up. Updated displays and juju versions to current versions.

* Updated anchors

* Fixed image value version typo (#7768)

Was inconsistent with other values

* Update flocker reference to the github repo (#7784)

* Fix typo in federation document (#7779)

* an user -> a user (#7778)

* Events are namespaced (#7767)

* fix 'monitoring' link lose efficacy problem' (#7764)

* docs/concepts/policy/pod-security-policy.md: minor fix. (#7659)

* Update downward-api-volume-expose-pod-information.md (#7771)

* Update downward-api-volume-expose-pod-information.md

The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact.

* Update downward-api-volume-expose-pod-information.md

One more spot needed fixing.

* Update downward-api-volume-expose-pod-information.md

Yet another fix, in the container example.

* Add Amadeus Case Study (#7783)

* Add Amadeus Case Study

* add Amadeus logo

* Fixed Cyrillic с in 'kube-proxy-cm' (#7787)

There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c.

* install-kubectl: choose one installation method (#7705)

The previous text layout suggested that all installations had to be done, one after another.

* Update install-kubeadm.md (#7781)

Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc.

* repair failure link (#7788)

* repair failure link

* repair failure link

* do change as required

* Update k8s201.md (#7777)

* Update k8s201.md

Change instructions to download yams files directly from the website (as used in other pages.)

Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step.

* Update k8s201.md

Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...)

* Gramatical fix to kompose introduction (#7792)

The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link.

* update amadeus.html (#7800)

* Fix a missing word in endpoint reconciler section (#7804)

* add toc entry for pvcprotection downgrade issue doc

* Pvcprotection toc (#7809)

* Refreshing installation instructions (#7495)

* Refreshing installation instructions

Added conjure-up. Updated displays and juju versions to current versions.

* Updated anchors

* Fixed image value version typo (#7768)

Was inconsistent with other values

* Update flocker reference to the github repo (#7784)

* Fix typo in federation document (#7779)

* an user -> a user (#7778)

* Events are namespaced (#7767)

* fix 'monitoring' link lose efficacy problem' (#7764)

* docs/concepts/policy/pod-security-policy.md: minor fix. (#7659)

* Update downward-api-volume-expose-pod-information.md (#7771)

* Update downward-api-volume-expose-pod-information.md

The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact.

* Update downward-api-volume-expose-pod-information.md

One more spot needed fixing.

* Update downward-api-volume-expose-pod-information.md

Yet another fix, in the container example.

* Add Amadeus Case Study (#7783)

* Add Amadeus Case Study

* add Amadeus logo

* Fixed Cyrillic с in 'kube-proxy-cm' (#7787)

There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c.

* install-kubectl: choose one installation method (#7705)

The previous text layout suggested that all installations had to be done, one after another.

* Update install-kubeadm.md (#7781)

Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc.

* repair failure link (#7788)

* repair failure link

* repair failure link

* do change as required

* Update k8s201.md (#7777)

* Update k8s201.md

Change instructions to download yams files directly from the website (as used in other pages.)

Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step.

* Update k8s201.md

Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...)

* Gramatical fix to kompose introduction (#7792)

The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link.

* update amadeus.html (#7800)

* Fix a missing word in endpoint reconciler section (#7804)

* add toc entry for pvcprotection downgrade issue doc

* revert TOC change

* Release 1.10 (#7818)

* Refreshing installation instructions (#7495)

* Refreshing installation instructions

Added conjure-up. Updated displays and juju versions to current versions.

* Updated anchors

* Fixed image value version typo (#7768)

Was inconsistent with other values

* Update flocker reference to the github repo (#7784)

* Fix typo in federation document (#7779)

* an user -> a user (#7778)

* Events are namespaced (#7767)

* fix 'monitoring' link lose efficacy problem' (#7764)

* docs/concepts/policy/pod-security-policy.md: minor fix. (#7659)

* Update downward-api-volume-expose-pod-information.md (#7771)

* Update downward-api-volume-expose-pod-information.md

The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact.

* Update downward-api-volume-expose-pod-information.md

One more spot needed fixing.

* Update downward-api-volume-expose-pod-information.md

Yet another fix, in the container example.

* Add Amadeus Case Study (#7783)

* Add Amadeus Case Study

* add Amadeus logo

* Fixed Cyrillic с in 'kube-proxy-cm' (#7787)

There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c.

* install-kubectl: choose one installation method (#7705)

The previous text layout suggested that all installations had to be done, one after another.

* Update install-kubeadm.md (#7781)

Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc.

* repair failure link (#7788)

* repair failure link

* repair failure link

* do change as required

* Update k8s201.md (#7777)

* Update k8s201.md

Change instructions to download yams files directly from the website (as used in other pages.)

Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step.

* Update k8s201.md

Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...)

* Gramatical fix to kompose introduction (#7792)

The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link.

* update amadeus.html (#7800)

* Fix a missing word in endpoint reconciler section (#7804)

* Partners page updates (#7802)

* Partners page updates

* Update to ZTE link

* Make using sysctls a task instead of a concept (#6808)

Closes: #4505

* add a note when mount a configmap to pod (#7745)

* adjust a note format (#7812)

* Update docker-cli-to-kubectl.md (#7748)

* Update docker-cli-to-kubectl.md

Edited the document for adherence to the style guide and word usage.

* Update docker-cli-to-kubectl.md

* Incorporated the changes suggested.

* Mount propagation update to include docker config (#7854)

* update overridden config for 1.10 (#7847)

* update overridden config for 1.10

* fix config file per comments

* Update Extended Resource doc wrt cluster-level resources (#7759)
  • Loading branch information
Bradamant3 authored and steveperry-53 committed Mar 27, 2018
1 parent 770440d commit 409e77d
Show file tree
Hide file tree
Showing 69 changed files with 2,043 additions and 400 deletions.
1 change: 1 addition & 0 deletions OWNERS
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ reviewers:
- tengqm
- zhangxiaoyu-zidif
- xiangpengzhao
- bradtopol
approvers:
- heckj
- bradamant3
Expand Down
18 changes: 9 additions & 9 deletions _config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,22 +13,27 @@ incremental: true
safe: false
lsi: false

latest: "v1.9"
latest: "v1.10"
defaults:
-
scope:
path: ""
values:
fullversion: "v1.9.0"
version: "v1.9"
fullversion: "v1.10.0"
version: "v1.10"
githubbranch: "master"
docsbranch: "master"
versions:
- fullversion: "v1.10.0"
version: "v1.10"
githubbranch: "v1.10.0"
docsbranch: "release-1.10"
url: https://kubernetes.io
- fullversion: "v1.9.0"
version: "v1.9"
githubbranch: "v1.9.0"
docsbranch: "release-1.9"
url: https://kubernetes.io
url: https://v1-9.docs.kubernetes.io
- fullversion: "v1.8.4"
version: "v1.8"
githubbranch: "v1.8.4"
Expand All @@ -44,11 +49,6 @@ defaults:
githubbranch: "v1.6.8"
docsbranch: "release-1.6"
url: https://v1-6.docs.kubernetes.io
- fullversion: "v1.5.7"
version: "v1.5"
githubbranch: "v1.5.7"
docsbranch: "release-1.5"
url: https://v1-5.docs.kubernetes.io
deprecated: false
currentUrl: https://kubernetes.io/docs/home/
nextUrl: http://kubernetes-io-vnext-staging.netlify.com/
Expand Down
6 changes: 3 additions & 3 deletions _data/reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,10 +32,10 @@ toc:
- docs/reference/workloads-18-19.md

- title: API Reference
landing_page: /docs/api-reference/v1.8/
landing_page: /docs/api-reference/v1.10/
section:
- title: v1.9
path: /docs/reference/generated/kubernetes-api/v1.9/
- title: v1.10
path: /docs/reference/generated/kubernetes-api/v1.10/
- docs/reference/labels-annotations-taints.md
- title: OpenAPI and Swagger
section:
Expand Down
5 changes: 5 additions & 0 deletions _data/setup.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,11 @@ toc:
- docs/imported/release/notes.md
- docs/setup/building-from-source.md

- title: Version 1.10 Troubleshooting
landing page: /docs/reference/pvc-finalizer-downgrade-issue/
section:
- docs/reference/pvc-finalizer-downgrade-issue.md

- title: Independent Solutions
landing_page: /docs/getting-started-guides/minikube/
section:
Expand Down
3 changes: 3 additions & 0 deletions _data/tasks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ toc:
- docs/tasks/configure-pod-container/configure-pod-initialization.md
- docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
- docs/tasks/configure-pod-container/configure-pod-configmap.md
- docs/tasks/configure-pod-container/share-process-namespace.md
- docs/tools/kompose/user-guide.md

- title: Inject Data Into Applications
Expand Down Expand Up @@ -163,6 +164,7 @@ toc:
- docs/tasks/administer-cluster/reserve-compute-resources.md
- docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods.md
- docs/tasks/administer-cluster/declare-network-policy.md
- docs/tasks/administer-cluster/kms-provider.md
- title: Install Network Policy Provider
section:
- docs/tasks/administer-cluster/calico-network-policy.md
Expand All @@ -184,6 +186,7 @@ toc:
- docs/tasks/administer-cluster/dns-custom-nameservers.md
- docs/tasks/administer-cluster/dns-debugging-resolution.md
- docs/tasks/administer-cluster/pvc-protection.md
- docs/tasks/administer-cluster/storage-object-in-use-protection.md

- title: Federation - Run an App on Multiple Clusters
landing_page: /docs/tasks/federation/set-up-cluster-federation-kubefed/
Expand Down
8 changes: 2 additions & 6 deletions cn/docs/admin/kubelet-authentication-authorization.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,9 @@ To enable X509 client certificate authentication to the kubelet's HTTPS endpoint
To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet's HTTPS endpoint:

* ensure the `authentication.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authentication-token-webhook`, `--kubeconfig`, and `--require-kubeconfig` flags
* start the kubelet with the `--authentication-token-webhook` and the `--kubeconfig` flags
* the kubelet calls the `TokenReview` API on the configured API server to determine user information from bearer tokens

**Note:** The flag `--require-kubeconfig` is deprecated as of Kubernetes 1.8, this will be removed in a future version. You no longer need to use `--require-kubeconfig` in Kubernetes 1.8.

## Kubelet authorization

Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is `AlwaysAllow`, which allows all requests.
Expand All @@ -51,11 +49,9 @@ There are many possible reasons to subdivide access to the kubelet API:
To subdivide access to the kubelet API, delegate authorization to the API server:

* ensure the `authorization.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authorization-mode=Webhook`, `--kubeconfig`, and `--require-kubeconfig` flags
* start the kubelet with the `--authorization-mode=Webhook` and the `--kubeconfig` flags
* the kubelet calls the `SubjectAccessReview` API on the configured API server to determine whether each request is authorized

**Note:** The flag `--require-kubeconfig` is deprecated as of Kubernetes 1.8, this will be removed in a future version. You no longer need to use `--require-kubeconfig` in Kubernetes 1.8.

The kubelet authorizes API requests using the same [request attributes](/docs/admin/authorization/#request-attributes) approach as the apiserver.

The verb is determined from the incoming request's HTTP verb:
Expand Down
1 change: 0 additions & 1 deletion cn/docs/admin/kubelet-tls-bootstrapping.md
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,6 @@ When starting the kubelet, if the file specified by `--kubeconfig` does not exis
**Note:** The following flags are required to enable this bootstrapping when starting the kubelet:

```
--require-kubeconfig
--bootstrap-kubeconfig="/path/to/bootstrap/kubeconfig"
```
Expand Down
2 changes: 1 addition & 1 deletion cn/docs/tasks/administer-cluster/kubelet-config-file.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ title: 通过配置文件设置 Kubelet 参数
## 启动通过配置文件配置的 Kubelet 进程


启动 Kubelet,需要打开 `KubeletConfigFile` 特性开关(feature gate)并将其 `--init-config-dir` 标志设置为包含 `kubelet` 文件的文件夹路径。Kubelet 将从 `kubelet` 文件中读取由 `KubeletConfiguration` 定义的参数,而不是从参数相关的命令行标志中读取。
启动 Kubelet 需要将其 `--init-config-dir` 标志设置为包含 `kubelet` 文件的文件夹路径。Kubelet 将从 `kubelet` 文件中读取由 `KubeletConfiguration` 定义的参数,而不是从参数相关的命令行标志中读取。

{% endcapture %}

Expand Down
2 changes: 1 addition & 1 deletion cn/docs/user-guide/kubectl-overview.md
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ Operation | Syntax | Description
`configmaps` |`cm`
`controllerrevisions` |
`cronjobs` |
`customresourcedefinition` |`crd`
`customresourcedefinition` |`crd`, `crds`
`daemonsets` |`ds`
`deployments` |`deploy`
`endpoints` |`ep`
Expand Down
76 changes: 44 additions & 32 deletions docs/admin/admission-controllers.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,8 +31,7 @@ controllers may modify the objects they admit; validating controllers may not.
The admission control process proceeds in two phases. In the first phase,
mutating admission controllers are run. In the second phase, validating
admission controllers are run. Note again that some of the controllers are
both. In both phases, the controllers are run in the order specified by the
`--admission-control` flag of `kube-apiserver`.
both.

If any of the controllers in either phase reject the request, the entire
request is rejected immediately and an error is returned to the end-user.
Expand All @@ -54,13 +53,12 @@ support all the features you expect.

## How do I turn on an admission controller?

The Kubernetes API server supports a flag, `admission-control` that takes a comma-delimited,
ordered list of admission control choices to invoke prior to modifying objects in the cluster.
For example, the following command line turns on the `NamespaceLifecycle` and the `LimitRanger`
admission controller:
The Kubernetes API server flag `enable-admission-plugins` takes a comma-delimited list of admission control plugins to invoke prior to modifying objects in the cluster.
For example, the following command line enables the `NamespaceLifecycle` and the `LimitRanger`
admission control plugins:

```shell
kube-apiserver --admission-control=NamespaceLifecyle,LimitRanger ...
kube-apiserver --enable-admission-plugins=NamespaceLifecyle,LimitRanger ...
```

**Note**: Depending on the way your Kubernetes cluster is deployed and how the
Expand All @@ -70,11 +68,19 @@ deployed as a systemd service, you may modify the manifest file for the API
server if Kubernetes is deployed in a self-hosted way.
{: .note}

## How do I turn off an admission controller?

The Kubernetes API server flag `disable-admission-plugins` takes a comma-delimited list of admission control plugins to be disabled, even if they are in the list of plugins enabled by default.

```shell
kube-apiserver --disable-admission-plugins=PodNodeSelector,AlwaysDeny ...
```

## What does each admission controller do?

### AlwaysAdmit
### AlwaysAdmit (DEPRECATED)

Use this admission controller by itself to pass-through all requests.
Use this admission controller by itself to pass-through all requests. AlwaysAdmit is DEPRECATED as no real meaning.

### AlwaysPullImages

Expand All @@ -86,9 +92,9 @@ scheduled onto the right node), without any authorization check against the imag
is enabled, images are always pulled prior to starting containers, which means valid credentials are
required.

### AlwaysDeny
### AlwaysDeny (DEPRECATED)

Rejects all requests. Used for testing.
Rejects all requests. AlwaysDeny is DEPRECATED as no real meaning.

### DefaultStorageClass

Expand Down Expand Up @@ -134,7 +140,7 @@ enabling this admission controller.

### EventRateLimit (alpha)

This admission controller is introduced in v1.9 to mitigate the problem where the API server gets flooded by
This admission controller mitigates the problem where the API server gets flooded by
event requests. The cluster admin can specify event rate limits by:

* Ensuring that `eventratelimit.admission.k8s.io/v1alpha1=true` is included in the
Expand Down Expand Up @@ -180,19 +186,15 @@ for more details.
### ExtendedResourceToleration
This plug-in is introduced in v1.9 to facilitate creation of dedicated nodes with extended resources.
This plug-in facilitates creation of dedicated nodes with extended resources.
If operators want to create dedicated nodes with extended resources (like GPUs, FPGAs etc.), they are expected to
taint the node with the extended resource name as the key. This admission controller, if enabled, automatically
adds tolerations for such taints to pods requesting extended resources, so users don't have to manually
add these tolerations.
### ImagePolicyWebhook
The ImagePolicyWebhook admission controller allows a backend webhook to make admission decisions. You enable this admission controller by setting the admission-control option as follows:
```shell
--admission-control=ImagePolicyWebhook
```
The ImagePolicyWebhook admission controller allows a backend webhook to make admission decisions.
#### Configuration File Format
Expand Down Expand Up @@ -314,7 +316,6 @@ In any case, the annotations are provided by the user and are not validated by K

### Initializers (alpha)

This admission controller is introduced in v1.7.
The admission controller determines the initializers of a resource based on the existing
`InitializerConfiguration`s. It sets the pending initializers by modifying the
metadata of the resource to be created.
Expand All @@ -331,7 +332,7 @@ The annotations added contain the information on what compute resources were aut

See the [InitialResources proposal](https://git.k8s.io/community/contributors/design-proposals/autoscaling/initial-resources.md) for more details.

### LimitPodHardAntiAffinity
### LimitPodHardAntiAffinityTopology

This admission controller denies any pod that defines `AntiAffinity` topology key other than
`kubernetes.io/hostname` in `requiredDuringSchedulingRequiredDuringExecution`.
Expand Down Expand Up @@ -414,27 +415,23 @@ This admission controller also protects the access to `metadata.ownerReferences[
of an object, so that only users with "update" permission to the `finalizers`
subresource of the referenced *owner* can change it.

### Persistent Volume Claim Protection (alpha)
{% assign for_k8s_version="v1.9" %}{% include feature-state-alpha.md %}
The `PVCProtection` plugin adds the `kubernetes.io/pvc-protection` finalizer to newly created Persistent Volume Claims (PVCs). In case a user deletes a PVC the PVC is not removed until the finalizer is removed from the PVC by PVC Protection Controller. Refer to the [PVC Protection](/docs/concepts/storage/persistent-volumes/#persistent-volume-claim-protection) for more detailed information.

### PersistentVolumeLabel
### PersistentVolumeLabel (DEPRECATED)

This admission controller automatically attaches region or zone labels to PersistentVolumes
as defined by the cloud provider (for example, GCE or AWS).
It helps ensure the Pods and the PersistentVolumes mounted are in the same
region and/or zone.
If the admission controller doesn't support automatic labelling your PersistentVolumes, you
may need to add the labels manually to prevent pods from mounting volumes from
a different zone.
a different zone. PersistentVolumeLabel is DEPRECATED and labeling persistent volumes has been taken over by [cloud controller manager](/docs/tasks/administer-cluster/running-cloud-controller/).

### PodNodeSelector

This admission controller defaults and limits what node selectors may be used within a namespace by reading a namespace annotation and a global configuration.

#### Configuration File Format

PodNodeSelector uses a configuration file to set options for the behavior of the backend.
`PodNodeSelector` uses a configuration file to set options for the behavior of the backend.
Note that the configuration file format will move to a versioned file in a future release.
This file may be json or yaml and has the following format:

Expand All @@ -445,7 +442,7 @@ podNodeSelectorPluginConfig:
namespace2: <node-selectors-labels>
```

Reference the PodNodeSelector configuration file from the file provided to the API server's command line flag `--admission-control-config-file`:
Reference the `PodNodeSelector` configuration file from the file provided to the API server's command line flag `--admission-control-config-file`:

```yaml
kind: AdmissionConfiguration
Expand All @@ -457,7 +454,7 @@ plugins:
```

#### Configuration Annotation Format
PodNodeSelector uses the annotation key `scheduler.alpha.kubernetes.io/node-selector` to assign node selectors to namespaces.
`PodNodeSelector` uses the annotation key `scheduler.kubernetes.io/node-selector` to assign node selectors to namespaces.

```yaml
apiVersion: v1
Expand All @@ -468,6 +465,19 @@ metadata:
name: namespace3
```

#### Internal Behavior
This admission controller has the following behavior:
1. If the `Namespace` has an annotation with a key `scheduler.kubernetes.io/nodeSelector`, use its value as the
node selector.
1. If the namespace lacks such an annotation, use the `clusterDefaultNodeSelector` defined in the `PodNodeSelector`
plugin configuration file as the node selector.
1. Evaluate the pod's node selector against the namespace node selector for conflicts. Conflicts result in rejection.
1. Evaluate the pod's node selector against the namespace-specific whitelist defined the plugin configuration file.
Conflicts result in rejection.

**Note:** `PodTolerationRestriction` is more versatile and powerful than `PodNodeSelector` and can encompass the scenarios supported by `PodNodeSelector`.
{: .note}

### PersistentVolumeClaimResize

This admission controller implements additional validations for checking incoming `PersistentVolumeClaim` resize requests.
Expand Down Expand Up @@ -545,8 +555,6 @@ objects in your Kubernetes deployment, you MUST use this admission controller to

See the [resourceQuota design doc](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_resource_quota.md) and the [example of Resource Quota](/docs/concepts/policy/resource-quotas/) for more details.

It is strongly encouraged that this admission controller is configured last in the sequence of admission controllers. This is
so that quota is not prematurely incremented only for the request to be rejected later in admission control.

### SecurityContextDeny

Expand All @@ -557,6 +565,10 @@ This admission controller will deny any pod that attempts to set certain escalat
This admission controller implements automation for [serviceAccounts](/docs/user-guide/service-accounts).
We strongly recommend using this admission controller if you intend to make use of Kubernetes `ServiceAccount` objects.

### Storage Object in Use Protection (beta)
{% assign for_k8s_version="v1.10" %}{% include feature-state-beta.md %}
The `StorageObjectInUseProtection` plugin adds the `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection` finalizers to newly created Persistent Volume Claims (PVCs) or Persistent Volumes (PV). In case a user deletes a PVC or PV the PVC or PV is not removed until the finalizer is removed from the PVC or PV by PVC or PV Protection Controller. Refer to the [Storage Object in Use Protection](/docs/concepts/storage/persistent-volumes/#storage-object-in-use-protection) for more detailed information.

### ValidatingAdmissionWebhook (alpha in 1.8; beta in 1.9)

This admission controller calls any validating webhooks which match the request. Matching
Expand All @@ -577,7 +589,7 @@ versions >= 1.9).
## Is there a recommended set of admission controllers to use?

Yes.
For Kubernetes >= 1.9.0, we strongly recommend running the following set of admission controllers (order matters):
For Kubernetes >= 1.9.0, we strongly recommend running the following set of admission controllers (order matters for 1.9 but not >1.10):

```shell
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
Expand Down
Loading

0 comments on commit 409e77d

Please sign in to comment.