Merge pull request #26801 from pohly/generic-ephemeral-volumes-beta

generic ephemeral volumes: beta
kubernetes · Mar 25, 2021 · d53aef4 · d53aef4
2 parents 5027422 + 4021005
commit d53aef4
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 9 deletions.
diff --git a/content/en/docs/concepts/storage/ephemeral-volumes.md b/content/en/docs/concepts/storage/ephemeral-volumes.md
@@ -131,12 +131,16 @@ As a cluster administrator, you can use a [PodSecurityPolicy](/docs/concepts/pol
 ### Generic ephemeral volumes
 
 {{< feature-state for_k8s_version="v1.19" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.21" state="beta" >}}
 
 This feature requires the `GenericEphemeralVolume` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) to be
-enabled. Because this is an alpha feature, it is disabled by default.
+enabled. Because this is a beta feature, it is enabled by default.
+
+Generic ephemeral volumes are similar to `emptyDir` volumes in the
+sense that they provide a per-pod directory for scratch data that is
+usually empty after provisioning. But they may also have additional
+features:
 
-Generic ephemeral volumes are similar to `emptyDir` volumes, just more
-flexible:
 - Storage can be local or network-attached.
 - Volumes can have a fixed size that Pods are not able to exceed.
 - Volumes may have some initial data, depending on the driver and
@@ -242,14 +246,16 @@ PVCs indirectly if they can create Pods, even if they do not have
 permission to create PVCs directly. Cluster administrators must be
 aware of this. If this does not fit their security model, they have
 two choices:
-- Explicitly disable the feature through the feature gate, to avoid
-  being surprised when some future Kubernetes version enables it
-  by default.
+- Explicitly disable the feature through the feature gate.
 - Use a [Pod Security
   Policy](/docs/concepts/policy/pod-security-policy/) where the
-  `volumes` list does not contain the `ephemeral` volume type.
+  `volumes` list does not contain the `ephemeral` volume type
+  (deprecated in Kubernetes 1.21).
+- Use an [admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/)
+  which rejects objects like Pods that have a generic ephemeral
+  volume.
 
-The normal namespace quota for PVCs in a namespace still applies, so
+The normal [namespace quota for PVCs](/docs/concepts/policy/resource-quotas/#storage-resource-quota) still applies, so
 even if users are allowed to use this new mechanism, they cannot use
 it to circumvent other policies.
 

diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -118,7 +118,8 @@ different Kubernetes components.
 | `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.10 |
 | `ExpandPersistentVolumes` | `true` | Beta | 1.11 | |
 | `ExperimentalHostUserNamespaceDefaulting` | `false` | Beta | 1.5 | |
-| `GenericEphemeralVolume` | `false` | Alpha | 1.19 | |
+| `GenericEphemeralVolume` | `false` | Alpha | 1.19 | 1.20 |
+| `GenericEphemeralVolume` | `true` | Beta | 1.21 | |
 | `GracefulNodeShutdown` | `false` | Alpha | 1.20 | |
 | `HPAContainerMetrics` | `false` | Alpha | 1.20 | |
 | `HPAScaleToZero` | `false` | Alpha | 1.16 | |