Encrypting secrets at rest and cluster security guide #4181
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
cncf-cla: yes
|
Still WIP, need to complete the sections @destijl @sakshamsharma for encrypt at rest |
|
Sections are complete |
|
FYI, moving this into the |
chenopis
reviewed
Jun 25, 2017
| ``` | ||
|
|
||
| and restart all `kube-apiserver` processes. Then run the command `kubectl get secrets -o json | kubectl update -f -` | ||
| to force all secrets to be decrypted. |
There was a problem hiding this comment.
You need to close this section w/ a {% endcapture %} tag and add the include for the Task template {% include templates/task.md %}, i.e.:
and restart all `kube-apiserver` processes. Then run the command `kubectl get secrets -o json | kubectl update -f -`
to force all secrets to be decrypted.
{% endcapture %}
{% include templates/task.md %}
|
@smarterclayton You'll also need to add entries for these docs in the Tasks table of contents file, |
|
@smarterclayton FYI, all feedback must be addressed and LGTMs given by EOD Tue, June 27th so that this can be merged for the 1.7 release on June 28th. |
cody-clark
suggested changes
Jun 26, 2017
There was a problem hiding this comment.
Some minor edits according to the style guide, for phrasing, and formatting @chenopis
| but not both in the same item). | ||
|
|
||
| The first provider in the list will be used to encrypt resources going into storage. When reading | ||
| resources from storage the providers will be attempted in order to decrypt data. If no provider |
There was a problem hiding this comment.
[RW] When reading resources from storage, the providers attempt to decrypt the data in order.
Avoids future tense and adds comma
| providers. Only one provider type may be specified per entry (`identity` or `aescbc` may be provided, | ||
| but not both in the same item). | ||
|
|
||
| The first provider in the list will be used to encrypt resources going into storage. When reading |
There was a problem hiding this comment.
[RW] The first provider in the list is used to encrypt resources going into storage.
Avoids future tense
|
|
||
| The first provider in the list will be used to encrypt resources going into storage. When reading | ||
| resources from storage the providers will be attempted in order to decrypt data. If no provider | ||
| can read the stored data, an error will be returned which will prevent clients from accessing that |
There was a problem hiding this comment.
[RW] ...an error is returned which prevents clients from accessing that resource.
avoids future tense
| can read the stored data, an error will be returned which will prevent clients from accessing that | ||
| resource. | ||
|
|
||
| IMPORTANT: If any resource is not readable via the encryption config (because keys were changed), |
There was a problem hiding this comment.
[format] IMPORTANT:
The more we offset this text the more likely a user will notice it
| Set the `--experimental-encryption-provider-config` flag on the `kube-apiserver` to point to the location | ||
| of the config file and restart your API server. | ||
|
|
||
| IMPORTANT: Your config file contains keys that can decrypt the content in etcd and should be properly |
There was a problem hiding this comment.
[format and concision] IMPORTANT: Your config file contains keys that can decrypt content in etcd, so you must properly restrict permissions on your masters so only the user who runs the kube-apiserver can read it.
| provide against the possible risk to your security posture. When in doubt, disable features you | ||
| do not use. | ||
|
|
||
| ### Rotate infrastructure credentials frequently |
There was a problem hiding this comment.
Is there content for this heading?
There was a problem hiding this comment.
Now there is
There was a problem hiding this comment.
Perfect, thanks @smarterclayton!
| the only recourse is to delete that key from the underlying etcd directly. Calls that attempt to | ||
| read that resource will fail until it is deleted or a valid decryption key is provided. | ||
|
|
||
| ### Providers: |
There was a problem hiding this comment.
This might be better represented in a table
Name | Encryption | Byte Key | Speed/ Other Considerations
| - identity: {} | ||
| ``` | ||
|
|
||
| To create a new secret, generate a 32 byte random key and base64 encode it. On Linux or Mac OS X, the |
There was a problem hiding this comment.
[format] Since the following steps are sequential, they belong in an ordered list
To create a new secret, perform the following steps:
- Generate a 32 byte random key then base64 encode it. If you're on Linux or Mac OS X, run the following command:
head -c 32 /dev/urandom | base64 -i - -o -
- Place that value in the secret field
- Set the.....
| updated secret should be encrypted when stored. To check, you can use the `etcdctl` command line | ||
| program to retrieve the contents of your secret. | ||
|
|
||
| Create a new secret called `secret1` in the `default` namespace: |
There was a problem hiding this comment.
[format] Make numbered list
- Create a new secret called
secret1in thedefaultnamespace:
kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
- Read that secret out of etcd using the etcdctl command line:
ETCDCTL_API=3 etcdctl get /kubernetes.io/secrets/default/secret1 [...] | hexdump -C
[. . .]must be...
- Verify the secret...
|
|
||
| ### API Authentication | ||
|
|
||
| When a cluster is installed, choose an appropriate authentication mechanism for the API servers to use that |
There was a problem hiding this comment.
[RW - clarity] Choose an authentication mechanism for the API servers to use that matches the common access patterns when you install a cluster.
| resource. | ||
|
|
||
| IMPORTANT: If any resource is not readable via the encryption config (because keys were changed), | ||
| the only recourse is to delete that key from the underlying etcd directly. Calls that attempt to |
There was a problem hiding this comment.
s/delete that key/delete that resource if I interpret this correctly?
There was a problem hiding this comment.
Yes, but you will not be able to delete it via the API
| * It is the recommended choice for encryption at rest but may be slightly slower than `secretbox`. | ||
| * It requires 32 byte keys | ||
| * `aesgcm` uses AES in GCM mode with a randomly assigned nonce | ||
| * This mode is the fastest, but is not recommended for use except when an automated key rotation scheme is implemented. * Because these nonces are small the secret key must be rotated frequently - at most every 200k writes. |
There was a problem hiding this comment.
Were these 2 different bullet points which got merged into one? There seems to be a wayward * in the middle. Also, the sentence after that ampersand does not seem like a standalone sentence, because it starts with Because. Something like:
* Since these nonces are small, the secret key must be rotated frequently.
|
Updated with review comments |
|
Ah, sorry, applied to the other but left securing-a-cluster |
|
No worries, the content's solid and that's what matters most! Thanks! |
|
@ericchiang @sakshamsharma Is this Tech LGTM? |
|
"Securing a cluster" doc lgtm |
|
Ok, so we still need Tech LGTMs for both of them. |
liggitt
reviewed
Jun 28, 2017
| `aesgcm` | AES-GCM with random nonce | Must be rotated every 200k writes | Fastest | 16, 24, or 32-byte | Is not recommended for use except when an automated key rotation scheme is implemented. | ||
|
|
||
| Each provider supports multiple keys - the keys are tried in order for decryption, and if the provider | ||
| is the first provider the first key is used for decryption. |
liggitt
reviewed
Jun 28, 2017
| should match `mykey: mydata` | ||
|
|
||
|
|
||
| ## Ensuring all secrets to be encrypted |
There was a problem hiding this comment.
changed to Ensure all secrets are encrypted
liggitt
reviewed
Jun 28, 2017
| All API clients must be authenticated, even those that are part of the infrastructure like nodes, | ||
| proxies, the scheduler, and volume plugins. These clients are typically [service accounts](/docs/admin/service-accounts-admin.md) and are created automatically at cluster startup. | ||
|
|
||
| Consult the [authentication reference document](/docs/admin/authentication.md) for more information. |
There was a problem hiding this comment.
links on the site don't end in .md, prefer /docs/admin/authentication/, etc
There was a problem hiding this comment.
updated links to use trailing / instead of .md
liggitt
reviewed
Jun 28, 2017
| other places. For instance, a user may not be able to create pods directly, but allowing them to | ||
| create a deployment (which creates pods on their behalf) will let them create those pods | ||
| indirectly. Likewise deleting a node from the API will result in the pods scheduled to that node | ||
| being terminated and recreated on other nodes. The out of the box roles represent a compromise |
liggitt
reviewed
Jun 28, 2017
| create a deployment (which creates pods on their behalf) will let them create those pods | ||
| indirectly. Likewise deleting a node from the API will result in the pods scheduled to that node | ||
| being terminated and recreated on other nodes. The out of the box roles represent a compromise | ||
| between flexibility and the common use cases, but more limited roles should be carefully reviewed |
There was a problem hiding this comment.
I'm not sure what this is saying... is this talking about roles they create themselves? I think it would be good to mention that they are able to make roles specific to their use cases if the out-of-box ones don't meet their needs.
liggitt
reviewed
Jun 28, 2017
| that allows it to request access to running as a specific Linux user on a node (like root), | ||
| access to run privileged or access the host network, and other controls that would otherwise | ||
| allow it to run unfettered on a hosting node. [Pod security policies](/docs/concepts/policy/pod-security-policy.md) | ||
| can limit which users or service accounts can provide dangerous security context settings. |
There was a problem hiding this comment.
should mention volume mounts (especially hostPath) as an aspect of a pod that should be controlled, and that PSP can limit that as well
liggitt
reviewed
Jun 28, 2017
|
|
||
| ### Restricting network access | ||
|
|
||
| The [network policy](/docs/tasks/administer-cluster/declare-network-policy.md) for a namespace |
There was a problem hiding this comment.
nit: "The network policies..."?
liggitt
reviewed
Jun 28, 2017
|
|
||
| ### Controlling which nodes pods may access | ||
|
|
||
| By default there are no limits on which nodes a pod may run. Kubernetes offers a |
There was a problem hiding this comment.
no restrictions on which nodes may run a pod
liggitt
reviewed
Jun 28, 2017
| that are available to end users. For many clusters use of these policies to separate workloads | ||
| can be a convention that authors adopt or enforce via tooling. | ||
|
|
||
| As an administrator, a beta admission plugin `PodNodeSelector` can be used to force pods |
There was a problem hiding this comment.
did you want to mention the flip side PodTolerationRestriction plugin and talk about tainting nodes and preventing pods from tolerating taints?
There was a problem hiding this comment.
Can you suggest some wording for that?
There was a problem hiding this comment.
Maybe as a follow up.
liggitt
reviewed
Jun 28, 2017
| lifetimes where possible. If you use service account tokens in external integrations plan to | ||
| rotate those tokens frequently. | ||
|
|
||
| ### Review third party integrations before enabling them |
There was a problem hiding this comment.
Not sure if it belongs here or in its own section, but anything created with kubectl create -f ... should be reviewed first... the more security aspects of a cluster can be driven via APIs, the more things a blind create of unreviewed objects could affect.
A parallel recommendation would be to use a read-only or lower-powered user for normal operations and to perform cluster-admin operations with separate credentials (kubectl create -f ... --kubeconfig=admin.kubeconfig) or via impersonation (kubectl create -f ... --as=cluster-admin-user)
There was a problem hiding this comment.
Can you write something up that I can drop in for this?
liggitt
reviewed
Jun 28, 2017
| an authentication provider that can control how long issued tokens are available and use short | ||
| lifetimes where possible. If you use service account tokens in external integrations plan to | ||
| rotate those tokens frequently. | ||
|
|
There was a problem hiding this comment.
As an example, a bootstrap token used for setting up nodes should be revoked or its authorization removed once the bootstrap phase is complete.
liggitt
reviewed
Jun 28, 2017
| ### API Authorization | ||
|
|
||
| Once authenticated, every API call is also expected to pass an authorization check. Kubernetes ships an | ||
| integrated Role-Based Access Control (RBAC) component that matches an incoming user or group to a |
There was a problem hiding this comment.
If we're going to call out RBAC specifically here, we should probably also mention/link the Node authorizer and NodeRestriction admission plugin. The recommendation is to use the Node and RBAC authorizers together, in combination with the NodeRestriction admission plugin.
There was a problem hiding this comment.
added links and recommendation
There was a problem hiding this comment.
That can be a follow up - I'll review a PR
liggitt
reviewed
Jun 28, 2017
| allow users to be subdivided into groups. | ||
|
|
||
| All API clients must be authenticated, even those that are part of the infrastructure like nodes, | ||
| proxies, the scheduler, and volume plugins. These clients are typically [service accounts](/docs/admin/service-accounts-admin.md) and are created automatically at cluster startup. |
There was a problem hiding this comment.
"...are typically service accounts" - or use x509 client certificates
"and are created automatically at cluster startup" - or are set up as part of the cluster installation
liggitt
reviewed
Jun 28, 2017
| your backups using a well reviewed backup and encryption solution, and consider using full disk | ||
| encryption where possible. | ||
|
|
||
| Kubernetes 1.7 contains an alpha feature that will encrypt `Secret` resources in etcd, preventing |
|
some suggestions and nits, looks good overall. |
|
I was told @smarterclayton is unavailable today, so I'm going to merge this and incorporate the feedback from @liggitt in a follow-up PR. |
Merged
chenopis
added a commit
that referenced
this pull request
Jun 28, 2017
dchen1107
pushed a commit
that referenced
this pull request
Jun 30, 2017
* Minor fixes in the Deployment doc Signed-off-by: Michail Kargakis <mkargaki@redhat.com> * add NodeRestriction to admission-controllers (#3842) * Admins Can Configure Zones in Storage Class The PR #38505 (kubernetes/kubernetes#38505) added zones optional parameter to Storage Class for AWS and GCE provisioners. That's why documentation needs to be updated accordingly. * document custom resource definitions * add host paths to psp (#3971) * add host paths to psp * add italics * Update ConfigMap doc to explain TTL-based cache updates (#3989) * Update ConfigMap doc to explain TTL-based cache updates * swap word order Change "When a ConfigMap being already consumed..." to "When a ConfigMap already being consumed..." * Update NetworkPolicy docs for v1 * StorageOS Volume plugin * Update GPU docs * docs: HPA autoscaling/v2alpha1 status conditions This commit documents the new status conditions feature for HPA autoscaling/v2alpha1. It demonstrates how to get the status conditions using `kubectl describe`, and how to interpret them. * Update description about NodeRestriction kubelet node can alse create mirror pods for their own static pods. * adding storage as a supported resource to node allocatable Signed-off-by: Vishnu kannan <vishnuk@google.com> * Add documentation for podpreset opt-out annotation This adds the annotation for having the podpreset admission controller to skip (opt-out) manipulating the pod spec. Also, the annotation format for what presets have acted on a pod has been modified to add a prefix of "podpreset-". The new naming makes it such that there is no chance of collision with the newly introduced opt-out annotation (or future ones yet to be added). Opt-out annotation PR: kubernetes/kubernetes#44965 * Update PDB documentation to explain new field (#3885) * update-docs-pdb * Addressed erictune@'s comments * Fix title and add a TOC to the logging concept page * Patch #4118 for typos * Describe setting coredns server in nameserver resolv chain * Address comments in PR #3997. Comment is in https://github.com/kubernetes/kubernetes.github.io/pull/3997/files/f6eb59c67e28efc298c87b1ef49a96bc6adacd1e#diff-7a14981f3dd8eb203f897ce6c11d9828 * Update task for DaemonSet history and rollback (#4098) * Update task for DaemonSet history and rollback Also remove mentions of templateGeneration field because it's deprecated * Address comments * removed lt and gt as operators (#4152) * removed lt and gt as operators * replace lt and gt for node-affinfity * updated based on bsalamat review * Initial draft of upgrade guide for kubeadm clusters. In-place upgrades are supported between 1.6 and 1.7 releases. Rollback instructions to come in a separate commit. Fixes kubernetes/kubeadm#278 * Add local volume documentation (#4050) * Add local volume documentation * Add PV local volume example * Patch PR #3999 * Add documentation for Stackdriver event exporter * Add documentation about controller metrics * Federation: Add task for setting up placement policies (#4075) * Add task for setting up placement policies * Update version of management sidecar in policy engine deployment * Address @nikhiljindal's comments - Lower case filenames - Comments in policy - Typo fixes - Removed type LoadBalancer from OPA Service * Add example that sets cluster selector Per-@nikhiljindal's suggestion * Fix wording and templating per @chenopis * PodDisruptionBudget documentation Improvements (#4140) * Changes from #3885 Title: Update PDB documentation to explain new field Author: foxish * Added Placeholder Disruptions Concept Guide New file: docs/concepts/workloads/pods/disruptions.md Intented contents: concept for Pod Disruption Budget, cross reference to Eviction and Preemption docs. Linked from: concepts > workloads > pods * Added placeholder Configuring PDB Task New file: docs/tasks/run-application/configure-pdb.md Intented contents: task for writing a Pod Disruption Budget. Linked from: tasks > configuring-applications > configure pdb. * Add refs to the "drain a node" task. * Refactor PDB docs. Move the "Requesting an eviction" section from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md -- which is going away -- to: docs/tasks/administer-cluster/safely-drain-node.md The move is verbatim, except for an introductory sentence. Also added assignees. * Refactor of PDB docs Moved the section: Specifying a PodDisruptionBudget from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md to: docs/tasks/run-application/configure-pdb.md because that former file is going away. Move is verbatim. * Explain how Eviction tools should handle failures * Refactor PDB docs Move text from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md to: docs/concepts/workloads/pods/disruptions.md Delete the now empty: docs/tasks/administer-cluster/configure-pod-disruption-budget.md Added a redirects_from section to the new doc, containing the path of the now-deleted doc, plus all the redirects from the deleted doc. * Expand PDB Concept guide Building on a little content from the old task, greatly expanded the Disruptions concept guide, including an abstract example. * Update creating a pdb Task. * Address review comments. * Fixed for all cody-clark's review comments * Address review comments from mml * Address review comments from maisem * Fix missing backtick * Api and Kubectl reference docs updates for 1.7 (#4193) * Fix includes groups * Generated kubectl docs for 1.7 * Generated references docs for 1.7 api * Document node authorization mode * API Aggregator (#4173) * API Aggregator * Additional bullet points * incorporated feedback for apiserver-aggregation.md * split setup-api-aggregator.md into two docs and address feedback * fix link * addressed docs feedback * incorporate feedback * integrate feedback * Add documentation for DNS stub domains (#4063) * Add documentation for DNS stub domains * add additional prereq * fix image path * review feedback * minor grammar and style nits * documentation for using hostAliases to manage hosts file (#4080) * documentation for using hostAliases to manage hosts file * add to table of contents * review comments * update the right command to see hosts file * reformat doc based on suggestion and change some wording * Fix typo for #4080 * Patch PR #4063 * Fix wording in placement policy task introduction * Add update to statefulset concepts and basic tutorial (#4174) * Add update to statefulset concpets and basic tutorial * Address tech comments. * Update ESIPP docs for new added API fields * Custom resource docs * update audit document with advanced audit features added in 1.7 * kubeadm v1.7 documentation updates (#4018) * v1.7 updates for kubeadm * Address review comments * Address Luke's comments * Encrypting secrets at rest and cluster security guide * Edits for Custom DNS Documentation (#4207) * reorganize custom dns doc * format fixes * Update version numbers to 1.7 * Patch PR #4140 (#4215) * Patch PR #4140 * fix link and typos * Update PR template * Update TLS bootstrapping with 1.7 features This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. * Federated ClusterSelector formatting updates from review * complete PR #4181 (#4223) * complete PR #4181 * fix security link * Extensible admission controller (#4092) * extensible-admission-controllers * Update extensible-admission-controllers.md * more on initializers * fixes * Expand external admission webhooks documentation * wrap at 80 chars * more * add reference * Use correct apigroup for network policy * Docs changes to PR #4092 (#4224) * Docs changes to PR #4092 * address feedback * add doc for --as-group in cli Add doc for this pr: kubernetes/kubernetes#43696
jesscodez
pushed a commit
that referenced
this pull request
Sep 22, 2017
jesscodez
pushed a commit
that referenced
this pull request
Sep 22, 2017
* Minor fixes in the Deployment doc Signed-off-by: Michail Kargakis <mkargaki@redhat.com> * add NodeRestriction to admission-controllers (#3842) * Admins Can Configure Zones in Storage Class The PR #38505 (kubernetes/kubernetes#38505) added zones optional parameter to Storage Class for AWS and GCE provisioners. That's why documentation needs to be updated accordingly. * document custom resource definitions * add host paths to psp (#3971) * add host paths to psp * add italics * Update ConfigMap doc to explain TTL-based cache updates (#3989) * Update ConfigMap doc to explain TTL-based cache updates * swap word order Change "When a ConfigMap being already consumed..." to "When a ConfigMap already being consumed..." * Update NetworkPolicy docs for v1 * StorageOS Volume plugin * Update GPU docs * docs: HPA autoscaling/v2alpha1 status conditions This commit documents the new status conditions feature for HPA autoscaling/v2alpha1. It demonstrates how to get the status conditions using `kubectl describe`, and how to interpret them. * Update description about NodeRestriction kubelet node can alse create mirror pods for their own static pods. * adding storage as a supported resource to node allocatable Signed-off-by: Vishnu kannan <vishnuk@google.com> * Add documentation for podpreset opt-out annotation This adds the annotation for having the podpreset admission controller to skip (opt-out) manipulating the pod spec. Also, the annotation format for what presets have acted on a pod has been modified to add a prefix of "podpreset-". The new naming makes it such that there is no chance of collision with the newly introduced opt-out annotation (or future ones yet to be added). Opt-out annotation PR: kubernetes/kubernetes#44965 * Update PDB documentation to explain new field (#3885) * update-docs-pdb * Addressed erictune@'s comments * Fix title and add a TOC to the logging concept page * Patch #4118 for typos * Describe setting coredns server in nameserver resolv chain * Address comments in PR #3997. Comment is in https://github.com/kubernetes/kubernetes.github.io/pull/3997/files/f6eb59c67e28efc298c87b1ef49a96bc6adacd1e#diff-7a14981f3dd8eb203f897ce6c11d9828 * Update task for DaemonSet history and rollback (#4098) * Update task for DaemonSet history and rollback Also remove mentions of templateGeneration field because it's deprecated * Address comments * removed lt and gt as operators (#4152) * removed lt and gt as operators * replace lt and gt for node-affinfity * updated based on bsalamat review * Initial draft of upgrade guide for kubeadm clusters. In-place upgrades are supported between 1.6 and 1.7 releases. Rollback instructions to come in a separate commit. Fixes kubernetes/kubeadm#278 * Add local volume documentation (#4050) * Add local volume documentation * Add PV local volume example * Patch PR #3999 * Add documentation for Stackdriver event exporter * Add documentation about controller metrics * Federation: Add task for setting up placement policies (#4075) * Add task for setting up placement policies * Update version of management sidecar in policy engine deployment * Address @nikhiljindal's comments - Lower case filenames - Comments in policy - Typo fixes - Removed type LoadBalancer from OPA Service * Add example that sets cluster selector Per-@nikhiljindal's suggestion * Fix wording and templating per @chenopis * PodDisruptionBudget documentation Improvements (#4140) * Changes from #3885 Title: Update PDB documentation to explain new field Author: foxish * Added Placeholder Disruptions Concept Guide New file: docs/concepts/workloads/pods/disruptions.md Intented contents: concept for Pod Disruption Budget, cross reference to Eviction and Preemption docs. Linked from: concepts > workloads > pods * Added placeholder Configuring PDB Task New file: docs/tasks/run-application/configure-pdb.md Intented contents: task for writing a Pod Disruption Budget. Linked from: tasks > configuring-applications > configure pdb. * Add refs to the "drain a node" task. * Refactor PDB docs. Move the "Requesting an eviction" section from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md -- which is going away -- to: docs/tasks/administer-cluster/safely-drain-node.md The move is verbatim, except for an introductory sentence. Also added assignees. * Refactor of PDB docs Moved the section: Specifying a PodDisruptionBudget from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md to: docs/tasks/run-application/configure-pdb.md because that former file is going away. Move is verbatim. * Explain how Eviction tools should handle failures * Refactor PDB docs Move text from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md to: docs/concepts/workloads/pods/disruptions.md Delete the now empty: docs/tasks/administer-cluster/configure-pod-disruption-budget.md Added a redirects_from section to the new doc, containing the path of the now-deleted doc, plus all the redirects from the deleted doc. * Expand PDB Concept guide Building on a little content from the old task, greatly expanded the Disruptions concept guide, including an abstract example. * Update creating a pdb Task. * Address review comments. * Fixed for all cody-clark's review comments * Address review comments from mml * Address review comments from maisem * Fix missing backtick * Api and Kubectl reference docs updates for 1.7 (#4193) * Fix includes groups * Generated kubectl docs for 1.7 * Generated references docs for 1.7 api * Document node authorization mode * API Aggregator (#4173) * API Aggregator * Additional bullet points * incorporated feedback for apiserver-aggregation.md * split setup-api-aggregator.md into two docs and address feedback * fix link * addressed docs feedback * incorporate feedback * integrate feedback * Add documentation for DNS stub domains (#4063) * Add documentation for DNS stub domains * add additional prereq * fix image path * review feedback * minor grammar and style nits * documentation for using hostAliases to manage hosts file (#4080) * documentation for using hostAliases to manage hosts file * add to table of contents * review comments * update the right command to see hosts file * reformat doc based on suggestion and change some wording * Fix typo for #4080 * Patch PR #4063 * Fix wording in placement policy task introduction * Add update to statefulset concepts and basic tutorial (#4174) * Add update to statefulset concpets and basic tutorial * Address tech comments. * Update ESIPP docs for new added API fields * Custom resource docs * update audit document with advanced audit features added in 1.7 * kubeadm v1.7 documentation updates (#4018) * v1.7 updates for kubeadm * Address review comments * Address Luke's comments * Encrypting secrets at rest and cluster security guide * Edits for Custom DNS Documentation (#4207) * reorganize custom dns doc * format fixes * Update version numbers to 1.7 * Patch PR #4140 (#4215) * Patch PR #4140 * fix link and typos * Update PR template * Update TLS bootstrapping with 1.7 features This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. * Federated ClusterSelector formatting updates from review * complete PR #4181 (#4223) * complete PR #4181 * fix security link * Extensible admission controller (#4092) * extensible-admission-controllers * Update extensible-admission-controllers.md * more on initializers * fixes * Expand external admission webhooks documentation * wrap at 80 chars * more * add reference * Use correct apigroup for network policy * Docs changes to PR #4092 (#4224) * Docs changes to PR #4092 * address feedback * add doc for --as-group in cli Add doc for this pr: kubernetes/kubernetes#43696
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Provides documentation for kubernetes/enhancements#92 and a general security guide to link to it.
This change is