Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Audit Logging documentation for 1.10 #7679

Merged

Conversation

crassirostris
Copy link

@crassirostris crassirostris commented Mar 8, 2018

Sorry for the late PR

This is a docs PR for the Advanced Audit Logging feature. Items to address in this update are listed in the umbrella issue for this release.

Fixes kubernetes/kubernetes#60110

/cc @tallclair @sttts @ericchiang @CaoShuFeng

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 8, 2018
@crassirostris
Copy link
Author

/milestone v1.10

@k8sio-netlify-preview-bot
Copy link
Collaborator

k8sio-netlify-preview-bot commented Mar 8, 2018

Deploy preview for kubernetes-io-vnext-staging ready!

Built with commit d03415c

https://deploy-preview-7679--kubernetes-io-vnext-staging.netlify.com

Copy link
Contributor

@ericchiang ericchiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this!

Can someone from the docs team comment on the use of "you" and "your"? Instead of:

Parameters should be set to accommodate your load on the apiserver.

I generally prefer:

Parameters should be set to accommodate expected apiserver load.

Though I see "you" and "your" used throughout the docs, so it doesn't seem like we have a hard rule.

@@ -72,6 +72,9 @@ In both cases, audit events structure is defined by the API in the
`audit.k8s.io` API group. The current version of the API is
[`v1beta1`][auditing-api].

**Note:** in case of patches, request objects are arrays, containing operations, not the appropriate
API objects. You should design your system to behave correctly in this case.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Drop "You should design your system to behave correctly in this case." It's already implied.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done


The following flags are only used in the `batch` mode.

- `--audit-webhook-batch-buffer-size` defines the size of the buffer to store events before batching.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/size of the buffer to store events/number of events to buffer/

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

10 batches, i.e. 1000 events.

In most cases however, the default parameters should be sufficient and you don't have to worry about
setting them manually. You can look at the Prometheus metric `apiserver_audit_error_total` and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does apiserver_audit_error_total include dropped events? If it doesn't can we include the dropped metric here too?

Also can you link to a doc explaining how an admin can scrape the API server?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added apiserver_audit_error_total to the description

Also can you link to a doc explaining how an admin can scrape the API server?

Couldn't find any good place to link :( It seems we lack such documentation

@piosz FYI

## Multi-cluster setup

If you're extending the Kubernetes API with the [aggregation layer][kube-aggregator], you can also
set up audit logging for the aggregated apiserver. To do this, pass the same configuration options
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the same configuration required? Should we mark it "MUST"?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, configuration can be different

What I meant to say is that all the flags are the same

Clarified, thanks

@@ -72,6 +72,9 @@ In both cases, audit events structure is defined by the API in the
`audit.k8s.io` API group. The current version of the API is
[`v1beta1`][auditing-api].

**Note:** in case of patches, request objects are arrays, containing operations, not the appropriate
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe:

Audit events for PATCH requests are an array of request objects containing operations, not the entire API object.

what do you think?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a limiting statement. Who knows what types of request will support using JSON arrays as a request body in the future? Rewrote the paragraph though

- `--audit-webhook-batch-throttle-burst` defines the maximum number of batches generated per second
if the allowed QPS was underutilized previously

#### How to set up parameters
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe:

Parameter tuning

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@bradtopol
Copy link
Contributor

Per request of @Bradamant3 putting a temporary hold on anything going into 1.10 until her big patch merges

@bradtopol bradtopol added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 8, 2018
@Bradamant3 Bradamant3 added this to the 1.10 milestone Mar 8, 2018
@Bradamant3
Copy link
Contributor

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 8, 2018
@Bradamant3
Copy link
Contributor

In this case it's probably better to avoid "you" not because the style guide says so (the style guide actually recommends "you" over "we", for example), but because load isn't a thing that makes sense to apply personal ownership to. I'd take @ericchiang's suggestion.

Can someone from the docs team comment on the use of "you" and "your"? Instead of:

Parameters should be set to accommodate your load on the apiserver.

I generally prefer:

Parameters should be set to accommodate expected apiserver load.

Though I see "you" and "your" used throughout the docs, so it doesn't seem like we have a hard rule.

@@ -72,6 +72,9 @@ In both cases, audit events structure is defined by the API in the
`audit.k8s.io` API group. The current version of the API is
[`v1beta1`][auditing-api].

**Note:** in case of patches, request objects are arrays, containing operations, not the appropriate
API objects. You should design your system to behave correctly in this case.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in case of patches, request objects are arrays, containing operations, not the appropriate API objects. You should design your system to behave correctly in this case.

Sorry, in fact, I don't understand this sentence at all....:crying_cat_face:
What's the relation between audit objects and patches?
When would we patch an audit object?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe an example would help?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added an example

@Bradamant3
Copy link
Contributor

@crassirostris can you get the requested changes in today? We need to get docs PRs for 1.10 merged. Thanks! (or give an ETA if today's impossible?)

@crassirostris
Copy link
Author

crassirostris commented Mar 9, 2018

@Bradamant3 can I apply the fixes on Monday?

@Bradamant3
Copy link
Contributor

@crassirostris we can make that work. Thanks for the update!

@crassirostris
Copy link
Author

@Bradamant3 thanks a lot! First thing Monday morning then

batching events in the queue
- `--audit-webhook-batch-throttle-qps` defines the maximum average number of batches generated
per second
- `--audit-webhook-batch-throttle-burst` defines the maximum number of batches generated per second
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

per second -> at the same moment

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Copy link
Author

@crassirostris crassirostris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, thanks for the review! PTAL

batching events in the queue
- `--audit-webhook-batch-throttle-qps` defines the maximum average number of batches generated
per second
- `--audit-webhook-batch-throttle-burst` defines the maximum number of batches generated per second
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

- `--audit-webhook-batch-throttle-burst` defines the maximum number of batches generated per second
if the allowed QPS was underutilized previously

#### How to set up parameters
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

10 batches, i.e. 1000 events.

In most cases however, the default parameters should be sufficient and you don't have to worry about
setting them manually. You can look at the Prometheus metric `apiserver_audit_error_total` and
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added apiserver_audit_error_total to the description

Also can you link to a doc explaining how an admin can scrape the API server?

Couldn't find any good place to link :( It seems we lack such documentation

@piosz FYI

## Multi-cluster setup

If you're extending the Kubernetes API with the [aggregation layer][kube-aggregator], you can also
set up audit logging for the aggregated apiserver. To do this, pass the same configuration options
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, configuration can be different

What I meant to say is that all the flags are the same

Clarified, thanks


The following flags are only used in the `batch` mode.

- `--audit-webhook-batch-buffer-size` defines the size of the buffer to store events before batching.
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@@ -72,6 +72,9 @@ In both cases, audit events structure is defined by the API in the
`audit.k8s.io` API group. The current version of the API is
[`v1beta1`][auditing-api].

**Note:** in case of patches, request objects are arrays, containing operations, not the appropriate
API objects. You should design your system to behave correctly in this case.
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added an example

@@ -72,6 +72,9 @@ In both cases, audit events structure is defined by the API in the
`audit.k8s.io` API group. The current version of the API is
[`v1beta1`][auditing-api].

**Note:** in case of patches, request objects are arrays, containing operations, not the appropriate
API objects. You should design your system to behave correctly in this case.
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@@ -72,6 +72,9 @@ In both cases, audit events structure is defined by the API in the
`audit.k8s.io` API group. The current version of the API is
[`v1beta1`][auditing-api].

**Note:** in case of patches, request objects are arrays, containing operations, not the appropriate
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a limiting statement. Who knows what types of request will support using JSON arrays as a request body in the future? Rewrote the paragraph though

Copy link
Contributor

@ericchiang ericchiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

@crassirostris
Copy link
Author

Also addressed some out of place "you"s

@crassirostris
Copy link
Author

@Bradamant3 Could you please review this PR?

Copy link
Contributor

@Bradamant3 Bradamant3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly nits, but a couple of items that affect meaning/comprehension. Thanks!

@@ -72,6 +72,24 @@ In both cases, audit events structure is defined by the API in the
`audit.k8s.io` API group. The current version of the API is
[`v1beta1`][auditing-api].

**Note:** for example, in case of patches, request body is a JSON array with patch operations, not
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit, but do we need this first "for example"? (Starts the second sentence also)
if you omit, s/in/In

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed first for example. I think the second one is legitimate, since it indicates that an example follows

This is the default
- `blocking` - block API server responses on sending each event to the external service
- `--audit-webhook-initial-backoff` specifies the amount of time to wait after the first failed
request before retrying. From the second request and so on, exponential backoff is used.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

edit last sentence here to:
"Subsequent requests are retried with exponential backoff."
("and so on" indicates other types of events, not additional requests)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, thanks

name. By default, batching is enabled in `webhook` and disabled in `log`. Similarly, by default
throttling is enabled in `webhook` and disabled in `log`.

- `--audit-webhook-mode` define the buffering strategy, one of the following:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/define/defines (as below).
s/,/.
s/one/One

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

throttling is enabled in `webhook` and disabled in `log`.

- `--audit-webhook-mode` define the buffering strategy, one of the following:
- `batch` - buffer events and asynchronously process then in batches. This is the default
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add period (.) at the end.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done


- `--audit-webhook-mode` define the buffering strategy, one of the following:
- `batch` - buffer events and asynchronously process then in batches. This is the default
- `blocking` - block API server responses on processing each individual event
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add period at the end.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

The following flags are only used in the `batch` mode.

- `--audit-webhook-batch-buffer-size` defines the number of events to buffer before batching.
If the rate of incoming events is too high and the buffer is overflown, events are dropped
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/is overflown/overflows
Add period at end.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

- `--audit-webhook-batch-throttle-qps` defines the maximum average number of batches generated
per second
- `--audit-webhook-batch-throttle-burst` defines the maximum number of batches generated at the same
moment if the allowed QPS was underutilized previously
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add periods at the end of these four items

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Copy link
Author

@crassirostris crassirostris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Bradamant3 Addressed your comments, thanks a lot for the review!

@@ -72,6 +72,24 @@ In both cases, audit events structure is defined by the API in the
`audit.k8s.io` API group. The current version of the API is
[`v1beta1`][auditing-api].

**Note:** for example, in case of patches, request body is a JSON array with patch operations, not
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed first for example. I think the second one is legitimate, since it indicates that an example follows

This is the default
- `blocking` - block API server responses on sending each event to the external service
- `--audit-webhook-initial-backoff` specifies the amount of time to wait after the first failed
request before retrying. From the second request and so on, exponential backoff is used.
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, thanks

throttling is enabled in `webhook` and disabled in `log`.

- `--audit-webhook-mode` define the buffering strategy, one of the following:
- `batch` - buffer events and asynchronously process then in batches. This is the default
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done


- `--audit-webhook-mode` define the buffering strategy, one of the following:
- `batch` - buffer events and asynchronously process then in batches. This is the default
- `blocking` - block API server responses on processing each individual event
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

name. By default, batching is enabled in `webhook` and disabled in `log`. Similarly, by default
throttling is enabled in `webhook` and disabled in `log`.

- `--audit-webhook-mode` define the buffering strategy, one of the following:
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

The following flags are only used in the `batch` mode.

- `--audit-webhook-batch-buffer-size` defines the number of events to buffer before batching.
If the rate of incoming events is too high and the buffer is overflown, events are dropped
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

- `--audit-webhook-batch-throttle-qps` defines the maximum average number of batches generated
per second
- `--audit-webhook-batch-throttle-burst` defines the maximum number of batches generated at the same
moment if the allowed QPS was underutilized previously
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

throttling is enabled in `webhook` and disabled in `log`.

- `--audit-webhook-mode` defines the buffering strategy. One of the following:
- `batch` - buffer events and asynchronously process then in batches. This is the default.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, missed a misspelling.
s/then/them

- `batch` - buffer events and asynchronously process then in batches. This is the default.
- `blocking` - block API server responses on processing each individual event.

The following flags are only used in the `batch` mode.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and only bc there's already another fix:
"The following flags are used only in the the batch mode."

@Bradamant3
Copy link
Contributor

@crassirostris sorry caught two more things. Thank you!

Signed-off-by: Mik Vyatskov <vmik@google.com>
@crassirostris
Copy link
Author

@Bradamant3 Done, thanks so much for your thorough review!

@Bradamant3
Copy link
Contributor

/approve

/lgtm

(because tech reviewer forgot the slash on the /lgtm)

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 13, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Bradamant3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 14, 2018
@k8s-ci-robot k8s-ci-robot merged commit a4af6f5 into kubernetes:release-1.10 Mar 14, 2018
Parameters should be set to accommodate the load on the apiserver.

For example, if kube-apiserver receives 100 requests each second, and each request is audited only
on `StageResponseStarted` and `StageResponseComplete` stages, you should account for ~200 audit
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These should be ResponseStarted and ResponseComplete respectively.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, thanks! Filed #7746

steveperry-53 pushed a commit that referenced this pull request Mar 27, 2018
* 1.10 update (#7151)

* Fix partition value expected behaviour explanation (#7123)

Fixes issue #7057

* Correct "On-Premise" to "On-Premises"

* Updates the Calico installation page (#7094)

* All files for Haufe Groups case study (#7051)

* Fix typo (#7127)

* fix typo of device-plugins.md (#7106)

* fix broken links (#7136)

* Updated configure-service-account (#7147)

Error from server resolved by escaping kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}' JSON string by '\'

* Remove docs related to 'require-kubeconfig' (#7138)

With kubernetes/kubernetes#58367 merged, v1.10 will not use the
"require-kubeconfig" flag. The flag has become a no-op solely to ensure
existing deployments won't break.

* Added Verification Scenario for a Pod that Uses a PVC in Terminating State (#7164)

The below PR:
kubernetes/kubernetes#55873
modified scheduler in such a way that scheduling of a pod that uses a PVC in Terminating state fails.

That's why verification of such scenario was added to documentation.

* fix LimitPodHardAntiAffinityTopology name (#7221)

* Document the removal of the KubeletConfigFile feature gate (#7140)

With kubernetes/kubernetes#58978 merged, the said feature gate is
removed. This PR removes texts related to the gate and revises the
Feature Gates reference to reflect this change.

* deprecate three admission controller (#7363)

* Document the removal of Accelerators feature gate (#7389)

The `Accelerators` feature gate will be removed in 1.11. 1.10 will be
its last mile.
References: kubernetes/kubernetes#57384

* Update local storage docs for beta (#7473)

* Document that HugePages feature gate is Beta (#7387)

The `HugePages` feature gate has graduated to Beta in v1.10. This PR
documents this fact.

* Add HyperVContainer feature gates (#7502)

* Remove the beta reference from Taints and Tolerations doc (#7493)

* Kms provider doc (#7479)

* Kms provider doc

* issue# 7399, Create KMS-provider.md and update encrypt-data.md

* address review comments

* Document that Device Plugin feature is Beta (1.10) (#7512)

* Add docs for CRD features for 1.10 (#7439)

* Add docs for CRD features for 1.10

* Add CustomResourcesSubresources to list of feature gates

* Add latest changes to custom resources doc

* Add crds as abbreviated alias (#7437)

* Bring PVC Protection Feature to Beta (#7165)

* Bring PVC Protection Feature to Beta

The PR: kubernetes/kubernetes#59052
brought PVC Protection feature to beta.

That's why the documentation is updated accordingly.

* The PVC Protection feature was renamed to Storage Protection. That's why the documentation is updated.

* promote PodNodeSelector to stable; document detailed behavior (#7134)

* promote PodNodeSelector to stable; document detailed behavior

* respond to feedback

* Update CPU manager feature enabling (#7390)

With `CPUManager` feature graduating to beta. No explicit enabling is
required starting v1.10.
References: kubernetes/kubernetes#55977

* Adding block volumeMode documentation for local volumes. (#7531)

Code review comments.

Changed property to field.

Address tech review comment.

* remove description kubectl --show-all (#7574)

--show-all has been deprecated and set to true by default.
kubernetes/kubernetes#60210

* fix description about contribute style guide (#7592)

* fix description about KUBECONFIG (#7589)

s/envrionment/environment

* fix description about cni (#7588)

s/simultanously/simultaneously/

* fix description about MutatingAdmissionWebhook and ValidatingAdmissionWebhook (#7587)

* fix description about persistent volume binding (#7590)

s/slighty/slightly/

* Doc change for configurable pod resolv.conf Beta (#7611)

* fix description about out of resource handling (#7597)

s/threshhold/threshold

* fix description about zookeeper (#7598)

s/achive/achieve

* fix description about kubeadm (#7594)

s/compatability/compatibility/

* fix description about kubeadm (#7593)

* fix description about kubeadm implementation details (#7595)

* fix description about api concepts (#7596)

* Storage Protection was renamed to Storage Object in Use Protection (#7576)

* Storage Protection was renamed to Storage Object in Use Protection

The K8s PR: kubernetes/kubernetes#59901
renamed Storage Protection to Storage Object in Use Protection.

That's why the same is also renamed in the documentation.

* Moved Storage Object in Use Protection admission plugin description down according to alphabetic order.

* Use PSP from policy API group. (#7562)

* update kubeletconfig docs for v1.10, beta (#7561)

* Update port-forwarding docs (#7575)

* add pv protection description (#7620)

* fix description about client library (#7634)

* Add docs on configuring NodePort IP (#7631)

* Document that LocalStorageCapacityIsolation is beta (#7635)

A follow-up to the kubernetes/kubernetes#60159 change which has promoted
the `LocalStorageCapacityIsolation` feature gate to Beta.

* Update CoreDNS docs for beta (#7638)

* Update CoreDNS docs for beta

* Review comments

* Fix typo (#7640)

* Update feature gates move to beta (#7662)

* Added the inability to use colon ':' character as environment variable names and described workaround (#7657)

* merge master to 1.10, with fixes (#7682)

* Flag names changed (s/admission-control/enable-admission-plugins); disable-admissions-plugin entry added; removed reference to admission controller/plugins requiring set order (for v1.10), redundant example enabling specific plugin, and redundant version-specific info (#7449)

* Documentation for MountPropagation beta (#7655)

* Remove job's scale-related operations (#7684)

* authentication: document client-go exec plugins (#7648)

* authentication: document client-go exec plugins

* Update authentication.md

* Update local ephemeral storage feature to beta (#7685)

Update local ephemeral storage feature to beta

* Update docs for windows container resources (#7653)

* add server-side print docs (#7671)

* Create a task describing Pod process namespace sharing (#7489)

* Add external metrics to HPA docs (#7664)

* Add external metrics to HPA docs

* Update horizontal-pod-autoscale-walkthrough.md

* Apply review comments to HPA walkthrough

* remove description about "scale jobs" (#7712)

* CSI Docs for K8s v1.10 (#7698)

* Add a warning about increased memory consumption for audit logging feature. (#7725)

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Update Audit Logging documentation for 1.10 (#7679)

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Fix stage names in audit logging documentation (#7746)

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Feature gate update for release 1.10 (#7742)

* State in the docs that the value of default Node labels are not reliable. (#7794)

* Kill the reference to --admission-control option (#7755)

The `--admission-control` option has been replaced by two new options in
v1.10. This PR kills the last appearance of the old option in the doc.

* Pvcprotection toc (#7807)

* Refreshing installation instructions (#7495)

* Refreshing installation instructions

Added conjure-up. Updated displays and juju versions to current versions.

* Updated anchors

* Fixed image value version typo (#7768)

Was inconsistent with other values

* Update flocker reference to the github repo (#7784)

* Fix typo in federation document (#7779)

* an user -> a user (#7778)

* Events are namespaced (#7767)

* fix 'monitoring' link lose efficacy problem' (#7764)

* docs/concepts/policy/pod-security-policy.md: minor fix. (#7659)

* Update downward-api-volume-expose-pod-information.md (#7771)

* Update downward-api-volume-expose-pod-information.md

The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact.

* Update downward-api-volume-expose-pod-information.md

One more spot needed fixing.

* Update downward-api-volume-expose-pod-information.md

Yet another fix, in the container example.

* Add Amadeus Case Study (#7783)

* Add Amadeus Case Study

* add Amadeus logo

* Fixed Cyrillic с in 'kube-proxy-cm' (#7787)

There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c.

* install-kubectl: choose one installation method (#7705)

The previous text layout suggested that all installations had to be done, one after another.

* Update install-kubeadm.md (#7781)

Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc.

* repair failure link (#7788)

* repair failure link

* repair failure link

* do change as required

* Update k8s201.md (#7777)

* Update k8s201.md

Change instructions to download yams files directly from the website (as used in other pages.)

Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step.

* Update k8s201.md

Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...)

* Gramatical fix to kompose introduction (#7792)

The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link.

* update amadeus.html (#7800)

* Fix a missing word in endpoint reconciler section (#7804)

* add toc entry for pvcprotection downgrade issue doc

* Pvcprotection toc (#7809)

* Refreshing installation instructions (#7495)

* Refreshing installation instructions

Added conjure-up. Updated displays and juju versions to current versions.

* Updated anchors

* Fixed image value version typo (#7768)

Was inconsistent with other values

* Update flocker reference to the github repo (#7784)

* Fix typo in federation document (#7779)

* an user -> a user (#7778)

* Events are namespaced (#7767)

* fix 'monitoring' link lose efficacy problem' (#7764)

* docs/concepts/policy/pod-security-policy.md: minor fix. (#7659)

* Update downward-api-volume-expose-pod-information.md (#7771)

* Update downward-api-volume-expose-pod-information.md

The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact.

* Update downward-api-volume-expose-pod-information.md

One more spot needed fixing.

* Update downward-api-volume-expose-pod-information.md

Yet another fix, in the container example.

* Add Amadeus Case Study (#7783)

* Add Amadeus Case Study

* add Amadeus logo

* Fixed Cyrillic с in 'kube-proxy-cm' (#7787)

There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c.

* install-kubectl: choose one installation method (#7705)

The previous text layout suggested that all installations had to be done, one after another.

* Update install-kubeadm.md (#7781)

Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc.

* repair failure link (#7788)

* repair failure link

* repair failure link

* do change as required

* Update k8s201.md (#7777)

* Update k8s201.md

Change instructions to download yams files directly from the website (as used in other pages.)

Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step.

* Update k8s201.md

Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...)

* Gramatical fix to kompose introduction (#7792)

The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link.

* update amadeus.html (#7800)

* Fix a missing word in endpoint reconciler section (#7804)

* add toc entry for pvcprotection downgrade issue doc

* revert TOC change

* Release 1.10 (#7818)

* Refreshing installation instructions (#7495)

* Refreshing installation instructions

Added conjure-up. Updated displays and juju versions to current versions.

* Updated anchors

* Fixed image value version typo (#7768)

Was inconsistent with other values

* Update flocker reference to the github repo (#7784)

* Fix typo in federation document (#7779)

* an user -> a user (#7778)

* Events are namespaced (#7767)

* fix 'monitoring' link lose efficacy problem' (#7764)

* docs/concepts/policy/pod-security-policy.md: minor fix. (#7659)

* Update downward-api-volume-expose-pod-information.md (#7771)

* Update downward-api-volume-expose-pod-information.md

The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact.

* Update downward-api-volume-expose-pod-information.md

One more spot needed fixing.

* Update downward-api-volume-expose-pod-information.md

Yet another fix, in the container example.

* Add Amadeus Case Study (#7783)

* Add Amadeus Case Study

* add Amadeus logo

* Fixed Cyrillic с in 'kube-proxy-cm' (#7787)

There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c.

* install-kubectl: choose one installation method (#7705)

The previous text layout suggested that all installations had to be done, one after another.

* Update install-kubeadm.md (#7781)

Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc.

* repair failure link (#7788)

* repair failure link

* repair failure link

* do change as required

* Update k8s201.md (#7777)

* Update k8s201.md

Change instructions to download yams files directly from the website (as used in other pages.)

Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step.

* Update k8s201.md

Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...)

* Gramatical fix to kompose introduction (#7792)

The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link.

* update amadeus.html (#7800)

* Fix a missing word in endpoint reconciler section (#7804)

* Partners page updates (#7802)

* Partners page updates

* Update to ZTE link

* Make using sysctls a task instead of a concept (#6808)

Closes: #4505

* add a note when mount a configmap to pod (#7745)

* adjust a note format (#7812)

* Update docker-cli-to-kubectl.md (#7748)

* Update docker-cli-to-kubectl.md

Edited the document for adherence to the style guide and word usage.

* Update docker-cli-to-kubectl.md

* Incorporated the changes suggested.

* Mount propagation update to include docker config (#7854)

* update overridden config for 1.10 (#7847)

* update overridden config for 1.10

* fix config file per comments

* Update Extended Resource doc wrt cluster-level resources (#7759)
zacharysarah pushed a commit that referenced this pull request Apr 16, 2018
Signed-off-by: Mik Vyatskov <vmik@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants