Update Audit Logging documentation for 1.10 #7679
/milestone v1.10
Deploy preview for kubernetes-io-vnext-staging ready! Built with commit d03415c https://deploy-preview-7679--kubernetes-io-vnext-staging.netlify.com
Thanks for this!
Can someone from the docs team comment on the use of "you" and "your"? Instead of:
> Parameters should be set to accommodate your load on the apiserver.

I generally prefer:
> Parameters should be set to accommodate expected apiserver load.

Though I see "you" and "your" used throughout the docs, so it doesn't seem like we have a hard rule.
@@ -72,6 +72,9 @@ In both cases, audit events structure is defined by the API in the | |||
`audit.k8s.io` API group. The current version of the API is | |||
[`v1beta1`][auditing-api]. | |||
|
|||
**Note:** in case of patches, request objects are arrays, containing operations, not the appropriate | |||
API objects. You should design your system to behave correctly in this case. |
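Review bot: The added note ("in case of patches, request objects are arrays, containing operations") never says which part of the audit event it is describing, so a reader cannot tell what "behave correctly" is supposed to mean. Suggest naming the event field that carries the request body, stating that for patch requests it holds an array of patch operations rather than the API object, and adding one short example body. Tooling that parses audit events and assumes an API object in that position needs this spelled out to avoid mis-handling or skipping these entries.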
Drop "You should design your system to behave correctly in this case." It's already implied.
Done
|
||
The following flags are only used in the `batch` mode. | ||
|
||
- `--audit-webhook-batch-buffer-size` defines the size of the buffer to store events before batching. |
s/size of the buffer to store events/number of events to buffer/
Done
10 batches, i.e. 1000 events. | ||
|
||
In most cases however, the default parameters should be sufficient and you don't have to worry about | ||
setting them manually. You can look at the Prometheus metric `apiserver_audit_error_total` and |
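Review bot: The sentence that points at `apiserver_audit_error_total` names the metric without saying what it counts or what reading should prompt a change to the batch flags. Because the same paragraph tells operators the defaults are usually sufficient, state explicitly what an increase in this metric indicates and whether it covers dropped events, so that a gap in the audit trail is noticed from monitoring rather than found later during an investigation.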
Does `apiserver_audit_error_total` include dropped events? If it doesn't, can we include the dropped metric here too?
Also can you link to a doc explaining how an admin can scrape the API server?
Added `apiserver_audit_error_total` to the description
> Also can you link to a doc explaining how an admin can scrape the API server?

Couldn't find any good place to link :( It seems we lack such documentation
@piosz FYI
## Multi-cluster setup | ||
|
||
If you're extending the Kubernetes API with the [aggregation layer][kube-aggregator], you can also | ||
set up audit logging for the aggregated apiserver. To do this, pass the same configuration options |
Is the same configuration required? Should we mark it "MUST"?
No, configuration can be different
What I meant to say is that all the flags are the same
Clarified, thanks
@@ -72,6 +72,9 @@ In both cases, audit events structure is defined by the API in the | |||
`audit.k8s.io` API group. The current version of the API is | |||
[`v1beta1`][auditing-api]. | |||
|
|||
**Note:** in case of patches, request objects are arrays, containing operations, not the appropriate |
Maybe:
> Audit events for PATCH requests are an array of request objects containing operations, not the entire API object.

What do you think?
That's a limiting statement. Who knows what types of request will support using JSON arrays as a request body in the future? Rewrote the paragraph though
- `--audit-webhook-batch-throttle-burst` defines the maximum number of batches generated per second | ||
if the allowed QPS was underutilized previously | ||
|
||
#### How to set up parameters |
Maybe:
> Parameter tuning

Done
Per request of @Bradamant3 putting a temporary hold on anything going into 1.10 until her big patch merges
/hold cancel
In this case it's probably better to avoid "you" not because the style guide says so (the style guide actually recommends "you" over "we", for example), but because load isn't a thing that makes sense to apply personal ownership to. I'd take @ericchiang's suggestion.
@@ -72,6 +72,9 @@ In both cases, audit events structure is defined by the API in the | |||
`audit.k8s.io` API group. The current version of the API is | |||
[`v1beta1`][auditing-api]. | |||
|
|||
**Note:** in case of patches, request objects are arrays, containing operations, not the appropriate | |||
API objects. You should design your system to behave correctly in this case. |
> in case of patches, request objects are arrays, containing operations, not the appropriate API objects. You should design your system to behave correctly in this case.

Sorry, in fact, I don't understand this sentence at all....:crying_cat_face:
What's the relation between audit objects and patches?
When would we patch an audit object?
Maybe an example would help?
Added an example
@crassirostris can you get the requested changes in today? We need to get docs PRs for 1.10 merged. Thanks! (or give an ETA if today's impossible?)
@Bradamant3 can I apply the fixes on Monday?
@crassirostris we can make that work. Thanks for the update!
@Bradamant3 thanks a lot! First thing Monday morning then
batching events in the queue | ||
- `--audit-webhook-batch-throttle-qps` defines the maximum average number of batches generated | ||
per second | ||
- `--audit-webhook-batch-throttle-burst` defines the maximum number of batches generated per second |
`per second` -> `at the same moment`
Done
1940c2c to a961913
Done, thanks for the review! PTAL
lgtm, thanks!
a961913 to 22e2c1a
Also addressed some out of place "you"s
@Bradamant3 Could you please review this PR?
Mostly nits, but a couple of items that affect meaning/comprehension. Thanks!
@@ -72,6 +72,24 @@ In both cases, audit events structure is defined by the API in the | |||
`audit.k8s.io` API group. The current version of the API is | |||
[`v1beta1`][auditing-api]. | |||
|
|||
**Note:** for example, in case of patches, request body is a JSON array with patch operations, not |
Nit, but do we need this first "for example"? (Starts the second sentence also)
if you omit, s/in/In
Removed first `for example`. I think the second one is legitimate, since it indicates that an example follows
This is the default | ||
- `blocking` - block API server responses on sending each event to the external service | ||
- `--audit-webhook-initial-backoff` specifies the amount of time to wait after the first failed | ||
request before retrying. From the second request and so on, exponential backoff is used. |
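Review bot: The `--audit-webhook-initial-backoff` entry says exponential backoff is used after the first failed request but not when retrying stops or what happens to the event once it does. Suggest stating whether retries are bounded and whether an event that exhausts them is dropped, because that decides whether an outage of the external service loses audit records.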
edit last sentence here to:
"Subsequent requests are retried with exponential backoff."
("and so on" indicates other types of events, not additional requests)
Done, thanks
name. By default, batching is enabled in `webhook` and disabled in `log`. Similarly, by default | ||
throttling is enabled in `webhook` and disabled in `log`. | ||
|
||
- `--audit-webhook-mode` define the buffering strategy, one of the following: |
s/define/defines (as below).
s/,/.
s/one/One
Done
throttling is enabled in `webhook` and disabled in `log`. | ||
|
||
- `--audit-webhook-mode` define the buffering strategy, one of the following: | ||
- `batch` - buffer events and asynchronously process then in batches. This is the default |
add period (.) at the end.
Done
|
||
- `--audit-webhook-mode` define the buffering strategy, one of the following: | ||
- `batch` - buffer events and asynchronously process then in batches. This is the default | ||
- `blocking` - block API server responses on processing each individual event |
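Review bot: The `blocking` entry ("block API server responses on processing each individual event") does not say what the API client sees when that processing is slow or fails. Suggest one more sentence on whether the request is delayed, rejected, or served without an audit record, since an operator choosing `blocking` over `batch` is trading API latency for audit completeness and needs to know the failure behaviour.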
Add period at the end.
Done
The following flags are only used in the `batch` mode. | ||
|
||
- `--audit-webhook-batch-buffer-size` defines the number of events to buffer before batching. | ||
If the rate of incoming events is too high and the buffer is overflown, events are dropped |
s/is overflown/overflows
Add period at end.
Done
- `--audit-webhook-batch-throttle-qps` defines the maximum average number of batches generated | ||
per second | ||
- `--audit-webhook-batch-throttle-burst` defines the maximum number of batches generated at the same | ||
moment if the allowed QPS was underutilized previously |
Add periods at the end of these four items
Done
@Bradamant3 Addressed your comments, thanks a lot for the review!
22e2c1a to db026ee
throttling is enabled in `webhook` and disabled in `log`. | ||
|
||
- `--audit-webhook-mode` defines the buffering strategy. One of the following: | ||
- `batch` - buffer events and asynchronously process then in batches. This is the default. |
Sorry, missed a misspelling.
s/then/them
- `batch` - buffer events and asynchronously process then in batches. This is the default. | ||
- `blocking` - block API server responses on processing each individual event. | ||
|
||
The following flags are only used in the `batch` mode. |
and only bc there's already another fix:
"The following flags are used only in the `batch` mode."
@crassirostris sorry caught two more things. Thank you!
Signed-off-by: Mik Vyatskov <vmik@google.com>
db026ee to d03415c
@Bradamant3 Done, thanks so much for your thorough review!
/approve /lgtm (because tech reviewer forgot the slash on the /lgtm)
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Bradamant3 The full list of commands accepted by this bot can be found here. The pull request process is described here
Parameters should be set to accommodate the load on the apiserver. | ||
|
||
For example, if kube-apiserver receives 100 requests each second, and each request is audited only | ||
on `StageResponseStarted` and `StageResponseComplete` stages, you should account for ~200 audit |
These should be `ResponseStarted` and `ResponseComplete` respectively.
Good point, thanks! Filed #7746
* 1.10 update (#7151) * Fix partition value expected behaviour explanation (#7123) Fixes issue #7057 * Correct "On-Premise" to "On-Premises" * Updates the Calico installation page (#7094) * All files for Haufe Groups case study (#7051) * Fix typo (#7127) * fix typo of device-plugins.md (#7106) * fix broken links (#7136) * Updated configure-service-account (#7147) Error from server resolved by escaping kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}' JSON string by '\' * Remove docs related to 'require-kubeconfig' (#7138) With kubernetes/kubernetes#58367 merged, v1.10 will not use the "require-kubeconfig" flag. The flag has become a no-op solely to ensure existing deployments won't break. * Added Verification Scenario for a Pod that Uses a PVC in Terminating State (#7164) The below PR: kubernetes/kubernetes#55873 modified scheduler in such a way that scheduling of a pod that uses a PVC in Terminating state fails. That's why verification of such scenario was added to documentation. * fix LimitPodHardAntiAffinityTopology name (#7221) * Document the removal of the KubeletConfigFile feature gate (#7140) With kubernetes/kubernetes#58978 merged, the said feature gate is removed. This PR removes texts related to the gate and revises the Feature Gates reference to reflect this change. * deprecate three admission controller (#7363) * Document the removal of Accelerators feature gate (#7389) The `Accelerators` feature gate will be removed in 1.11. 1.10 will be its last mile. References: kubernetes/kubernetes#57384 * Update local storage docs for beta (#7473) * Document that HugePages feature gate is Beta (#7387) The `HugePages` feature gate has graduated to Beta in v1.10. This PR documents this fact. 
* Add HyperVContainer feature gates (#7502) * Remove the beta reference from Taints and Tolerations doc (#7493) * Kms provider doc (#7479) * Kms provider doc * issue# 7399, Create KMS-provider.md and update encrypt-data.md * address review comments * Document that Device Plugin feature is Beta (1.10) (#7512) * Add docs for CRD features for 1.10 (#7439) * Add docs for CRD features for 1.10 * Add CustomResourcesSubresources to list of feature gates * Add latest changes to custom resources doc * Add crds as abbreviated alias (#7437) * Bring PVC Protection Feature to Beta (#7165) * Bring PVC Protection Feature to Beta The PR: kubernetes/kubernetes#59052 brought PVC Protection feature to beta. That's why the documentation is updated accordingly. * The PVC Protection feature was renamed to Storage Protection. That's why the documentation is updated. * promote PodNodeSelector to stable; document detailed behavior (#7134) * promote PodNodeSelector to stable; document detailed behavior * respond to feedback * Update CPU manager feature enabling (#7390) With `CPUManager` feature graduating to beta. No explicit enabling is required starting v1.10. References: kubernetes/kubernetes#55977 * Adding block volumeMode documentation for local volumes. (#7531) Code review comments. Changed property to field. Address tech review comment. * remove description kubectl --show-all (#7574) --show-all has been deprecated and set to true by default. 
kubernetes/kubernetes#60210 * fix description about contribute style guide (#7592) * fix description about KUBECONFIG (#7589) s/envrionment/environment * fix description about cni (#7588) s/simultanously/simultaneously/ * fix description about MutatingAdmissionWebhook and ValidatingAdmissionWebhook (#7587) * fix description about persistent volume binding (#7590) s/slighty/slightly/ * Doc change for configurable pod resolv.conf Beta (#7611) * fix description about out of resource handling (#7597) s/threshhold/threshold * fix description about zookeeper (#7598) s/achive/achieve * fix description about kubeadm (#7594) s/compatability/compatibility/ * fix description about kubeadm (#7593) * fix description about kubeadm implementation details (#7595) * fix description about api concepts (#7596) * Storage Protection was renamed to Storage Object in Use Protection (#7576) * Storage Protection was renamed to Storage Object in Use Protection The K8s PR: kubernetes/kubernetes#59901 renamed Storage Protection to Storage Object in Use Protection. That's why the same is also renamed in the documentation. * Moved Storage Object in Use Protection admission plugin description down according to alphabetic order. * Use PSP from policy API group. (#7562) * update kubeletconfig docs for v1.10, beta (#7561) * Update port-forwarding docs (#7575) * add pv protection description (#7620) * fix description about client library (#7634) * Add docs on configuring NodePort IP (#7631) * Document that LocalStorageCapacityIsolation is beta (#7635) A follow-up to the kubernetes/kubernetes#60159 change which has promoted the `LocalStorageCapacityIsolation` feature gate to Beta. 
* Update CoreDNS docs for beta (#7638) * Update CoreDNS docs for beta * Review comments * Fix typo (#7640) * Update feature gates move to beta (#7662) * Added the inability to use colon ':' character as environment variable names and described workaround (#7657) * merge master to 1.10, with fixes (#7682) * Flag names changed (s/admission-control/enable-admission-plugins); disable-admissions-plugin entry added; removed reference to admission controller/plugins requiring set order (for v1.10), redundant example enabling specific plugin, and redundant version-specific info (#7449) * Documentation for MountPropagation beta (#7655) * Remove job's scale-related operations (#7684) * authentication: document client-go exec plugins (#7648) * authentication: document client-go exec plugins * Update authentication.md * Update local ephemeral storage feature to beta (#7685) Update local ephemeral storage feature to beta * Update docs for windows container resources (#7653) * add server-side print docs (#7671) * Create a task describing Pod process namespace sharing (#7489) * Add external metrics to HPA docs (#7664) * Add external metrics to HPA docs * Update horizontal-pod-autoscale-walkthrough.md * Apply review comments to HPA walkthrough * remove description about "scale jobs" (#7712) * CSI Docs for K8s v1.10 (#7698) * Add a warning about increased memory consumption for audit logging feature. (#7725) Signed-off-by: Mik Vyatskov <vmik@google.com> * Update Audit Logging documentation for 1.10 (#7679) Signed-off-by: Mik Vyatskov <vmik@google.com> * Fix stage names in audit logging documentation (#7746) Signed-off-by: Mik Vyatskov <vmik@google.com> * Feature gate update for release 1.10 (#7742) * State in the docs that the value of default Node labels are not reliable. (#7794) * Kill the reference to --admission-control option (#7755) The `--admission-control` option has been replaced by two new options in v1.10. This PR kills the last appearance of the old option in the doc. 
* Pvcprotection toc (#7807) * Refreshing installation instructions (#7495) * Refreshing installation instructions Added conjure-up. Updated displays and juju versions to current versions. * Updated anchors * Fixed image value version typo (#7768) Was inconsistent with other values * Update flocker reference to the github repo (#7784) * Fix typo in federation document (#7779) * an user -> a user (#7778) * Events are namespaced (#7767) * fix 'monitoring' link lose efficacy problem' (#7764) * docs/concepts/policy/pod-security-policy.md: minor fix. (#7659) * Update downward-api-volume-expose-pod-information.md (#7771) * Update downward-api-volume-expose-pod-information.md The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact. * Update downward-api-volume-expose-pod-information.md One more spot needed fixing. * Update downward-api-volume-expose-pod-information.md Yet another fix, in the container example. * Add Amadeus Case Study (#7783) * Add Amadeus Case Study * add Amadeus logo * Fixed Cyrillic с in 'kube-proxy-cm' (#7787) There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c. * install-kubectl: choose one installation method (#7705) The previous text layout suggested that all installations had to be done, one after another. * Update install-kubeadm.md (#7781) Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc. * repair failure link (#7788) * repair failure link * repair failure link * do change as required * Update k8s201.md (#7777) * Update k8s201.md Change instructions to download yams files directly from the website (as used in other pages.) Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step. * Update k8s201.md Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...) 
* Gramatical fix to kompose introduction (#7792) The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link. * update amadeus.html (#7800) * Fix a missing word in endpoint reconciler section (#7804) * add toc entry for pvcprotection downgrade issue doc * Pvcprotection toc (#7809) * Refreshing installation instructions (#7495) * Refreshing installation instructions Added conjure-up. Updated displays and juju versions to current versions. * Updated anchors * Fixed image value version typo (#7768) Was inconsistent with other values * Update flocker reference to the github repo (#7784) * Fix typo in federation document (#7779) * an user -> a user (#7778) * Events are namespaced (#7767) * fix 'monitoring' link lose efficacy problem' (#7764) * docs/concepts/policy/pod-security-policy.md: minor fix. (#7659) * Update downward-api-volume-expose-pod-information.md (#7771) * Update downward-api-volume-expose-pod-information.md The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact. * Update downward-api-volume-expose-pod-information.md One more spot needed fixing. * Update downward-api-volume-expose-pod-information.md Yet another fix, in the container example. * Add Amadeus Case Study (#7783) * Add Amadeus Case Study * add Amadeus logo * Fixed Cyrillic с in 'kube-proxy-cm' (#7787) There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c. * install-kubectl: choose one installation method (#7705) The previous text layout suggested that all installations had to be done, one after another. * Update install-kubeadm.md (#7781) Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc. 
* repair failure link (#7788) * repair failure link * repair failure link * do change as required * Update k8s201.md (#7777) * Update k8s201.md Change instructions to download yams files directly from the website (as used in other pages.) Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step. * Update k8s201.md Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...) * Gramatical fix to kompose introduction (#7792) The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link. * update amadeus.html (#7800) * Fix a missing word in endpoint reconciler section (#7804) * add toc entry for pvcprotection downgrade issue doc * revert TOC change * Release 1.10 (#7818) * Refreshing installation instructions (#7495) * Refreshing installation instructions Added conjure-up. Updated displays and juju versions to current versions. * Updated anchors * Fixed image value version typo (#7768) Was inconsistent with other values * Update flocker reference to the github repo (#7784) * Fix typo in federation document (#7779) * an user -> a user (#7778) * Events are namespaced (#7767) * fix 'monitoring' link lose efficacy problem' (#7764) * docs/concepts/policy/pod-security-policy.md: minor fix. (#7659) * Update downward-api-volume-expose-pod-information.md (#7771) * Update downward-api-volume-expose-pod-information.md The pod spec puts the downward api files into /etc/podinfo, not directly in /etc. Updated docs to reflect this fact. * Update downward-api-volume-expose-pod-information.md One more spot needed fixing. * Update downward-api-volume-expose-pod-information.md Yet another fix, in the container example. 
* Add Amadeus Case Study (#7783) * Add Amadeus Case Study * add Amadeus logo * Fixed Cyrillic с in 'kube-proxy-cm' (#7787) There was a typo (wrong character) in kube-proxy-cm.yaml - Cyrillic с (UTF-8 0x0441) was used instead of Latin c. * install-kubectl: choose one installation method (#7705) The previous text layout suggested that all installations had to be done, one after another. * Update install-kubeadm.md (#7781) Add note to kubeadm install instruction to help install in other arch i.e. aarch64, ppc64le etc. * repair failure link (#7788) * repair failure link * repair failure link * do change as required * Update k8s201.md (#7777) * Update k8s201.md Change instructions to download yams files directly from the website (as used in other pages.) Added instructions to delete labeled pod to avoid warnings in the subsequent deployment step. * Update k8s201.md Added example of using the exposed host from the a node running Kubernetes. (This works on AWS with Weave; not able to test it on other variations...) * Gramatical fix to kompose introduction (#7792) The original wording didn't through very well. As much of the original sentence has been preserved as possible, primarily to ensure the kompose web address is see both in text and as a href link. * update amadeus.html (#7800) * Fix a missing word in endpoint reconciler section (#7804) * Partners page updates (#7802) * Partners page updates * Update to ZTE link * Make using sysctls a task instead of a concept (#6808) Closes: #4505 * add a note when mount a configmap to pod (#7745) * adjust a note format (#7812) * Update docker-cli-to-kubectl.md (#7748) * Update docker-cli-to-kubectl.md Edited the document for adherence to the style guide and word usage. * Update docker-cli-to-kubectl.md * Incorporated the changes suggested. 
* Mount propagation update to include docker config (#7854) * update overridden config for 1.10 (#7847) * update overridden config for 1.10 * fix config file per comments * Update Extended Resource doc wrt cluster-level resources (#7759)
Signed-off-by: Mik Vyatskov <vmik@google.com>
Sorry for the late PR.
This is a docs PR for the Advanced Audit Logging feature. Items to address in this update are listed in the umbrella issue for this release.
Fixes kubernetes/kubernetes#60110
/cc @tallclair @sttts @ericchiang @CaoShuFeng