Commit
Apply suggestions from code review

Co-authored-by: Dmitry Shurupov <dmitry.shurupov@palark.com>

Update assign-pod-node.md

Copy /docs/reference/issues-security/* from EN

Update content/ru/docs/concepts/scheduling-eviction/assign-pod-node.md

Add examples/pods/*.yaml files
Showing 31 changed files with 941 additions and 0 deletions.
content/ru/docs/concepts/scheduling-eviction/assign-pod-node.md: 349 additions, 0 deletions (large diff not rendered)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
--- | ||
title: Kubernetes Issues and Security | ||
weight: 70 | ||
--- |
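Review bot: this front-matter-only file is a verbatim English copy placed under `content/ru/`, as the commit message states; the section `title: Kubernetes Issues and Security` will therefore render untranslated in the Russian navigation, so either translate `title:` here or note in the PR that translation of these copied pages follows.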
@@ -0,0 +1,16 @@ | ||
--- | ||
title: Kubernetes Issue Tracker | ||
weight: 10 | ||
aliases: [/cve/,/cves/] | ||
--- | ||
|
||
To report a security issue, please follow the [Kubernetes security disclosure process](/docs/reference/issues-security/security/#report-a-vulnerability). | ||
|
||
Work on Kubernetes code and public issues are tracked using [GitHub Issues](https://github.com/kubernetes/kubernetes/issues/). | ||
|
||
* Official [list of known CVEs](/docs/reference/issues-security/official-cve-feed/) | ||
(security vulnerabilities) that have been announced by the | ||
[Security Response Committee](https://github.com/kubernetes/committee-security-response) | ||
* [CVE-related GitHub issues](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE) | ||
|
||
Security-related announcements are sent to the [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list. |
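Review bot: the sentence `Work on Kubernetes code and public issues are tracked using ...` has a subject/verb mismatch carried over from the EN source (`Work ... is tracked`); since this copy is meant to be translated, fix it in the translation rather than forking the EN wording in the ru tree. The GitHub search link also still carries the legacy `utf8=%E2%9C%93` query parameter, which can be dropped without changing the search results.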
content/ru/docs/reference/issues-security/official-cve-feed.md: 44 additions, 0 deletions
@@ -0,0 +1,44 @@ | ||
--- | ||
title: Official CVE Feed | ||
weight: 25 | ||
outputs: | ||
- json | ||
- html | ||
layout: cve-feed | ||
--- | ||
|
||
{{< feature-state for_k8s_version="v1.25" state="alpha" >}} | ||
|
||
This is a community maintained list of official CVEs announced by | ||
the Kubernetes Security Response Committee. See | ||
[Kubernetes Security and Disclosure Information](/docs/reference/issues-security/security/) | ||
for more details. | ||
|
||
The Kubernetes project publishes a programmatically accessible | ||
[JSON Feed](/docs/reference/issues-security/official-cve-feed/index.json) of | ||
published security issues. You can access it by executing the following command: | ||
|
||
{{< comment >}} | ||
`replace` is used to bypass known issue with rendering ">" | ||
: https://github.com/gohugoio/hugo/issues/7229 in JSON layouts template | ||
`layouts/_default/cve-feed.json` | ||
{{< /comment >}} | ||
|
||
```shell | ||
curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json | ||
``` | ||
|
||
{{< cve-feed >}} | ||
|
||
<!-- | CVE ID | Issue Summary | CVE GitHub Issue URL | | ||
| ----------- | ----------- | --------- | | ||
| [CVE-2021-25741](https://www.cve.org/CVERecord?id=CVE-2021-25741) | Symlink Exchange Can Allow Host Filesystem Access | [#104980](https://github.com/kubernetes/kubernetes/issues/104980) | | ||
| [CVE-2020-8565](https://www.cve.org/CVERecord?id=CVE-2020-8565) | Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 | [#95623](https://github.com/kubernetes/kubernetes/issues/95623) | --> | ||
|
||
This feed is auto-refreshing with a noticeable but small lag (minutes to hours) | ||
from the time a CVE is announced to the time it is accessible in this feed. | ||
|
||
The source of truth of this feed is a set of GitHub Issues, filtered by a controlled and | ||
restricted label `official-cve-feed`. The raw data is stored in a Google Cloud | ||
Bucket which is writable only by a small number of trusted members of the | ||
Community. |
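Review bot: the HTML-commented table of two CVEs (`CVE-2021-25741`, `CVE-2020-8565`) is stale hand-maintained content that the `{{< cve-feed >}}` shortcode above supersedes; copying it into the ru page only invites someone to edit a list that is never rendered, so drop it rather than carry it over. In the curl example, `-v` writes the TLS handshake and headers to stderr, which is noise for a reader who wants the JSON body; `curl -L` alone is enough for the purpose stated in the text.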
@@ -0,0 +1,57 @@ | ||
--- | ||
title: Kubernetes Security and Disclosure Information | ||
aliases: [/security/] | ||
reviewers: | ||
- eparis | ||
- erictune | ||
- philips | ||
- jessfraz | ||
content_type: concept | ||
weight: 20 | ||
--- | ||
|
||
<!-- overview --> | ||
This page describes Kubernetes security and disclosure information. | ||
|
||
|
||
<!-- body --> | ||
## Security Announcements | ||
|
||
Join the [kubernetes-security-announce](https://groups.google.com/forum/#!forum/kubernetes-security-announce) group for emails about security and major API announcements. | ||
|
||
## Report a Vulnerability | ||
|
||
We're extremely grateful for security researchers and users that report vulnerabilities to the Kubernetes Open Source Community. All reports are thoroughly investigated by a set of community volunteers. | ||
|
||
To make a report, submit your vulnerability to the [Kubernetes bug bounty program](https://hackerone.com/kubernetes). This allows triage and handling of the vulnerability with standardized response times. | ||
|
||
You can also email the private [security@kubernetes.io](mailto:security@kubernetes.io) list with the security details and the details expected for [all Kubernetes bug reports](https://github.com/kubernetes/kubernetes/blob/master/.github/ISSUE_TEMPLATE/bug-report.yaml). | ||
|
||
You may encrypt your email to this list using the GPG keys of the [Security Response Committee members](https://git.k8s.io/security/README.md#product-security-committee-psc). Encryption using GPG is NOT required to make a disclosure. | ||
|
||
### When Should I Report a Vulnerability? | ||
|
||
- You think you discovered a potential security vulnerability in Kubernetes | ||
- You are unsure how a vulnerability affects Kubernetes | ||
- You think you discovered a vulnerability in another project that Kubernetes depends on | ||
- For projects with their own vulnerability reporting and disclosure process, please report it directly there | ||
|
||
|
||
### When Should I NOT Report a Vulnerability? | ||
|
||
- You need help tuning Kubernetes components for security | ||
- You need help applying security related updates | ||
- Your issue is not security related | ||
|
||
## Security Vulnerability Response | ||
|
||
Each report is acknowledged and analyzed by Security Response Committee members within 3 working days. This will set off the [Security Release Process](https://git.k8s.io/security/security-release-process.md#disclosures). | ||
|
||
Any vulnerability information shared with Security Response Committee stays within Kubernetes project and will not be disseminated to other projects unless it is necessary to get the issue fixed. | ||
|
||
As the security issue moves from triage, to identified fix, to release planning we will keep the reporter updated. | ||
|
||
## Public Disclosure Timing | ||
|
||
A public disclosure date is negotiated by the Kubernetes Security Response Committee and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. For a vulnerability with a straightforward mitigation, we expect report date to disclosure date to be on the order of 7 days. The Kubernetes Security Response Committee holds the final say when setting a disclosure date. | ||
|
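Review bot: in the `When Should I Report a Vulnerability?` list, the last item (`For projects with their own vulnerability reporting and disclosure process, please report it directly there`) is an instruction rather than a condition like the three items before it; it reads better as a sentence following the list, or folded into the dependency item it qualifies. The same translation caveat applies here: the whole page lands under `content/ru/` in English, so the headings in particular should be flagged for translation.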
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: command-demo | ||
labels: | ||
purpose: demonstrate-command | ||
spec: | ||
containers: | ||
- name: command-demo-container | ||
image: debian | ||
command: ["printenv"] | ||
args: ["HOSTNAME", "KUBERNETES_PORT"] | ||
restartPolicy: OnFailure |
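Review bot: `image: debian` carries no tag, so the pod pulls whatever `latest` resolves to at run time; for an example readers copy verbatim, pin a tag so the `printenv` output is reproducible and the image is not silently replaced under them. `restartPolicy: OnFailure` is the right choice for a one-shot command container.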
@@ -0,0 +1,30 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: init-demo | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
ports: | ||
- containerPort: 80 | ||
volumeMounts: | ||
- name: workdir | ||
mountPath: /usr/share/nginx/html | ||
# These containers are run during pod initialization | ||
initContainers: | ||
- name: install | ||
image: busybox:1.28 | ||
command: | ||
- wget | ||
- "-O" | ||
- "/work-dir/index.html" | ||
- http://info.cern.ch | ||
volumeMounts: | ||
- name: workdir | ||
mountPath: "/work-dir" | ||
dnsPolicy: Default | ||
volumes: | ||
- name: workdir | ||
emptyDir: {} | ||
|
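Review bot: the `install` init container fetches `http://info.cern.ch` over cleartext HTTP and writes the response straight into the directory nginx serves, with no integrity check; acceptable for a demo, but the file should say so in a comment, since anything on the path to that host can rewrite the served page. `busybox:1.28` is pinned while `nginx` is not, and `dnsPolicy: Default` makes the pod resolve names through the node's resolver instead of cluster DNS, which also deserves a one-line comment explaining why it is set.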
@@ -0,0 +1,16 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: lifecycle-demo | ||
spec: | ||
containers: | ||
- name: lifecycle-demo-container | ||
image: nginx | ||
lifecycle: | ||
postStart: | ||
exec: | ||
command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] | ||
preStop: | ||
exec: | ||
command: ["/bin/sh","-c","nginx -s quit; while killall -0 nginx; do sleep 1; done"] | ||
|
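Review bot: the `preStop` loop `while killall -0 nginx; do sleep 1; done` has no upper bound of its own; it is cut short only by the pod's `terminationGracePeriodSeconds` (30s by default), after which the container is SIGKILLed, so a comment should state that dependency. Separately, `postStart` is not guaranteed to run before the container's ENTRYPOINT, so the handler cannot be relied on to prepare anything nginx reads at startup; writing `/usr/share/message` is fine precisely because nothing depends on it.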
content/ru/examples/pods/pod-configmap-env-var-valueFrom.yaml: 21 additions, 0 deletions
@@ -0,0 +1,21 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: dapi-test-pod | ||
spec: | ||
containers: | ||
- name: test-container | ||
image: registry.k8s.io/busybox | ||
command: [ "/bin/echo", "$(SPECIAL_LEVEL_KEY) $(SPECIAL_TYPE_KEY)" ] | ||
env: | ||
- name: SPECIAL_LEVEL_KEY | ||
valueFrom: | ||
configMapKeyRef: | ||
name: special-config | ||
key: SPECIAL_LEVEL | ||
- name: SPECIAL_TYPE_KEY | ||
valueFrom: | ||
configMapKeyRef: | ||
name: special-config | ||
key: SPECIAL_TYPE | ||
restartPolicy: Never |
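Review bot: both `configMapKeyRef` entries reference `special-config` without `optional: true`, so if the ConfigMap or either key is missing the container never starts and the pod sits in `CreateContainerConfigError`; that strictness is intended here, but a one-line comment would save readers a surprise. The `$(SPECIAL_LEVEL_KEY)` form in `command` is Kubernetes' own variable expansion, resolved from `env` before the container runs, not shell expansion, which is why `/bin/echo` works without `sh -c`.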
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: dapi-test-pod | ||
spec: | ||
containers: | ||
- name: test-container | ||
image: registry.k8s.io/busybox | ||
command: [ "/bin/sh", "-c", "env" ] | ||
envFrom: | ||
- configMapRef: | ||
name: special-config | ||
restartPolicy: Never |
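Review bot: `envFrom` imports every key of `special-config` as an environment variable; keys that are not valid environment variable names are skipped with a warning event rather than failing the pod, so a variable that is unexpectedly absent from the `env` output points at the ConfigMap's key names, not at this spec. As with the sibling example, the ConfigMap is not `optional`, so it must exist before the pod is created.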
content/ru/examples/pods/pod-configmap-volume-specific-key.yaml: 20 additions, 0 deletions
@@ -0,0 +1,20 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: dapi-test-pod | ||
spec: | ||
containers: | ||
- name: test-container | ||
image: registry.k8s.io/busybox | ||
command: [ "/bin/sh","-c","cat /etc/config/keys" ] | ||
volumeMounts: | ||
- name: config-volume | ||
mountPath: /etc/config | ||
volumes: | ||
- name: config-volume | ||
configMap: | ||
name: special-config | ||
items: | ||
- key: SPECIAL_LEVEL | ||
path: keys | ||
restartPolicy: Never |
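Review bot: projecting only `SPECIAL_LEVEL` through `items` is the least-privilege form of a ConfigMap mount and is the one thing that distinguishes this file from the all-keys example, so it deserves a comment: other keys in `special-config` never appear under `/etc/config`. Note also that `mountPath: /etc/config` hides anything the image had at that path.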
@@ -0,0 +1,19 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: dapi-test-pod | ||
spec: | ||
containers: | ||
- name: test-container | ||
image: registry.k8s.io/busybox | ||
command: [ "/bin/sh", "-c", "ls /etc/config/" ] | ||
volumeMounts: | ||
- name: config-volume | ||
mountPath: /etc/config | ||
volumes: | ||
- name: config-volume | ||
configMap: | ||
# Provide the name of the ConfigMap containing the files you want | ||
# to add to the container | ||
name: special-config | ||
restartPolicy: Never |
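Review bot: with no `items`, every key in `special-config` becomes a file under `/etc/config`, including keys added after the pod starts, because the kubelet periodically refreshes ConfigMap volumes; the `ls` output is therefore not fixed. A comment noting the refresh behaviour, and that it does not apply to `subPath` mounts, would make the example more useful.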
content/ru/examples/pods/pod-multiple-configmap-env-variable.yaml: 21 additions, 0 deletions
@@ -0,0 +1,21 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: dapi-test-pod | ||
spec: | ||
containers: | ||
- name: test-container | ||
image: registry.k8s.io/busybox | ||
command: [ "/bin/sh", "-c", "env" ] | ||
env: | ||
- name: SPECIAL_LEVEL_KEY | ||
valueFrom: | ||
configMapKeyRef: | ||
name: special-config | ||
key: special.how | ||
- name: LOG_LEVEL | ||
valueFrom: | ||
configMapKeyRef: | ||
name: env-config | ||
key: log_level | ||
restartPolicy: Never |
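Review bot: this pod reads from two ConfigMaps (`special-config`, key `special.how`, and `env-config`, key `log_level`) and neither reference is `optional`, so both must exist before the pod is created; the file does not say so, and a comment listing the prerequisites would help readers who apply it in isolation.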
content/ru/examples/pods/pod-nginx-preferred-affinity.yaml: 19 additions, 0 deletions
@@ -0,0 +1,19 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
affinity: | ||
nodeAffinity: | ||
preferredDuringSchedulingIgnoredDuringExecution: | ||
- weight: 1 | ||
preference: | ||
matchExpressions: | ||
- key: disktype | ||
operator: In | ||
values: | ||
- ssd | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
imagePullPolicy: IfNotPresent |
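Review bot: `preferredDuringSchedulingIgnoredDuringExecution` is a soft rule: if no node carries `disktype=ssd` the pod is still scheduled elsewhere, and `weight: 1` only matters relative to other preferred terms (valid range 1 to 100). A comment stating that this does not guarantee placement would prevent the common misreading; the `required...` variant in this commit is the hard form.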
@@ -0,0 +1,18 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
affinity: | ||
nodeAffinity: | ||
requiredDuringSchedulingIgnoredDuringExecution: | ||
nodeSelectorTerms: | ||
- matchExpressions: | ||
- key: disktype | ||
operator: In | ||
values: | ||
- ssd | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
imagePullPolicy: IfNotPresent |
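Review bot: `requiredDuringSchedulingIgnoredDuringExecution` is enforced only at scheduling time: if the `disktype` label is later removed from the node, the running pod is not evicted, which the `IgnoredDuringExecution` suffix encodes but readers often miss; a comment to that effect would help. With no matching node the pod stays `Pending`.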
@@ -0,0 +1,10 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
nodeName: foo-node # schedule pod to specific node | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
imagePullPolicy: IfNotPresent |
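Review bot: `nodeName: foo-node` bypasses the scheduler entirely, so taints, affinity rules and resource fitting are never evaluated; if `foo-node` lacks capacity the kubelet rejects the pod outright, and if the node does not exist the pod is never run. Since direct node pinning is also something cluster admission policy may legitimately restrict, the inline comment should say more than `schedule pod to specific node`, for example that this is a direct binding that skips scheduling.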
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
labels: | ||
env: test | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
imagePullPolicy: IfNotPresent | ||
nodeSelector: | ||
disktype: ssd |
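Review bot: `nodeSelector` with `disktype: ssd` is a hard constraint; with no node labelled `disktype=ssd` the pod stays `Pending` with a `FailedScheduling` event, so the file, or the page that embeds it, should tell readers to label a node first.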
@@ -0,0 +1,20 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
containers: | ||
- image: nginx | ||
name: nginx | ||
volumeMounts: | ||
- mountPath: /var/run/secrets/tokens | ||
name: vault-token | ||
serviceAccountName: build-robot | ||
volumes: | ||
- name: vault-token | ||
projected: | ||
sources: | ||
- serviceAccountToken: | ||
path: vault-token | ||
expirationSeconds: 7200 | ||
audience: vault |
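Review bot: scoping the projected token with `audience: vault` and `expirationSeconds: 7200` is the right pattern, but the pod still receives the default token for `build-robot` at `/var/run/secrets/kubernetes.io/serviceaccount`; add `automountServiceAccountToken: false` to the spec (or the ServiceAccount) so the Vault-scoped token is the only credential in the container. It is also worth stating that `/var/run/secrets/tokens` is a directory and the token file is `vault-token` inside it, since consumers are sometimes pointed at the directory.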
@@ -0,0 +1,23 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: pod1 | ||
labels: | ||
tier: frontend | ||
spec: | ||
containers: | ||
- name: hello1 | ||
image: gcr.io/google-samples/hello-app:2.0 | ||
|
||
--- | ||
|
||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: pod2 | ||
labels: | ||
tier: frontend | ||
spec: | ||
containers: | ||
- name: hello2 | ||
image: gcr.io/google-samples/hello-app:1.0 |
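Review bot: `pod1` runs `hello-app:2.0` while `pod2` runs `hello-app:1.0`; if the two pods are meant to be interchangeable `tier: frontend` members for a selector or spreading demo, the version difference looks accidental and should be aligned or explained in a comment. The `---` separator is present, so `kubectl apply -f` on this file creates both pods.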