Change auditing docs page for 1.9 release #6427

Merged
merged 5 commits into from
Dec 7, 2017

@crassirostris crassirostris commented Nov 23, 2017

Docs PR for the API Audit Logging feature

Doesn't contain much new information, mostly refactoring and making sure new auditing mechanism is viewed as a default.

/cc @sttts @tallclair @CaoShuFeng @ericchiang



Signed-off-by: Mik Vyatskov <vmik@google.com>
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 23, 2017
@k8sio-netlify-preview-bot
Collaborator

Deploy preview ready!

Built with commit ff1f784

https://deploy-preview-6427--kubernetes-io-vnext-staging.netlify.com

[audit-api]: https://github.com/kubernetes/kubernetes/blob/v1.8.0-beta.1/staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1/types.go
## Legacy Audit

__Note:__ Legacy Audit is deprecated and is disabled by defaule since Kubernetes 1.8.
Contributor

s/defaule/default/

Author

Done, thanks

they should include. When an event is processed, it's compared against the list
of rules in order. The first matching rule sets the [audit level][auditing-level]
of the event. The audit policy object structure is defined in the
[`audit.k8s.io` API group][audit-api].
Contributor

This will not be transformed I think.
Should it be [`audit.k8s.io` API group][auditing-api]?

Contributor

A link would be very helpful here.

Author

Thanks! Done

using the `--audit-policy-file` flag. If the flag is omitted, no events are logged.
__Note:__ `kind` and `apiVersion` fields along with `rules` __must__ be provided
in the audit policy file. A policy with 0 rules, or a policy that doesn't
provide valid `apiVersion` and `kind` values is treated as illgal.
Contributor

illegal?

Author

Done, thanks
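
The rule ordering and policy validity described in the two doc excerpts above, as an added example that is not part of this PR or of Kubernetes: a simplified matcher that assumes an empty selector matches everything and an unmatched event gets level `None`. The policies, events and helper names are constructed for illustration.

```python
# Added illustration; not kube-apiserver code. Simplified first-match
# evaluation of an audit policy, written as dicts that mirror the YAML file.
VALID_LEVELS = ("None", "Metadata", "Request", "RequestResponse")


def validate_policy(policy):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if policy.get("kind") != "Policy":
        problems.append("kind must be 'Policy'")
    if not str(policy.get("apiVersion", "")).startswith("audit.k8s.io/"):
        problems.append("apiVersion must be in the audit.k8s.io group")
    rules = policy.get("rules") or []
    if not rules:
        problems.append("policy has 0 rules")
    for i, rule in enumerate(rules):
        if rule.get("level") not in VALID_LEVELS:
            problems.append(f"rule {i}: unknown level {rule.get('level')!r}")
    return problems


def _in(selector, value):
    """Assumption: an empty or missing selector list matches every value."""
    return not selector or value in selector


def rule_matches(rule, event):
    """Check one rule against the event fields this sketch understands."""
    user = event.get("user", {})
    ref = event.get("objectRef", {})
    if not _in(rule.get("users"), user.get("username")):
        return False
    groups = rule.get("userGroups")
    if groups and not set(groups) & set(user.get("groups", [])):
        return False
    if not _in(rule.get("verbs"), event.get("verb")):
        return False
    if not _in(rule.get("namespaces"), ref.get("namespace", "")):
        return False
    resources = rule.get("resources")
    if resources:
        # The core API group is the empty string and is omitted from objectRef.
        return any(
            gr.get("group", "") == ref.get("apiGroup", "")
            and _in(gr.get("resources"), ref.get("resource"))
            for gr in resources
        )
    return True


def level_for(policy, event):
    """Return (level, index of the deciding rule); the first match wins."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    for index, rule in enumerate(policy["rules"]):
        if rule_matches(rule, event):
            return rule["level"], index
    return "None", None  # assumption: nothing matched, nothing is logged


def make_policy(*rules):
    return {"apiVersion": "audit.k8s.io/v1beta1", "kind": "Policy",
            "rules": list(rules)}


# Constructed rules: keep secrets at Metadata so their bodies are not logged.
SECRETS_META = {"level": "Metadata",
                "resources": [{"group": "", "resources": ["secrets"]}]}
CORE_FULL = {"level": "RequestResponse", "resources": [{"group": ""}]}
CATCH_ALL = {"level": "Metadata"}

ORDERED = make_policy(SECRETS_META, CORE_FULL, CATCH_ALL)
REORDERED = make_policy(CORE_FULL, SECRETS_META, CATCH_ALL)  # same rules

# Constructed events, shaped like the audit.k8s.io/v1beta1 lines in this PR.
SECRET_GET = {
    "verb": "get",
    "user": {"username": "alice", "groups": ["system:authenticated"]},
    "objectRef": {"resource": "secrets", "namespace": "kube-system",
                  "apiVersion": "v1"},
}
ROLES_LIST = {
    "verb": "list",
    "user": {"username": "kubecfg",
             "groups": ["system:masters", "system:authenticated"]},
    "objectRef": {"resource": "roles", "namespace": "default",
                  "apiGroup": "rbac.authorization.k8s.io", "apiVersion": "v1"},
}

if __name__ == "__main__":
    for name, policy in (("ordered", ORDERED), ("reordered", REORDERED)):
        for label, event in (("secret get", SECRET_GET),
                             ("roles list", ROLES_LIST)):
            print(name, label, level_for(policy, event))
    print("empty policy:", validate_policy({"rules": []}))
```

With the broad core-group rule placed first, the secrets rule is never reached and secret reads are recorded at `RequestResponse`, which includes request and response bodies.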

```
In both cases, audit events structure is defined by the API in the
`audit.k8s.io` API group. The current version of the API is
[`v1beta1`][auditing-beta-api].
Contributor

This can't be transformed.

Author

Done, thanks

@CaoShuFeng
Contributor

/cc @hzxuzhonghu

@k8s-ci-robot
Contributor

@CaoShuFeng: GitHub didn't allow me to request PR reviews from the following users: hzxuzhonghu.

Note that only kubernetes members can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @hzxuzhonghu


- `--audit-webhook-config-file` specifies the path to a file with a webhook
configuration. Webhook configuration is effectively a [kubeconfig][kubeconfig].
- `--audit-webhook-mode` define the buffering strategy, one of the following:
- `batch` - buffer events and asynchronously send the set of events to the external service.
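
Review bot: on the `--audit-webhook-mode` line, "define" should be "defines", matching "specifies" on the `--audit-webhook-config-file` entry above it.
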
Contributor

this is the default

Author

Done, thanks

audit events. Not specifying this flag disables log backend.
- `--audit-log-maxage` defined the maximum number of days to retain old audit log files.
- `--audit-log-maxbackup` defines the maximum number of audit log files to retain.
- `--audit-log-maxsize` defines the maximum size of the audit log file before it gets rotated.
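
Review bot: the `--audit-log-maxage` entry uses the past tense "defined" while the `--audit-log-maxbackup` and `--audit-log-maxsize` entries use "defines"; change it to "defines" so the three flags read consistently.
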
Contributor

in megabytes

Author

Done, thanks

`RequestResponse` levels are equivalent to `Metadata` for legacy format. This legacy format
of advanced audit is different from the [Legacy Audit](# Legacy Audit) discussed above, such
as changes to the method values and the introduction of a "stage" for each event.
- `--audit-log-path` specifies the log file path, that log backend uses to write
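
Review bot: the link `[Legacy Audit](# Legacy Audit)` has a space in its target, so it will not resolve to the heading; point it at the heading's generated anchor instead (for example `#legacy-audit`). The clause that follows, "such as changes to the method values", does not attach to anything; consider "it differs in, for example, the method values and the introduction of a stage for each event".
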
Contributor

remove ","

Author

Done, thanks

cluster: name-of-remote-audit-service
user: name-of-api-sever
name: webhook
```
Contributor

Should we retain the config file sample?

Contributor

We have a kubeconfig file in logstash example.
I am OK to let this go.

Author

That's the reason I removed it: an example is already present in another place

[Kube-apiserver][kube-apiserver] provides the following options which are responsible
for configuring where and how audit logs are handled:

- `audit-log-path` - enables the audit log pointing to a file where the requests are being logged to, '-' means standard out.
Contributor

when comparing the differences, I'm not sure if the "-" syntax is still supported?

Author

Yes, it is. Added to the description above, thanks

@sttts
Contributor

sttts commented Nov 24, 2017

/cc @soltysh ^^

@tengqm tengqm added this to In Progress in Release 1.9 Nov 24, 2017
- `blocking` - block API server responses on sending each event to the external service.
- `--audit-webhook-config-file` specifies the path to a file with a webhook
configuration. Webhook configuration is effectively a [kubeconfig][kubeconfig].
- `--audit-webhook-mode` define the buffering strategy, one of the following:
Member

Should we use --audit-webhook-buffered default is true?

Author

Let's not deprecate this flag in this release, since it's too close. It'll be a TODO for the next release

Signed-off-by: Mik Vyatskov <vmik@google.com>
@@ -9,7 +9,7 @@ title: Auditing
* TOC
{:toc}
Member

Maybe add the beta label, since you're removing the legacy section?

{% include feature-state-beta.md %}

Author

Done

using the `--audit-policy-file` flag. If the flag is omitted, no events are logged.
__Note:__ `kind` and `apiVersion` fields along with `rules` __must__ be provided
in the audit policy file. A policy with 0 rules, or a policy that doesn't
provide valid `apiVersion` and `kind` values is treated as illegal.

Some example audit policy files:

```yaml
Member

Consider moving this to a separate file so it can be tested, and including with

{% include code.html language="yaml" file="policy.yaml" ghlink="/docs/.../audit-policy.yaml" %}

Author

Done


```
{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"level":"Metadata","timestamp":"2017-09-05T10:04:55Z","auditID":"77e58433-d345-40ac-b2d8-9866bd355cea","stage":"RequestReceived","requestURI":"/apis/rbac.authorization.k8s.io/v1/namespaces/default/roles","verb":"list","user":{"username":"kubecfg","groups":["system:masters","system:authenticated"]},"sourceIPs":["172.16.116.128"],"objectRef":{"resource":"roles","namespace":"default","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"level":"Metadata","timestamp":"2017-09-05T10:04:55Z","auditID":"77e58433-d345-40ac-b2d8-9866bd355cea","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/namespaces/default/roles","verb":"list","user":{"username":"kubecfg","groups":["system:masters","system:authenticated"]},"sourceIPs":["172.16.116.128"],"objectRef":{"resource":"roles","namespace":"default","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
Member

It looks like you cut out all the examples of actual audit lines? I think it would be good to retain an example, and maybe even document the API.

Author

I'm not sure this particular example is useful. It duplicates a lot of info in a poorer format: a user can look into their own logs or into the API definition for a much better picture. Additionally, it looks like a big human-unparsable blob, so I'm against keeping it in the current form anyway.

If you want to describe the API in these docs, that's going to encounter a problem of docs obsoletion. Having better docs in the API code seems better to me; it creates a single place where it's described.

Contributor

This example does not have RequestReceivedTimestamp and StageTimestamp introduced here

@zacharysarah zacharysarah moved this from In Progress to To Do in Release 1.9 Nov 29, 2017
@steveperry-53 steveperry-53 added this to the 1.9 milestone Nov 29, 2017
@steveperry-53
Contributor

This has tech approval from @tengqm. Waiting for tech approval from @tallclair.

@zacharysarah zacharysarah mentioned this pull request Nov 30, 2017
Contributor

@zacharysarah zacharysarah left a comment

Good work. ✨ Small edits for syntax

You can pass a file with the policy to [kube-apiserver][kube-apiserver]
using the `--audit-policy-file` flag. If the flag is omitted, no events are logged.
__Note:__ `kind` and `apiVersion` fields along with `rules` __must__ be provided
in the audit policy file. A policy with 0 rules, or a policy that doesn't
Contributor

+in the audit policy file. A policy with no (0) rules, or a policy that doesn't

Author

Done


In alpha version, objectRef.apiVersion holds both the api group and version.
In beta version these were break out into objectRef.apiGroup and objectRef.apiVersion.
- Log backend, which writes events to a disk.
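
Review bot: "these were break out" in the second line should be "these were broken out" (or "split"), and "api group" in the first line should be capitalised as "API group" to match the other sections of the page.
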
Contributor

- Log backend, which writes events to a disk

Author

Done

In alpha version, objectRef.apiVersion holds both the api group and version.
In beta version these were break out into objectRef.apiGroup and objectRef.apiVersion.
- Log backend, which writes events to a disk.
- Webhook backend, which sends events to an external API.
Contributor

- Webhook backend, which sends events to an external API

Author

Done

- `--audit-log-path` specifies the log file path that log backend uses to write
audit events. Not specifying this flag disables log backend. `-` means standard out
- `--audit-log-maxage` defined the maximum number of days to retain old audit log files.
- `--audit-log-maxbackup` defines the maximum number of audit log files to retain.
Contributor

No period at the end

Author

Done

audit events. Not specifying this flag disables log backend. `-` means standard out
- `--audit-log-maxage` defined the maximum number of days to retain old audit log files.
- `--audit-log-maxbackup` defines the maximum number of audit log files to retain.
- `--audit-log-maxsize` defines the maximum size in megabytes of the audit log file before it gets rotated.
Contributor

No period at the end

Author

Done

- `--audit-webhook-config-file` specifies the path to a file with a webhook
configuration. Webhook configuration is effectively a [kubeconfig][kubeconfig].
- `--audit-webhook-mode` define the buffering strategy, one of the following:
- `batch` - buffer events and asynchronously send the set of events to the external service.
Contributor

No period at the end

Author

Done

- `--audit-webhook-mode` define the buffering strategy, one of the following:
- `batch` - buffer events and asynchronously send the set of events to the external service.
This is the default.
- `blocking` - block API server responses on sending each event to the external service.
Contributor

No period at the end

Author

Done

@zacharysarah zacharysarah moved this from To Do to In Progress in Release 1.9 Dec 3, 2017
Signed-off-by: Mik Vyatskov <vmik@google.com>
Author

@crassirostris crassirostris left a comment

@tallclair @zacharysarah Thanks a lot for the review! PTAL

Signed-off-by: Mik Vyatskov <vmik@google.com>
@zacharysarah
Contributor

@crassirostris 👋 It looks like the preview build is failing due to YAML file inclusion syntax:

12:42:25 PM: jekyll 3.6.0 | Error: Could not locate the included file 'policy.yaml' in any of ["/opt/build/repo/docs/tasks/debug-application-cluster"]. Ensure it exists in one of those directories and, if it is a symlink, does not point outside your site source.
12:42:25 PM: Liquid Exception: Could not locate the included file 'policy.yaml' in any of ["/opt/build/repo/docs/tasks/debug-application-cluster"]. Ensure it exists in one of those directories and, if it is a symlink, does not point outside your site source. in docs/tasks/debug-application-cluster/audit.md

@zacharysarah
Contributor

@tallclair 👋 Does this look Tech LGTM?

Signed-off-by: Mik Vyatskov <vmik@google.com>
@crassirostris
Author

@zacharysarah Oh, thanks a lot for pointing this out! Fixed the link

@zacharysarah zacharysarah merged commit 07d8458 into kubernetes:release-1.9 Dec 7, 2017
@zacharysarah zacharysarah moved this from In Progress to Done in Release 1.9 Dec 11, 2017
zacharysarah added a commit that referenced this pull request Dec 15, 2017
* Trivial change to open release branch

* Undo trivial change

* add service ipvs overview

* Add instructions on how to setup kubectl

* Document conntrack dependency for kube-proxy

* Add an a

This is kind of jarring / missing an article. I'm guessing it should either be ' to a rack of bare metal servers.' or '...to racks of bare metal servers.'.

* adding example responses for common issues

 - support request
 - code bug report

* Trivial change to open release branch

* Undo trivial change

* Signed-off-by: Ziqi Zhao <zhaoziqi@qiniu.com> (#5366)

Fix the not-working test case yaml for /doc/concepts/storage/volumes.md

* kubectl-overview

* temp fix for broken pod and deployment links

* Update Table of Solutions for Juju

* Revise certificates documentation (#5965)

* Update review-issues.md

Some edits for clarity and condensed language.

* Update init-containers.md

Fix leading spaces in commands.

* Update kubectl-overview.md

Fix format.

* Update clc.md

Fix format.

* Update openstack-heat.md

The url no need. just  highlight.

* Typo

I believe this should be "users" not "uses"

* making explicit hostname uniq requirement

* Update scheduling-hugepages.md

* Update update-daemon-set.md

* fix redirection of PersistentVolume

* Update hpa.md

* update kubectl instruction

* Use the format of kubeadm init

* fix spelling error

guarnatees  to guarantees

* add matchLabels description (#6020)

* search and replace for k8s.github.io to website (#6019)

* fix scale command of object-management (#6011)

* Update replicaset.md (#6009)

* Update secret.md (#6008)

* specify password for mysql image (#5990)

* specify password for mysql image

* specify password for mysql image

* link error for run-stateless-application-deployment.md (#5985)

* link error for run-stateless-application-deployment.md

* link error for run-stateless-application-deployment.md

* Add performance implications of inter-pod affinity/anti-affinity (#5979)

* 404 monthly maintenance - October 2017 (#5977)

* Updated redirects

* More redirects

* Add conjure-up to Turnkey Cloud Solutions list (#5973)

* Add conjure-up to Turnkey Cloud Solutions list

* Changed wording slightly

* change the StatefulSet to ReplicaSet in reference (#5968)

* Clarification of failureThreshold of probes (#5963)

* Mention usage of block storage version param (#5925)

Mention usage of block storage version (bs-version) parameter to
workaround attachment issues using older K8S versions on an OpenStack
cloud with path-based endpoints.

Resolves: #5924

* Update sysctl-cluster.md (#5894)

Include guide on enabling unsafe sysctls in minikube

* Avoid Latin phrases & format note (#5889)

* Avoid Latin phrases & format note

according the Documentation Style Guide

* Update scratch.md

* Update scratch.md

* resolves jekyll rendering error (#5976)

- chinese isn't understood for keys in YAML frontmatter in jekyll, so
   replaced it with the english equivalent that doesn't throw the
following error on rendering:

Error reading file src/kubernetes.github.io/cn/docs/concepts/cluster-administration/device-plugins.md: (<unknown>): could not find expected ':' while scanning a simple key at line 4 column 1

* Change VM to pod. (#6022)

* Add link to custom metrics. (#6023)

* Rephrase core group. (#6024)

* Added explanation on context to when joining (#6018)

* Update create-cluster-kubeadm.md (#5761)

Update Canal version in pod network apply commands

* Fixes issue #5620 (#5869)

* Fixes issue #5620

Signed-off-by: Brad Topol <btopol@us.ibm.com>

* Restructured so that review process is for both current and upcoming
releases.  Added content describing the use of tech reviewers.

* Removed incorrect Kubernetes reviewer link.

* Fixed tech reviewer URL to now use website

* Update pod-priority-preemption.md

fix-wrong-link-to-pod-preemption

* pod-security-policy.md: add links to the page about admission plugins.

* Adding all files for BlaBlaCar case study (#5857)

* Adding all files for BlaBlaCar case study

* Update blablacar.html

* Fix changed URL for google containers

* Add /docs/reference/auto-generated directory

* correct the downwardapi redirect

* Remove links using "here"

* Rename to /docs/reference/generated directory

* add Concept template

* Change title to just Ingress

* Link mistake (#6038)

* link mistake

* link mistake

* skip title check for skip_title_check.txt

* skip title check for skip_title_check.txt

* remove doesn't exist link.

* Fix podpreset task (#5705)

* Add a simple pod manifest to pod overview (#5986)

* Split PodPreset concept out from task doc (#5984)

* Add selector spec description (#5789)

* Add selector spec description

* Fix selector field explanation

* Put orphaned topics in TOC. (#6051)

* static-pod example bad format in the final page (#6050)

* static-pod example bad format in the final page

* static-pod example bad format in the final page

* static-pod example bad format in the final page

* static-pod example bad format in the final page

* static-pod example bad format in the final page

* Fix `backoffLimit` field misplacement (#6042)

It should be placed in JobSpec according to:
https://github.com/kubernetes/kubernetes/blob/master/api/swagger-spec/batch_v1.json#L1488-L1514

* Update addons.md (#6061)

* add info about VMware NSX-T CNI plugin (#5987)

* add info about VMware NSX-T CNI plugin

Hello,

I'm VMware Networking and Security Architect and would like to include short information about our CNI plugin implementation similar to what other vendors did

Best regards

Emil Gagala

* Update networking.md

* Update networking.md

* Update networking.md

* Update: Using universal zsh configuration (#5669)

* Update install-kubectl.md

Zsh is not only oh-my-zsh, so I added universal configuration for zsh that also can be used in prezto.

* fix merge error after rebase

* Operating etcd cluster for Kubernetes bad format in the final page (#6056)

* Operating etcd cluster for Kubernetes bad format in the final page

* Update configure-upgrade-etcd.md

* Update configure-upgrade-etcd.md

* Usage note and warning tags. (#6053)

* Usage note and warning tags.

* Update configure-upgrade-etcd.md

* Update configure-upgrade-etcd.md

* Document jekyll includes snippets

* Add jekyll includes to docs home toc

- Remove extra kubernetes home in toc

* document docker cgroupdriver req (#5937)

* Update test blacklists (#6063)

* Update toc check blacklist

* Update title check blacklist

* wip

* wip

* Fix typo

* Document unconfined apparmor profile

* Revert "Document the unconfined profile for AppArmor" (#6268)

* CRD Validation: remove alpha warning, change enable instructions to (#6066)

disable

* Documented service annotation for AWS ELB SSL policy

* kubeadm: add a note about the new `--print-join-command` flag.

This is a new flag for the `kubeadm token create` command.

* Add a note to PDB page

* Improve Kubeadm reference doc (#6103)

* automatically-generated kubeadm reference doc

* user-mantained kubeadm reference doc

* Documentation for CSIPersistentVolume

* change replicaset documentation to use apps/v1 APIs

* Update service.md

ipvs alpha version -> beta version

* Updated Deployment concept docs (#6494)

* Updated Deployment concept docs

* Addressed comments

* Documentation for volume scheduling alpha feature

* Update admission control docs for webhooks

* Improve DNS documentation (#6479)

* update ds for 1.9

* Update service.md

* Update service.md

* Revert "begin updating webhook documentation" (#6575)

* Update version numbers to include 1.9 (#6518)

* Update site versions for 1.9

* Removed 1.4 docs

* Update _config.yml

* Update _config.yml

* updates for raw block devices

* rbac: docs for aggregated cluster roles (#6474)

* Added IPv6 information for Kubelet arguments (#6498)

* Added IPv6 info to kube-proxy arguments

* Added IPv6 information for argument for kubelet

* Update PVC resizing documentation (#6487)

* Updates for Windows Server version 1709 with K8s v1.8 (#6180)

* Updated for WSv1709 and K8s v1.8

* Updated picture and CNI config

* Fixed formatting on CNI Config

* Updated docs to reference Microsoft/SDN GitHub docs

* fix typo

* Workaround for Jekyllr frontmatter

* Added section on features and limitations, with example yaml files.

* Update index.md

* Added kubeadm section, few other small fixes

* Few minor grammar fixes

* Update access-cluster.md with a comment that for IPv6
the user should use [::1] for the localhost

* Addressed a number of issues brought up against the base PR

* Fixed windows-host-setup link

* Rewrite PodSecurityPolicy guide

* Update index.md

Signed-off-by: Alin Balutoiu <abalutoiu@cloudbasesolutions.com>
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>

* Spelling correction and sentence capitalization.

- Corrected the spelling error for storing, was put in as 'stoing'.
- Capitalized list items.
- Added '.' at end of sentences in the list items.

* Update index.md

* Update index.md

* Addressed comments and rebased

* Fixed formatting

* Fixed formatting

* Updated header link

* Updated hyperlinks

* Updated warning

* formatting

* formatting

* formatting

* Revert "Update access-cluster.md with a comment that for IPv6"

This reverts commit 31e4dbd.

* Revert "fix typo"

This reverts commit c056787.

* Revert "Workaround for Jekyllr frontmatter"

This reverts commit b84ac59.

* Fixed grammatical issues and reverted non-related commits

* Revert "Rewrite PodSecurityPolicy guide"

This reverts commit 5d39cfe.

* Revert "Spelling correction and sentence capitalization."

This reverts commit 47eed43.

* Fixed auto-numbering

* Minor formatting updates

* CoreDNS feature documentation (#6463)

* Initial placeholder PR for CoreDNS feature documentation

* Remove from admin, add content

* Fix missing endcapture

* Add to tasks.yml

* Review feedback

* Postpone Deletion of a Persistent Volume Claim in case It Is Used by a Pod (#6415)

* Postpone Deletion of a Persistent Volume Claim in case It Is Used by a Pod

A new feature PVC Protection was added into K8s 1.9 that's why this documentation change is needed.

* Added tag at the top of each new area.

* Fix typo

* Fix: switched on in (all kubelets) -> (all K8s components).

* Added link to admission controller

* Moved PVC Protection configuration into Before you begin section.

* Added steps how to verify PVC Protection feature.

* Fixes for admission controller plugin description and for PVC Protection description in PVC lifecycle.

* Testing official rendering of enumerations (1., 2., 3., etc.)

* Re-write to address comments from review.

* Fixed definition when a PVC is in active use by a pod.

* Change auditing docs page for 1.9 release (#6427)

* Change auditing docs page for 1.9 release

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Address review comments

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Address review comments

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Address review comments

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Fix broken link

Signed-off-by: Mik Vyatskov <vmik@google.com>

* short circuit deny docs (#6536)

* line wrap

* short circuit deny

* address comments

* Add kubeadm 1.9 upgrade docs (#6485)

* kubeadm: Improve kubeadm documentation for v1.9 (#6645)

* Update admission control docs for webhooks (re-send #6368) (#6650)

* Update admission control docs for webhooks

* update in response to comments

* Revamp rkt and add CRI-O as alternative runtime (#6371)

Signed-off-by: Lorenzo Fontana <lo@linux.com>

* Documented NLB for Kubernetes 1.9 (#6260)

* Added IPV6 information to setup cluster using kubeadm (#6465)

* Added IPV6 information to setup cluster using kubeadm

* Updated kubeadm.md & create-cluster-kubeadm.md with IPv6 related information

* Added IPv6 options for kubeadm --init  & automated address binding for kube-proxy based on version of IP configured for API server)

* Changes to kubeadm.md as per comments

* Modified kubeadm.md and create-cluster-kubeadm.md

* Implemented changes requested by zacharysarah

* Removed autogenerated kubeadm.md changes

* StatefulSet 1.9 updates. (#6550)

* updates sts concept and tutorials to use 1.9 apps/v1

* Update statefulset.md

* clarify pod name label

* Garbage collection updates for 1.9 (#6555)

* 1.9 gc policy update

* clarify deletion

* Couple nits for dnsConfig doc (#6652)

* Add doc for AllowedFlexVolume (#6563)

* Update OpenStack Cloud Provider API support for v1.9 (#6638)

* Flex volume is GA. Remove alpha notation. (#6666)

* Update generated ref docs for Kubernetes and Federation components. (#6658)

* Update generated ref docs for Kubernetes and Federation components.

* Rename kubectl-options to kubectl.

* Add title to kubectl.

* Fix double synopsis.

* Update Federation API ref docs for 1.9. (#6636)

* Update federation API ref docs.

* Move and redirect.

* Move generated Federation docs to the generated directory.

* Fix titles.

* Type

* Fix titles

* Update auto-generated Kubernetes API ref docs. (#6646)

* Update kubectl commands for 1.9 (#6635)

* add ExtendedResourceToleration admission controller (#6618)

* Update API reference paths for v1.9 (#6681)
zacharysarah added a commit that referenced this pull request Dec 16, 2017
* Trivial change to open release branch

* Undo trivial change

* add service ipvs overview

* Add instructions on how to setup kubectl

* Document conntrack dependency for kube-proxy

* Add an a

This is kind of jarring / missing an article. I'm guessing it should either be ' to a rack of bare metal servers.' or '...to racks of bare metal servers.'.

* adding example responses for common issues

 - support request
 - code bug report

* Trivial change to open release branch

* Undo trivial change

* Signed-off-by: Ziqi Zhao <zhaoziqi@qiniu.com> (#5366)

Fix the not-working test case yaml for /doc/concepts/storage/volumes.md

* kubectl-overview

* temp fix for broken pod and deployment links

* Update Table of Solutions for Juju

* Revise certificates documentation (#5965)

* Update review-issues.md

Some edits for clarity and condensed language.

* Update init-containers.md

Fix leading spaces in commands.

* Update kubectl-overview.md

Fix format.

* Update clc.md

Fix format.

* Update openstack-heat.md

The URL is not needed. Just highlight.

* Typo

I believe this should be "users" not "uses"

* making explicit hostname uniq requirement

* Update scheduling-hugepages.md

* Update update-daemon-set.md

* fix redirection of PersistentVolume

* Update hpa.md

* update kubectl instruction

* Use the format of kubeadm init

* fix spelling error

guarnatees  to guarantees

* add matchLabels description (#6020)

* search and replace for k8s.github.io to website (#6019)

* fix scale command of object-management (#6011)

* Update replicaset.md (#6009)

* Update secret.md (#6008)

* specify password for mysql image (#5990)

* specify password for mysql image

* specify password for mysql image

* link error for run-stateless-application-deployment.md (#5985)

* link error for run-stateless-application-deployment.md

* link error for run-stateless-application-deployment.md

* Add performance implications of inter-pod affinity/anti-affinity (#5979)

* 404 monthly maintenance - October 2017 (#5977)

* Updated redirects

* More redirects

* Add conjure-up to Turnkey Cloud Solutions list (#5973)

* Add conjure-up to Turnkey Cloud Solutions list

* Changed wording slightly

* change the StatefulSet to ReplicaSet in reference (#5968)

* Clarification of failureThreshold of probes (#5963)

* Mention usage of block storage version param (#5925)

Mention usage of block storage version (bs-version) parameter to
workaround attachment issues using older K8S versions on an OpenStack
cloud with path-based endpoints.

Resolves: #5924

* Update sysctl-cluster.md (#5894)

Include guide on enabling unsafe sysctls in minikube

* Avoid Latin phrases & format note (#5889)

* Avoid Latin phrases & format note

according the Documentation Style Guide

* Update scratch.md

* Update scratch.md

* resolves jekyll rendering error (#5976)

- chinese isn't understood for keys in YAML frontmatter in jekyll, so
   replaced it with the english equivalent that doesn't throw the
following error on rendering:

Error reading file src/kubernetes.github.io/cn/docs/concepts/cluster-administration/device-plugins.md: (<unknown>): could not find expected ':' while scanning a simple key at line 4 column 1

* Change VM to pod. (#6022)

* Add link to custom metrics. (#6023)

* Rephrase core group. (#6024)

* Added explanation on context to when joining (#6018)

* Update create-cluster-kubeadm.md (#5761)

Update Canal version in pod network apply commands

* Fixes issue #5620 (#5869)

* Fixes issue #5620

Signed-off-by: Brad Topol <btopol@us.ibm.com>

* Restructured so that review process is for both current and upcoming
releases.  Added content describing the use of tech reviewers.

* Removed incorrect Kubernetes reviewer link.

* Fixed tech reviewer URL to now use website

* Update pod-priority-preemption.md

fix-wrong-link-to-pod-preemption

* pod-security-policy.md: add links to the page about admission plugins.

* Adding all files for BlaBlaCar case study (#5857)

* Adding all files for BlaBlaCar case study

* Update blablacar.html

* Fix changed URL for google containers

* Add /docs/reference/auto-generated directory

* correct the downwardapi redirect

* Remove links using "here"

* Rename to /docs/reference/generated directory

* add Concept template

* Change title to just Ingress

* Link mistake (#6038)

* link mistake

* link mistake

* skip title check for skip_title_check.txt

* skip title check for skip_title_check.txt

* remove doesn't exist link.

* Fix podpreset task (#5705)

* Add a simple pod manifest to pod overview (#5986)

* Split PodPreset concept out from task doc (#5984)

* Add selector spec description (#5789)

* Add selector spec description

* Fix selector field explanation

* Put orphaned topics in TOC. (#6051)

* static-pod example bad format in the final page (#6050)

* static-pod example bad format in the final page

* static-pod example bad format in the final page

* static-pod example bad format in the final page

* static-pod example bad format in the final page

* static-pod example bad format in the final page

* Fix `backoffLimit` field misplacement (#6042)

It should be placed in JobSpec according to:
https://github.com/kubernetes/kubernetes/blob/master/api/swagger-spec/batch_v1.json#L1488-L1514

* Update addons.md (#6061)

* add info about VMware NSX-T CNI plugin (#5987)

* add info about VMware NSX-T CNI plugin

Hello,

I'm VMware Networking and Security Architect and would like to include short information about our CNI plugin implementation similar to what other vendors did

Best regards

Emil Gagala

* Update networking.md

* Update networking.md

* Update networking.md

* Update: Using universal zsh configuration (#5669)

* Update install-kubectl.md

Zsh is not only oh-my-zsh, so I added universal configuration for zsh that also can be used in prezto.

* fix merge error after rebase

* Operating etcd cluster for Kubernetes bad format in the final page (#6056)

* Operating etcd cluster for Kubernetes bad format in the final page

* Update configure-upgrade-etcd.md

* Update configure-upgrade-etcd.md

* Usage note and warning tags. (#6053)

* Usage note and warning tags.

* Update configure-upgrade-etcd.md

* Update configure-upgrade-etcd.md

* Document jekyll includes snippets

* Add jekyll includes to docs home toc

- Remove extra kubernetes home in toc

* document docker cgroupdriver req (#5937)

* Update test blacklists (#6063)

* Update toc check blacklist

* Update title check blacklist

* wip

* wip

* Fix typo

* Document unconfined apparmor profile

* Revert "Document the unconfined profile for AppArmor" (#6268)

* CRD Validation: remove alpha warning, change enable instructions to (#6066)

disable

* Documented service annotation for AWS ELB SSL policy

* kubeadm: add a note about the new `--print-join-command` flag.

This is a new flag for the `kubeadm token create` command.

* Add a note to PDB page

* Improve Kubeadm reference doc (#6103)

* automatically-generated kubeadm reference doc

* user-maintained kubeadm reference doc

* Documentation for CSIPersistentVolume

* change replicaset documentation to use apps/v1 APIs

* Update service.md

ipvs alpha version -> beta version

* Updated Deployment concept docs (#6494)

* Updated Deployment concept docs

* Addressed comments

* Documentation for volume scheduling alpha feature

* Update admission control docs for webhooks

* Improve DNS documentation (#6479)

* update ds for 1.9

* Update service.md

* Update service.md

* Revert "begin updating webhook documentation" (#6575)

* Update version numbers to include 1.9 (#6518)

* Update site versions for 1.9

* Removed 1.4 docs

* Update _config.yml

* Update _config.yml

* updates for raw block devices

* rbac: docs for aggregated cluster roles (#6474)

* Added IPv6 information for Kubelet arguments (#6498)

* Added IPv6 info to kube-proxy arguments

* Added IPv6 information for argument for kubelet

* Update PVC resizing documentation (#6487)

* Updates for Windows Server version 1709 with K8s v1.8 (#6180)

* Updated for WSv1709 and K8s v1.8

* Updated picture and CNI config

* Fixed formatting on CNI Config

* Updated docs to reference Microsoft/SDN GitHub docs

* fix typo

* Workaround for Jekyllr frontmatter

* Added section on features and limitations, with example yaml files.

* Update index.md

* Added kubeadm section, few other small fixes

* Few minor grammar fixes

* Update access-cluster.md with a comment that for IPv6
the user should use [::1] for the localhost

* Addressed a number of issues brought up against the base PR

* Fixed windows-host-setup link

* Rewrite PodSecurityPolicy guide

* Update index.md

Signed-off-by: Alin Balutoiu <abalutoiu@cloudbasesolutions.com>
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>

* Spelling correction and sentence capitalization.

- Corrected the spelling error for storing, was put in as 'stoing'.
- Capitalized list items.
- Added '.' at end of sentences in the list items.

* Update index.md

* Update index.md

* Addressed comments and rebased

* Fixed formatting

* Fixed formatting

* Updated header link

* Updated hyperlinks

* Updated warning

* formatting

* formatting

* formatting

* Revert "Update access-cluster.md with a comment that for IPv6"

This reverts commit 31e4dbd.

* Revert "fix typo"

This reverts commit c056787.

* Revert "Workaround for Jekyllr frontmatter"

This reverts commit b84ac59.

* Fixed grammatical issues and reverted non-related commits

* Revert "Rewrite PodSecurityPolicy guide"

This reverts commit 5d39cfe.

* Revert "Spelling correction and sentence capitalization."

This reverts commit 47eed43.

* Fixed auto-numbering

* Minor formatting updates

* CoreDNS feature documentation (#6463)

* Initial placeholder PR for CoreDNS feature documentation

* Remove from admin, add content

* Fix missing endcapture

* Add to tasks.yml

* Review feedback

* Postpone Deletion of a Persistent Volume Claim in case It Is Used by a Pod (#6415)

* Postpone Deletion of a Persistent Volume Claim in case It Is Used by a Pod

A new feature PVC Protection was added into K8s 1.9 that's why this documentation change is needed.

* Added tag at the top of each new area.

* Fix typo

* Fix: switched on in (all kubelets) -> (all K8s components).

* Added link to admission controller

* Moved PVC Protection configuration into Before you begin section.

* Added steps how to verify PVC Protection feature.

* Fixes for admission controller plugin description and for PVC Protection description in PVC lifecycle.

* Testing official rendering of enumerations (1., 2., 3., etc.)

* Re-write to address comments from review.

* Fixed definition when a PVC is in active use by a pod.

* Change auditing docs page for 1.9 release (#6427)

* Change auditing docs page for 1.9 release

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Address review comments

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Address review comments

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Address review comments

Signed-off-by: Mik Vyatskov <vmik@google.com>

* Fix broken link

Signed-off-by: Mik Vyatskov <vmik@google.com>

* short circuit deny docs (#6536)

* line wrap

* short circuit deny

* address comments

* Add kubeadm 1.9 upgrade docs (#6485)

* kubeadm: Improve kubeadm documentation for v1.9 (#6645)

* Update admission control docs for webhooks (re-send #6368) (#6650)

* Update admission control docs for webhooks

* update in response to comments

* Revamp rkt and add CRI-O as alternative runtime (#6371)

Signed-off-by: Lorenzo Fontana <lo@linux.com>

* Documented NLB for Kubernetes 1.9 (#6260)

* Added IPV6 information to setup cluster using kubeadm (#6465)

* Added IPV6 information to setup cluster using kubeadm

* Updated kubeadm.md & create-cluster-kubeadm.md with IPv6 related information

* Added IPv6 options for kubeadm --init  & automated address binding for kube-proxy based on version of IP configured for API server)

* Changes to kubeadm.md as per comments

* Modified kubeadm.md and create-cluster-kubeadm.md

* Implemented changes requested by zacharysarah

* Removed autogenerated kubeadm.md changes

* StatefulSet 1.9 updates. (#6550)

* updates sts concept and tutorials to use 1.9 apps/v1

* Update statefulset.md

* clarify pod name label

* Garbage collection updates for 1.9 (#6555)

* 1.9 gc policy update

* clarify deletion

* Couple nits for dnsConfig doc (#6652)

* Add doc for AllowedFlexVolume (#6563)

* Update OpenStack Cloud Provider API support for v1.9 (#6638)

* Flex volume is GA. Remove alpha notation. (#6666)

* Update generated ref docs for Kubernetes and Federation components. (#6658)

* Update generated ref docs for Kubernetes and Federation components.

* Rename kubectl-options to kubectl.

* Add title to kubectl.

* Fix double synopsis.

* Update Federation API ref docs for 1.9. (#6636)

* Update federation API ref docs.

* Move and redirect.

* Move generated Federation docs to the generated directory.

* Fix titles.

* Type

* Fix titles

* Update auto-generated Kubernetes API ref docs. (#6646)

* Update kubectl commands for 1.9 (#6635)

* add ExtendedResourceToleration admission controller (#6618)

* Update API reference paths for v1.9 (#6681)