Merge pull request #44997 from drewhagen/merged-main-dev-1.30
Merge main branch into dev-1.30
k8s-ci-robot authored Feb 2, 2024
2 parents 74aea81 + e4da56e commit 06c921f
Showing 30 changed files with 2,279 additions and 157 deletions.
6 changes: 3 additions & 3 deletions content/en/docs/concepts/security/rbac-good-practices.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ In cases where a workload requires powerful permissions, consider the following
[Taints and Toleration](/docs/concepts/scheduling-eviction/taint-and-toleration/),
[NodeAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity), or
[PodAntiAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity)
to ensure pods don't run alongside untrusted or less-trusted Pods. Pay especial attention to
to ensure pods don't run alongside untrusted or less-trusted Pods. Pay special attention to
situations where less-trustworthy Pods are not meeting the **Restricted** Pod Security Standard.

### Hardening
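Review bot: the corrected line still mixes `pods` and `Pods` within one sentence ("to ensure pods don't run alongside untrusted or less-trusted Pods"); since the line is being touched anyway, capitalize both as `Pods` to match the rest of the page.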
Expand Down Expand Up @@ -130,8 +130,8 @@ reading data from other containers, and abusing the credentials of system servic

You should only allow access to create PersistentVolume objects for:

- users (cluster operators) that need this access for their work, and who you trust,
- the Kubernetes control plane components which creates PersistentVolumes based on PersistentVolumeClaims
- Users (cluster operators) that need this access for their work, and who you trust.
- The Kubernetes control plane components which creates PersistentVolumes based on PersistentVolumeClaims
that are configured for automatic provisioning.
This is usually setup by the Kubernetes provider or by the operator when installing a CSI driver.

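Review bot: the re-cased bullets keep a subject-verb mismatch in the second item: "control plane components which creates PersistentVolumes" should read "which create PersistentVolumes". The trailing sentence also uses "setup" as a verb; it should be "set up" ("This is usually set up by the Kubernetes provider ...").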
Original file line number Diff line number Diff line change
Expand Up @@ -213,7 +213,7 @@ When you set `setHostnameAsFQDN: true` in the Pod spec, the kubelet writes the P
{{< note >}}
In Linux, the hostname field of the kernel (the `nodename` field of `struct utsname`) is limited to 64 characters.

If a Pod enables this feature and its FQDN is longer than 64 character, it will fail to start. The Pod will remain in `Pending` status (`ContainerCreating` as seen by `kubectl`) generating error events, such as Failed to construct FQDN from Pod hostname and cluster domain, FQDN `long-FQDN` is too long (64 characters is the max, 70 characters requested). One way of improving user experience for this scenario is to create an [admission webhook controller](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) to control FQDN size when users create top level objects, for example, Deployment.
If a Pod enables this feature and its FQDN is longer than 64 character, it will fail to start. The Pod will remain in `Pending` status (`ContainerCreating` as seen by `kubectl`) generating error events, such as Failed to construct FQDN from Pod hostname and cluster domain, FQDN `long-FQDN` is too long (64 characters is the max, 70 characters requested). One way of improving user experience for this scenario is to create an [admission webhook controller](/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks) to control FQDN size when users create top level objects, for example, Deployment.
{{< /note >}}

### Pod's DNS Policy
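Review bot: the anchor change is correct, but the edited line carries wording issues worth fixing in the same change: "longer than 64 character" should be "characters", "top level objects" should be "top-level objects", and the quoted event text ("Failed to construct FQDN from Pod hostname and cluster domain, FQDN `long-FQDN` is too long ...") should be set off in backticks or quotes so readers can tell where the error message begins and ends.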
4 changes: 4 additions & 0 deletions content/en/docs/contribute/new-content/blogs-case-studies.md
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,10 @@ Submissions need to be in Markdown format to be used by the [Hugo](https://gohug
for the blog. There are [many resources available](https://gohugo.io/documentation/) on how to use
this technology stack.

For illustrations, diagrams or charts, the [figure shortcode](https://gohugo.io/content-management/shortcodes/#figure)
can be used. For other images, we strongly encourage use of alt attributes; if an image doesn't
need any alt attrribute, maybe it's not needed in the article at all.

We recognize that this requirement makes the process more difficult for less-familiar folks to
submit, and we're constantly looking at solutions to lower this bar. If you have ideas on how to
lower the barrier, please volunteer to help out.
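Review bot: typo in the added text: "alt attrribute" should be "alt attribute". Consider also writing the attribute name as code (`alt`) in both places, and stating the reason for the recommendation (accessibility) so the "maybe it's not needed in the article at all" sentence reads as advice rather than a throwaway remark.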
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,12 @@ stages:
defaultValue: false
fromVersion: "1.28"
---
Changes when the default value of
`PodSpec.containers[*].ports[*].hostPort`
is assigned. The default is to only set a default value in Pods.
This feature gate controls the point at which a default value for
`.spec.containers[*].ports[*].hostPort`
is assigned, for Pods using `hostNetwork: true`. The default since Kubernetes v1.28 is to only set a default
value in Pods.

Enabling this means a default will be assigned even to embedded
PodSpecs (e.g. in a Deployment), which is the historical default.
Enabling this means a default will be assigned even to the `.spec` of an embedded
[PodTemplate](/docs/concepts/workloads/pods/#pod-templates) (for example, in a Deployment),
which is the way that older releases of Kubernetes worked.
You should migrate your code so that it does not rely on the legacy behavior.
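Review bot: the rewritten description now scopes the defaulting to "Pods using `hostNetwork: true`", which the previous text did not say; that is a substantive change rather than a wording cleanup, so it should be checked against the gate's actual behavior before merging. The closing sentence is also vague: "migrate your code" should say what depends on the legacy behavior (manifests or controllers that expect `hostPort` to be populated inside an embedded PodTemplate).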
80 changes: 59 additions & 21 deletions content/en/docs/reference/using-api/cel.md
Original file line number Diff line number Diff line change
Expand Up @@ -65,27 +65,21 @@ Example CEL expressions:

CEL is configured with the following options, libraries and language features, introduced at the specified Kubernetes versions:

| CEL option, library or language feature | Included | Availablity |
| --------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | -------------------------- |
| [Standard macros](stdmacros) | `has`, `all`, `exists`, `exists_one`, `map`, `filter` | All Kubernetes versions |
| [Standard functions](stdlib) | See [official list of standard definitions](stdlib) | All Kubernetes versions |
| [Homogeneous Aggregate Literals](opt1) | | All Kubernetes versions |
| [Default UTC Time Zone](opt2) | | All Kubernetes versions |
| [Eagerly Validate Declarations](opt3) | | All Kubernetes versions |
| [extended strings library](stringsgodoc), Version 1 | `charAt`, `indexOf`, `lastIndexOf`, `lowerAscii`, `upperAscii`, `replace`, `split`, `join`, `substring`, `trim` | All Kubernetes versions |
| Kubernetes list library | See [Kubernetes list library](#kubernetes-list-library) | All Kubernetes versions |
| Kubernetes regex library | See [Kubernetes regex library](#kubernetes-regex-library) | All Kubernetes versions |
| Kubernetes URL library | See [Kubernetes URL library](#kubernetes-url-library) | All Kubernetes versions |
| Kubernetes authorizer library | See [Kubernetes authorizer library](#kubernetes-authorizer-library) | All Kubernetes versions |

[stdmacros]: https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros
[stdlib]: https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions
[stringsgodoc]: https://pkg.go.dev/github.com/google/cel-go/ext#Strings
[opt1]: https://pkg.go.dev/github.com/google/[email protected]/cel#HomogeneousAggregateLiterals
[opt2]: https://pkg.go.dev/github.com/google/[email protected]/cel#DefaultUTCTimeZone
[opt3]: https://pkg.go.dev/github.com/google/[email protected]/cel#EagerlyValidateDeclarations
[opt4]: https://pkg.go.dev/github.com/google/[email protected]/cel#OptionalTypes
[opt5]: https://pkg.go.dev/github.com/google/[email protected]/cel#CrossTypeNumericComparisons
| CEL option, library or language feature | Included | Availablity |
|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
| [Standard macros](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros) | `has`, `all`, `exists`, `exists_one`, `map`, `filter` | All Kubernetes versions |
| [Standard functions](https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions) | See [official list of standard definitions](https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions) | All Kubernetes versions |
| [Homogeneous Aggregate Literals](https://pkg.go.dev/github.com/google/[email protected]/cel#HomogeneousAggregateLiterals) | | All Kubernetes versions |
| [Default UTC Time Zone](https://pkg.go.dev/github.com/google/[email protected]/cel#DefaultUTCTimeZone) | | All Kubernetes versions |
| [Eagerly Validate Declarations](https://pkg.go.dev/github.com/google/[email protected]/cel#EagerlyValidateDeclarations) | | All Kubernetes versions |
| [extended strings library](https://pkg.go.dev/github.com/google/cel-go/ext#Strings), Version 1 | `charAt`, `indexOf`, `lastIndexOf`, `lowerAscii`, `upperAscii`, `replace`, `split`, `join`, `substring`, `trim` | All Kubernetes versions |
| Kubernetes list library | See [Kubernetes list library](#kubernetes-list-library) | All Kubernetes versions |
| Kubernetes regex library | See [Kubernetes regex library](#kubernetes-regex-library) | All Kubernetes versions |
| Kubernetes URL library | See [Kubernetes URL library](#kubernetes-url-library) | All Kubernetes versions |
| Kubernetes authorizer library | See [Kubernetes authorizer library](#kubernetes-authorizer-library) | All Kubernetes versions |
| Kubernetes quantity library | See [Kubernetes quantity library](#kubernetes-quantity-library) | Kubernetes versions 1.29+ |
| CEL optional types | See [CEL optional types](https://pkg.go.dev/github.com/google/[email protected]/cel#OptionalTypes) | Kubernetes versions 1.29+ |
| CEL CrossTypeNumericComparisons | See [CEL CrossTypeNumericComparisons](https://pkg.go.dev/github.com/google/[email protected]/cel#CrossTypeNumericComparisons) | Kubernetes versions 1.29+ |

CEL functions, features and language settings support Kubernetes control plane
rollbacks. For example, _CEL Optional Values_ was introduced at Kubernetes 1.29
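Review bot: the new header row keeps the misspelling `Availablity`; change it to `Availability` while the table is being rewritten. The rewrite also replaces the reference-style link definitions (`[stdmacros]`, `[stdlib]`, `[stringsgodoc]`, `[opt1]`..`[opt5]`) with inline URLs, which makes the rows very wide; either form is acceptable, but confirm that nothing else on the page still uses the removed reference labels, since those links would silently break.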
Expand Down Expand Up @@ -207,6 +201,50 @@ To perform an authorization check for a service account:
See the [Kubernetes Authz library](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz)
godoc for more information.

### Kubernetes quantity library

Kubernetes 1.28 adds support for manipulating quantity strings (ex 1.5G, 512k, 20Mi)

- `isQuantity(string)` checks if a string is a valid Quantity according to [Kubernetes'
resource.Quantity](https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#Quantity).
- `quantity(string) Quantity` converts a string to a Quantity or results in an error if the
string is not a valid quantity.

Once parsed via the `quantity` function, the resulting Quantity object has the
following library of member functions:

{{< table caption="Available member functions of a Quantity" >}}
| Member Function | CEL Return Value | Description |
|-------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `isInteger()` | bool | returns true if and only if asInteger is safe to call without an error |
| `asInteger()` | int | returns a representation of the current value as an int64 if possible or results in an error if conversion would result in overflow or loss of precision. |
| `asApproximateFloat()` | float | returns a float64 representation of the quantity which may lose precision. If the value of the quantity is outside the range of a float64 +Inf/-Inf will be returned. |
| `sign()` | int | Returns `1` if the quantity is positive, `-1` if it is negative. `0` if it is zero |
| `add(<Quantity>)` | Quantity | Returns sum of two quantities |
| `add(<int>)` | Quantity | Returns sum of quantity and an integer |
| `sub(<Quantity>)` | Quantity | Returns difference between two quantities |
| `sub(<int>)` | Quantity | Returns difference between a quantity and an integer |
| `isLessThan(<Quantity>)` | bool | Returns true if and only if the receiver is less than the operand |
| `isGreaterThan(<Quantity>)` | bool | Returns true if and only if the receiver is greater than the operand |
| `compareTo(<Quantity>)` | int | Compares receiver to operand and returns 0 if they are equal, 1 if the receiver is greater, or -1 if the receiver is less than the operand |
{{< /table >}}

Examples:

{{< table caption="Examples of CEL expressions using URL library functions" >}}
| CEL Expression | Purpose |
|---------------------------------------------------------------------------|-------------------------------------------------------|
| `quantity("500000G").isInteger()` | Test if conversion to integer would throw an error |
| `quantity("50k").asInteger()` | Precise conversion to integer |
| `quantity("9999999999999999999999999999999999999G").asApproximateFloat()` | Lossy conversion to float |
| `quantity("50k").add("20k")` | Add two quantities |
| `quantity("50k").sub(20000)` | Subtract an integer from a quantity |
| `quantity("50k").add(20).sub(quantity("100k")).sub(-50000)` | Chain adding and subtracting integers and quantities |
| `quantity("200M").compareTo(quantity("0.2G"))` | Compare two quantities |
| `quantity("150Mi").isGreaterThan(quantity("100Mi"))` | Test if a quantity is greater than the receiver |
| `quantity("50M").isLessThan(quantity("100M"))` | Test if a quantity is less than the receiver |
{{< /table >}}

## Type checking

CEL is a [gradually typed language](https://github.com/google/cel-spec/blob/master/doc/langdef.md#gradual-type-checking).
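Review bot: the examples table caption reads "Examples of CEL expressions using URL library functions" but this section documents the quantity library; fix the caption. Further issues in the added lines: the intro says "Kubernetes 1.28 adds support" while the feature table above lists the quantity library as "Kubernetes versions 1.29+", so one of the two versions is wrong; `quantity("50k").add("20k")` passes a string, but the member-function table only defines `add(<Quantity>)` and `add(<int>)`, so the example should be `quantity("50k").add(quantity("20k"))`; the purpose text for `isGreaterThan` and `isLessThan` is backwards ("Test if a quantity is greater than the receiver": the receiver is the quantity being compared against the operand); and "(ex 1.5G, 512k, 20Mi)" should read "(for example, 1.5G, 512k, 20Mi)".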
4 changes: 2 additions & 2 deletions content/en/docs/tasks/manage-gpus/scheduling-gpus.md
Original file line number Diff line number Diff line change
Expand Up @@ -95,12 +95,13 @@ You also need a plugin for NFD that adds appropriate labels to your nodes; these
labels or they could be vendor specific. Your GPU vendor may provide a third party
plugin for NFD; check their documentation for more details.

{{< highlight yaml "linenos=false,hl_lines=6-18" >}}
{{< highlight yaml "linenos=false,hl_lines=7-18" >}}
apiVersion: v1
kind: Pod
metadata:
name: example-vector-add
spec:
restartPolicy: OnFailure
# You can use Kubernetes node affinity to schedule this Pod onto a node
# that provides the kind of GPU that its container needs in order to work
affinity:
Expand All @@ -113,7 +114,6 @@ spec:
values: ["40535"]
- key: "feature.node.kubernetes.io/pci-10.present" # NFD Feature label
values: ["true"] # (optional) only schedule on nodes with PCI device 10
restartPolicy: OnFailure
containers:
- name: example-vector-add
image: "registry.example/example-vector-add:v42"
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ Ingressリソースが動作するためには、クラスターでIngressコン
* [Skipper](https://opensource.zalando.com/skipper/kubernetes/ingress-controller/)は、カスタムプロキシーを構築するためのライブラリーとして設計された、Kubernetes Ingressなどのユースケースを含む、サービス構成用のHTTPルーターとリバースプロキシーです。
* [Traefik Kubernetes Ingress provider](https://doc.traefik.io/traefik/providers/kubernetes-ingress/)は、[Traefik](https://traefik.io/traefik/) proxy向けのIngressコントローラーです。
* [Tyk Operator](https://github.com/TykTechnologies/tyk-operator)はAPI管理機能をIngressに持たせるためにCustom ResourcesでAPIを拡張します。Tyk OperatorはOpen Source Tyk GatewayとTyk Cloudコントロールプレーンで動作します。
* [Voyager](https://appscode.com/products/voyager)は、[HAProxy](https://www.haproxy.org/#desc)向けのIngressコントローラーです。
* [Voyager](https://voyagermesh.com)は、[HAProxy](https://www.haproxy.org/#desc)向けのIngressコントローラーです。
* [Wallarm Ingress Controller](https://www.wallarm.com/solutions/waf-for-kubernetes)はWAAP(WAF)やAPIセキュリティ機能を提供するIngressコントローラーです。

## 複数のIngressコントローラーの使用 {#using-multiple-ingress-controllers}