diff --git a/_data/concepts.yml b/_data/concepts.yml index f165490883ad8..bf6f8b53e842e 100644 --- a/_data/concepts.yml +++ b/_data/concepts.yml @@ -43,7 +43,6 @@ toc: section: - docs/concepts/cluster-administration/network-plugins.md - docs/concepts/cluster-administration/device-plugins.md - - docs/concepts/cluster-administration/sysctl-cluster.md - docs/concepts/service-catalog/index.md - title: Containers diff --git a/_data/tasks.yml b/_data/tasks.yml index b633aa5eeaa59..4c1175e47fe24 100644 --- a/_data/tasks.yml +++ b/_data/tasks.yml @@ -144,6 +144,7 @@ toc: - docs/tasks/administer-cluster/access-cluster-api.md - docs/tasks/administer-cluster/access-cluster-services.md - docs/tasks/administer-cluster/securing-a-cluster.md + - docs/tasks/administer-cluster/sysctl-cluster.md - docs/tasks/administer-cluster/encrypt-data.md - docs/tasks/administer-cluster/configure-upgrade-etcd.md - docs/tasks/administer-cluster/static-pod.md diff --git a/_includes/partner-script.js b/_includes/partner-script.js index e66253d3f4133..307e6bf5c3b63 100644 --- a/_includes/partner-script.js +++ b/_includes/partner-script.js @@ -208,7 +208,7 @@ name: 'Spotinst', logo: 'spotinst', link: 'http://blog.spotinst.com/2016/08/04/elastigroup-kubernetes-minions-steroids/', - blurb: 'Spotinst uses a prediction algorithm in the Amazon EC2 Spot allowing k8s clusters to increase performance and lower the infrastructure costs' + blurb: 'Your Kubernetes For 80% Less. Run K8s workloads on Spot Instances with 100% availability to save 80% + autoscale your Kubernetes with maximum efficiency in heterogenous environments.' }, { type: 2, 
@@ -217,12 +217,12 @@ link: 'http://www.inwinstack.com/index.php/en/solutions-en/', blurb: 'Our container service leverages OpenStack-based infrastructure and its container orchestration engine Magnum to manage Kubernetes clusters.' }, - { - type: 3, - name: 'InwinSTACK', - logo: 'inwinstack', - link: 'https://github.com/inwinstack/kube-ansible', - blurb: 'inwinSTACK - kube-ansible' + { + type: 3, + name: 'InwinSTACK', + logo: 'inwinstack', + link: 'https://github.com/inwinstack/kube-ansible', + blurb: 'inwinSTACK - kube-ansible' }, { type: 1, @@ -281,11 +281,11 @@ blurb: 'CloudPlex enables operations teams to visually deploy, orchestrate, manage, and monitor infrastructure, applications, and services in public or private cloud.' }, { - type: 1, + type: 2, name: 'Kumina', logo: 'kumina', link: 'https://www.kumina.nl/managed_kubernetes', - blurb: 'Kumina creates Kubernetes solutions on your choice of infrastructure with around-the-clock management and unlimited support.' + blurb: 'Kumina combines the power of Kubernetes with 10+ years of experience in IT operations. We create, build and support fully managed Kubernetes solutions on your choice of infrastructure. We also provide consulting and training.' }, { type: 0, @@ -360,7 +360,7 @@ { type: 0, name: 'Mashape, Inc.', - logo: 'mashape', + logo: 'kong', link: 'https://getkong.org/install/kubernetes/', blurb: 'Kong is a scalable open source API layer that runs in front of any RESTful API and can be provisioned to a Kubernetes cluster.' }, @@ -728,6 +728,13 @@ link: 'https://cloud.google.com/kubernetes-engine/', blurb: 'Google - Google Kubernetes Engine' }, + { + type: 1, + name: 'Superorbital', + logo: 'superorbital', + link: 'https://superorbit.al/workshops/kubernetes/', + blurb: 'Helping companies navigate the Cloud Native waters through Kubernetes consulting and training.' + }, { type: 3, name: 'Apprenda', 
@@ -1071,6 +1078,13 @@ link: 'http://www.alauda.cn/product/detail/id/68.html', blurb: 'Alauda - Alauda EE' }, + { + type: 2, + name: 'Alauda', + logo: 'alauda', + link: 'www.alauda.io', + blurb: 'Alauda provides Kubernetes-Centric Enterprise Platform-as-a-Service offerings with a razor focus on delivering Cloud Native capabilities and DevOps best practices to enterprise customers across industries in China.' + }, { type: 3, name: 'EasyStack', @@ -1243,7 +1257,7 @@ type: 1, name: 'Kloia', logo: 'kloia', - link: 'https://devops-as-a-service.kloia.com/', + link: 'https://kloia.com/kubernetes/', blurb: 'Kloia is DevOps and Microservices Consultancy company that helps its customers to migrate their environment to cloud platforms for enabling more scalable and secure environments. We use Kubernetes to provide our customers all-in-one solutions in an cloud-agnostic way.' }, { @@ -1274,13 +1288,6 @@ link: 'https://www.bloombase.com/go/kubernetes', blurb: 'Bloombase provides high bandwidth, defense-in-depth data-at-rest encryption to lock down Kubernetes crown-jewels at scale.' }, - { - type: 0, - name: 'Kloia', - logo: 'kloia', - link: 'https://docs.codefresh.io/docs/codefresh-kubernetes-integration-beta', - blurb: 'Kloia is DevOps and Microservices Consultancy company that helps its customers to migrate their environment to cloud platforms for enabling more scalable and secure environments. We use Kubernetes to provide our customers all-in-one solutions in an cloud-agnostic way.' - }, { type: 0, name: 'Kasten', 
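Review bot: The new Alauda entry's `link: 'www.alauda.io'` has no URL scheme, unlike every other `link` value in this hunk and in the neighbouring entries. If the partner page writes the value unchanged into an `href` (the rendering code is not in the diff), browsers resolve it relative to the current page and the link is broken. Change it to `link: 'https://www.alauda.io'`. The enclosing partner array starts and ends outside the hunk.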
@@ -1344,13 +1351,104 @@ link: 'http://harmonycloud.cn/products/rongqiyun/', blurb: 'Harmonycloud - Harmonycloud Container Platform' }, + { + type: 3, + name: 'Woqutech', + logo: 'woqutech', + link: 'http://www.woqutech.com/product/product-16-247.html#sss', + blurb: 'Woqutech - QFusion' + }, + { + type: 3, + name: 'Baidu', + logo: 'baidu', + link: 'https://cloud.baidu.com/product/cce.html', + blurb: 'Baidu Cloud - Baidu Cloud Container Engine' + }, { type: 3, name: 'ZTE', logo: 'zte', - link: 'https://sdnfv.zte.com.cn/zh-CN/home', + link: 'https://sdnfv.zte.com.cn/en/home', blurb: 'ZTE - TECS OpenPalette' }, + { + type: 1, + name: 'Automatic Server AG', + logo: 'asag', + link: 'http://www.automatic-server.com/paas.html', + blurb: 'We install and operate Kubernetes in big enterprises, create deployment workflows and help to migrate.' + }, + { + type: 1, + name: 'Circulo Siete', + logo: 'circulo', + link: 'https://circulosiete.com/consultoria/kubernetes/', + blurb: 'We are a Mexico based company offering training, consulting and support to migrate your workloads to Kubernetes, Cloud Native Microservices & Devops.' + }, + { + type: 1, + name: 'DevOpsGuru', + logo: 'devopsguru', + link: 'http://devopsguru.ca/workshop', + blurb: 'DevOpsGuru work with small business to transform from physical to virtual to containerization.' + }, + { + type: 1, + name: 'EIN Intelligence Co., Ltd', + logo: 'ein', + link: 'https://ein.io', + blurb: 'Startups and agile enterprises in South Korea.' + }, + { + type: 0, + name: 'GuardiCore', + logo: 'guardicore', + link: 'https://www.guardicore.com/', + blurb: 'GuardiCore provided process level visibility and network policy enforcement on containerized assets on the Kubernetes platform.' 
+ }, + { + type: 0, + name: 'Hedvig', + logo: 'hevig', + link: 'https://www.hedviginc.com/blog/provisioning-hedvig-storage-with-kubernetes', + blurb: 'Hedvig is software-defined storage that uses NFS or iSCSI for persistent volumes for provisioning shared storage for pods and containers.' + }, + { + type: 0, + name: 'Hewlett Packard Enterprise', + logo: 'hpe', + link: ' https://www.hpe.com/us/en/storage/containers.html', + blurb: 'Persistent Storage that makes data as easy to manage as containers: dynamic provisioning, policy-based performance & protection, QoS, & more.' + }, + { + type: 0, + name: 'JetBrains', + logo: 'jetbrains', + link: 'https://blog.jetbrains.com/teamcity/2017/10/teamcity-kubernetes-support-plugin/', + blurb: 'Run TeamCity cloud build agents in a Kubernetes cluster. Provides Helm support as a build step.' + }, + { + type: 2, + name: 'Opensense', + logo: 'opensense', + link: 'http://www.opensense.fr/en/kubernetes-en/', + blurb: 'We provide Kubernetes services (integration, operation, training) as well as development of banking microservices based on our extended experience with cloud of containers, microservices, data management and financial sector.' + }, + { + type: 2, + name: 'SAP SE', + logo: 'sap', + link: 'https://cloudplatform.sap.com', + blurb: 'The SAP Cloud Platform provides in-memory capabilities and unique business services for building and extending applications. With open sourced Project Gardener, SAP utilizes the power of Kubernetes to enable an open, robust, multi-cloud experience for our customers. You can use simple, modern cloud native design principles and leverage skills your organization already has to deliver agile and transformative applications, while integrating with the latest SAP Leonardo business features.' 
+ }, + { + type: 1, + name: 'Mobilise Cloud Services Limited', + logo: 'mobilise', + link: 'http://www.mobilise.cloud/services/serverless-application-delivery', + blurb: 'Mobilise helps organisations adopt Kubernetes and integrate with their CI/CD tooling.' + }, { type: 0, name: 'Logdna', diff --git a/_redirects b/_redirects index 3d5c08fe03db3..48d26e389267d 100644 --- a/_redirects +++ b/_redirects @@ -50,7 +50,7 @@ /docs/admin/resourcequota/limitstorageconsumption/ /docs/tasks/administer-cluster/limit-storage-consumption/ 301 /docs/admin/resourcequota/walkthrough/ /docs/tasks/administer-cluster/quota-api-object/ 301 /docs/admin/static-pods/ /docs/tasks/administer-cluster/static-pod/ 301 -/docs/admin/sysctls/ /docs/concepts/cluster-administration/sysctl-cluster/ 301 +/docs/admin/sysctls/ /docs/tasks/administer-cluster/sysctl-cluster/ 301 /docs/admin/upgrade-1-6/ /docs/tasks/administer-cluster/upgrade-1-6/ 301 /docs/admin/resource-quota/ /docs/concepts/policy/resource-quotas/ 301 @@ -97,6 +97,7 @@ /docs/concepts/cluster-administration/multiple-clusters/ /docs/concepts/cluster-administration/federation/ 301 /docs/concepts/cluster-administration/out-of-resource/ /docs/tasks/administer-cluster/out-of-resource/ 301 /docs/concepts/cluster-administration/resource-usage-monitoring /docs/tasks/debug-application-cluster/resource-usage-monitoring/ 301 +/docs/concepts/cluster-administration/sysctl-cluster/ /docs/tasks/administer-cluster/sysctl-cluster/ 301 /docs/concepts/cluster-administration/static-pod/ /docs/tasks/administer-cluster/static-pod/ 301 /docs/concepts/clusters/logging/ /docs/concepts/cluster-administration/logging/ 301 /docs/concepts/configuration/container-command-arg/ /docs/tasks/inject-data-application/define-command-argument-container/ 301 diff --git a/docs/concepts/overview/working-with-objects/labels.md b/docs/concepts/overview/working-with-objects/labels.md index c391026c7c7f4..0ab6a3deeea45 100644 
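Review bot: Two of the new entries in the `@@ -1344,13 +1351,104 @@` hunk carry values that will not render correctly: the Hedvig entry sets `logo: 'hevig'` while the image this commit adds is `images/square-logos/hedvig.png`, and the Hewlett Packard Enterprise entry's `link: ' https://www.hpe.com/us/en/storage/containers.html'` starts with a space. If the page builds the image path from `logo` and writes `link` straight into an `href` (the rendering code is not in the diff), the first gives a missing logo and the second a malformed URL. Change them to `logo: 'hedvig'` and `link: 'https://www.hpe.com/us/en/storage/containers.html'`. Several of the other added links (Woqutech, Automatic Server AG, DevOpsGuru, Opensense, Mobilise) are plain `http://`; it is worth confirming whether an `https://` variant exists before publishing. The enclosing partner array starts and ends outside the hunk.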
--- a/docs/concepts/overview/working-with-objects/labels.md +++ b/docs/concepts/overview/working-with-objects/labels.md @@ -58,6 +58,7 @@ An empty label selector (that is, one with zero requirements) selects every obje A null label selector (which is only possible for optional selector fields) selects no objects. **Note**: the label selectors of two controllers must not overlap within a namespace, otherwise they will fight with each other. +{: .note} ### _Equality-based_ requirement diff --git a/docs/reference/kubectl/docker-cli-to-kubectl.md b/docs/reference/kubectl/docker-cli-to-kubectl.md index ce91046c2d3d1..1b02e68a7cd20 100644 --- a/docs/reference/kubectl/docker-cli-to-kubectl.md +++ b/docs/reference/kubectl/docker-cli-to-kubectl.md @@ -6,16 +6,16 @@ approvers: title: kubectl for Docker Users --- -In this doc, we introduce the Kubernetes command line for interacting with the api to docker-cli users. The tool, kubectl, is designed to be familiar to docker-cli users but there are a few necessary differences. Each section of this doc highlights a docker subcommand explains the kubectl equivalent. +You can use the Kubernetes command line tool kubectl to interact with the api. You can use kubectl if you are familiar with docker-cli. However, there are a few differences in the docker-cli commands and the kubectl commands. Each of the following section details a docker subcommand and explains the kubectl equivalent. * TOC {:toc} #### docker run -How do I run an nginx Deployment and expose it to the world? Checkout [kubectl run](/docs/user-guide/kubectl/{{page.version}}/#run). +To run an nginx Deployment and expose the Deployment, see [kubectl run](/docs/reference/generated/kubectl/kubectl-commands/{{page.version}}/#run). -With docker: +docker: ```shell $ docker run -d --restart=always -e DOMAIN=cluster --name nginx-app -p 80:80 nginx 
@@ -26,7 +26,7 @@ CONTAINER ID IMAGE COMMAND CREATED 55c103fa1296 nginx "nginx -g 'daemon of…" 9 seconds ago Up 9 seconds 0.0.0.0:80->80/tcp nginx-app ``` -With kubectl: +kubectl: ```shell # start the pod running nginx @@ -34,9 +34,8 @@ $ kubectl run --image=nginx nginx-app --port=80 --env="DOMAIN=cluster" deployment "nginx-app" created ``` -`kubectl run` creates a Deployment named "nginx-app" on Kubernetes cluster >= v1.2. If you are running older versions, it creates replication controllers instead. -If you want to obtain the old behavior, use `--generator=run/v1` to create replication controllers. See [`kubectl run`](/docs/user-guide/kubectl/{{page.version}}/#run) for more details. -Note that `kubectl` commands will print the type and name of the resource created or mutated, which can then be used in subsequent commands. Now, we can expose a new Service with the deployment created above: +**Note:** `kubectl` commands print the type and name of the resource created or mutated, which can then be used in subsequent commands. You can expose a new Service after a Deployment is created. +{: .note} ```shell # expose a port through with a service 
@@ -44,26 +43,25 @@ $ kubectl expose deployment nginx-app --port=80 --name=nginx-http service "nginx-http" exposed ``` -With kubectl, we create a [Deployment](/docs/concepts/workloads/controllers/deployment/) which will make sure that N pods are running nginx (where N is the number of replicas stated in the spec, which defaults to 1). We also create a [service](/docs/user-guide/services) with a selector that matches the Deployment's selector. See the [Quick start](/docs/user-guide/quick-start) for more information. +By using kubectl, you can create a [Deployment](/docs/concepts/workloads/controllers/deployment/) to ensure that N pods are running nginx, where N is the number of replicas stated in the spec and defaults to 1. You can also create a [service](/docs/concepts/services-networking/service/) with a selector that matches the pod labels. For more information, see [Use a Service to Access an Application in a Cluster](/docs/tasks/access-application-cluster/service-access-application-cluster). -By default images are run in the background, similar to `docker run -d ...`, if you want to run things in the foreground, use: +By default images run in the background, similar to `docker run -d ...`. To run things in the foreground, use: ```shell kubectl run [-i] [--tty] --attach --image= ``` -Unlike `docker run ...`, if `--attach` is specified, we attach to `stdin`, `stdout` and `stderr`, there is no ability to control which streams are attached (`docker -a ...`). -To detach from the container, you can type the escape sequence which is Ctrl+P -followed by Ctrl+Q. +Unlike `docker run ...`, if you specify `--attach`, then you attach `stdin`, `stdout` and `stderr`. You cannot control which streams are attached (`docker -a ...`). +To detach from the container, you can type the escape sequence Ctrl+P followed by Ctrl+Q. -Because we start a Deployment for your container, it will be restarted if you terminate the attached process (e.g. 
`ctrl-c`), this is different from `docker run -it`. -To destroy the Deployment (and its pods) you need to run `kubectl delete deployment `. +Because the kubectl run command starts a Deployment for the container, the Deployment restarts if you terminate the attached process by using Ctrl+C, unlike `docker run -it`. +To destroy the Deployment and its pods you need to run `kubectl delete deployment `. #### docker ps -How do I list what is currently running? Checkout [kubectl get](/docs/user-guide/kubectl/{{page.version}}/#get). +To list what is currently running, see [kubectl get](/docs/reference/generated/kubectl/kubectl-commands/{{page.version}}/#get). -With docker: +docker: ```shell $ docker ps -a @@ -72,7 +70,7 @@ CONTAINER ID IMAGE COMMAND CREATED 55c103fa1296 nginx "nginx -g 'daemon of…" About a minute ago Up About a minute 0.0.0.0:80->80/tcp nginx-app ``` -With kubectl: +kubectl: ```shell $ kubectl get po -a @@ -83,9 +81,9 @@ ubuntu 0/1 Completed 0 20s #### docker attach -How do I attach to a process that is already running in a container? Checkout [kubectl attach](/docs/user-guide/kubectl/{{page.version}}/#attach). +To attach a process that is already running in a container, see [kubectl attach](/docs/reference/generated/kubectl/kubectl-commands/{{page.version}}/#attach). -With docker: +docker: ```shell $ docker ps @@ -96,7 +94,7 @@ $ docker attach 55c103fa1296 ... ``` -With kubectl: +kubectl: ```shell $ kubectl get pods 
@@ -107,14 +105,13 @@ $ kubectl attach -it nginx-app-5jyvm ... ``` -To detach from the container, you can type the escape sequence which is Ctrl+P -followed by Ctrl+Q. +To detach from the container, you can type the escape sequence Ctrl+P followed by Ctrl+Q. #### docker exec -How do I execute a command in a container? Checkout [kubectl exec](/docs/user-guide/kubectl/{{page.version}}/#exec). +To execute a command in a container, see [kubectl exec](/docs/reference/generated/kubectl/kubectl-commands/{{page.version}}/#exec). -With docker: +docker: ```shell $ docker ps @@ -125,7 +122,7 @@ $ docker exec 55c103fa1296 cat /etc/hostname 55c103fa1296 ``` -With kubectl: +kubectl: ```shell $ kubectl get po @@ -136,31 +133,31 @@ $ kubectl exec nginx-app-5jyvm -- cat /etc/hostname nginx-app-5jyvm ``` -What about interactive commands? +To use interactive commands. -With docker: +docker: ```shell $ docker exec -ti 55c103fa1296 /bin/sh # exit ``` -With kubectl: +kubectl: ```shell $ kubectl exec -ti nginx-app-5jyvm -- /bin/sh # exit ``` -For more information see [Getting a Shell to a Running Container](/docs/tasks/debug-application-cluster/get-shell-running-container/). +For more information, see [Get a Shell to a Running Container](/docs/tasks/debug-application-cluster/get-shell-running-container/). #### docker logs -How do I follow stdout/stderr of a running process? Checkout [kubectl logs](/docs/user-guide/kubectl/{{page.version}}/#logs). +To follow stdout/stderr of a process that is running, see [kubectl logs](/docs/reference/generated/kubectl/kubectl-commands/{{page.version}}/#logs). -With docker: +docker: ```shell $ docker logs -f a9e @@ -168,7 +165,7 @@ $ docker logs -f a9e 192.168.9.1 - - [14/Jul/2015:01:04:03 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.35.0" "-" ``` -With kubectl: +kubectl: ```shell $ kubectl logs -f nginx-app-zibvs 
@@ -176,7 +173,7 @@ $ kubectl logs -f nginx-app-zibvs 10.240.63.110 - - [14/Jul/2015:01:09:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.26.0" "-" ``` -Now's a good time to mention slight difference between pods and containers; by default pods will not terminate if their processes exit. Instead it will restart the process. This is similar to the docker run option `--restart=always` with one major difference. In docker, the output for each invocation of the process is concatenated, but for Kubernetes, each invocation is separate. To see the output from a previous run in Kubernetes, do this: +There is a slight difference between pods and containers; by default pods do not terminate if their processes exit. Instead the pods restart the process. This is similar to the docker run option `--restart=always` with one major difference. In docker, the output for each invocation of the process is concatenated, but for Kubernetes, each invocation is separate. To see the output from a previous run in Kubernetes, do this: ```shell $ kubectl logs --previous nginx-app-zibvs @@ -184,13 +181,13 @@ $ kubectl logs --previous nginx-app-zibvs 10.240.63.110 - - [14/Jul/2015:01:09:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.26.0" "-" ``` -See [Logging and Monitoring Cluster Activity](/docs/concepts/cluster-administration/logging/) for more information. +For more information, see [Logging Architecture](docs/concepts/cluster-administration/logging/). #### docker stop and docker rm -How do I stop and delete a running process? Checkout [kubectl delete](/docs/user-guide/kubectl/{{page.version}}/#delete). +To stop and delete a running process, see [kubectl delete](/docs/reference/generated/kubectl/kubectl-commands/{{page.version}}/#delete). -With docker: +docker: ```shell $ docker ps @@ -204,7 +201,7 @@ $ docker rm a9ec34d98787 a9ec34d98787 ``` -With kubectl: +kubectl: ```shell $ kubectl get deployment nginx-app 
@@ -222,7 +219,8 @@ $ kubectl get po -l run=nginx-app # Return nothing ``` -Notice that we don't delete the pod directly. With kubectl we want to delete the Deployment that owns the pod. If we delete the pod directly, the Deployment will recreate the pod. +**Note:** When you use kubectl, you don't delete the pod directly.You have to fiirst delete the Deployment that owns the pod. If you delete the pod directly, the Deployment recreates the pod. +{: .note} #### docker login @@ -230,9 +228,9 @@ There is no direct analog of `docker login` in kubectl. If you are interested in #### docker version -How do I get the version of my client and server? Checkout [kubectl version](/docs/user-guide/kubectl/{{page.version}}/#version). +To get the version of client and server, see [kubectl version](/docs/reference/generated/kubectl/kubectl-commands{{page.version}}/#version). -With docker: +docker: ```shell $ docker version @@ -248,7 +246,7 @@ Git commit (server): 0baf609 OS/Arch (server): linux/amd64 ``` -With kubectl: +kubectl: ```shell $ kubectl version @@ -258,9 +256,9 @@ Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.9+a3d1dfa6f4 #### docker info -How do I get miscellaneous info about my environment and configuration? Checkout [kubectl cluster-info](/docs/user-guide/kubectl/{{page.version}}/#cluster-info). +To get miscellaneous information about the environment and configuration, see [kubectl cluster-info](/docs/reference/generated/kubectl/kubectl-commands/{{page.version}}/#cluster-info). -With docker: +docker: ```shell $ docker info @@ -282,7 +280,7 @@ ID: ADUV:GCYR:B3VJ:HMPO:LNPQ:KD5S:YKFQ:76VN:IANZ:7TFV:ZBF4:BYJO WARNING: No swap limit support ``` -With kubectl: +kubectl: ```shell $ kubectl cluster-info 
diff --git a/docs/concepts/cluster-administration/sysctl-cluster.md b/docs/tasks/administer-cluster/sysctl-cluster.md similarity index 81% rename from docs/concepts/cluster-administration/sysctl-cluster.md rename to docs/tasks/administer-cluster/sysctl-cluster.md index 796c735bb2871..9c8a8fcc49b46 100644 --- a/docs/concepts/cluster-administration/sysctl-cluster.md +++ b/docs/tasks/administer-cluster/sysctl-cluster.md @@ -1,15 +1,24 @@ --- +title: Using Sysctls in a Kubernetes Cluster reviewers: - sttts -title: Using Sysctls in a Kubernetes Cluster --- -* TOC -{:toc} +{% capture overview %} This document describes how sysctls are used within a Kubernetes cluster. -## What is a Sysctl? +{% endcapture %} + +{% capture prerequisites %} + +{% include task-tutorial-prereqs.md %} + +{% endcapture %} + +{% capture steps %} + +## Listing all Sysctl Parameters In Linux, the sysctl interface allows an administrator to modify kernel parameters at runtime. Parameters are available via the `/proc/sys/` virtual 
@@ -23,35 +32,11 @@ process file system. The parameters cover various subsystems such as: To get a list of all parameters, you can run -``` +```shell $ sudo sysctl -a ``` -## Namespaced vs. Node-Level Sysctls - -A number of sysctls are _namespaced_ in today's Linux kernels. This means that -they can be set independently for each pod on a node. Being namespaced is a -requirement for sysctls to be accessible in a pod context within Kubernetes. - -The following sysctls are known to be _namespaced_: - -- `kernel.shm*`, -- `kernel.msg*`, -- `kernel.sem`, -- `fs.mqueue.*`, -- `net.*`. - -Sysctls which are not namespaced are called _node-level_ and must be set -manually by the cluster admin, either by means of the underlying Linux -distribution of the nodes (e.g. via `/etc/sysctls.conf`) or using a DaemonSet -with privileged containers. - -**Note**: it is good practice to consider nodes with special sysctl settings as -_tainted_ within a cluster, and only schedule pods onto them which need those -sysctl settings. It is suggested to use the Kubernetes [_taints and toleration_ -feature](/docs/user-guide/kubectl/{{page.version}}/#taint) to implement this. - -## Safe vs. Unsafe Sysctls +## Enabling Unsafe Sysctls Sysctls are grouped into _safe_ and _unsafe_ sysctls. In addition to proper namespacing a _safe_ sysctl must be properly _isolated_ between pods on the same @@ -63,8 +48,7 @@ node. This means that setting a _safe_ sysctl for one pod of a pod. By far, most of the _namespaced_ sysctls are not necessarily considered _safe_. - -For Kubernetes 1.4, the following sysctls are supported in the _safe_ set: +The following sysctls are supported in the _safe_ set: - `kernel.shm_rmid_forced`, - `net.ipv4.ip_local_port_range`, 
@@ -82,31 +66,45 @@ All _unsafe_ sysctls are disabled by default and must be allowed manually by the cluster admin on a per-node basis. Pods with disabled unsafe sysctls will be scheduled, but will fail to launch. -**Warning**: Due to their nature of being _unsafe_, the use of _unsafe_ sysctls -is at-your-own-risk and can lead to severe problems like wrong behavior of -containers, resource shortage or complete breakage of a node. - -## Enabling Unsafe Sysctls - With the warning above in mind, the cluster admin can allow certain _unsafe_ sysctls for very special situations like e.g. high-performance or real-time application tuning. _Unsafe_ sysctls are enabled on a node-by-node basis with a flag of the kubelet, e.g.: ```shell -$ kubelet --experimental-allowed-unsafe-sysctls 'kernel.msg*,net.ipv4.route.min_pmtu' ... +$ kubelet --experimental-allowed-unsafe-sysctls \ + 'kernel.msg*,net.ipv4.route.min_pmtu' ... ``` + For minikube, this can be done via the `extra-config` flag: ```shell $ minikube start --extra-config="kubelet.AllowedUnsafeSysctls=kernel.msg*,net.ipv4.route.min_pmtu"... ``` + Only _namespaced_ sysctls can be enabled this way. ## Setting Sysctls for a Pod -The sysctl feature is an alpha API in Kubernetes 1.4. Therefore, sysctls are set -using annotations on pods. They apply to all containers in the same pod. +A number of sysctls are _namespaced_ in today's Linux kernels. This means that +they can be set independently for each pod on a node. Being namespaced is a +requirement for sysctls to be accessible in a pod context within Kubernetes. + +The following sysctls are known to be _namespaced_: + +- `kernel.shm*`, +- `kernel.msg*`, +- `kernel.sem`, +- `fs.mqueue.*`, +- `net.*`. + +Sysctls which are not namespaced are called _node-level_ and must be set +manually by the cluster admin, either by means of the underlying Linux +distribution of the nodes (e.g. via `/etc/sysctls.conf`) or using a DaemonSet +with privileged containers. 
+ +The sysctl feature is an alpha API. Therefore, sysctls are set using annotations +on pods. They apply to all containers in the same pod. Here is an example, with different annotations for _safe_ and _unsafe_ sysctls: @@ -121,11 +119,25 @@ metadata: spec: ... ``` +{% endcapture %} + +{% capture discussion %} -**Note**: a pod with the _unsafe_ sysctls specified above will fail to launch on -any node which has not enabled those two _unsafe_ sysctls explicitly. As with -_node-level_ sysctls it is recommended to use [_taints and toleration_ -feature](/docs/user-guide/kubectl/{{page.version}}/#taint) or [taints on nodes](/docs/concepts/configuration/taint-and-toleration/) +**Warning**: Due to their nature of being _unsafe_, the use of _unsafe_ sysctls +is at-your-own-risk and can lead to severe problems like wrong behavior of +containers, resource shortage or complete breakage of a node. +{: .warning} + +It is good practice to consider nodes with special sysctl settings as +_tainted_ within a cluster, and only schedule pods onto them which need those +sysctl settings. It is suggested to use the Kubernetes [_taints and toleration_ +feature](/docs/user-guide/kubectl/{{page.version}}/#taint) to implement this. + +A pod with the _unsafe_ sysctls will fail to launch on any node which has not +enabled those two _unsafe_ sysctls explicitly. As with _node-level_ sysctls it +is recommended to use +[_taints and toleration_ feature](/docs/user-guide/kubectl/{{page.version}}/#taint) or +[taints on nodes](/docs/concepts/configuration/taint-and-toleration/) to schedule those pods onto the right nodes. ## PodSecurityPolicy Annotations @@ -148,3 +160,7 @@ metadata: spec: ... ``` + +{% endcapture %} + +{% include templates/task.md %} diff --git a/docs/tasks/configure-pod-container/configure-pod-configmap.md b/docs/tasks/configure-pod-container/configure-pod-configmap.md index 5175ae9829060..16ed639254b8e 100644 --- a/docs/tasks/configure-pod-container/configure-pod-configmap.md 
+++ b/docs/tasks/configure-pod-container/configure-pod-configmap.md @@ -502,6 +502,9 @@ special.level special.type ``` +**Caution:** If there are some files in the `/etc/config/` directory, they will be deleted. +{: .caution} + ### Add ConfigMap data to a specific path in the Volume Use the `path` field to specify the desired file path for specific ConfigMap items. diff --git a/images/square-logos/asag.png b/images/square-logos/asag.png new file mode 100644 index 0000000000000..a0eb75e61c10e Binary files /dev/null and b/images/square-logos/asag.png differ diff --git a/images/square-logos/baidu.png b/images/square-logos/baidu.png new file mode 100644 index 0000000000000..7a95a47ed5f3e Binary files /dev/null and b/images/square-logos/baidu.png differ diff --git a/images/square-logos/circulo.png b/images/square-logos/circulo.png new file mode 100644 index 0000000000000..9108e0a1442a2 Binary files /dev/null and b/images/square-logos/circulo.png differ diff --git a/images/square-logos/componentsoft.png b/images/square-logos/componentsoft.png index df326a3ff3a57..a86ede2b7453b 100644 Binary files a/images/square-logos/componentsoft.png and b/images/square-logos/componentsoft.png differ diff --git a/images/square-logos/devopsguru.png b/images/square-logos/devopsguru.png new file mode 100644 index 0000000000000..5d9f621d9b63f Binary files /dev/null and b/images/square-logos/devopsguru.png differ diff --git a/images/square-logos/ein.png b/images/square-logos/ein.png new file mode 100644 index 0000000000000..144b749d1fc41 Binary files /dev/null and b/images/square-logos/ein.png differ diff --git a/images/square-logos/google.png b/images/square-logos/google.png index 685c32cc2c2c2..99eed95928aa7 100644 Binary files a/images/square-logos/google.png and b/images/square-logos/google.png differ 
diff --git a/images/square-logos/guardicore.png b/images/square-logos/guardicore.png new file mode 100644 index 0000000000000..b0b82839db14e Binary files /dev/null and b/images/square-logos/guardicore.png differ diff --git a/images/square-logos/hedvig.png b/images/square-logos/hedvig.png new file mode 100644 index 0000000000000..6ef09d7c7aa8b Binary files /dev/null and b/images/square-logos/hedvig.png differ diff --git a/images/square-logos/hpe.png b/images/square-logos/hpe.png new file mode 100644 index 0000000000000..5d2965a6da3ea Binary files /dev/null and b/images/square-logos/hpe.png differ diff --git a/images/square-logos/jetbrains.png b/images/square-logos/jetbrains.png new file mode 100644 index 0000000000000..f9303abccdac9 Binary files /dev/null and b/images/square-logos/jetbrains.png differ diff --git a/images/square-logos/kong.png b/images/square-logos/kong.png new file mode 100644 index 0000000000000..0cd5e29c70d70 Binary files /dev/null and b/images/square-logos/kong.png differ diff --git a/images/square-logos/mobilise.png b/images/square-logos/mobilise.png new file mode 100644 index 0000000000000..0a20f4b3bbcad Binary files /dev/null and b/images/square-logos/mobilise.png differ diff --git a/images/square-logos/opensense.png b/images/square-logos/opensense.png new file mode 100644 index 0000000000000..f7d0439c37f73 Binary files /dev/null and b/images/square-logos/opensense.png differ diff --git a/images/square-logos/spotinst.png b/images/square-logos/spotinst.png index 2faf7113506ac..14ea926d0b1c1 100644 Binary files a/images/square-logos/spotinst.png and b/images/square-logos/spotinst.png differ diff --git a/images/square-logos/superorbital.png b/images/square-logos/superorbital.png new file mode 100644 index 0000000000000..f28bae65c8e81 Binary files /dev/null and b/images/square-logos/superorbital.png differ 
diff --git a/images/square-logos/woqutech.png b/images/square-logos/woqutech.png new file mode 100644 index 0000000000000..d96fa45f0d0df Binary files /dev/null and b/images/square-logos/woqutech.png differ