Skip to content

Commit

Permalink
Merge pull request #45226 from Princesso/merged-main-dev-1.30
Browse files Browse the repository at this point in the history
Merge main branch into dev-1.30
  • Loading branch information
k8s-ci-robot authored Feb 20, 2024
2 parents 08fb708 + e1465e0 commit fe2efe0
Show file tree
Hide file tree
Showing 81 changed files with 1,819 additions and 904 deletions.
5 changes: 5 additions & 0 deletions .well-known/security.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Contact: mailto:[email protected]
Expires: 2031-01-11T06:30:00.000Z
Preferred-Languages: en
Canonical: https://kubernetes.io/.well-known/security.txt
Policy: https://github.com/kubernetes/website/blob/main/SECURITY.md
16 changes: 16 additions & 0 deletions content/de/docs/reference/glossary/cadvisor.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
---
title: cAdvisor
id: cadvisor
date: 2021-12-09
full_link: https://github.com/google/cadvisor/
short_description: >
Werkzeug, um Ressourcenverbrauch und Performance Charakteristiken von Container besser zu verstehen
aka:
tags:
- tool
---
cAdvisor (Container Advisor) ermöglicht Benutzer von Container ein besseres Verständnis des Ressourcenverbrauchs und der Performance Charakteristiken ihrer laufenden {{< glossary_tooltip text="Container" term_id="container" >}}.

<!--more-->

Es ist ein laufender Daemon, der Informationen über laufende Container sammelt, aggregiert, verarbeitet, und exportiert. Genauer gesagt, speichert es für jeden Container die Ressourcenisolationsparameter, den historischen Ressourcenverbrauch, die Histogramme des kompletten historischen Ressourcenverbrauchs und die Netzwerkstatistiken. Diese Daten werden pro Container und maschinenweit exportiert.
18 changes: 18 additions & 0 deletions content/de/docs/reference/glossary/certificate.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
---
title: Zertifikat
id: certificate
date: 2018-04-12
full_link: /docs/tasks/tls/managing-tls-in-a-cluster/
short_description: >
Eine kryptographisch sichere Datei, die verwendet wird um den Zugriff auf das Kubernetes Cluster zu validieren.
aka:
tags:
- security
---
Eine kryptographisch sichere Datei, die verwendet wird um den Zugriff auf das Kubernetes Cluster zu bestätigen.

<!--more-->

Zertfikate ermöglichen es Anwendungen in einem Kubernetes Cluster sicher auf die Kubernetes API zuzugreifen. Zertfikate bestätigen, dass Clients die Erlaubnis haben auf die API zuzugreifen.

18 changes: 18 additions & 0 deletions content/de/docs/reference/glossary/cidr.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
---
title: CIDR
id: cidr
date: 2019-11-12
full_link:
short_description: >
CIDR ist eine Notation, um Blöcke von IP Adressen zu beschreiben und wird viel verwendet in verschiedenen Netzwerkkonfigurationen.
aka:
tags:
- networking
---
CIDR (Classless Inter-Domain Routing) ist eine Notation, um Blöcke von IP Adressen zu beschreiben und wird viel verwendet in verschiedenen Netzwerkkonfigurationen.

<!--more-->

Im Kubernetes Kontext, erhält jeder {{< glossary_tooltip text="Knoten" term_id="node" >}} eine Reihe von IP Adressen durch die Startadresse und eine Subnetzmaske unter Verwendung von CIDR. Dies erlaubt Knoten jedem {{< glossary_tooltip text="Pod" term_id="pod" >}} eine eigene IP Adresse zuzuweisen. Obwohl es ursprünglich ein Konzept für IPv4 ist, wurde CIDR erweitert um auch IPv6 einzubinden.

18 changes: 18 additions & 0 deletions content/de/docs/reference/glossary/cla.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
---
title: CLA (Contributor License Agreement)
id: cla
date: 2018-04-12
full_link: https://github.com/kubernetes/community/blob/master/CLA.md
short_description: >
Bedingungen unter denen ein Mitwirkender eine Lizenz an ein Open Source Projekt erteilt für seine Mitwirkungen.
aka:
tags:
- community
---
Bedingungen unter denen ein {{< glossary_tooltip text="Mitwirkender" term_id="contributor" >}} eine Lizenz an ein Open Source Projekt erteilt für seine Mitwirkungen.

<!--more-->

CLAs helfen dabei rechtliche Streitigkeiten rund um Mitwirkungen und geistigem Eigentum (IP) zu lösen.

Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ until disk usage reaches the `LowThresholdPercent` value.

#### Garbage collection for unused container images {#image-maximum-age-gc}

{{< feature-state for_k8s_version="v1.29" state="alpha" >}}
{{< feature-state feature_gate_name="ImageMaximumGCAge" >}}

As an alpha feature, you can specify the maximum time a local image can be unused for,
regardless of disk usage. This is a kubelet setting that you configure for each node.
Expand Down
2 changes: 1 addition & 1 deletion content/en/docs/concepts/architecture/leases.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ instances are on stand-by.

## API server identity

{{< feature-state for_k8s_version="v1.26" state="beta" >}}
{{< feature-state feature_gate_name="APIServerIdentity" >}}

Starting in Kubernetes v1.26, each `kube-apiserver` uses the Lease API to publish its identity to the
rest of the system. While not particularly useful on its own, this provides a mechanism for clients to
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ weight: 220

<!-- overview -->

{{< feature-state state="alpha" for_k8s_version="v1.28" >}}
{{< feature-state feature_gate_name="UnknownVersionInteroperabilityProxy" >}}

Kubernetes {{< skew currentVersion >}} includes an alpha feature that lets an
{{< glossary_tooltip text="API Server" term_id="kube-apiserver" >}}
Expand Down
10 changes: 5 additions & 5 deletions content/en/docs/concepts/architecture/nodes.md
Original file line number Diff line number Diff line change
Expand Up @@ -280,7 +280,7 @@ If you want to explicitly reserve resources for non-Pod processes, see

## Node topology

{{< feature-state state="stable" for_k8s_version="v1.27" >}}
{{< feature-state feature_gate_name="TopologyManager" >}}

If you have enabled the `TopologyManager`
[feature gate](/docs/reference/command-line-tools-reference/feature-gates/), then
Expand All @@ -290,7 +290,7 @@ for more information.

## Graceful node shutdown {#graceful-node-shutdown}

{{< feature-state state="beta" for_k8s_version="v1.21" >}}
{{< feature-state feature_gate_name="GracefulNodeShutdown" >}}

The kubelet attempts to detect node system shutdown and terminates pods running on the node.

Expand Down Expand Up @@ -374,7 +374,7 @@ Message: Pod was terminated in response to imminent node shutdown.

### Pod Priority based graceful node shutdown {#pod-priority-graceful-node-shutdown}

{{< feature-state state="beta" for_k8s_version="v1.24" >}}
{{< feature-state feature_gate_name="GracefulNodeShutdownBasedOnPodPriority" >}}

To provide more flexibility during graceful node shutdown around the ordering
of pods during shutdown, graceful node shutdown honors the PriorityClass for
Expand Down Expand Up @@ -471,7 +471,7 @@ are emitted under the kubelet subsystem to monitor node shutdowns.

## Non-graceful node shutdown handling {#non-graceful-node-shutdown}

{{< feature-state state="stable" for_k8s_version="v1.28" >}}
{{< feature-state feature_gate_name="NodeOutOfServiceVolumeDetach" >}}

A node shutdown action may not be detected by kubelet's Node Shutdown Manager,
either because the command does not trigger the inhibitor locks mechanism used by
Expand Down Expand Up @@ -515,7 +515,7 @@ During a non-graceful shutdown, Pods are terminated in the two phases:

## Swap memory management {#swap-memory}

{{< feature-state state="beta" for_k8s_version="v1.28" >}}
{{< feature-state feature_gate_name="NodeSwap" >}}

To enable swap on a node, the `NodeSwap` feature gate must be enabled on
the kubelet, and the `--fail-swap-on` command line flag or `failSwapOn`
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -238,7 +238,7 @@ The `logrotate` tool rotates logs daily, or once the log size is greater than 10

## Log query

{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
{{< feature-state feature_gate_name="NodeLogQuery" >}}

To help with debugging issues on nodes, Kubernetes v1.27 introduced a feature that allows viewing logs of services
running on the node. To use the feature, ensure that the `NodeLogQuery`
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ For more information about the `TracingConfiguration` struct, see

### kubelet traces

{{< feature-state for_k8s_version="v1.27" state="beta" >}}
{{< feature-state feature_gate_name="KubeletTracing" >}}

The kubelet CRI interface and authenticated http servers are instrumented to generate
trace spans. As with the apiserver, the endpoint and sampling rate are configurable.
Expand Down
2 changes: 1 addition & 1 deletion content/en/docs/concepts/containers/images.md
Original file line number Diff line number Diff line change
Expand Up @@ -161,7 +161,7 @@ which is 300 seconds (5 minutes).

### Image pull per runtime class

{{< feature-state for_k8s_version="v1.29" state="alpha" >}}
{{< feature-state feature_gate_name="RuntimeClassInImageCriApi" >}}
Kubernetes includes alpha support for performing image pulls based on the RuntimeClass of a Pod.

If you enable the `RuntimeClassInImageCriApi` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/),
Expand Down
4 changes: 2 additions & 2 deletions content/en/docs/concepts/overview/components.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ as well as detecting and responding to cluster events (for example, starting up
`{{< glossary_tooltip text="replicas" term_id="replica" >}}` field is unsatisfied).

Control plane components can be run on any machine in the cluster. However,
for simplicity, set up scripts typically start all control plane components on
for simplicity, setup scripts typically start all control plane components on
the same machine, and do not run user containers on this machine. See
[Creating Highly Available clusters with kubeadm](/docs/setup/production-environment/tools/kubeadm/high-availability/)
for an example control plane setup that runs across multiple machines.
Expand Down Expand Up @@ -150,4 +150,4 @@ Learn more about the following:
* Etcd's official [documentation](https://etcd.io/docs/).
* Several [container runtimes](/docs/setup/production-environment/container-runtimes/) in Kubernetes.
* Integrating with cloud providers using [cloud-controller-manager](/docs/concepts/architecture/cloud-controller/).
* [kubectl](/docs/reference/generated/kubectl/kubectl-commands) commands.
* [kubectl](/docs/reference/generated/kubectl/kubectl-commands) commands.
4 changes: 2 additions & 2 deletions content/en/docs/concepts/overview/kubernetes-api.md
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ packages that define the API objects.

### OpenAPI V3

{{< feature-state state="stable" for_k8s_version="v1.27" >}}
{{< feature-state feature_gate_name="OpenAPIV3" >}}

Kubernetes supports publishing a description of its APIs as OpenAPI v3.

Expand Down Expand Up @@ -167,7 +167,7 @@ cluster.

### Aggregated Discovery

{{< feature-state state="beta" for_k8s_version="v1.27" >}}
{{< feature-state feature_gate_name="AggregatedDiscoveryEndpoint" >}}

Kubernetes offers beta support for aggregated discovery, publishing
all resources supported by a cluster through two endpoints (`/api` and
Expand Down
35 changes: 18 additions & 17 deletions content/en/docs/concepts/scheduling-eviction/assign-pod-node.md
Original file line number Diff line number Diff line change
Expand Up @@ -360,7 +360,7 @@ null `namespaceSelector` matches the namespace of the Pod where the rule is defi

#### matchLabelKeys

{{< feature-state for_k8s_version="v1.29" state="alpha" >}}
{{< feature-state feature_gate_name="MatchLabelKeysInPodAffinity" >}}

{{< note >}}
<!-- UPDATE THIS WHEN PROMOTING TO BETA -->
Expand Down Expand Up @@ -391,26 +391,27 @@ metadata:
...
spec:
template:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- database
topologyKey: topology.kubernetes.io/zone
# Only Pods from a given rollout are taken into consideration when calculating pod affinity.
# If you update the Deployment, the replacement Pods follow their own affinity rules
# (if there are any defined in the new Pod template)
matchLabelKeys:
- pod-template-hash
spec:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- database
topologyKey: topology.kubernetes.io/zone
# Only Pods from a given rollout are taken into consideration when calculating pod affinity.
# If you update the Deployment, the replacement Pods follow their own affinity rules
# (if there are any defined in the new Pod template)
matchLabelKeys:
- pod-template-hash
```

#### mismatchLabelKeys

{{< feature-state for_k8s_version="v1.29" state="alpha" >}}
{{< feature-state feature_gate_name="MatchLabelKeysInPodAffinity" >}}

{{< note >}}
<!-- UPDATE THIS WHEN PROMOTING TO BETA -->
Expand Down
123 changes: 123 additions & 0 deletions content/en/docs/concepts/security/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,127 @@ title: "Security"
weight: 85
description: >
Concepts for keeping your cloud-native workload secure.
simple_list: true
---

This section of the Kubernetes documentation aims to help you learn to run
workloads more securely, and about the essential aspects of keeping a
Kubernetes cluster secure.

Kubernetes is based on a cloud-native architecture, and draws on advice from the
{{< glossary_tooltip text="CNCF" term_id="cncf" >}} about good practice for
cloud native information security.

Read [Cloud Native Security and Kubernetes](/docs/concepts/security/cloud-native-security/)
for the broader context about how to secure your cluster and the applications that
you're running on it.

## Kubernetes security mechanisms {#security-mechanisms}

Kubernetes includes several APIs and security controls, as well as ways to
define [policies](#policies) that can form part of how you manage information security.

### Control plane protection

A key security mechanism for any Kubernetes cluster is to
[control access to the Kubernetes API](/docs/concepts/security/controlling-access).

Kubernetes expects you to configure and use TLS to provide
[data encryption in transit](/docs/tasks/tls/managing-tls-in-a-cluster/)
within the control plane, and between the control plane and its clients.
You can also enable [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/)
for the data stored within Kubernetes control plane; this is separate from using
encryption at rest for your own workloads' data, which might also be a good idea.

### Secrets

The [Secret](/docs/concepts/configuration/secret/) API provides basic protection for
configuration values that require confidentiality.

### Workload protection

Enforce [Pod security standards](/docs/concepts/security/pod-security-standards/) to
ensure that Pods and their containers are isolated appropriately. You can also use
[RuntimeClasses](/docs/concepts/containers/runtime-class) to define custom isolation
if you need it.

[Network policies](/docs/concepts/services-networking/network-policies/) let you control
network traffic between Pods, or between Pods and the network outside your cluster.

You can deploy security controls from the wider ecosystem to implement preventative
or detective controls around Pods, their containers, and the images that run in them.

### Auditing

Kubernetes [audit logging](/docs/tasks/debug/debug-cluster/audit/) provides a
security-relevant, chronological set of records documenting the sequence of actions
in a cluster. The cluster audits the activities generated by users, by applications
that use the Kubernetes API, and by the control plane itself.

## Cloud provider security

{{% thirdparty-content vendor="true" %}}

If you are running a Kubernetes cluster on your own hardware or a different cloud provider,
consult your documentation for security best practices.
Here are links to some of the popular cloud providers' security documentation:

{{< table caption="Cloud provider security" >}}

IaaS Provider | Link |
-------------------- | ------------ |
Alibaba Cloud | https://www.alibabacloud.com/trust-center |
Amazon Web Services | https://aws.amazon.com/security |
Google Cloud Platform | https://cloud.google.com/security |
Huawei Cloud | https://www.huaweicloud.com/intl/en-us/securecenter/overallsafety |
IBM Cloud | https://www.ibm.com/cloud/security |
Microsoft Azure | https://docs.microsoft.com/en-us/azure/security/azure-security |
Oracle Cloud Infrastructure | https://www.oracle.com/security |
VMware vSphere | https://www.vmware.com/security/hardening-guides |

{{< /table >}}

## Policies

You can define security policies using Kubernetes-native mechanisms,
such as [NetworkPolicy](/docs/concepts/services-networking/network-policies/)
(declarative control over network packet filtering) or
[ValidatingAdmisisonPolicy](/docs/reference/access-authn-authz/validating-admission-policy/) (declarative restrictions on what changes
someone can make using the Kubernetes API).

However, you can also rely on policy implementations from the wider
ecosystem around Kubernetes. Kubernetes provides extension mechanisms
to let those ecosystem projects implement their own policy controls
on source code review, container image approval, API access controls,
networking, and more.

For more information about policy mechanisms and Kubernetes,
read [Policies](/docs/concepts/policy/).

## {{% heading "whatsnext" %}}

Learn about related Kubernetes security topics:

* [Securing your cluster](/docs/tasks/administer-cluster/securing-a-cluster/)
* [Known vulnerabilities](/docs/reference/issues-security/official-cve-feed/)
in Kubernetes (and links to further information)
* [Data encryption in transit](/docs/tasks/tls/managing-tls-in-a-cluster/) for the control plane
* [Data encryption at rest](/docs/tasks/administer-cluster/encrypt-data/)
* [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access)
* [Network policies](/docs/concepts/services-networking/network-policies/) for Pods
* [Secrets in Kubernetes](/docs/concepts/configuration/secret/)
* [Pod security standards](/docs/concepts/security/pod-security-standards/)
* [RuntimeClasses](/docs/concepts/containers/runtime-class)

Learn the context:

<!-- if changing this, also edit the front matter of content/en/docs/concepts/security/cloud-native-security.md to match; check the no_list setting -->
* [Cloud Native Security and Kubernetes](/docs/concepts/security/cloud-native-security/)

Get certified:

* [Certified Kubernetes Security Specialist](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/)
certification and official training course.

Read more in this section:

Loading

0 comments on commit fe2efe0

Please sign in to comment.