Add blog article about zpages #53030
Conversation
k8s-ci-robot
added
area/blog
k8s-ci-robot
added
size/XS
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Not yet ready for review, so: |
k8s-ci-robot
added
the
do-not-merge/work-in-progress
k8s-ci-robot
added
size/L
richabanker
force-pushed
the
zpages
branch
6 times, most recently
from
3e5aaa1 to
77b8c8a
Compare
richabanker
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
Ready for a first pass now @sftim , thanks! |
lmktfy
left a comment
lmktfy
left a comment
There was a problem hiding this comment.
Thanks. I do have quite a lot of feedback on it I'm afraid.
| The new structured responses are opt-in. Without specifying an `Accept` header, the endpoints continue to return the familiar plain text format: | ||
|
|
||
| ``` | ||
| $ curl -k --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \ |
There was a problem hiding this comment.
Even in a blog article, I strongly don't recommend teaching / tacitly endorsing curl -k.
Either suggest an example using a plain HTTP port, or give the example without the security bypass and then mention the *long" flag name in a comment. In other words, make people think before they bypass the check.
There was a problem hiding this comment.
sounds good, updated examples to not use the -k flag and added a note regarding bypassing cert authn
|
|
||
| ```bash | ||
| # Get structured statusz response | ||
| curl -k \ |
There was a problem hiding this comment.
See earlier comment about the security check bypass.
| https://localhost:6443/statusz | jq . | ||
|
|
||
| # Get structured flagz response | ||
| curl -k \ |
There was a problem hiding this comment.
See earlier comment about the security check bypass.
|
|
||
| z-pages expose internal component information and require proper access controls. Here are the key security considerations: | ||
|
|
||
| **RBAC authorization**: Access to z-page endpoints is restricted to members of the `system:monitoring` group, which follows the same authorization model as other debugging endpoints like `/healthz`, `/livez`, and `/readyz`. This ensures that only authorized users and service accounts can access debugging information. |
There was a problem hiding this comment.
nit: not all clusters use RBAC for authz
There was a problem hiding this comment.
Clarified to say - "if you use RBAC ..."
|
|
||
| ## What are z-pages? | ||
|
|
||
| z-pages are special debugging endpoints exposed by Kubernetes control plane components. Introduced as an alpha feature in Kubernetes 1.32, these endpoints provide runtime diagnostics for components like kube-apiserver, kube-controller-manager, kube-scheduler, kubelet and kube-proxy. The name "z-pages" comes from the convention of using `/z*` paths for debugging endpoints. |
There was a problem hiding this comment.
nit: The wildcard doesn't look quite right here.
|
|
||
| Currently, Kubernetes supports two primary z-page endpoints: | ||
|
|
||
| - **`/statusz`**: Displays high-level component information including version information, start time, uptime, and available debug paths |
There was a problem hiding this comment.
nit: this could be a Markdown description list (and I recommend using one)
| Currently, Kubernetes supports two primary z-page endpoints: | ||
|
|
||
| - **`/statusz`**: Displays high-level component information including version information, start time, uptime, and available debug paths | ||
| - **`/flagz`**: Shows all command-line flags and their values used to start the component (with confidential values redacted for security) |
There was a problem hiding this comment.
| - **`/flagz`**: Shows all command-line flags and their values used to start the component (with confidential values redacted for security) | |
| - **`/flagz`**: Shows all command-line arguments and their values used to start the component (with confidential values redacted for security) |
Despite the URL path, we actually list command line arguments that take non-boolean values
(the Go ecosystem uses "flag" to describe all command line options, but the wider world of IT usually doesn't; argv for example rather than flagv)
| "startTime": "2025-10-29T00:30:01Z", | ||
| "uptimeSeconds": 856, | ||
| "goVersion": "go1.23.2", | ||
| "binaryVersion": "1.35.0-alpha.0.1595+b288caa2c26536-dirty", |
There was a problem hiding this comment.
nit: could make this look like a released version
| "flags": { | ||
| "advertise-address": "192.168.8.4", | ||
| "allow-privileged": "true", | ||
| "authorization-mode": "[Node,RBAC]", |
There was a problem hiding this comment.
This is odd; does this mean that the string value is an embedded JSON document, or a Go literal? If we did one day serve a CBOR response, would the field value be CBOR bytes?
Maybe we should highlight this as a detail that isn't yet settled and that may change before beta?
There was a problem hiding this comment.
The value is a string representation of how the authorization-mode flag was set on the command line, so for CBOR, I am guessing it would print out a string "CBOR" likely ..?
richabanker
force-pushed
the
zpages
branch
2 times, most recently
from
ed89867 to
eea460e
Compare
|
|
||
| ### Example: Getting structured responses | ||
|
|
||
| Here's an example using `curl` to retrieve structured JSON responses: |
There was a problem hiding this comment.
Mention that this is a curl request and JSON responses from kube-apiserver?
There was a problem hiding this comment.
oh right, done thanks!
Serenity611
left a comment
Serenity611
left a comment
There was a problem hiding this comment.
Reviewed from a general proofreading/style guide alignment perspective and made a few small suggestions :) Looks great!
Also wanted to note that as a non-technical person, I found this article very easy to follow and understand. It's laid out clearly and concisely, really enjoyable to read!
Co-authored-by: Susan Sica <90214772+Serenity611@users.noreply.github.com>
|
Hi @richabanker 👋 v1.35 Communications team here, @macsko as author of #53012, I'd like you to be a writing buddy for @richabanker on this PR. Please:
|
|
Hi @richabanker 👋 -- this is Graziano (@graz-dev) from the v1.35 Communications Team! Just a friendly reminder that we are approaching the feature blog "ready for review" deadline: Friday 21st November. We ask you to have the blog in non-draft state, and all write-up to be complete, so that we can start the blog review from SIG Docs Blog team. If you have any questions or need help, please don't hesitate to reach out to me or any of the Communications Team members. We are here to help you! |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. DetailsGit tree hash: 69693bf934697aa198eaaff34aaff49c489c55cc |
|
@graz-dev this isn't (directly) a change to the live docs, so you can approve this one yourself. Feel free to do so. |
|
Nice /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: graz-dev The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
cc @bowei |
7 participants
Description
Adds a blog for Kubernetes component zpages
Issues
kubernetes/enhancements#4827
kubernetes/enhancements#4828