Promote sysctls to Beta #8804
Merged
Promote sysctls to Beta #8804
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Deploy preview for kubernetes-io-master-staging ready! Built with commit 025c86b https://deploy-preview-8804--kubernetes-io-master-staging.netlify.com |
20 tasks
k8s-ci-robot
added
size/L
k8s-ci-robot
added
size/M
mdlinville
reviewed
May 29, 2018
| @@ -105,20 +105,25 @@ manually by the cluster admin, either by means of the underlying Linux | |||
| distribution of the nodes (e.g. via `/etc/sysctls.conf`) or using a DaemonSet | |||
| with privileged containers. | |||
|
|
|||
| The sysctl feature is an alpha API. Therefore, sysctls are set using annotations | |||
| The sysctl feature is a beta API. The sysctls are set through pod security context | |||
There was a problem hiding this comment.
Can you use the feature shortcode for this instead of just having it in a paragraph? Syntax is like:
{{< feature-state for_k8s_version="v1.11" state="beta" >}}
This is lots easier to maintain than having to hunt through the Markdown files for mentions of "alpha", "beta" etc in the flow of the text.
mdlinville
reviewed
May 29, 2018
| - name: kernel.shm_rmid_forced | ||
| value: 1 | ||
| - name: net.ipv4.route.min_pmtu | ||
| value: 1000, |
There was a problem hiding this comment.
I think the comma might be spurious
mdlinville
reviewed
May 29, 2018
| - name: net.ipv4.route.min_pmtu | ||
| value: 1000, | ||
| - name: kernel.msgmax | ||
| value: 1 2 3 |
There was a problem hiding this comment.
Is this a placeholder? Doesn't look right.
|
Deploy preview for kubernetes-io-vnext-staging processing. Built with commit 8156163 https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/5b2338eb3672df657e45285e |
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
php-coder
reviewed
May 30, 2018
| @@ -213,6 +214,7 @@ Each feature gate is designed for enabling/disabling a specific feature: | |||
| - `SupportIPVSProxyMode`: Enable providing in-cluster service load balancing using IPVS. | |||
| See [service proxies](/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies) for more details. | |||
| - `SupportPodPidsLimit`: Enable the support to limiting PIDs in Pods. | |||
| - `Sysctls`: Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in `*`) | |||
There was a problem hiding this comment.
Looks like copy&pasted text. I'd expect it to briefly explain what support will be enabled by activating this gate.
There was a problem hiding this comment.
Agree to @php-coder, we'd better:
- briefly explain the differences this feature gate has made to the system;
- provide a link to the
docs/tasks/administer-cluster/sysctl-cluster/doc
There was a problem hiding this comment.
Changed to:
- `Sysctls`: Enable the sysctl support for tunning kernel parameters to better isolate resources of container.
See [sysctls](/docs/tasks/administer-cluster/sysctl-cluster/) for more details.
tengqm
reviewed
May 31, 2018
| or sysctl patterns (which end in `*`). The string `*` matches all sysctls. | ||
|
|
||
| The `allowedUnsafeSysctls` field excludes sysctls from the whitelist (`*` means | ||
| no safe sysctls allowed). |
There was a problem hiding this comment.
*means no safe sysctls allowed
This is confusing... If there is a foo in this field, I'm expecting foo as an unsafe sysctl is allowed. If there is a * in the list, I'm expecting that all unsafe sysctls are allowed. This has nothing to do with safe sysctls, right?
There was a problem hiding this comment.
Right, allowedUnsafeSysctls <-> forbiddenSysctls. Thanks for noticing that.
tengqm
reviewed
May 31, 2018
| The `allowedUnsafeSysctls` field excludes sysctls from the whitelist (`*` means | ||
| no safe sysctls allowed). | ||
| Any sysctl specified by the `forbiddenSysctls` is on the other hand allowed (`*` | ||
| means all unsafe sysctls allowed). |
There was a problem hiding this comment.
IIUC, this field doesn't distinguish whether a sysctl is safe or not, a * means no sysctls can be set in a Pod's spec.securityContext.sysctls. Please clarify.
tengqm
reviewed
May 31, 2018
|
|
||
| {{< note >}} | ||
| **Note**: Even though the `allowedUnsafeSysctls` allows certain unsafe sysctls, | ||
| if they are not allowed on the kubelet side, the pod fails to start. |
There was a problem hiding this comment.
Should we mention the --experimental-allowed-unsafe-sysctls flag of kubelet here?
k8s-ci-robot
added
the
lgtm
mdlinville
reviewed
May 31, 2018
| @@ -105,20 +105,28 @@ manually by the cluster admin, either by means of the underlying Linux | |||
| distribution of the nodes (e.g. via `/etc/sysctls.conf`) or using a DaemonSet | |||
| with privileged containers. | |||
|
|
|||
| The sysctl feature is an alpha API. Therefore, sysctls are set using annotations | |||
| on pods. They apply to all containers in the same pod. | |||
| The sysctl feature is a {{< feature-state for_k8s_version="v1.11" state="beta" >}} API. | |||
There was a problem hiding this comment.
This is not the correct way to use this shortcode. It isn't used in the flow of a paragraph, but on its own as a block-level element. Suggest just changing this sentence to only be the shortcode itself.
sttts
reviewed
Jun 11, 2018
| {{< warning >}} | ||
| **Warning**: If you use the `--allowed-unsafe-sysctls` flag when starting the | ||
| pod and the value of the flag conflicts with the contents of the | ||
| `allowedUnsafeSysctls` field in the PodSecurityPolicy, the pod will fail to |
There was a problem hiding this comment.
what does "conflicts with the contents of the allowedUnsafeSysctls field" mean? The is no directly relation between the two. This would be correct: If you whitelist unsafe sysctls via the allowedUnsafeSysctls field in a PSP, any pod using such a sysctl will fail to start if the sysctl is not whitelisted via the --allowed-unsafe-sysctls kubelet flag as well on that node.
mdlinville
reviewed
Jun 12, 2018
|
|
||
| The sysctl feature is an alpha API. Therefore, sysctls are set using annotations | ||
| on pods. They apply to all containers in the same pod. | ||
| In general, use the pod security context on pods to configure sysctls. |
There was a problem hiding this comment.
Maybe "When possible, use the pod security context to configure sysctls on pods. This context applies to all containers on a given pod."
There was a problem hiding this comment.
"when possible" is misleading. The pod security context is the way to configure sysctls. There is no alternative.
mdlinville
reviewed
Jun 12, 2018
|
|
||
| Here is an example, it authorizes binding user creating pod with corresponding sysctls. | ||
| It's not allowed to configure these two fields such that there is overlap. |
There was a problem hiding this comment.
s/It's not allowed/Do not
What happens if you do? Is there an error?
There was a problem hiding this comment.
I think that my question is answered by the warning below. Maybe this sentence belongs as part of the warning.
There was a problem hiding this comment.
I still think the warning here is wrong. An overlap is simply not allowed by validation. Such a PSP is rejected. Nothing bad happens if you try.
There was a problem hiding this comment.
The warning and this sentence are unrelated. The warning is about pods which will be unable to launch even though the PSP allows them, but the kubelet does not. This sentence here is about the overlap of both fields in the PSP.
|
I just pushed another copyedit commit. PTAL @sttts @ingvagabund and lift the hold if this is now good to go. /hold |
sttts
reviewed
Jun 14, 2018
|
|
||
| The following sysctls are known to be _namespaced_: | ||
| The following sysctls are _namespaced_: |
There was a problem hiding this comment.
this list might change from kernel to kernel. This was the reason for the "known to be".
There was a problem hiding this comment.
Thanks for the clarification. I misunderstood the intent.
sttts
reviewed
Jun 14, 2018
| with privileged containers. | ||
| Sysctls with no namespace are called _node-level_ sysctls. If you need to set | ||
| them, you must manually configure them on each node's operating system, or by | ||
| using a DaemonSet with privileged containers. |
sttts
reviewed
Jun 14, 2018
|
|
||
| The sysctl feature is an alpha API. Therefore, sysctls are set using annotations | ||
| on pods. They apply to all containers in the same pod. | ||
| For namespaced sysctls, use the pod securityContext to configure sysctls. They |
sttts
reviewed
Jun 14, 2018
| ## PodSecurityPolicy Annotations | ||
| ## PodSecurityPolicy | ||
|
|
||
| To control which sysctls can be set in pods, specify the |
sttts
reviewed
Jun 14, 2018
| To control which sysctls can be set in pods, specify the | ||
| `forbiddenSysctls` and/or `allowedUnsafeSysctls` fields in the PodSecurityPolicy. | ||
|
|
||
| By default, all safe sysctls in the whitelist are allowed. |
There was a problem hiding this comment.
nit: the whitelist defines the safe sysctls. "in the whitelist" is redundant.
sttts
reviewed
Jun 14, 2018
|
|
||
| The use of sysctl in pods can be controlled via annotation on the PodSecurityPolicy. | ||
| The `forbiddenSysctls` field excludes specific sysctls, and can include a |
There was a problem hiding this comment.
nit: excludes vs. include is confusing. Better use a different word for "include".
sttts
reviewed
Jun 14, 2018
| not present in the `forbiddenSysctls` field, that sysctl can be used in Pods under | ||
| this PodSecurityPolicy. In order to allow all unsafe sysctls in the PodSecurityPolicy | ||
| to be set (except for those explicitly forbidden by `forbiddenSysctls`), | ||
| use `*` on its own. |
There was a problem hiding this comment.
unfortunately this does not work: you cannot use * and forbid some in forbiddenSysctls at the same time. Just drop the parenthesis.
sttts
reviewed
Jun 14, 2018
| **Warning**: If you whitelist unsafe sysctls via the `allowedUnsafeSysctls` field | ||
| in a PodSecurityPolicy, any pod using such a sysctl will fail to start | ||
| if the sysctl is not whitelisted via the `--allowed-unsafe-sysctls` kubelet | ||
| flag as well on that node. |
|
@mistyhacks left some remaining comments. Overall, it looks much better now. |
|
Addressed remaining feedback. |
k8s-ci-robot
added
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mistyhacks The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
mdlinville
pushed a commit
that referenced
this pull request
Jun 20, 2018
* Promote sysctls to Beta * Copyedits Signed-off-by: Misty Stanley-Jones <mistyhacks@google.com> * Review comments * Address feedback * More feedback
mdlinville
pushed a commit
that referenced
this pull request
Jun 27, 2018
* Promote sysctls to Beta * Copyedits Signed-off-by: Misty Stanley-Jones <mistyhacks@google.com> * Review comments * Address feedback * More feedback
mdlinville
pushed a commit
that referenced
this pull request
Jun 27, 2018
* Promote sysctls to Beta * Copyedits Signed-off-by: Misty Stanley-Jones <mistyhacks@google.com> * Review comments * Address feedback * More feedback
k8s-ci-robot
pushed a commit
that referenced
this pull request
Jun 27, 2018
* Seperate priority and preemption (#8144) * Doc about PID pressure condition. (#8211) * Doc about PID pressure condition. Signed-off-by: Da K. Ma <klaus1982.cn@gmail.com> * "so" -> "too" * Update version selector for 1.11 * StorageObjectInUseProtection is GA (#8291) * Feature gate: StorageObjectInUseProtection is GA Update feature gate reference for 1.11 * Trivial commit to re-trigger Netlify * CRIContainerLogRotation is Beta in 1.11 (#8665) * Seperate priority and preemption (#8144) * CRIContainerLogRotation is Beta in 1.11 xref: kubernetes/kubernetes#64046 * Bring StorageObjectInUseProtection feature to GA (#8159) * StorageObjectInUseProtection is GA (#8291) * Feature gate: StorageObjectInUseProtection is GA Update feature gate reference for 1.11 * Trivial commit to re-trigger Netlify * Bring StorageObjectInUseProtection feature to GA StorageObjectInUseProtection is Beta in K8s 1.10. It's brought to GA in K8s 1.11. * Fixed typo and added feature state tags. * Remove KUBE_API_VERSIONS doc (#8292) The support to the KUBER_API_VERSIONS environment variable is completely dropped (no deprecation). This PR removes the related doc in release-1.11. xref: kubernetes/kubernetes#63165 * Remove InitialResources from admission controllers (#8293) The feature (was experimental) is dropped in 1.11. xref: kubernetes/kubernetes#58784 * Remove docs related to in-tree support to GPU (#8294) * Remove docs related to in-tree support to GPU The in-tree support to GPU is completely removed in release 1.11. This PR removes the related docs in release-1.11 branch. xref: kubernetes/kubernetes#61498 * Update content updated by PR to Hugo syntax Signed-off-by: Misty Stanley-Jones <mistyhacks@google.com> * Update the doc about extra volume in kubeadm config (#8453) Signed-off-by: Xianglin Gao <xianglin.gxl@alibaba-inc.com> * Update CRD Subresources for 1.11 (#8519) * coredns: update notes in administer-cluster/coredns.md (#8697) CoreDNS is installed by default in 1.11. Add notes on how to install kube-dns instead. Update notes about CoreDNS->CoreDNS upgrades as in 1.11 the Corefile is retained. Add example on upgrading from kube-dns to CoreDNS. * kubeadm-alpha: CoreDNS related changes (#8727) Update note about CoreDNS feature gate. This change also updates a tab as a kubeadm sub-command will change. It looks for a new generated file: generated/kubeadm_alpha_phase_addon_coredns.md instead of: generated/kubeadm_alpha_phase_addon_kube-dns.md * Update cloud controller manager docs to beta 1.11 (#8756) * Update cloud controller manager docs to beta 1.11 * Use Hugo shortcode for feature state * kubeadm-upgrade: include new command `kubeadm upgrade diff` (#8617) Also: - Include note that this was added in 1.11. - Modify the note about upgrade guidance. * independent: update CoreDNS mentions for kubeadm (#8753) Give CoreDNS instead of kube-dns examples in: - docs/setup/independent/create-cluster-kubeadm.md - docs/setup/independent/troubleshooting-kubeadm.md * update 1.11 --server-print info (#8870) * update 1.11 --server-print info * Copyedit * Mark ExpandPersistentVolumes feature to beta (#8778) * Update version selector for 1.11 * Mark ExpandPersistentVolumes Beta xref: kubernetes/kubernetes#64288 * fix shortcode, add placeholder files to fix deploy failures (#8874) * declare ipvs ga (#8850) * kubeadm: update info about CoreDNS in kubeadm-init.md (#8728) Add info to install kube-dns instead of CoreDNS, as CoreDNS is the default DNS server in 1.11. Add notes that kubeadm config images can be used to list and pull the required images in 1.11. * kubeadm: update implementation-details.md about CoreDNS (#8829) - Replace examples from kube-dns to CoreDNS - Add notes about the CoreDNS feature gate status in 1.11 - Add note that the service name for CoreDNS is also called `kube-dns` * Update block device support for 1.11 (#8895) * Update block device support for 1.11 * Copyedits * Fix typo 'fiber channel' (#8957) Signed-off-by: Misty Stanley-Jones <mistyhacks@google.com> * kubeadm-upgrade: add the 'node [config]' sub-command (#8960) - Add includes for the generated pages - Include placeholder generated pages * kubeadm-init: update the example for the MasterConfiguration (#8958) - include godocs link for MasterConfiguration - include example MasterConfiguration - add note that `kubeadm config print-default` can be used * kubeadm-config: include new commands (#8862) Add notes and includes for these new commands in 1.11: - kubeadm config print-default - kubeadm config migrate - kubeadm config images list - kubeadm config images pull Include placeholder generated files for the above. * administer-cluster/coredns: include more changes (#8985) It was requested that for this page a couple of methods should be outlined: - manual installation for CoreDNS explained at the Kubernetes section of the GitHub project for CoreDNS - installation and upgrade via kubeadm Make the above changes and also add a section "About CoreDNS". This commit also lowercases a section title. * Update CRD subresources doc for 1.11 (#8918) * Add docs for volume expansion and online resizing (#8896) * Add docs for volume expansion going beta * Copyedit * Address feedback * Update exec plugin docs with TLS credentials (#8826) * Update exec plugin docs with TLS credentials kubernetes/kubernetes#61803 implements TLS client credential support for 1.11. * Copyedit * More copyedits for clarification * Additional copyedit * Change token->credential * NodeRestriction admission prevents kubelet taint removal (#8911) * dns-custom-namerserver: break down the page into mutliple sections (#8900) * dns-custom-namerserver: break down the page into mutliple sections This page is currently about kube-dns and is a bit outdated. Introduce the heading `# Customizing kube-dns`. Introduce a separate section about CoreDNS. * Copyedits, fix headings for customizing DNS Hey Lubomir, I coypedited pretty heavily because this workflow is so much easier for docs and because I'm trying to help improve everything touching kubeadm as much as possible. But there's one outstanding issue wrt headings and intro content: you can't add a heading 1 to a topic to do what you wanted to do. The page title in the front matter is rendered as a heading 1 and everything else has to start at heading 2. (We still need to doc this better in the docs contributing content, I know.) Instead, I think we need to rewrite the top-of-page intro content to explain better the relationship between kube-dns and CoreDNS. I'm happy to write something, but I thought I'd push this commit first so you can see what I'm doing. Hope it's all clear -- ping here or on Slack with any questions ~ Jennifer * Interim fix for talking about CoreDNS * Fix CoreDNS details * PSP readOnly hostPath (#8898) * Add documentation for crictl (#8880) * Add documentation for crictl * Copyedit Signed-off-by: Misty Stanley-Jones <mistyhacks@google.com> * Final copyedit * VolumeSubpathEnvExpansion alpha feature (#8835) * Note that Heapster is deprecated (#8827) * Note that Heapster is deprecated This notes that Heapster is deprecated, and migrates the relevant docs to talk about metrics-server or other solutions by default. * Copyedits and improvements Signed-off-by: Misty Stanley-Jones <mistyhacks@google.com> * Address feedback * fix shortcode to troubleshoot deploy (#9057) * update dynamic kubelet config docs for v1.11 (#8766) * update dynamic kubelet config docs for v1.11 * Substantial copyedit * Address feedback * Reference doc for kubeadm (release-1.11) (#9044) * Reference doc for kubeadm (release-1.11) * fix shortcode to troubleshoot deploy (#9057) * Reference doc for kube-components (release-1.11) (#9045) * Reference doc for kube-components (release-1.11) * Update cloud-controller-manager.md * fix shortcode to troubleshoot deploy (#9057) * Documentation on lowercasing kubeadm init apiserver SANs (#9059) * Documentation on lowercasing kubeadm init apiserver SANs * fix shortcode to troubleshoot deploy (#9057) * Clarification in dynamic Kubelet config doc (#9061) * Promote sysctls to Beta (#8804) * Promote sysctls to Beta * Copyedits Signed-off-by: Misty Stanley-Jones <mistyhacks@google.com> * Review comments * Address feedback * More feedback * kubectl reference docs for 1.11 (#9080) * Update Kubernetes API 1.11 ref docs (#8977) * Update v1alpha1 to v1beta1. * Adjust left nav for 1.11 ref docs. * Trim list of old ref docs. * Update Federation API ref docs for 1.11. (#9064) * Update Federation API ref docs for 1.11. * Add titles. * Update definitions.html * CRD versioning Public Documentation (#8834) * CRD versioning Public Documentation * Copyedit Signed-off-by: Misty Stanley-Jones <mistyhacks@google.com> * Address feedback * More rewrites * Address feedback * Update main CRD page in light of versioning * Reorg CRD docs * Further reorg * Tweak title * CSI documentation update for raw block volume support (#8927) * CSI documetation update for raw block volume support * minor edits for "CSI raw block volume support" Some small grammar and style nits. * minor CSIBlockVolume edits * Update kubectl component ref page for 1.11. (#9094) * Update kubectl component ref page for 1.11. * Add title. Replace stevepe with username. * crd versioning doc: fix nits (#9142) * Update `DynamicKubeletConfig` feature to beta (#9110) xref: kubernetes/kubernetes#64275 * Documentation for dynamic volume limits based on node type (#8871) * add cos for storage limits * Update docs specific for aws and gce * fix some minor things * Update storage-limits.md * Add k8s version to feature-state shortcode * The Doc update for ScheduleDaemonSetPods (#8842) Signed-off-by: Da K. Ma <klaus1982.cn@gmail.com> * Update docs related to PersistentVolumeLabel admission control (#9109) The said admission controller is disabled by default in 1.11 (kubernetes/kubernetes#64326) and scheduled to be removed in future release. * client exec auth: updates for 1.11 (#9154) * Updates HA kubeadm docs (#9066) * Updates HA kubeadm docs Signed-off-by: Chuck Ha <ha.chuck@gmail.com> * kubeadm HA - Add stacked control plane steps * ssh instructions and some typos in the bash scripts Signed-off-by: Chuck Ha <ha.chuck@gmail.com> * Fix typos and copypasta errors * Fix rebase issues * Integrate more changes Signed-off-by: Chuck Ha <ha.chuck@gmail.com> * copyedits, layout and formatting fixes * final copyedits * Adds a sanity check for load balancer connection Signed-off-by: Chuck Ha <ha.chuck@gmail.com> * formatting fixes, copyedits * fix typos, formatting * Document the Pod Ready++ feature (#9180) Closes: #9107 Xref: kubernetes/kubernetes#64057 * Mention 'KubeletPluginsWatcher' feature (#9177) * Mention 'KubeletPluginsWatcher' feature This feature is more developers oriented than users oriented, so simply mention it in the feature gate should be fine. In future, when the design doc is migrated from Google doc to the kubernetes/community repo, we can add links to it for users who want to dig deeper. Closes: #9108 Xref: kubernetes/kubernetes#63328, kubernetes/kubernetes#64605 * Copyedit * Amend dynamic volume list docs (#9181) The dynamic volume list feature has been documented but the feature gate related was not there yet. Closes: #9105 * Document for service account projection (#9182) This adds docs for the service account projection feature. Xref: kubernetes/kubernetes#63819, kubernetes/community#1973 Closes: #9102 * Update pod priority and preemption user docs (#9172) * Update pod priority and preemption user docs * Copyedit * Documentation on setting node name with Kubeadm (#8925) * Documentation on setting node name with Kubeadm * copyedit * Add kubeadm upgrade docs for 1.11 (#9089) * Add kubeadm upgrade docs for 1.11 * Initial docs review feedback * Add 1-11 to outline * Fix formatting on tab blocks * Move file to correct location * Add `kubeadm upgrade node config` step * Overzealous ediffing * copyedit, fix lists and headings * clarify --force flag for fixing bad state * Get TOML ready for 1.11 release * Blog post for 1.11 release (#9254) * Blog post for 1.11 release * Update 2018-06-26-kubernetes-1.11-release-announcement.md * Update 2018-06-26-kubernetes-1.11-release-announcement.md * Update 2018-06-26-kubernetes-1.11-release-announcement.md
Merged
dims
pushed a commit
to dims/website
that referenced
this pull request
Jan 23, 2023
* Update the 3.4 doc about the known issue of v2 to v3 migration * Remove v2 migration doc from 3.5 and 3.6 Fixes kubernetes#8804 Signed-off-by: Hongbin Lu <hongbinlu@microsoft.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Blocked until kubernetes/kubernetes#63717 gets merged
Edit: kubernetes/kubernetes#63717 merged