-
Notifications
You must be signed in to change notification settings - Fork 14.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update docs/admin/kubeadm.md for 1.8 #5440
Update docs/admin/kubeadm.md for 1.8 #5440
Conversation
Deploy preview ready! Built with commit 897bac7 https://deploy-preview-5440--kubernetes-io-vnext-staging.netlify.com |
Rendered changes are here: https://deploy-preview-5440--kubernetes-io-vnext-staging.netlify.com/docs/admin/kubeadm/ Edit: also, I'm not able to set the milestone, but this should be in 1.8. |
5a416e1
to
be79635
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made a couple of suggestions----I'm not sure how your bandwidth is, so let me know if you'd prefer for me to help fix the formatting or if you can handle based on my comments :) Most of these are nice-to-haves so if you're pressed for time it's ok.
docs/admin/kubeadm.md
Outdated
@@ -27,7 +27,7 @@ following steps: | |||
dropping it in the cert directory (configured via `--cert-dir`, by default | |||
`/etc/kubernetes/pki`), this step is skipped. | |||
|
|||
1. Outputting a kubeconfig file for the kubelet to use to connect to the API | |||
1. kubeadm outputs a kubeconfig file for the kubelet to use to connect to the API |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would it be possible to better clarify the difference between the two? Is it that one replaces ~/.kube/config
and the other becomes a new file in ~/.kube
? (I'm not sure what exactly it means)
docs/admin/kubeadm.md
Outdated
|
||
### `kubeadm join` | ||
### `kubeadm join` {#kubeadm-join} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fyi I don't actually think the anchor is necessary---markdown will naturally convert any line prefixed with #
into header elements (h1-h5, as appropriate). In this case it already looks like <h3 id="kubeadm-join">
even without the change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, good call.
docs/admin/kubeadm.md
Outdated
via an HTTPS URL. The forms are `kubeadm join --discovery-token | ||
abcdef.1234567890abcdef 1.2.3.4:6443`, `kubeadm join --discovery-file | ||
path/to/file.conf` or `kubeadm join --discovery-file https://url/file.conf`. | ||
with the IP address of the API server and a hash of the root CA key. The second |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it's not too much of a hassle, it might actually be clearer to format this with bullet points:
There are 2 main schemes for discovery:
Providing a shared token, along with the IP address...
kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 1.2.3.4:6443
Providing a file (a subset...)
kubeadm join --discovery-file path/to/file.conf
OR
kubeadm join --discovery-file https://url/file.conf
Only one form...
docs/admin/kubeadm.md
Outdated
@@ -216,7 +223,7 @@ can be used instead of specifying the each token individually. | |||
|
|||
Here's an example on how to use it: | |||
|
|||
`kubeadm join --token=abcdef.1234567890abcdef 192.168.1.1:6443` | |||
`kubeadm join --token=abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 192.168.1.1:6443` | |||
|
|||
Specific options: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mind bolding this for visibility? Also, while we're here, would be awesome if you could s/a/are in the line below :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that's strange that it's not a header or anything.
docs/admin/kubeadm.md
Outdated
default, the hash value is returned in the `kubeadm join` command printed at the | ||
end of `kubeadm init`. It is in a standard format (see | ||
[RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4)) and can also be | ||
calculated out of band by 3rd party tools or orchestration systems. For example, in OpenSSL: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggestion: "out of band" might be a bit more obscure of an expression (I had to look it up), is there a more colloquial term you could use? would "separately calculated" or "reproducibly calculated" work? (not sure if I'm interpreting correctly)
And for explicitness, could you say "For example, the OpenSSL key hash can be calculated from:" (or some such phrase)
docs/admin/kubeadm.md
Outdated
Note that this style of bootstrap has some relaxed security guarantees because | ||
it does not allow the root CA hash to be validated with | ||
`--discovery-token-ca-cert-hash` (since it's not generated when the nodes are | ||
provisioned). For details, see the [security model](#security-model) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: missing period after "security model"
docs/admin/kubeadm.md
Outdated
security expectations you have about your network and node lifecycles. | ||
|
||
### Token-based discovery with CA pinning | ||
This is the default mode in Kubernetes 1.8. It allows bootstrapping nodes to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
italicize first sentence?
docs/admin/kubeadm.md
Outdated
difficult to build automated provisioning tools that use kubeadm. | ||
|
||
### Token-based discovery without CA pinning | ||
This was the default in Kubernetes 1.7 and earlier, but comes with some |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
italicize first phrase until "earlier,"
docs/admin/kubeadm.md
Outdated
`--discovery-token-ca-cert-hash` (since it's not generated when the nodes are | ||
provisioned). For details, see the [security model](#security-model) | ||
|
||
## Security model {#security-model} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion, but only if you think it's helpful (since formatting might take a while): Might be better for visibility if you broke each of the three sections into "Advantages" and "Disadvantages", e.g.:
Token-based discovery with CA pinning
This is the default mode in Kubernetes 1.8.
Advantages
- It allows bootstrapping nodes...
- It's also convenient to execute manually...
Disadvantages
- The CA hash is not normally known...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! I took a shot at this in the latest commit (just pushed).
@@ -27,7 +27,7 @@ following steps: | |||
dropping it in the cert directory (configured via `--cert-dir`, by default | |||
`/etc/kubernetes/pki`), this step is skipped. | |||
|
|||
1. Outputting a kubeconfig file for the kubelet to use to connect to the API |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two unrelated changes, not sure where to put:
(1) Can you copy and paste the following at the top of this file? This doc is kinda long so a table of contents would help.
* TOC
{:toc}
(2) I noticed that this is one of the only pages that drops the navigation sidebar---I looked into it, and to fix it, you need to change the following in _data/reference.yml
:
replace
- title: Kubeadm
path: /docs/admin/kubeadm/
with
- docs/admin/kubeadm.md
(The *.md is important since the sidebar nav does a loopy thing that needs to match the filename exactly)
83d7b19
to
03847c7
Compare
@mattmoyer, Two small things: In the text, cloudprovider should be cloud provider. And crashloop should probably be crash loop. Otherwise, docs lgtm. |
@steveperry-53 thanks! Just fixed up those two things and another formatting issue I saw. |
- `kubeadm join --discovery-file https://url/file.conf` (remote HTTPS URL) | ||
|
||
**Advantages:** | ||
- Allows bootstrapping nodes to securely discover a root of trust for the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice! last nit: you'll want to put an extra space here (and in the next bullet point below), otherwise the formatting won't register
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. I had just tried to fix that but I missed this one.
thank you for the changes! other than the last comment LGTM :) |
- Made a couple of minor wording changes (not strictly 1.8 related). - Did some reformatting (not strictly 1.8 related). - Updated references to the default token TTL (was infinite, now 24 hours). - Documented the new `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join`. - Added references to the new `--discovery-token-ca-cert-hash` flag in all the default examples. - Added a new _Security model_ section that describes the security tradeoffs of the various discovery modes. - Documented the new `--groups` flag for `kubeadm token create`. - Added a note of caution under _Automating kubeadm_ that references the _Security model_ section. - Updated the component version table to drop 1.6 and add 1.8. - Update `_data/reference.yml` to try to get the sidebar fixed up and more consistent with `kubefed`.
17b2126
to
897bac7
Compare
Thanks @mattmoyer! |
I updated this doc yesterday and I was absolutely sure I fixed this, but I just saw that this commit got lost somehow. This was introduced recently in kubernetes#5440.
I updated this doc yesterday and I was absolutely sure I fixed this, but I just saw that this commit got lost somehow. This was introduced recently in kubernetes#5440.
I updated this doc yesterday and I was absolutely sure I fixed this, but I just saw that this commit got lost somehow. This was introduced recently in #5440.
* GC now supports non-core resources * Add two examples about how to analysis audits of kube-apiserver (#4264) * Deprecate system:nodes binding * [1.8] StatefulSet `initialized` annotation is now ignored. * inits the kubeadm upgrade docs addresses /issues/4689 * adds kubeadm upgrade cmd to ToC addresses /issues/4689 * add workload placement docs * ScaleIO - document udpate for 1.8 * Add documentation on storageClass.mountOptions and PV.mountOptions (#5254) * Add documentation on storageClass.mountOptions and PV.mountOptions * convert notes into callouts * Add docs for CustomResource validation add info about supported fields * advanced audit beta features (#5300) * Update job workload doc with backoff failure policy (#5319) Add to the Jobs documentation how to use the new backoffLimit field that limit the number of Pod failure before considering the Job as failed. * Documented additional AWS Service annotations (#4864) * Add device plugin doc under concepts/cluster-administration. (#5261) * Add device plugin doc under concepts/cluster-administration. * Update device-plugins.md * Update device-plugins.md Add meta description. Fix typo. Change bare metal deployment to manual deployment. * Update device-plugins.md Fix typo again. * Update page.version. (#5341) * Add documentation on storageClass.reclaimPolicy (#5171) * [Advanced audit] use new herf for audit-api (#5349) This tag contains all the changes in v1beta1 version. Update it now. * Added documentation around creating the InitializerConfiguration for the persistent volume label controller in the cloud-controller-manager (#5255) * Documentation for kubectl plugins (#5294) * Documentation for kubectl plugins * Update kubectl-plugins.md * Update kubectl-plugins.md * Updated CPU manager docs to match implementation. (#5332) * Noted limitation of alpha static cpumanager. * Updated CPU manager docs to match implementation. - Removed references to CPU pressure node condition and evictions. - Added note about new --cpu-manager-reconcile-period flag. - Added note about node allocatable requirements for static policy. - Noted limitation of alpha static cpumanager. * Move cpu-manager task link to rsc mgmt section. * init containers annotation removed in 1.8 (#5390) * Add documentation for TaintNodesByCondition (#5352) * Add documentation for TaintNodesByCondition * Update nodes.md * Update taint-and-toleration.md * Update daemonset.md * Update nodes.md * Update taint-and-toleration.md * Update daemonset.md * Fix deployments (#5421) * Document extended resources and OIR deprecation. (#5399) * Document extended resources and OIR deprecation. * Updated extended resources doc per reviews. * reverts extra spacing in _data/tasks.yml * addresses `kubeadm upgrade` review comments Feedback from @chenopis, @luxas, and @steveperry-53 addressed with this commit * HugePages documentation (#5419) * Update cpu-management-policies.md (#5407) Fixed the bad link. Modified "cpu" to "CPU". Added more 'yaml' as supplement. * Update RBAC docs for v1 (#5445) * Add user docs for pod priority and preemption (#5328) * Add user docs for pod priority and preemption * Update pod-priority-preemption.md * More updates * Update docs/admin/kubeadm.md for 1.8 (#5440) - Made a couple of minor wording changes (not strictly 1.8 related). - Did some reformatting (not strictly 1.8 related). - Updated references to the default token TTL (was infinite, now 24 hours). - Documented the new `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join`. - Added references to the new `--discovery-token-ca-cert-hash` flag in all the default examples. - Added a new _Security model_ section that describes the security tradeoffs of the various discovery modes. - Documented the new `--groups` flag for `kubeadm token create`. - Added a note of caution under _Automating kubeadm_ that references the _Security model_ section. - Updated the component version table to drop 1.6 and add 1.8. - Update `_data/reference.yml` to try to get the sidebar fixed up and more consistent with `kubefed`. * Update StatefulSet Basics for 1.8 release (#5398) * addresses `kubeadm upgrade` review comments 2nd iteration review comments by @luxas * adds kubelet upgrade section to kubeadm upgrade * Fix a bulleted list on docs/admin/kubeadm.md. (#5458) I updated this doc yesterday and I was absolutely sure I fixed this, but I just saw that this commit got lost somehow. This was introduced recently in #5440. * Clarify the API to check for device plugins * Moving Flexvolume to separate out-of-tree section * addresses `kubeadm upgrade` review comments CC: @luxas * fixes kubeadm upgrade index * Update Stackdriver Logging documentation (#5495) * Re-update WordPress and MySQL PV doc to use apps/v1beta2 APIs (#5526) * Update statefulset concepts doc to use apps/v1beta2 APIs (#5420) * add document on kubectl's behavior regarding initializers (#5505) * Update docs/admin/kubeadm.md to cover self-hosting in 1.8. (#5497) This is a new beta feature in 1.8. * Update kubectl patch doc to use apps/v1beta2 APIs (#5422) * [1.8] Update "Run Applications" tasks to apps/v1beta2. (#5525) * Update replicated stateful application task for 1.8. * Update single instance stateful app task for 1.8. * Update stateless app task for 1.8. * Update kubectl patch task for 1.8. * fix the link of persistent storage (#5515) * update the admission-controllers.md index.md what-is-kubernetes.md link * fix the link of persistent storage * Add quota support for local ephemeral storage (#5493) * Add quota support for local ephemeral storage update the doc to this alpha feature * Update resource-quotas.md * Updated Deployments concepts doc (#5491) * Updated Deployments concepts doc * Addressed comments * Addressed more comments * Modify allocatable storage to ephemeral-storage (#5490) Update the doc to use ephemeral-storage instead of storage * Revamped concepts doc for ReplicaSet (#5463) * Revamped concepts doc for ReplicaSet * Minor changes to call out specific versions for selector defaulting and immutability * Addressed doc review comments * Remove petset documentations (#5395) * Update docs to use batch/v1beta1 cronjobs (#5475) * add federation job doc (#5485) * add federation job doc * Update job.md Edits for clarity and consistency * Update job.md Fixed a typo * update DaemonSet concept for 1.8 release (#5397) * update DaemonSet concept for 1.8 release * Update daemonset.md Fix typo. than -> then * Update bootstrap tokens doc for 1.8. (#5479) * Update bootstrap tokens doc for 1.8. This has some changes I missed when I was updating the main kubeadm documention: - Bootstrap tokens are now beta, not alpha (kubernetes/enhancements#130) - The apiserver flag to enable the authenticator changedin 1.8 (kubernetes/kubernetes#51198) - Added `auth-extra-groups` documentaion (kubernetes/kubernetes#50933) - Updated the _Token Management with `kubeadm`_ section to link to the main kubeadm docs, since it was just duplicated information. * Update bootstrap-tokens.md * Updated the Cassandra tutorial to use apps/v1beta2 (#5548) * add docs for AllowPrivilegeEscalation (#5448) Signed-off-by: Jess Frazelle <acidburn@microsoft.com> * Add local ephemeral storage alpha feature in managing compute resource (#5522) * Add local ephemeral storage alpha feature in managing compute resource Since 1.8, we add the local ephemeral storage alpha feature as one resource type to manage. Add this feature into the doc. * Update manage-compute-resources-container.md * Update manage-compute-resources-container.md * Update manage-compute-resources-container.md * Update manage-compute-resources-container.md * Update manage-compute-resources-container.md * Update manage-compute-resources-container.md * Added documentation for Metrics Server (#5560) * authorization: improve authorization debugging docs (#5549) * Document mount propagation (#5544) * Update /docs/setup/independent/create-cluster-kubeadm.md for 1.8. (#5524) This introduction needed a couple of small tweaks to cover the `--discovery-token-ca-cert-hash` flag added in kubernetes/kubernetes#49520 and some version bumps. * Add task doc for alpha dynamic kubelet configuration (#5523) * Fix input/output of selfsubjectaccess review (#5593) * Add docs for implementing resize (#5528) * Add docs for implementing resize * Update admission-controllers.md * Added link to PVC section * minor typo fixes * Update NetworkPolicy concept guide with egress and CIDR changes (#5529) * update zookeeper tutorial for 1.8 release * add doc for hostpath type (#5503) * Federated Hpa feature doc (#5487) * Federated Hpa feature doc * Federated Hpa feature doc review fixes * Update hpa.md * Update hpa.md * update cloud controller manager docs for v1.8 * Update cronjob with defaults information (#5556) * Kubernetes 1.8 reference docs (#5632) * Kubernetes 1.8 reference docs * Kubectl reference docs for 1.8 * Update side bar with 1.8 kubectl and api ref docs links * remove petset.md * update on state of HostAlias in 1.8 with hostNetwork Pod support (#5644) * Fix cron job deletion section (#5655) * update imported docs (#5656) * Add documentation for certificate rotation. (#5639) * Link to using kubeadm page * fix the command output fix the command output * fix typo in api/resources reference: "Worloads" * Add documentation for certificate rotation. * Create TOC entry for cloud controller manager. (#5662) * Updates for new versions of API types * Followup 5655: fix link to garbage collection (#5666) * Temporarily redirect resources-reference to api-reference. (#5668) * Update config for 1.8 release. (#5661) * Update config for 1.8 release. * Address reviewer comments. * Switch references in HPA docs from alpha to beta (#5671) The HPA docs still referenced the alpha version. This switches them to talk about v2beta1, which is the appropriate version for Kubernetes 1.8 * Deprecate openstack heat (#5670) * Fix typo in pod preset conflict example Move container port definition to the correct line. * Highlight openstack-heat provider deprecation The openstack-heat provider for kube-up is being deprecated and will be removed in a future release. * Temporarily fix broken links by redirecting. (#5672) * Fix broken links. (#5675) * Fix render of code block (#5674) * Fix broken links. (#5677) * Add a small note about auto-bootstrapped CSR ClusterRoles (#5660) * Update kubeadm install doc for v1.8 (#5676) * add draft workloads api content for 1.8 (#5650) * add draft workloads api content for 1.8 * edits per review, add tables, for 1.8 workloads api doc * fix typo * Minor fixes to kubeadm 1.8 upgrade guide. (#5678) - The kubelet upgrade instructions should be done on every host, not just worker nodes. - We should just upgrade all packages, instead of calling out kubelet specifically. This will also upgrade kubectl, kubeadm, and kubernetes-cni, if installed. - Draining nodes should also ignore daemonsets, and master errors can be ignored. - Make sure that the new kubeadm download is chmoded correctly. - Add a step to run `kubeadm version` to verify after downloading. - Manually approve new kubelet CSRs if rotation is enabled (known issue). * Release 1.8 (#5680) * Fix versions for 1.8 API ref docs * Updates for 1.8 kubectl reference docs * Kubeadm /docs/admin/kubeadm.md cleanup, editing. (#5681) * Update docs/admin/kubeadm.md (mostly 1.8 related). This is Fabrizio's work, which I'm committing along with my edits (in a commit on top of this). * A few of my own edits to clarify and clean up some Markdown.
--discovery-token-ca-cert-hash
and--discovery-token-unsafe-skip-ca-verification
flags forkubeadm join
.--discovery-token-ca-cert-hash
flag in all the default examples.--groups
flag forkubeadm token create
._data/reference.yml
to try to get the sidebar fixed up and more consistent withkubefed
.cc @kubernetes/sig-cluster-lifecycle-misc @luxas @mhausenblas
This change is