[WIP Waiting for Source Code Merge] Bring StorageObjectInUseProtection feature to GA

OWNERS

@@ -2,6 +2,7 @@ reviewers:
 - tengqm
 - zhangxiaoyu-zidif
 - xiangpengzhao
+- bradtopol
 approvers:
 - heckj
 - a-mccarthy

_data/tasks.yml

@@ -32,6 +32,7 @@ toc:
   - docs/tasks/configure-pod-container/configure-pod-initialization.md
   - docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
   - docs/tasks/configure-pod-container/configure-pod-configmap.md
+  - docs/tasks/configure-pod-container/share-process-namespace.md
   - docs/tools/kompose/user-guide.md
 
 - title: Inject Data Into Applications
@@ -162,6 +163,7 @@ toc:
   - docs/tasks/administer-cluster/reserve-compute-resources.md
   - docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods.md
   - docs/tasks/administer-cluster/declare-network-policy.md
+  - docs/tasks/administer-cluster/kms-provider.md      
   - title: Install Network Policy Provider
     section:
     - docs/tasks/administer-cluster/calico-network-policy.md
@@ -183,6 +185,7 @@ toc:
   - docs/tasks/administer-cluster/dns-custom-nameservers.md
   - docs/tasks/administer-cluster/dns-debugging-resolution.md
   - docs/tasks/administer-cluster/pvc-protection.md
+  - docs/tasks/administer-cluster/storage-object-in-use-protection.md
 
 - title: Federation - Run an App on Multiple Clusters
   landing_page: /docs/tasks/federation/set-up-cluster-federation-kubefed/

case-studies/index.html

@@ -38,6 +38,12 @@ <h5>A collection of users running Kubernetes in production.</h5>
                   <!--<p class="attrib">—  Simon Lallemand, Infrastructure Engineer at BlaBlaCar</p>-->
                   <a href="/case-studies/blablacar/">Read about BlaBlaCar</a>
               </div>
+              <div class="case-study">
+                  <img src="/images/case_studies/peardeck.png" alt="peardeck">
+                  <p class="quote">"In terms of the cloud, Kubernetes and Prometheus have so much to offer."</p>
+                  <!--<p class="attrib">—  Riley Eynon-Lynch, CEO of Pear Deck</p>-->
+                  <a href="/case-studies/peardeck/">Read about Pear Deck</a>
+              </div>
             </div>
         </div>
     </main>

cn/docs/admin/kubelet-authentication-authorization.md

@@ -33,11 +33,9 @@ To enable X509 client certificate authentication to the kubelet's HTTPS endpoint
 To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet's HTTPS endpoint:
 
 * ensure the `authentication.k8s.io/v1beta1` API group is enabled in the API server
-* start the kubelet with the `--authentication-token-webhook`, `--kubeconfig`, and `--require-kubeconfig` flags
+* start the kubelet with the `--authentication-token-webhook` and the `--kubeconfig` flags
 * the kubelet calls the `TokenReview` API on the configured API server to determine user information from bearer tokens
 
-**Note:** The flag `--require-kubeconfig` is deprecated as of Kubernetes 1.8, this will be removed in a future version. You no longer need to use `--require-kubeconfig` in Kubernetes 1.8.
-
 ## Kubelet authorization
 
 Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is `AlwaysAllow`, which allows all requests.
@@ -51,11 +49,9 @@ There are many possible reasons to subdivide access to the kubelet API:
 To subdivide access to the kubelet API, delegate authorization to the API server:
 
 * ensure the `authorization.k8s.io/v1beta1` API group is enabled in the API server
-* start the kubelet with the `--authorization-mode=Webhook`, `--kubeconfig`, and `--require-kubeconfig` flags
+* start the kubelet with the `--authorization-mode=Webhook` and the `--kubeconfig` flags
 * the kubelet calls the `SubjectAccessReview` API on the configured API server to determine whether each request is authorized
 
-**Note:** The flag `--require-kubeconfig` is deprecated as of Kubernetes 1.8, this will be removed in a future version. You no longer need to use `--require-kubeconfig` in Kubernetes 1.8.
-
 The kubelet authorizes API requests using the same [request attributes](/docs/admin/authorization/#request-attributes) approach as the apiserver.
 
 The verb is determined from the incoming request's HTTP verb:

cn/docs/admin/kubelet-tls-bootstrapping.md

@@ -190,7 +190,6 @@ When starting the kubelet, if the file specified by `--kubeconfig` does not exis
 **Note:** The following flags are required to enable this bootstrapping when starting the kubelet:
 
 ```
---require-kubeconfig
 --bootstrap-kubeconfig="/path/to/bootstrap/kubeconfig"
 ```
 

cn/docs/tasks/administer-cluster/kubelet-config-file.md

@@ -45,7 +45,7 @@ title: 通过配置文件设置 Kubelet 参数
 ## 启动通过配置文件配置的 Kubelet 进程
 
 
-启动 Kubelet，需要打开 `KubeletConfigFile` 特性开关（feature gate）并将其 `--init-config-dir` 标志设置为包含 `kubelet` 文件的文件夹路径。Kubelet 将从 `kubelet` 文件中读取由 `KubeletConfiguration` 定义的参数，而不是从参数相关的命令行标志中读取。
+启动 Kubelet 需要将其 `--init-config-dir` 标志设置为包含 `kubelet` 文件的文件夹路径。Kubelet 将从 `kubelet` 文件中读取由 `KubeletConfiguration` 定义的参数，而不是从参数相关的命令行标志中读取。
 
 {% endcapture %}
 

cn/docs/user-guide/kubectl-overview.md

@@ -93,7 +93,7 @@ Operation       | Syntax    |       Description
 `configmaps` |`cm`
 `controllerrevisions` |
 `cronjobs` |
-`customresourcedefinition` |`crd`
+`customresourcedefinition` |`crd`, `crds`
 `daemonsets` |`ds`
 `deployments` |`deploy`
 `endpoints` |`ep`

docs/admin/admission-controllers.md

@@ -31,8 +31,7 @@ controllers may modify the objects they admit; validating controllers may not.
 The admission control process proceeds in two phases. In the first phase,
 mutating admission controllers are run. In the second phase, validating
 admission controllers are run. Note again that some of the controllers are
-both. In both phases, the controllers are run in the order specified by the
-`--admission-control` flag of `kube-apiserver`.
+both.
 
 If any of the controllers in either phase reject the request, the entire
 request is rejected immediately and an error is returned to the end-user.
@@ -54,13 +53,12 @@ support all the features you expect.
 
 ## How do I turn on an admission controller?
 
-The Kubernetes API server supports a flag, `admission-control` that takes a comma-delimited,
-ordered list of admission control choices to invoke prior to modifying objects in the cluster.
-For example, the following command line turns on the `NamespaceLifecycle` and the `LimitRanger`
-admission controller:
+The Kubernetes API server flag `enable-admission-plugins` takes a comma-delimited list of admission control plugins to invoke prior to modifying objects in the cluster.
+For example, the following command line enables the `NamespaceLifecycle` and the `LimitRanger`
+admission control plugins:
 
 ```shell
-kube-apiserver --admission-control=NamespaceLifecyle,LimitRanger ...
+kube-apiserver --enable-admission-plugins=NamespaceLifecyle,LimitRanger ...
 ```
 
 **Note**: Depending on the way your Kubernetes cluster is deployed and how the
@@ -70,11 +68,19 @@ deployed as a systemd service, you may modify the manifest file for the API
 server if Kubernetes is deployed in a self-hosted way.
 {: .note}
 
+## How do I turn off an admission controller?
+
+The Kubernetes API server flag `disable-admission-plugins` takes a comma-delimited list of admission control plugins to be disabled, even if they are in the list of plugins enabled by default.
+
+```shell
+kube-apiserver --disable-admission-plugins=PodNodeSelector,AlwaysDeny ...
+```
+
 ## What does each admission controller do?
 
-### AlwaysAdmit
+### AlwaysAdmit (DEPRECATED)
 
-Use this admission controller by itself to pass-through all requests.
+Use this admission controller by itself to pass-through all requests. AlwaysAdmit is DEPRECATED as no real meaning.
 
 ### AlwaysPullImages
 
@@ -86,9 +92,9 @@ scheduled onto the right node), without any authorization check against the imag
 is enabled, images are always pulled prior to starting containers, which means valid credentials are
 required.
 
-### AlwaysDeny
+### AlwaysDeny (DEPRECATED)
 
-Rejects all requests.  Used for testing.
+Rejects all requests. AlwaysDeny is DEPRECATED as no real meaning.
 
 ### DefaultStorageClass
 
@@ -134,7 +140,7 @@ enabling this admission controller.
 
 ### EventRateLimit (alpha)
 
-This admission controller is introduced in v1.9 to mitigate the problem where the API server gets flooded by
+This admission controller mitigates the problem where the API server gets flooded by
 event requests. The cluster admin can specify event rate limits by:
 
  * Ensuring that `eventratelimit.admission.k8s.io/v1alpha1=true` is included in the
@@ -180,19 +186,15 @@ for more details.
 
 ### ExtendedResourceToleration
 
-This plug-in is introduced in v1.9 to facilitate creation of dedicated nodes with extended resources.
+This plug-in facilitates creation of dedicated nodes with extended resources.
 If operators want to create dedicated nodes with extended resources (like GPUs, FPGAs etc.), they are expected to
 taint the node with the extended resource name as the key. This admission controller, if enabled, automatically
 adds tolerations for such taints to pods requesting extended resources, so users don't have to manually
 add these tolerations.
 
 ### ImagePolicyWebhook
 
-The ImagePolicyWebhook admission controller allows a backend webhook to make admission decisions. You enable this admission controller by setting the admission-control option as follows:
-
-```shell
---admission-control=ImagePolicyWebhook
-```
+The ImagePolicyWebhook admission controller allows a backend webhook to make admission decisions. 
 
 #### Configuration File Format
 
@@ -314,7 +316,6 @@ In any case, the annotations are provided by the user and are not validated by K
 
 ### Initializers (alpha)
 
-This admission controller is introduced in v1.7.
 The admission controller determines the initializers of a resource based on the existing
 `InitializerConfiguration`s. It sets the pending initializers by modifying the
 metadata of the resource to be created.
@@ -331,7 +332,7 @@ The annotations added contain the information on what compute resources were aut
 
 See the [InitialResources proposal](https://git.k8s.io/community/contributors/design-proposals/autoscaling/initial-resources.md) for more details.
 
-### LimitPodHardAntiAffinity
+### LimitPodHardAntiAffinityTopology
 
 This admission controller denies any pod that defines `AntiAffinity` topology key other than
 `kubernetes.io/hostname` in `requiredDuringSchedulingRequiredDuringExecution`.
@@ -414,27 +415,23 @@ This admission controller also protects the access to `metadata.ownerReferences[
 of an object, so that only users with "update" permission to the `finalizers`
 subresource of the referenced *owner* can change it.
 
-### Persistent Volume Claim Protection (alpha)
-{% assign for_k8s_version="v1.9" %}{% include feature-state-alpha.md %}
-The `PVCProtection` plugin adds the `kubernetes.io/pvc-protection` finalizer to newly created Persistent Volume Claims (PVCs). In case a user deletes a PVC the PVC is not removed until the finalizer is removed from the PVC by PVC Protection Controller. Refer to the [PVC Protection](/docs/concepts/storage/persistent-volumes/#persistent-volume-claim-protection) for more detailed information.
-
-### PersistentVolumeLabel
+### PersistentVolumeLabel (DEPRECATED)
 
 This admission controller automatically attaches region or zone labels to PersistentVolumes
 as defined by the cloud provider (for example, GCE or AWS).
 It helps ensure the Pods and the PersistentVolumes mounted are in the same
 region and/or zone.
 If the admission controller doesn't support automatic labelling your PersistentVolumes, you
 may need to add the labels manually to prevent pods from mounting volumes from
-a different zone.
+a different zone. PersistentVolumeLabel is DEPRECATED and labeling persistent volumes has been taken over by [cloud controller manager](/docs/tasks/administer-cluster/running-cloud-controller/).
 
 ### PodNodeSelector
 
 This admission controller defaults and limits what node selectors may be used within a namespace by reading a namespace annotation and a global configuration.
 
 #### Configuration File Format
 
-PodNodeSelector uses a configuration file to set options for the behavior of the backend.
+`PodNodeSelector` uses a configuration file to set options for the behavior of the backend.
 Note that the configuration file format will move to a versioned file in a future release.
 This file may be json or yaml and has the following format:
 
@@ -445,7 +442,7 @@ podNodeSelectorPluginConfig:
  namespace2: <node-selectors-labels>
 ```
 
-Reference the PodNodeSelector configuration file from the file provided to the API server's command line flag `--admission-control-config-file`:
+Reference the `PodNodeSelector` configuration file from the file provided to the API server's command line flag `--admission-control-config-file`:
 
 ```yaml
 kind: AdmissionConfiguration
@@ -457,7 +454,7 @@ plugins:
 ```
 
 #### Configuration Annotation Format
-PodNodeSelector uses the annotation key `scheduler.alpha.kubernetes.io/node-selector` to assign node selectors to namespaces.
+`PodNodeSelector` uses the annotation key `scheduler.kubernetes.io/node-selector` to assign node selectors to namespaces.
 
 ```yaml
 apiVersion: v1
@@ -468,6 +465,19 @@ metadata:
   name: namespace3
 ```
 
+#### Internal Behavior
+This admission controller has the following behavior:
+  1. If the `Namespace` has an annotation with a key `scheduler.kubernetes.io/nodeSelector`, use its value as the
+     node selector.
+  1. If the namespace lacks such an annotation, use the `clusterDefaultNodeSelector` defined in the `PodNodeSelector`
+     plugin configuration file as the node selector.
+  1. Evaluate the pod's node selector against the namespace node selector for conflicts. Conflicts result in rejection.
+  1. Evaluate the pod's node selector against the namespace-specific whitelist defined the plugin configuration file.
+     Conflicts result in rejection.
+
+**Note:** `PodTolerationRestriction` is more versatile and powerful than `PodNodeSelector` and can encompass the scenarios supported by `PodNodeSelector`.
+{: .note}
+
 ### PersistentVolumeClaimResize
 
 This admission controller implements additional validations for checking incoming `PersistentVolumeClaim` resize requests.
@@ -545,8 +555,6 @@ objects in your Kubernetes deployment, you MUST use this admission controller to
 
 See the [resourceQuota design doc](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_resource_quota.md) and the [example of Resource Quota](/docs/concepts/policy/resource-quotas/) for more details.
 
-It is strongly encouraged that this admission controller is configured last in the sequence of admission controllers.  This is
-so that quota is not prematurely incremented only for the request to be rejected later in admission control.
 
 ### SecurityContextDeny
 
@@ -557,6 +565,9 @@ This admission controller will deny any pod that attempts to set certain escalat
 This admission controller implements automation for [serviceAccounts](/docs/user-guide/service-accounts).
 We strongly recommend using this admission controller if you intend to make use of Kubernetes `ServiceAccount` objects.
 
+### Storage Object in Use Protection
+The `StorageObjectInUseProtection` plugin adds the `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection` finalizers to newly created Persistent Volume Claims (PVCs) or Persistent Volumes (PV). In case a user deletes a PVC or PV the PVC or PV is not removed until the finalizer is removed from the PVC or PV by PVC or PV Protection Controller. Refer to the [Storage Object in Use Protection](/docs/concepts/storage/persistent-volumes/#storage-object-in-use-protection) for more detailed information.
+
 ### ValidatingAdmissionWebhook (alpha in 1.8; beta in 1.9)
 
 This admission controller calls any validating webhooks which match the request. Matching
@@ -577,7 +588,7 @@ versions >= 1.9).
 ## Is there a recommended set of admission controllers to use?
 
 Yes.
-For Kubernetes >= 1.9.0, we strongly recommend running the following set of admission controllers (order matters):
+For Kubernetes >= 1.9.0, we strongly recommend running the following set of admission controllers (order matters for 1.9 but not >1.10):
 
 ```shell
 --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota