Kubernetes requires PKI certificates for authentication over TLS. If you install Kubernetes with kubeadm, the certificates that your cluster requires are automatically generated. You can also generate your own certificates -- for example, to keep your private keys more secure by not storing them on the API server. This page explains the certificates that your cluster requires. How certificates are used by your cluster Kubernetes requires PKI for the following operations:

Gateway API is a family of API kinds that provide dynamic infrastructure provisioning and advanced traffic routing.

The Kubernetes API lets you query and manipulate the state of objects in Kubernetes. The core of Kubernetes' control plane is the API server and the HTTP API that it exposes. Users, the different parts of your cluster, and external components all communicate with one another through the API server.

Note: Dockershim has been removed from the Kubernetes project as of release 1.24. Read the Dockershim Removal FAQ for further details. You need to install a container runtime into each node in the cluster so that Pods can run there. This page outlines what is involved and describes related tasks for setting up nodes. Kubernetes 1.34 requires that you use a runtime that conforms with the Container Runtime Interface (CRI).

Create a production-quality Kubernetes cluster

This page provides a list of Kubernetes certified solution providers. From each provider page, you can learn how to install and setup production ready clusters.

This document describes the concept of VolumeSnapshotClass in Kubernetes. Familiarity with volume snapshots and storage classes is suggested. Introduction Just like StorageClass provides a way for administrators to describe the "classes" of storage they offer when provisioning a volume, VolumeSnapshotClass provides a way to describe the "classes" of storage when provisioning a volume snapshot. The VolumeSnapshotClass Resource Each VolumeSnapshotClass contains the fields driver, deletionPolicy, and parameters, which are used when a VolumeSnapshot belonging to the class needs to be dynamically provisioned.

A time-to-live mechanism to clean up old Jobs that have finished execution.

Field selectors let you select Kubernetes objects based on the value of one or more resource fields. Here are some examples of field selector queries: metadata.name=my-service metadata.namespace!=default status.phase=Pending This kubectl command selects all Pods for which the value of the status.phase field is Running: kubectl get pods --field-selector status.phase=Running Note:Field selectors are essentially resource filters. By default, no selectors/filters are applied, meaning that all resources of the specified type are selected.

This page provides an overview of best practices when it comes to enforcing Pod Security Standards. Using the built-in Pod Security Admission Controller FEATURE STATE: Kubernetes v1.25 [stable] The Pod Security Admission Controller intends to replace the deprecated PodSecurityPolicies. Configure all cluster namespaces Namespaces that lack any configuration at all should be considered significant gaps in your cluster security model. We recommend taking the time to analyze the types of workloads occurring in each namespace, and by referencing the Pod Security Standards, decide on an appropriate level for each of them.