This page shows how to manually rotate the certificate authority (CA) certificates. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

Synopsis Display one or many contexts from the kubeconfig file. kubectl config get-contexts [(-o|--output=)name)] Examples # List all the contexts in your kubeconfig file kubectl config get-contexts # Describe one context in your kubeconfig file kubectl config get-contexts my-context Options -h, --help help for get-contexts --no-headers When using the default or custom-column output format, don't print headers (default print headers). -o, --output string Output format. One of: (name). Parent Options Inherited --as string Username to impersonate for the operation.

Collection of Pod & Container metrics via the CRI.

Production-Grade Container Orchestration

Resource Types ExecCredential ExecCredential ExecCredential is used by exec-based plugins to communicate credentials to HTTP transports. FieldDescription apiVersionstringclient.authentication.k8s.io/v1beta1 kindstringExecCredential spec [Required] ExecCredentialSpec Spec holds information passed to the plugin by the transport. status ExecCredentialStatus Status is filled in by the plugin and holds the credentials that the transport should use to contact the API. Cluster Appears in: ExecCredentialSpec Cluster contains information to allow an exec plugin to communicate with the kubernetes cluster being authenticated to.

This task outlines the steps needed to update your container runtime to containerd from Docker. It is applicable for cluster operators running Kubernetes 1.23 or earlier. This also covers an example scenario for migrating from dockershim to containerd. Alternative container runtimes can be picked from this page. Before you begin Note: This section links to third party projects that provide functionality required by Kubernetes. The Kubernetes project authors aren't responsible for these projects, which are listed alphabetically.

Note This tutorial applies only for new clusters. Pod Security is an admission controller that carries out checks against the Kubernetes Pod Security Standards when new pods are created. It is a feature GA'ed in v1.25. This tutorial shows you how to enforce the baseline Pod Security Standard at the cluster level which applies a standard configuration to all namespaces in a cluster. To apply Pod Security Standards to specific namespaces, refer to Apply Pod Security Standards at the namespace level.

Production-Grade Container Orchestration

In addition to compiled-in admission plugins, admission plugins can be developed as extensions and run as webhooks configured at runtime. This page describes how to build, configure, use, and monitor admission webhooks. What are admission webhooks? Admission webhooks are HTTP callbacks that receive admission requests and do something with them. You can define two types of admission webhooks, validating admission webhook and mutating admission webhook. Mutating admission webhooks are invoked first, and can modify objects sent to the API server to enforce custom defaults.

The CRI is a plugin interface which enables the kubelet to use a wide variety of container runtimes, without having a need to recompile the cluster components. You need a working container runtime on each Node in your cluster, so that the kubelet can launch Pods and their containers. The Container Runtime Interface (CRI) is the main protocol for the communication between the kubelet and Container Runtime. The Kubernetes Container Runtime Interface (CRI) defines the main gRPC protocol for the communication between the node components kubelet and container runtime.