A container image represents binary data that encapsulates an application and all its software dependencies. Container images are executable software bundles that can run standalone and that make very well defined assumptions about their runtime environment. You typically create a container image of your application and push it to a registry before referring to it in a Pod. This page provides an outline of the container image concept. Note:If you are looking for the container images for a Kubernetes release (such as v1.

Learn about ServiceAccount objects in Kubernetes.

kube-state-metrics, an add-on agent to generate and expose cluster-level metrics.

This document describes the concept of cloning existing CSI Volumes in Kubernetes. Familiarity with Volumes is suggested. Introduction The CSI Volume Cloning feature adds support for specifying existing PVCs in the dataSource field to indicate a user would like to clone a Volume. A Clone is defined as a duplicate of an existing Kubernetes Volume that can be consumed as any standard Volume would be. The only difference is that upon provisioning, rather than creating a "new" empty Volume, the back end device creates an exact duplicate of the specified Volume.

An overview of the Pod Security Admission Controller, which can enforce the Pod Security Standards.

Core Dynamic Resource Allocation with structured parameters: FEATURE STATE: Kubernetes v1.30 [alpha] (enabled by default: false) Dynamic Resource Allocation with control plane controller: FEATURE STATE: Kubernetes v1.26 [alpha] (enabled by default: false) Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. It is a generalization of the persistent volumes API for generic resources. Typically those resources are devices like GPUs.

FEATURE STATE: Kubernetes v1.27 [beta] System component traces record the latency of and relationships between operations in the cluster. Kubernetes components emit traces using the OpenTelemetry Protocol with the gRPC exporter and can be collected and routed to tracing backends using an OpenTelemetry Collector. Trace Collection Kubernetes components have built-in gRPC exporters for OTLP to export traces, either with an OpenTelemetry Collector, or without an OpenTelemetry Collector. For a complete guide to collecting traces and using the collector, see Getting Started with the OpenTelemetry Collector.

Kubernetes is a portable, extensible, open source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.

This page provides an overview of best practices when it comes to enforcing Pod Security Standards. Using the built-in Pod Security Admission Controller FEATURE STATE: Kubernetes v1.25 [stable] The Pod Security Admission Controller intends to replace the deprecated PodSecurityPolicies. Configure all cluster namespaces Namespaces that lack any configuration at all should be considered significant gaps in your cluster security model. We recommend taking the time to analyze the types of workloads occurring in each namespace, and by referencing the Pod Security Standards, decide on an appropriate level for each of them.

Field selectors let you select Kubernetes objects based on the value of one or more resource fields. Here are some examples of field selector queries: metadata.name=my-service metadata.namespace!=default status.phase=Pending This kubectl command selects all Pods for which the value of the status.phase field is Running: kubectl get pods --field-selector status.phase=Running Note:Field selectors are essentially resource filters. By default, no selectors/filters are applied, meaning that all resources of the specified type are selected.