This page shows how to use Romana for NetworkPolicy. Before you begin Complete steps 1, 2, and 3 of the kubeadm getting started guide. Installing Romana with kubeadm Follow the containerized installation guide for kubeadm. Applying network policies To apply network policies use one of the following: Romana network policies. Example of Romana network policy. The NetworkPolicy API. What's next Once you have installed Romana, you can follow the Declare Network Policy to try out Kubernetes NetworkPolicy.

This page shows how to create a Pod that uses a Secret to pull an image from a private container image registry or repository. There are many private registries in use. This task uses Docker Hub as an example registry. 🛇 This item links to a third party project or product that is not part of Kubernetes itself. More information Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster.

The kubectl command-line tool supports several different ways to create and manage Kubernetes objects. This document provides an overview of the different approaches. Read the Kubectl book for details of managing objects by Kubectl. Management techniques Warning:A Kubernetes object should be managed using only one technique. Mixing and matching techniques for the same object results in undefined behavior. Management technique Operates on Recommended environment Supported writers Learning curve Imperative commands Live objects Development projects 1+ Lowest Imperative object configuration Individual files Production projects 1 Moderate Declarative object configuration Directories of files Production projects 1+ Highest Imperative commands When using imperative commands, a user operates directly on live objects in a cluster.

An overview of the key components that make up a Kubernetes cluster.

FEATURE STATE: Kubernetes v1.28 [alpha](disabled by default) Kubernetes 1.35 includes an alpha feature that lets an API Server proxy resource requests to other peer API servers. It also lets clients get a holistic view of resources served across the entire cluster through discovery. This is useful when there are multiple API servers running different versions of Kubernetes in one cluster (for example, during a long-lived rollout to a new release of Kubernetes).

This page covers advanced Pod configuration topics including PriorityClasses, RuntimeClasses, security context within Pods, and introduces aspects of scheduling. PriorityClasses PriorityClasses allow you to set the importance of Pods relative to other Pods. If you assign a priority class to a Pod, Kubernetes sets the .spec.priority field for that Pod based on the PriorityClass you specified (you cannot set .spec.priority directly). If or when a Pod cannot be scheduled, and the problem is due to a lack of resources, the kube-scheduler tries to preempt lower priority Pods, in order to make scheduling of the higher priority Pod possible.

Kubernetes is designed with self-healing capabilities that help maintain the health and availability of workloads. It automatically replaces failed containers, reschedules workloads when nodes become unavailable, and ensures that the desired state of the system is maintained. Self-Healing capabilities Container-level restarts: If a container inside a Pod fails, Kubernetes restarts it based on the restartPolicy. Replica replacement: If a Pod in a Deployment or StatefulSet fails, Kubernetes creates a replacement Pod to maintain the specified number of replicas.

The EndpointSlice API is the mechanism that Kubernetes uses to let your Service scale to handle large numbers of backends, and allows the cluster to update its list of healthy backends efficiently.

This page outlines the differences in how resources are managed between Linux and Windows. On Linux nodes, cgroups are used as a pod boundary for resource control. Containers are created within that boundary for network, process and file system isolation. The Linux cgroup APIs can be used to gather CPU, I/O, and memory use statistics. In contrast, Windows uses a job object per container with a system namespace filter to contain all processes in a container and provide logical isolation from the host.

Overview of Linux kernel security modules and constraints that you can use to harden your Pods and containers.