This page describes security considerations and best practices specific to the Linux operating system. Protection for Secret data on nodes On Linux nodes, memory-backed volumes (such as secret volume mounts, or emptyDir with medium: Memory) are implemented with a tmpfs filesystem. If you have swap configured and use an older Linux kernel (or a current kernel and an unsupported configuration of Kubernetes), memory backed volumes can have data written to persistent storage.

This page explains how to upgrade a Kubernetes cluster created with kubeadm from version 1.34.x to version 1.35.x, and from version 1.35.x to 1.35.y (where y > x). Skipping MINOR versions when upgrading is unsupported. For more details, please visit Version Skew Policy. To see information about upgrading clusters created using older versions of kubeadm, please refer to following pages instead: Upgrading a kubeadm cluster from 1.33 to 1.34 Upgrading a kubeadm cluster from 1.

Production-Grade Container Orchestration

Production-Grade Container Orchestration

This page serves as a reference for the audit annotations of the kubernetes.io namespace. These annotations apply to Event object from API group audit.k8s.io. Note:The following annotations are not used within the Kubernetes API. When you enable auditing in your cluster, audit event data is written using Event from API group audit.k8s.io. The annotations apply to audit events. Audit events are different from objects in the Event API (API group events.

etcd is a consistent and highly-available key value store used as Kubernetes' backing store for all cluster data. If your Kubernetes cluster uses etcd as its backing store, make sure you have a back up plan for the data. You can find in-depth information about etcd in the official documentation. Before you begin Before you follow steps in this page to deploy, manage, back up or restore etcd, you need to understand the typical expectations for operating an etcd cluster.

FEATURE STATE: Kubernetes v1.26 [beta] Before you begin You will need to have the following tools installed: cosign (install guide) curl (often provided by your operating system) jq (download jq) Verifying binary signatures The Kubernetes release process signs all binary artifacts (tarballs, SPDX files, standalone binaries) by using cosign's keyless signing. To verify a particular binary, retrieve it together with its signature and certificate: URL=https://dl.k8s.io/release/v1.35.0/bin/linux/amd64 BINARY=kubectl FILES=( "$BINARY" "$BINARY.sig" "$BINARY.

This page shows you how to specify the type of cascading deletion to use in your cluster during garbage collection. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

Objectives Learn what a Kubernetes cluster is. Learn what Minikube is. Start a Kubernetes cluster on your computer. Kubernetes Clusters Kubernetes is a production-grade, open-source platform that orchestrates the placement (scheduling) and execution of application containers within and across computer clusters. Kubernetes coordinates a highly available cluster of computers that are connected to work as a single unit. The abstractions in Kubernetes allow you to deploy containerized applications to a cluster without tying them specifically to individual machines.

This page describes good practices when configuring a Kubernetes cluster utilizing Dynamic Resource Allocation (DRA). These instructions are for cluster administrators. Separate permissions to DRA related APIs DRA is orchestrated through a number of different APIs. Use authorization tools (like RBAC, or another solution) to control access to the right APIs depending on the persona of your user. In general, DeviceClasses and ResourceSlices should be restricted to admins and the DRA drivers.