A security context defines privilege and access control settings for a Pod or Container. Security context settings include, but are not limited to: Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID). Security Enhanced Linux (SELinux): Objects are assigned security labels. Running as privileged or unprivileged. Linux Capabilities: Give a process some privileges, but not all the privileges of the root user.

This page shows how to specify extended resources for a Node. Extended resources allow cluster administrators to advertise node-level resources that would otherwise be unknown to Kubernetes. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts.

This page shows how to enable or disable an API version from your cluster's control plane. Specific API versions can be turned on or off by passing --runtime-config=api/<version> as a command line argument to the API server. The values for this argument are a comma-separated list of API versions. Later values override earlier values. The runtime-config command line argument also supports 2 special keys: api/all, representing all known APIs api/legacy, representing only legacy APIs.

FEATURE STATE: Kubernetes v1.11 [beta] The cloud-controller-manager is a Kubernetes control plane component that embeds cloud-specific control logic. The cloud controller manager lets you link your cluster into your cloud provider's API, and separates out the components that interact with that cloud platform from components that only interact with your cluster. By decoupling the interoperability logic between Kubernetes and the underlying cloud infrastructure, the cloud-controller-manager component enables cloud providers to release features at a different pace compared to the main Kubernetes project.

FEATURE STATE: Kubernetes v1.32 [alpha] (enabled by default: false) This page shows how to specify CPU and memory resources for a Pod at pod-level in addition to container-level resource specifications. A Kubernetes node allocates resources to a pod based on the pod's resource requests. These requests can be defined at the pod level or individually for containers within the pod. When both are present, the pod-level requests take precedence.

Restrict how many Pods you can create within a namespace.

Production-Grade Container Orchestration

FEATURE STATE: Kubernetes v1.22 [alpha] This document describes how to run Kubernetes Node components such as kubelet, CRI, OCI, and CNI without root privileges, by using a user namespace. This technique is also known as rootless mode. Note:This document describes how to run Kubernetes Node components (and hence pods) as a non-root user. If you are just looking for how to run a pod as a non-root user, see SecurityContext.

This page shows how to create a Pod that uses a Secret to pull an image from a private container image registry or repository. There are many private registries in use. This task uses Docker Hub as an example registry. 🛇 This item links to a third party project or product that is not part of Kubernetes itself. More information Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster.

This page shows how to use Romana for NetworkPolicy. Before you begin Complete steps 1, 2, and 3 of the kubeadm getting started guide. Installing Romana with kubeadm Follow the containerized installation guide for kubeadm. Applying network policies To apply network policies use one of the following: Romana network policies. Example of Romana network policy. The NetworkPolicy API. What's next Once you have installed Romana, you can follow the Declare Network Policy to try out Kubernetes NetworkPolicy.