This page describes security considerations and best practices specific to the Windows operating system. Protection for Secret data on nodes On Windows, data from Secrets are written out in clear text onto the node's local storage (as compared to using tmpfs / in-memory filesystems on Linux). As a cluster operator, you should take both of the following additional measures: Use file ACLs to secure the Secrets' file location. Apply volume-level encryption using BitLocker.

This document highlights and consolidates configuration best practices that are introduced throughout the user guide, Getting Started documentation, and examples. This is a living document. If you think of something that is not on this list but might be useful to others, please don't hesitate to file an issue or submit a PR. General Configuration Tips When defining configurations, specify the latest stable API version. Configuration files should be stored in version control before being pushed to the cluster.

On Linux, control groups constrain resources that are allocated to processes. The kubelet and the underlying container runtime need to interface with cgroups to enforce resource management for pods and containers which includes cpu/memory requests and limits for containerized workloads. There are two versions of cgroups in Linux: cgroup v1 and cgroup v2. cgroup v2 is the new generation of the cgroup API. What is cgroup v2? FEATURE STATE: Kubernetes v1.

A detailed look at the different policy levels defined in the Pod Security Standards.

Dynamic volume provisioning allows storage volumes to be created on-demand. Without dynamic provisioning, cluster administrators have to manually make calls to their cloud or storage provider to create new storage volumes, and then create PersistentVolume objects to represent them in Kubernetes. The dynamic provisioning feature eliminates the need for cluster administrators to pre-provision storage. Instead, it automatically provisions storage when users create PersistentVolumeClaim objects. Background The implementation of dynamic volume provisioning is based on the API object StorageClass from the API group storage.

This page describes security considerations and best practices specific to the Linux operating system. Protection for Secret data on nodes On Linux nodes, memory-backed volumes (such as secret volume mounts, or emptyDir with medium: Memory) are implemented with a tmpfs filesystem. If you have swap configured and use an older Linux kernel (or a current kernel and an unsupported configuration of Kubernetes), memory backed volumes can have data written to persistent storage.

This page provides an overview of controlling access to the Kubernetes API. Users access the Kubernetes API using kubectl, client libraries, or by making REST requests. Both human users and Kubernetes service accounts can be authorized for API access. When a request reaches the API, it goes through several stages, illustrated in the following diagram: Transport security By default, the Kubernetes API server listens on port 6443 on the first non-localhost network interface, protected by TLS.

With autoscaling, you can automatically update your workloads in one way or another. This allows your cluster to react to changes in resource demand more elastically and efficiently.

Garbage collection is a collective term for the various mechanisms Kubernetes uses to clean up cluster resources. This allows the clean up of resources like the following: Terminated pods Completed Jobs Objects without owner references Unused containers and container images Dynamically provisioned PersistentVolumes with a StorageClass reclaim policy of Delete Stale or expired CertificateSigningRequests (CSRs) Nodes deleted in the following scenarios: On a cloud when the cluster uses a cloud controller manager On-premises when the cluster uses an addon similar to a cloud controller manager Node Lease objects Owners and dependents Many objects in Kubernetes link to each other through owner references.

Legacy API for managing workloads that can scale horizontally. Superseded by the Deployment and ReplicaSet APIs.