FEATURE STATE: Kubernetes v1.33 [beta](enabled by default) This page shows how to configure a user namespace for pods. This allows you to isolate the user running inside the container from the one in the host. A process running as root in a container can run as a different (non-root) user in the host; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.

Namespaces can be labeled to enforce the Pod Security Standards. The three policies privileged, baseline and restricted broadly cover the security spectrum and are implemented by the Pod Security admission controller. Before you begin Pod Security Admission was available by default in Kubernetes v1.23, as a beta. From version 1.25 onwards, Pod Security Admission is generally available. To check the version, enter kubectl version. Requiring the baseline Pod Security Standard with namespace labels This manifest defines a Namespace my-baseline-namespace that:

FEATURE STATE: Kubernetes v1.31 [stable](enabled by default) This document shows you how to use the Pod failure policy, in combination with the default Pod backoff failure policy, to improve the control over the handling of container- or Pod-level failure within a Job. The definition of Pod failure policy may help you to: better utilize the computational resources by avoiding unnecessary Pod retries. avoid Job failures due to Pod disruptions (such preemption, API-initiated eviction or taint-based eviction).

Deploy the web UI (Kubernetes Dashboard) and access it.

This page shows how to delete Pods which are part of a stateful set, and explains the considerations to keep in mind when doing so. Before you begin This is a fairly advanced task and has the potential to violate some of the properties inherent to StatefulSet. Before proceeding, make yourself familiar with the considerations enumerated below. StatefulSet considerations In normal operation of a StatefulSet, there is never a need to force delete a StatefulSet Pod.

This page contains an overview of the client libraries for using the Kubernetes API from various programming languages. To write applications using the Kubernetes REST API, you do not need to implement the API calls and request/response types yourself. You can use a client library for the programming language you are using. Client libraries often handle common tasks such as authentication for you. Most client libraries can discover and use the Kubernetes Service Account to authenticate if the API client is running inside the Kubernetes cluster, or can understand the kubeconfig file format to read the credentials and the API Server address.

FEATURE STATE: Kubernetes v1.30 [stable] This page provides an overview of Validating Admission Policy. What is Validating Admission Policy? Validating admission policies offer a declarative, in-process alternative to validating admission webhooks. Validating admission policies use the Common Expression Language (CEL) to declare the validation rules of a policy. Validation admission policies are highly configurable, enabling policy authors to define policies that can be parameterized and scoped to resources as needed by cluster administrators.

FEATURE STATE: Kubernetes v1.11 [stable] crictl is a command-line interface for CRI-compatible container runtimes. You can use it to inspect and debug container runtimes and applications on a Kubernetes node. crictl and its source are hosted in the cri-tools repository. Before you begin crictl requires a Linux operating system with a CRI runtime. Installing crictl You can download a compressed archive crictl from the cri-tools release page, for several different architectures.

This page describes the process of migrating from PodSecurityPolicies to the built-in PodSecurity admission controller. This can be done effectively using a combination of dry-run and audit and warn modes, although this becomes harder if mutating PSPs are used. Before you begin Your Kubernetes server must be at or later than version v1.22. To check the version, enter kubectl version. If you are currently running a version of Kubernetes other than 1.

This page shows how to use a Volume to communicate between two Containers running in the same Pod. See also how to allow processes to communicate by sharing process namespace between containers. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts.