This page shows how to configure quotas for API objects, including PersistentVolumeClaims and Services. A quota restricts the number of objects, of a particular type, that can be created in a namespace. You specify quotas in a ResourceQuota object. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts.

The Kubernetes API is a resource-based (RESTful) programmatic interface provided via HTTP. It supports retrieving, creating, updating, and deleting primary resources via the standard HTTP verbs (POST, PUT, PATCH, DELETE, GET). For some resources, the API includes additional subresources that allow fine-grained authorization (such as separate views for Pod details and log retrievals), and can accept and serve those resources in different representations for convenience or efficiency. Kubernetes supports efficient change notifications on resources via watches: in the Kubernetes API, watch is a verb that is used to track changes to an object in Kubernetes as a stream.

Objectives Learn about Kubernetes Pods. Learn about Kubernetes Nodes. Troubleshoot deployed applications. Kubernetes Pods A Pod is a group of one or more application containers (such as Docker) and includes shared storage (volumes), IP address and information about how to run them. When you created a Deployment in Module 2, Kubernetes created a Pod to host your application instance. A Pod is a Kubernetes abstraction that represents a group of one or more application containers (such as Docker), and some shared resources for those containers.

This tutorial demonstrates running Apache Zookeeper on Kubernetes using StatefulSets, PodDisruptionBudgets, and PodAntiAffinity. Before you begin Before starting this tutorial, you should be familiar with the following Kubernetes concepts: Pods Cluster DNS Headless Services PersistentVolumes PersistentVolume Provisioning StatefulSets PodDisruptionBudgets PodAntiAffinity kubectl CLI You must have a cluster with at least four nodes, and each node requires at least 2 CPUs and 4 GiB of memory. In this tutorial you will cordon and drain the cluster's nodes.

FEATURE STATE: Kubernetes v1.31 [stable] (enabled by default: true) This page shows you how to load AppArmor profiles on your nodes and enforce those profiles in Pods. To learn more about how Kubernetes can confine Pods using AppArmor, see Linux kernel security constraints for Pods and containers. Objectives See an example of how to load a profile on a Node Learn how to enforce the profile on a Pod Learn how to check that the profile is loaded See what happens when a profile is violated See what happens when a profile cannot be loaded Before you begin AppArmor is an optional kernel module and Kubernetes feature, so verify it is supported on your Nodes before proceeding:

Production-Grade Container Orchestration

As the Kubernetes API evolves, APIs are periodically reorganized or upgraded. When APIs evolve, the old API is deprecated and eventually removed. This page contains information you need to know when migrating from deprecated API versions to newer and more stable API versions. Removed APIs by release v1.32 The v1.32 release stopped serving the following deprecated API versions: Flow control resources The flowcontrol.apiserver.k8s.io/v1beta3 API version of FlowSchema and PriorityLevelConfiguration is no longer served as of v1.

Production-Grade Container Orchestration

Node authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets. Overview The Node authorizer allows a kubelet to perform API operations. This includes: Read operations: services endpoints nodes pods secrets, configmaps, persistent volume claims and persistent volumes related to pods bound to the kubelet's node FEATURE STATE: Kubernetes v1.34 [stable] (enabled by default: true) Kubelets are limited to reading their own Node objects, and only reading pods bound to their node.

FEATURE STATE: Kubernetes v1.27 [beta] This is a community maintained list of official CVEs announced by the Kubernetes Security Response Committee. See Kubernetes Security and Disclosure Information for more details. The Kubernetes project publishes a programmatically accessible feed of published security issues in JSON feed and RSS feed formats. You can access it by executing the following commands: JSON feed RSS feed Link to JSON format curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json Link to RSS format