This tutorial demonstrates running Apache Zookeeper on Kubernetes using StatefulSets, PodDisruptionBudgets, and PodAntiAffinity. Before you begin Before starting this tutorial, you should be familiar with the following Kubernetes concepts: Pods Cluster DNS Headless Services PersistentVolumes PersistentVolume Provisioning StatefulSets PodDisruptionBudgets PodAntiAffinity kubectl CLI You must have a cluster with at least four nodes, and each node requires at least 2 CPUs and 4 GiB of memory. In this tutorial you will cordon and drain the cluster's nodes.

FEATURE STATE: Kubernetes v1.4 [beta] This page shows you how to load AppArmor profiles on your nodes and enforce those profiles in Pods. To learn more about how Kubernetes can confine Pods using AppArmor, see Linux kernel security constraints for Pods and containers. Objectives See an example of how to load a profile on a Node Learn how to enforce the profile on a Pod Learn how to check that the profile is loaded See what happens when a profile is violated See what happens when a profile cannot be loaded Before you begin AppArmor is an optional kernel module and Kubernetes feature, so verify it is supported on your Nodes before proceeding:

GETTING STARTED create clusterrole clusterrolebinding configmap cronjob deployment ingress job namespace poddisruptio...

This page shows how to assign a Kubernetes Pod to a particular node using Node Affinity in a Kubernetes cluster. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

This page shows how to safely drain a node, optionally respecting the PodDisruptionBudget you have defined. Before you begin This task assumes that you have met the following prerequisites: You do not require your applications to be highly available during the node drain, or You have read about the PodDisruptionBudget concept, and have configured PodDisruptionBudgets for applications that need them. (Optional) Configure a disruption budget To ensure that your workloads remain available during maintenance, you can configure a PodDisruptionBudget.

When using the kubelet's --config-dir flag to specify a drop-in directory for configuration, there is some specific behavior on how different types are merged. Here are some examples of how different data types behave during configuration merging: Structure Fields There are two types of structure fields in a YAML structure: singular (or a scalar type) and embedded (structures that contain scalar types). The configuration merging process handles the overriding of singular and embedded struct fields to create a resulting kubelet configuration.

FEATURE STATE: Kubernetes v1.27 [beta] This is a community maintained list of official CVEs announced by the Kubernetes Security Response Committee. See Kubernetes Security and Disclosure Information for more details. The Kubernetes project publishes a programmatically accessible feed of published security issues in JSON feed and RSS feed formats. You can access it by executing the following commands: JSON feed RSS feed Link to JSON format curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json Link to RSS format

FEATURE STATE: Kubernetes v1.25 [alpha] Checkpointing a container is the functionality to create a stateful copy of a running container. Once you have a stateful copy of a container, you could move it to a different computer for debugging or similar purposes. If you move the checkpointed container data to a computer that's able to restore it, that restored container continues to run at exactly the same point it was checkpointed.

FEATURE STATE: Kubernetes v1.29 [stable] By default, Kubernetes 1.30 publishes Service Level Indicator (SLI) metrics for each Kubernetes component binary. This metric endpoint is exposed on the serving HTTPS port of each component, at the path /metrics/slis. The ComponentSLIs feature gate defaults to enabled for each Kubernetes component as of v1.27. SLI Metrics With SLI metrics enabled, each Kubernetes component exposes two metrics, labeled per healthcheck: a gauge (which represents the current state of the healthcheck) a counter (which records the cumulative counts observed for each healthcheck state) You can use the metric information to calculate per-component availability statistics.

This page describes Kubernetes security and disclosure information. Security Announcements Join the kubernetes-security-announce group for emails about security and major API announcements. Report a Vulnerability We're extremely grateful for security researchers and users that report vulnerabilities to the Kubernetes Open Source Community. All reports are thoroughly investigated by a set of community volunteers. To make a report, submit your vulnerability to the Kubernetes bug bounty program. This allows triage and handling of the vulnerability with standardized response times.