FEATURE STATE: Kubernetes v1.30 [alpha] (enabled by default: false) Kubernetes relies on API data being actively re-written, to support some maintenance activities related to at rest storage. Two prominent examples are the versioned schema of stored resources (that is, the preferred storage schema changing from v1 to v2 for a given resource) and encryption at rest (that is, rewriting stale data based on a change in how the data should be encrypted).

To report a security issue, please follow the Kubernetes security disclosure process. Work on Kubernetes code and public issues are tracked using GitHub Issues. Official list of known CVEs (security vulnerabilities) that have been announced by the Security Response Committee CVE-related GitHub issues Security-related announcements are sent to the kubernetes-security-announce@googlegroups.com mailing list.

All of the APIs in Kubernetes that let you write persistent API resource data support at-rest encryption. For example, you can enable at-rest encryption for Secrets. This at-rest encryption is additional to any system-level encryption for the etcd cluster or for the filesystem(s) on hosts where you are running the kube-apiserver. This page shows how to switch from encryption of API data at rest, so that API data are stored unencrypted.

This page shows how to create a Pod that uses a Secret to pull an image from a private container image registry or repository. There are many private registries in use. This task uses Docker Hub as an example registry. 🛇 This item links to a third party project or product that is not part of Kubernetes itself. More information Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster.

This page shows how to configure Pods so that they will be assigned particular Quality of Service (QoS) classes. Kubernetes uses QoS classes to make decisions about evicting Pods when Node resources are exceeded. When Kubernetes creates a Pod it assigns one of these QoS classes to the Pod: Guaranteed Burstable BestEffort Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster.

This page shows you how to run a single-instance stateful application in Kubernetes using a PersistentVolume and a Deployment. The application is MySQL. Objectives Create a PersistentVolume referencing a disk in your environment. Create a MySQL Deployment. Expose MySQL to other pods in the cluster at a known DNS name. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster.

This page shows how a Pod can use environment variables to expose information about itself to containers running in the Pod, using the downward API. You can use environment variables to expose Pod fields, container fields, or both. In Kubernetes, there are two ways to expose Pod and container fields to a running container: Environment variables, as explained in this task Volume files Together, these two ways of exposing Pod and container fields are called the downward API.

Use kubectl patch to update Kubernetes API objects in place. Do a strategic merge patch or a JSON merge patch.

FEATURE STATE: Kubernetes v1.21 [stable] This page shows how to limit the number of concurrent disruptions that your application experiences, allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. Before you begin Your Kubernetes server must be at or later than version v1.21. To check the version, enter kubectl version. You are the owner of an application running on a Kubernetes cluster that requires high availability.

This topic discusses multiple ways to interact with clusters. Accessing for the first time with kubectl When accessing the Kubernetes API for the first time, we suggest using the Kubernetes CLI, kubectl. To access a cluster, you need to know the location of the cluster and have credentials to access it. Typically, this is automatically set-up when you work through a Getting started guide, or someone else set up the cluster and provided you with credentials and a location.