This page describes the lifecycle of a Pod. Pods follow a defined lifecycle, starting in the Pending phase, moving through Running if at least one of its primary containers starts OK, and then through either the Succeeded or Failed phases depending on whether any container in the Pod terminated in failure. Like individual application containers, Pods are considered to be relatively ephemeral (rather than durable) entities. Pods are created, assigned a unique ID (UID), and scheduled to run on nodes where they remain until termination (according to restart policy) or deletion.

Create a production-quality Kubernetes cluster

This page provides an overview of best practices when it comes to enforcing Pod Security Standards. Using the built-in Pod Security Admission Controller FEATURE STATE: Kubernetes v1.25 [stable] The Pod Security Admission Controller intends to replace the deprecated PodSecurityPolicies. Configure all cluster namespaces Namespaces that lack any configuration at all should be considered significant gaps in your cluster security model. We recommend taking the time to analyze the types of workloads occurring in each namespace, and by referencing the Pod Security Standards, decide on an appropriate level for each of them.

Kubernetes requires PKI certificates for authentication over TLS. If you install Kubernetes with kubeadm, the certificates that your cluster requires are automatically generated. You can also generate your own certificates -- for example, to keep your private keys more secure by not storing them on the API server. This page explains the certificates that your cluster requires. How certificates are used by your cluster Kubernetes requires PKI for the following operations:

A time-to-live mechanism to clean up old Jobs that have finished execution.

Set up Kubernetes tools on your computer.

This page shows how to define environment variables for a container in a Kubernetes Pod. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

This page shows how to securely inject sensitive data, such as passwords and encryption keys, into Pods. Before you begin You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

Before you begin Some steps in this page use the jq tool. If you don't have jq, you can install it via your operating system's software sources, or fetch it from https://jqlang.github.io/jq/. Some steps also involve installing curl, which can be installed via your operating system's software sources. A subset of the kubelet's configuration parameters may be set via an on-disk config file, as a substitute for command-line flags. Providing parameters via a config file is the recommended approach because it simplifies node deployment and configuration management.

User impersonation is a method of allowing authenticated users to act as another user, group, or service account through HTTP headers. A user can act as another user through impersonation headers. These let requests manually override the user info a request authenticates as. For example, an admin could use this feature to debug an authorization policy by temporarily impersonating another user and seeing if a request was denied. Impersonation requests first authenticate as the requesting user, then switch to the impersonated user info.