This document describes projected volumes in Kubernetes. Familiarity with volumes is suggested. Introduction A projected volume maps several existing volume sources into the same directory. Currently, the following types of volume sources can be projected: secret downwardAPI configMap serviceAccountToken clusterTrustBundle All sources are required to be in the same namespace as the Pod. For more details, see the all-in-one volume design document. Example configuration with a secret, a downwardAPI, and a configMap pods/storage/projected-secret-downwardapi-configmap.

A ReplicaSet's purpose is to maintain a stable set of replica Pods running at any given time. Usually, you define a Deployment and let that Deployment manage ReplicaSets automatically.

This page describes the maximum number of volumes that can be attached to a Node for various cloud providers. Cloud providers like Google, Amazon, and Microsoft typically have a limit on how many volumes can be attached to a Node. It is important for Kubernetes to respect those limits. Otherwise, Pods scheduled on a Node could get stuck waiting for volumes to attach. Kubernetes default limits The Kubernetes scheduler has default limits on the number of volumes that can be attached to a Node:

Security architecture information relating to the API server and other components

Production-Grade Container Orchestration

Node affinity is a property of Pods that attracts them to a set of nodes (either as a preference or a hard requirement). Taints are the opposite -- they allow a node to repel a set of pods. Tolerations are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints. Tolerations allow scheduling but don't guarantee scheduling: the scheduler also evaluates other parameters as part of its function.

Baseline checklist for ensuring security in Kubernetes clusters.

Define a range of valid memory resource limits for a namespace, so that every new Pod in that namespace falls within the range you configure.

Define a default memory resource limit for a namespace, so that every new Pod in that namespace has a memory resource limit configured.

This page shows how to use Weave Net for NetworkPolicy. Before you begin You need to have a Kubernetes cluster. Follow the kubeadm getting started guide to bootstrap one. Install the Weave Net addon Follow the Integrating Kubernetes via the Addon guide. The Weave Net addon for Kubernetes comes with a Network Policy Controller that automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces and configures iptables rules to allow or block traffic as directed by the policies.