mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-20 18:31:15 +00:00
Production-Grade Container Scheduling and Management
6fe7f9f4b7
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Support dry run in admission plugins **What this PR does / why we need it**: Adds support for dry run to admission controllers as outlined by https://github.com/kubernetes/community/pull/2387 - [x] add IsDryRun() to admission.Attributes interface - [x] add dry run support to NamespaceAutoProvision - [x] add dry run support to ResourceQuota - [x] add dry run support to EventRateLimit The following is being done in a follow up PR: - [x] add DryRun to ```admission.k8s.io/v1beta1.AdmissionReview``` - [x] add DryRunnable to ```admissionregistration.k8s.io/v1beta1.(Valid|Mut)atingWebhookConfiguration``` - [x] add dry run support to (Valid|Mut)atingAdmissionWebhook /sig api-machinery **Release note**: ```release-note In clusters where the DryRun feature is enabled, dry-run requests will go through the normal admission chain. Because of this, ImagePolicyWebhook authors should especially make sure that their webhooks do not rely on side effects. ``` Here is a list of the admission controllers that were considered when making this PR: - AlwaysAdmit: No side effects - AlwaysPullImages: No side effects - LimitPodHardAntiAffinityTopology: No side effects - DefaultTolerationSeconds: No side effects - AlwaysDeny: No side effects - EventRateLimit: Has side possible effect of affecting the rate, skipping this entire plugin in dry-run case since it won't correspond to an actual write to etcd anyway - DenyEscalatingExec: No side effects - DenyExecOnPrivileged: Deprecated, and has no side effects - ExtendedResourceToleration: No side effects - OwnerReferencesPermissionEnforcement: No side effects - ImagePolicyWebhook: No side effects* (*this uses a webhook but it is very specialized. It only sees pod container images, for the purpose of accepting or rejecting certain image sources, so it is very unlikely that it would rely on side effects.) - LimitRanger: No side effects - NamespaceAutoProvision: Has possible side effect of creating a namespace, skipping the create in the dry-run case - NamespaceExists: No side effects - NodeRestriction: No side effects - PodNodeSelector: No side effects - PodPreset: No side effects - PodTolerationRestriction: No side effects - Priority: No side effects - ResourceQuota: Has side possible effect of taking up quota, will only check quota but skip changing quota in the dry-run case - PodSecurityPolicy: No side effects - SecurityContextDeny: No side effects - ServiceAccount: No side effects - PersistentVolumeLabel: No side effects - PersistentVolumeClaimResize: No side effects - DefaultStorageClass: No side effects - StorageObjectInUseProtection: No side effects - Initializers: No side effects - NamespaceLifecycle: No side effects - MutatingAdmissionWebhook: Same as below - ValidatingAdmissionWebhook: Has possible side effects depending on if webhook authors depend on side effects and a reconciliation mechanism. To fix this we will expose whether or not a request is dry-run to webhooks through AdmissionReview, and require that all called webhooks understand the field by checking if DryRunnable true is specified in the webhook config. This will be done in a separate PR because it requires an api-change |
||
|---|---|---|
| .github | ||
| api | ||
| build | ||
| cluster | ||
| cmd | ||
| docs | ||
| Godeps | ||
| hack | ||
| logo | ||
| pkg | ||
| plugin | ||
| staging | ||
| test | ||
| third_party | ||
| translations | ||
| vendor | ||
| .bazelrc | ||
| .generated_files | ||
| .gitattributes | ||
| .gitignore | ||
| .kazelcfg.json | ||
| BUILD.bazel | ||
| CHANGELOG-1.2.md | ||
| CHANGELOG-1.3.md | ||
| CHANGELOG-1.4.md | ||
| CHANGELOG-1.5.md | ||
| CHANGELOG-1.6.md | ||
| CHANGELOG-1.7.md | ||
| CHANGELOG-1.8.md | ||
| CHANGELOG-1.9.md | ||
| CHANGELOG-1.10.md | ||
| CHANGELOG-1.11.md | ||
| CHANGELOG-1.12.md | ||
| CHANGELOG.md | ||
| code-of-conduct.md | ||
| CONTRIBUTING.md | ||
| LICENSE | ||
| Makefile | ||
| Makefile.generated_files | ||
| OWNERS | ||
| OWNERS_ALIASES | ||
| README.md | ||
| SECURITY_CONTACTS | ||
| SUPPORT.md | ||
| WORKSPACE | ||
Kubernetes
Kubernetes is an open source system for managing containerized applications across multiple hosts; providing basic mechanisms for deployment, maintenance, and scaling of applications.
Kubernetes builds upon a decade and a half of experience at Google running production workloads at scale using a system called Borg, combined with best-of-breed ideas and practices from the community.
Kubernetes is hosted by the Cloud Native Computing Foundation (CNCF). If you are a company that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details about who's involved and how Kubernetes plays a role, read the CNCF announcement.
To start using Kubernetes
See our documentation on kubernetes.io.
Try our interactive tutorial.
Take a free course on Scalable Microservices with Kubernetes.
To start developing Kubernetes
The community repository hosts all information about building Kubernetes from source, how to contribute code and documentation, who to contact about what, etc.
If you want to build Kubernetes right away there are two options:
You have a working Go environment.
$ go get -d k8s.io/kubernetes
$ cd $GOPATH/src/k8s.io/kubernetes
$ make
You have a working Docker environment.
$ git clone https://github.com/kubernetes/kubernetes
$ cd kubernetes
$ make quick-release
For the full story, head over to the developer's documentation.
Support
If you need support, start with the troubleshooting guide, and work your way through the process that we've outlined.
That said, if you have questions, reach out to us one way or another.