Fixed the incorrect links in kubespray/docs (#10159)
parent
3ced391fab
commit
a2f03c559a
|
@ -99,4 +99,4 @@ For the moment, only Cinder v3 is supported by the CSI Driver.
|
||||||
|
|
||||||
## More info
|
## More info
|
||||||
|
|
||||||
For further information about the Cinder CSI Driver, you can refer to this page: [Cloud Provider OpenStack](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-cinder-csi-plugin.md).
|
For further information about the Cinder CSI Driver, you can refer to this page: [Cloud Provider OpenStack](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md).
|
||||||
|
|
|
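Review bot: the replacement URL on the `For further information about the Cinder CSI Driver` line still goes through `blob/master`, and the old link broke precisely because the file moved on that branch (from `docs/` to `docs/cinder-csi-plugin/`). Consider pinning the link to a release tag or commit of cloud-provider-openstack so that a later reorganisation of that repository does not break it again.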
@ -1,6 +1,6 @@
|
||||||
# K8s DNS stack by Kubespray
|
# K8s DNS stack by Kubespray
|
||||||
|
|
||||||
For K8s cluster nodes, Kubespray configures a [Kubernetes DNS](https://kubernetes.io/docs/admin/dns/)
|
For K8s cluster nodes, Kubespray configures a [Kubernetes DNS](https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/)
|
||||||
[cluster add-on](https://releases.k8s.io/master/cluster/addons/README.md)
|
[cluster add-on](https://releases.k8s.io/master/cluster/addons/README.md)
|
||||||
to serve as an authoritative DNS server for a given ``dns_domain`` and its
|
to serve as an authoritative DNS server for a given ``dns_domain`` and its
|
||||||
``svc, default.svc`` default subdomains (a total of ``ndots: 5`` max levels).
|
``svc, default.svc`` default subdomains (a total of ``ndots: 5`` max levels).
|
||||||
|
|
|
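Review bot: the new target of the `[Kubernetes DNS]` link, `/docs/tasks/administer-cluster/dns-custom-nameservers/`, is the task page on customizing nameservers, while the sentence introduces the DNS add-on as the authoritative server for `dns_domain`. A concept page such as https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ matches the link text more closely. The `releases.k8s.io/master/cluster/addons/README.md` link on the following line is left unchanged in this hunk and is worth checking in the same pass.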
@ -118,7 +118,7 @@ Let's take a deep look to the resultant **kubernetes** configuration:
|
||||||
* The `enable-admission-plugins` has not the `PodSecurityPolicy` admission plugin. This because it is going to be definitely removed from **kubernetes** `v1.25`. For this reason we decided to set the newest `PodSecurity` (for more details, please take a look here: <https://kubernetes.io/docs/concepts/security/pod-security-admission/>). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work.
|
* The `enable-admission-plugins` has not the `PodSecurityPolicy` admission plugin. This because it is going to be definitely removed from **kubernetes** `v1.25`. For this reason we decided to set the newest `PodSecurity` (for more details, please take a look here: <https://kubernetes.io/docs/concepts/security/pod-security-admission/>). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work.
|
||||||
* The `encryption-provider-config` provide encryption at rest. This means that the `kube-apiserver` encrypt data that is going to be stored before they reach `etcd`. So the data is completely unreadable from `etcd` (in case an attacker is able to exploit this).
|
* The `encryption-provider-config` provide encryption at rest. This means that the `kube-apiserver` encrypt data that is going to be stored before they reach `etcd`. So the data is completely unreadable from `etcd` (in case an attacker is able to exploit this).
|
||||||
* The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself. By default the CSRs are approved automatically via [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). You can customize approval configuration by modifying Helm values via `kubelet_csr_approver_values`.
|
* The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself. By default the CSRs are approved automatically via [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). You can customize approval configuration by modifying Helm values via `kubelet_csr_approver_values`.
|
||||||
See <https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/> for more information on the subject.
|
See <https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/> for more information on the subject.
|
||||||
* If you are installing **kubernetes** in an AppArmor-based OS (eg. Debian/Ubuntu) you can enable the `AppArmor` feature gate uncommenting the lines with the comment `# AppArmor-based OS` on top.
|
* If you are installing **kubernetes** in an AppArmor-based OS (eg. Debian/Ubuntu) you can enable the `AppArmor` feature gate uncommenting the lines with the comment `# AppArmor-based OS` on top.
|
||||||
* The `kubelet_systemd_hardening`, both with `kubelet_secure_addresses` setup a minimal firewall on the system. To better understand how these variables work, here's an explanatory image:
|
* The `kubelet_systemd_hardening`, both with `kubelet_secure_addresses` setup a minimal firewall on the system. To better understand how these variables work, here's an explanatory image:
|
||||||
![kubelet hardening](img/kubelet-hardening.png)
|
![kubelet hardening](img/kubelet-hardening.png)
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
Distributed system such as Kubernetes are designed to be resilient to the
|
Distributed system such as Kubernetes are designed to be resilient to the
|
||||||
failures. More details about Kubernetes High-Availability (HA) may be found at
|
failures. More details about Kubernetes High-Availability (HA) may be found at
|
||||||
[Building High-Availability Clusters](https://kubernetes.io/docs/admin/high-availability/)
|
[Building High-Availability Clusters](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/)
|
||||||
|
|
||||||
To have a simple view the most of the parts of HA will be skipped to describe
|
To have a simple view the most of the parts of HA will be skipped to describe
|
||||||
Kubelet<->Controller Manager communication only.
|
Kubelet<->Controller Manager communication only.
|
||||||
|
|
|
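Review bot: the link text `Building High-Availability Clusters` no longer matches its target, because the new URL ends in `/tools/kubeadm/high-availability/` and so points at the kubeadm-specific guide. Either reword the link text to say it is the kubeadm HA guide, or note in the sentence that the reference is kubeadm-specific, so readers are not surprised by the narrower page.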
@ -120,7 +120,7 @@ following default cluster parameters:
|
||||||
alpha/experimental Kubeadm features. (defaults is `[]`)
|
alpha/experimental Kubeadm features. (defaults is `[]`)
|
||||||
|
|
||||||
* *authorization_modes* - A list of [authorization mode](
|
* *authorization_modes* - A list of [authorization mode](
|
||||||
https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module)
|
https://kubernetes.io/docs/reference/access-authn-authz/authorization/#using-flags-for-your-authorization-module)
|
||||||
that the cluster should be configured for. Defaults to `['Node', 'RBAC']`
|
that the cluster should be configured for. Defaults to `['Node', 'RBAC']`
|
||||||
(Node and RBAC authorizers).
|
(Node and RBAC authorizers).
|
||||||
Note: `Node` and `RBAC` are enabled by default. Previously deployed clusters can be
|
Note: `Node` and `RBAC` are enabled by default. Previously deployed clusters can be
|
||||||
|
|
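Review bot: the fragment `#using-flags-for-your-authorization-module` on the `authorization_modes` link is carried over unchanged from the old URL to the new `/docs/reference/access-authn-authz/authorization/` page. A status-code link check passes even if that heading was renamed, so please confirm that the anchor still exists on the new page, or drop the fragment.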