feat: Create Advanced Pod Configuration page and restructure main Pod documentation #51519
Conversation
… Configuration Updated the Pods documentation to provide clearer examples of basic and advanced security context configurations. Added a new page for Advanced Pod Configuration covering priority classes, runtime classes, and node selection strategies, along with detailed YAML examples for each topic. This improves the clarity and usability of security settings in Kubernetes Pods.
…ate-pod-advance-config-page
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
size/L
|
Hello @lmktfy Kindly check this out on the pod restructuring issue |
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
lmktfy
left a comment
lmktfy
left a comment
There was a problem hiding this comment.
@Caesarsage thank you for working on this.
What you've done is a great first step, but it's not aligned enoug to our style guide for me to accept it as is.
Now, I've added a lot of suggestions. You don't have to accept any of them, but we do need the page we merge to mostly align with the style guide. All new pages should follow that style guide reasonably closely.
Would you be willing to revise this based on feedback?
| {{< /caution >}} | ||
| granular control over what a Pod or individual containers can do. | ||
|
|
||
| For basic security configuration, you can set simple security contexts: |
There was a problem hiding this comment.
I would specifically recommend meeting the Baseline Pod security standard + running as non-root.
| command: ["sh", "-c", "sleep 1h"] | ||
| ``` | ||
| For advanced security context configuration including capabilities, seccomp profiles, and detailed security options, see [Advanced Pod Configuration](/docs/concepts/workloads/pods/advanced-pod-config/#advanced-security-context-configuration). |
There was a problem hiding this comment.
Let's link to the security concepts section instead.
| object definition describes the object in detail. | ||
| * [The Distributed System Toolkit: Patterns for Composite Containers](/blog/2015/06/the-distributed-system-toolkit-patterns/) explains common layouts for Pods with more than one container. | ||
| * Read about [Pod topology spread constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/) | ||
| * Explore [Advanced Pod Configuration](/docs/concepts/workloads/pods/advanced-pod-config/) for priority classes, runtime classes, and detailed node selection strategies. |
There was a problem hiding this comment.
| * Explore [Advanced Pod Configuration](/docs/concepts/workloads/pods/advanced-pod-config/) for priority classes, runtime classes, and detailed node selection strategies. | |
| * Read [Advanced Pod Configuration](/docs/concepts/workloads/pods/advanced-pod-config/) to learn the topic in detail. | |
| That page covers aspects of Pod configuration beyond the essentials, including: | |
| * PriorityClasses | |
| * RuntimeClasses | |
| * advanced ways to configure _scheduling_: the way that Kubernetes decides which node a Pod should run on. |
| * Learn about the [lifecycle of a Pod](/docs/concepts/workloads/pods/pod-lifecycle/). | ||
| * Learn about [RuntimeClass](/docs/concepts/containers/runtime-class/) and how you can use it to | ||
| configure different Pods with different container runtime configurations. | ||
| * Read about [PodDisruptionBudget](/docs/concepts/workloads/pods/disruptions/) |
There was a problem hiding this comment.
I think we should mention this later in the list than the first mention of PriorityClass.
|
|
||
| <!-- body --> | ||
|
|
||
| ## Priority Classes |
There was a problem hiding this comment.
| ## Priority Classes | |
| ## PriorityClasses |
|
|
||
| Kubernetes provides several mechanisms to control which nodes your Pods are scheduled on. | ||
|
|
||
| ### Node Selectors |
| image: nginx | ||
| ``` | ||
|
|
||
| For more information, see [Runtime Class](/docs/concepts/containers/runtime-class/). |
There was a problem hiding this comment.
| For more information, see [Runtime Class](/docs/concepts/containers/runtime-class/). | |
| For more information, see the [RuntimeClass](/docs/concepts/containers/runtime-class/) documentation. |
|
|
||
| <!-- overview --> | ||
|
|
||
| This page covers advanced Pod configuration topics including priority classes, runtime classes, detailed security context configuration, and node selection strategies. |
There was a problem hiding this comment.
If you make the other changes I suggest, then this would work well:
This page covers advanced Pod configuration topics including [PriorityClasses]{#priorityclasses}, [RuntimeClasses]{#runtimeclasses},
[security context](#security-context) within Pods, and introduces aspects of [scheduling](/docs/concepts/scheduling-eviction/#scheduling).|
|
||
| ## Priority Classes | ||
|
|
||
| Priority classes allow you to set the importance of Pods relative to other Pods. When a Pod cannot be scheduled, the scheduler tries to preempt (evict) lower priority Pods to make scheduling of the higher priority Pod possible. |
There was a problem hiding this comment.
| Priority classes allow you to set the importance of Pods relative to other Pods. When a Pod cannot be scheduled, the scheduler tries to preempt (evict) lower priority Pods to make scheduling of the higher priority Pod possible. | |
| _PriorityClasses_ allow you to set the importance of Pods relative to other Pods. | |
| If you assign a priority class to a Pod, Kubernetes sets the `.spec.priority` field for that Pod | |
| based on the PriorityClass you specified (you cannot set `.spec.priority` directly). | |
| If or when a Pod cannot be scheduled, and the problem is due to a lack of resources, the {{< glossary_tooltip term_id="kube-scheduler" text="kube-scheduler" >}} | |
| tries to {{< glossary_tooltip text="preempt" term_id="preemption" >}} lower priority | |
| Pods, in order to make scheduling of the higher priority Pod possible. |
Thanks for the feedback. Yeah, i will revise base on the feedback and also take another look at the style guide @lmktfy |
…ng clarity on priority classes, runtime classes, and security contexts.
|
@lmktfy Thank you for your thorough reviews and detailed feedback. I have refined the pages based on your suggestions and aligned them with the Kubernetes style guide. |
lmktfy
left a comment
lmktfy
left a comment
There was a problem hiding this comment.
/lgtm
I have a few suggestions, but they are not so important that we need to wait for them to get fixed.
| * Read about [Pod Priority and Preemption](/docs/concepts/scheduling-eviction/pod-priority-preemption/) | ||
| * Read about [RuntimeClasses](/docs/concepts/containers/runtime-class/) | ||
| * Explore [Configure a Security Context for a Pod or Container](/docs/tasks/configure-pod-container/security-context/) | ||
| * [Assign Pods to Nodes](/docs/concepts/scheduling-eviction/assign-pod-node/) |
There was a problem hiding this comment.
| * [Assign Pods to Nodes](/docs/concepts/scheduling-eviction/assign-pod-node/) | |
| * Learn how Kubernetes [assigns Pods to Nodes](/docs/concepts/scheduling-eviction/assign-pod-node/) |
| command: ["sh", "-c", "sleep 1h"] | ||
| {{< /highlight >}} | ||
|
|
||
| ### Example Pod {#container-level-security-context} |
There was a problem hiding this comment.
| ### Example Pod {#container-level-security-context} | |
| ### Container-level security context {#container-level-security-context} | |
| You can specify the security context just for a specific container. | |
| Here's an example: | |
| #### Example Pod {#container-level-security-context-example} |
|
|
||
| The `Security context` field in the Pod specification provides granular control over security settings for Pods and containers. | ||
|
|
||
| ### Example Pod {#pod-level-security-context} |
There was a problem hiding this comment.
| ### Example Pod {#pod-level-security-context} | |
| ### Pod-wide `securityContext` {#pod-level-security-context} | |
| Some aspects of security apply to the whole Pod; for other aspects, | |
| you might want to set a default, without any container-level overrides. | |
| Here's an example of using `securityContext` at the Pod level: | |
| #### Example Pod {#pod-level-security-context-example} |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 26693177d96a623b7f35abcccaa36e3946c12ed7
|
|
/assign tengqm per #51519 (comment) |
| security context of the Pod spec. For details and instructions, see | ||
| [Create a Windows HostProcess Pod](/docs/tasks/configure-pod-container/create-hostprocess-pod/). | ||
| {{< /caution >}} | ||
| granular control over what a Pod or individual containers can do. |
There was a problem hiding this comment.
Since the PR removes the general overview of what general control can be done. Perhaps it's good to link to the new "advanced-pod-config" page. Something like the below suggestion
| granular control over what a Pod or individual containers can do. | |
| granular control over what a Pod or individual containers can do. See [Advanced Pod Configuration](/docs/concepts/workloads/pods/advanced-pod-config/) for more details. |
There was a problem hiding this comment.
Yeah, this is a Good suggestion @reylejano . Thanks.
k8s-ci-robot
removed
the
lgtm
|
New changes are detected. LGTM label has been removed. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
5 participants
This PR implements the feature request from issue #51423 to create a dedicated Advanced Pod Configuration page and restructure the main Pod documentation for better user experience.
Changes:
Creates /docs/concepts/workloads/pods/advanced-pod-config/ with comprehensive coverage of:
Simplifies main Pod page to focus on basic concepts
Adds cross-references between basic and advanced topics
Positions advanced page last in navigation (weight: 180)
Related Issues:
Addresses #51423: "Pod Restructuring: Create Advanced Pod Configuration page"
Supports broader Pod documentation restructuring effort (#38867)
Closes: #51423