From 63b8e39c5c2933cdb3f4f315e7dbc52d12599050 Mon Sep 17 00:00:00 2001 From: kairen Date: Wed, 27 Sep 2017 11:01:11 +0800 Subject: [PATCH 1/4] Link to using kubeadm page --- docs/setup/pick-right-solution.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/setup/pick-right-solution.md b/docs/setup/pick-right-solution.md index 8a624c15236e6..01f17a1dd7dd8 100644 --- a/docs/setup/pick-right-solution.md +++ b/docs/setup/pick-right-solution.md @@ -17,7 +17,7 @@ When you are ready to scale up to more machines and higher availability, a [host [Turnkey cloud solutions](#turnkey-cloud-solutions) require only a few commands to create and cover a wide range of cloud providers. -If you already have a way to configure hosting resources, use [kubeadm](/docs/getting-started-guides/kubeadm/) to easily bring up a cluster with a single command per machine. +If you already have a way to configure hosting resources, use [kubeadm](/docs/setup/independent/create-cluster-kubeadm/) to easily bring up a cluster with a single command per machine. [Custom solutions](#custom-solutions) vary from step-by-step instructions to general advice for setting up a Kubernetes cluster from scratch. @@ -88,7 +88,7 @@ If you are interested in supporting Kubernetes on a new platform, see ## Universal If you already have a way to configure hosting resources, use -[kubeadm](/docs/getting-started-guides/kubeadm/) to easily bring up a cluster +[kubeadm](/docs/setup/independent/create-cluster-kubeadm/) to easily bring up a cluster with a single command per machine. ## Cloud From 267c026201aa4483b5511ff7ddc3137dfa9bf353 Mon Sep 17 00:00:00 2001 From: chenhuan Date: Wed, 27 Sep 2017 14:40:52 +0800 Subject: [PATCH 2/4] fix the command output fix the command output --- docs/concepts/cluster-administration/manage-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
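Review bot: both hunks in docs/setup/pick-right-solution.md retarget the same kubeadm link from /docs/getting-started-guides/kubeadm/ to /docs/setup/independent/create-cluster-kubeadm/, but the patch touches only this one file; before merging, check whether the old path is still referenced elsewhere in the tree and, if the old page is gone, whether a redirect for /docs/getting-started-guides/kubeadm/ exists so external bookmarks do not break.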
diff --git a/docs/concepts/cluster-administration/manage-deployment.md b/docs/concepts/cluster-administration/manage-deployment.md index c89990c04421b..90fd1ea559af9 100644 --- a/docs/concepts/cluster-administration/manage-deployment.md +++ b/docs/concepts/cluster-administration/manage-deployment.md @@ -82,7 +82,7 @@ Because `kubectl` outputs resource names in the same syntax it accepts, it's eas ```shell $ kubectl get $(kubectl create -f docs/user-guide/nginx/ -o name | grep service) NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE -my-nginx-svc 10.0.0.208 80/TCP 0s +my-nginx-svc 10.0.0.208 80/TCP 0s ``` With the above commands, we first create resources under docs/user-guide/nginx/ and print the resources created with `-o name` output format From ed94d7351a6742eb6a79ec35fc798402b1af6ae2 Mon Sep 17 00:00:00 2001 From: Matt Brown Date: Wed, 27 Sep 2017 11:52:38 -0400 Subject: [PATCH 3/4] fix typo in api/resources reference: "Worloads" --- docs/api-reference/v1.5/index.html | 2 +- docs/api-reference/v1.6/index.html | 2 +- docs/api-reference/v1.7/index.html | 2 +- docs/resources-reference/v1.5/index.html | 2 +- docs/resources-reference/v1.6/index.html | 2 +- docs/resources-reference/v1.7/index.html | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/api-reference/v1.5/index.html b/docs/api-reference/v1.5/index.html index de6a3b57dacce..b7365b0e7c95f 100644 --- a/docs/api-reference/v1.5/index.html +++ b/docs/api-reference/v1.5/index.html @@ -74,7 +74,7 @@

Additional Operations

Read / Write Status: Read or Update the Status for a resource object. The Status can only changed through these update operations.


WORKLOADS

-

Worloads resources are responsible for managing and running your containers on the cluster. Containers are created +

Workloads resources are responsible for managing and running your containers on the cluster. Containers are created by Controllers through Pods. Pods run Containers and provide environmental dependencies such as shared or persistent storage Volumes and Configuration or Secret data injected into the container.

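Review bot: the unchanged context line "Read / Write Status: Read or Update the Status for a resource object. The Status can only changed through these update operations." carries its own typo ("can only changed" should read "can only be changed"); since this patch already edits this exact section in six index.html files, fixing that in the same pass would be cheap. Also, if these api-reference and resources-reference index.html files are generated, the "Worloads" correction needs to land in the generator's source as well, otherwise the next regeneration reintroduces the typo.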
diff --git a/docs/api-reference/v1.6/index.html b/docs/api-reference/v1.6/index.html index 37d5d7f9c26af..aa9b0133a84cb 100644 --- a/docs/api-reference/v1.6/index.html +++ b/docs/api-reference/v1.6/index.html @@ -74,7 +74,7 @@

Additional Operations

Read / Write Status: Read or Update the Status for a resource object. The Status can only changed through these update operations.


WORKLOADS

-

Worloads resources are responsible for managing and running your containers on the cluster. Containers are created +

Workloads resources are responsible for managing and running your containers on the cluster. Containers are created by Controllers through Pods. Pods run Containers and provide environmental dependencies such as shared or persistent storage Volumes and Configuration or Secret data injected into the container.

diff --git a/docs/api-reference/v1.7/index.html b/docs/api-reference/v1.7/index.html index 575999d8cdf2d..32f37051b1e00 100644 --- a/docs/api-reference/v1.7/index.html +++ b/docs/api-reference/v1.7/index.html @@ -74,7 +74,7 @@

Additional Operations

Read / Write Status: Read or Update the Status for a resource object. The Status can only changed through these update operations.


WORKLOADS

-

Worloads resources are responsible for managing and running your containers on the cluster. Containers are created +

Workloads resources are responsible for managing and running your containers on the cluster. Containers are created by Controllers through Pods. Pods run Containers and provide environmental dependencies such as shared or persistent storage Volumes and Configuration or Secret data injected into the container.

diff --git a/docs/resources-reference/v1.5/index.html b/docs/resources-reference/v1.5/index.html index 186d452d46250..36a50de98e268 100644 --- a/docs/resources-reference/v1.5/index.html +++ b/docs/resources-reference/v1.5/index.html @@ -15,7 +15,7 @@
  • example

WORKLOADS

-

Worloads resources are responsible for managing and running your containers on the cluster. Containers are created +

Workloads resources are responsible for managing and running your containers on the cluster. Containers are created by Controllers through Pods. Pods run Containers and provide environmental dependencies such as shared or persistent storage Volumes and Configuration or Secret data injected into the container.

diff --git a/docs/resources-reference/v1.6/index.html b/docs/resources-reference/v1.6/index.html index 563418f892221..fa2c13c0c93e8 100644 --- a/docs/resources-reference/v1.6/index.html +++ b/docs/resources-reference/v1.6/index.html @@ -15,7 +15,7 @@
  • example

WORKLOADS

-

Worloads resources are responsible for managing and running your containers on the cluster. Containers are created +

Workloads resources are responsible for managing and running your containers on the cluster. Containers are created by Controllers through Pods. Pods run Containers and provide environmental dependencies such as shared or persistent storage Volumes and Configuration or Secret data injected into the container.

diff --git a/docs/resources-reference/v1.7/index.html b/docs/resources-reference/v1.7/index.html index da873a072418d..9b6e2306406d2 100644 --- a/docs/resources-reference/v1.7/index.html +++ b/docs/resources-reference/v1.7/index.html @@ -15,7 +15,7 @@
  • example

WORKLOADS

-

Worloads resources are responsible for managing and running your containers on the cluster. Containers are created +

Workloads resources are responsible for managing and running your containers on the cluster. Containers are created by Controllers through Pods. Pods run Containers and provide environmental dependencies such as shared or persistent storage Volumes and Configuration or Secret data injected into the container.

From 09b250e6393f25a521ae536033b1e390c3afccc8 Mon Sep 17 00:00:00 2001 From: Jacob Simpson Date: Tue, 26 Sep 2017 09:48:03 -0700 Subject: [PATCH 4/4] Add documentation for certificate rotation. --- _data/tasks.yml | 1 + docs/tasks/tls/certificate-rotation.md | 81 ++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 docs/tasks/tls/certificate-rotation.md diff --git a/_data/tasks.yml b/_data/tasks.yml index fce07a3f5dd6a..b880465dbbdb7 100644 --- a/_data/tasks.yml +++ b/_data/tasks.yml @@ -110,6 +110,7 @@ toc: - title: TLS section: - docs/tasks/tls/managing-tls-in-a-cluster.md + - docs/tasks/tls/certificate-rotation.md - title: Administer a Cluster section: diff --git a/docs/tasks/tls/certificate-rotation.md b/docs/tasks/tls/certificate-rotation.md new file mode 100644 index 0000000000000..63e54b910b9ac --- /dev/null +++ b/docs/tasks/tls/certificate-rotation.md 
@@ -0,0 +1,81 @@ +--- +approvers: +- jcbsmpsn +- mikedanese +title: Certificate Rotation +--- + +{% capture overview %} +This page shows how to enable and configure certificate rotation for the kubelet. +{% endcapture %} + +{% capture prerequisites %} + +* Kubernetes version 1.8.0 or later is required + +* Kubelet certificate rotation is beta in 1.8.0 which means it may change without notice. + +{% endcapture %} + +{% capture steps %} + +## Overview + +The kubelet uses certificates for authenticating to the Kubernetes API. By +default, these certificates are issued with one year expiration so that they do +not need to be renewed too frequently. + +Kubernetes 1.8 contains [kubelet certificate +rotation](/docs/tasks/administer-cluster/certificate-rotation/), a beta feature +that will automatically generate a new key and request a new certificate from +the Kubernetes API as the current certificate approaches expiration. Once the +new certificate is available, it will be used for authenticating connections to +the Kubernetes API. + +## Enabling client certificate rotation + +The `kubelet` process accepts an argument `--rotate-certificates` that controls +if the kubelet will automatically request a new certificate as the expiration of +the certificate currently in use approaches. Since certificate rotation is a +beta feature, the feature flag must also be enabled with +`--feature-gates=RotateKubeletClientCertificate=true`. + + +The `kube-controller-manager` process accepts an argument +`--experimental-cluster-signing-duration` that controls how long certificates +will be issued for. + +## Understanding the certificate rotation configuration + +When a kubelet starts up, if it is configured to bootstrap (using the +`--bootstrap-kubeconfig` flag), it will use its initial certificate to connect +to the Kubernetes API and issue a certificate signing request. 
You can view the +status of certificate signing requests using: + +```sh +kubectl get csr +``` + +Initially a certificate signing request from the kubelet on a node will have a +status of `Pending`. If the certificate signing requests meets specific +criteria, it will be auto approved by the controller manager, then it will have +a status of `Approved`. Next, the controller manager will sign a certificate, +issued for the duration specified by the +`--experimental-cluster-signing-duration` parameter, and the signed certificate +will be attached to the certificate signing requests. + +The kubelet will retrieve the signed certificate from the Kubernetes API and +write that to disk, in the location specified by `--cert-dir`. Then the kubelet +will use the new certificate to connect to the Kubernetes API. + +As the expiration of the signed certificate approaches, the kubelet will +automatically issue a new certificate signing request, using the Kubernetes +API. Again, the controller manager will automatically approve the certificate +request and attach a signed certificate to the certificate signing request. The +kubelet will retrieve the new signed certificate from the Kubernetes API and +write that to disk. Then it will update the connections it has to the +Kubernetes API to reconnect using the new certificate. + +{% endcapture %} + +{% include templates/task.md %}
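Review bot: the Overview links to `[kubelet certificate rotation](/docs/tasks/administer-cluster/certificate-rotation/)`, but the file this hunk creates is `docs/tasks/tls/certificate-rotation.md`, and the `_data/tasks.yml` hunk in the same patch files it under the TLS section; as written the new page links to a copy of itself at a path that does not exist. Change the target to `/docs/tasks/tls/certificate-rotation/`, or, if a separate administer-cluster page is intended, say so in the link text. Two grammar fixes in the "Understanding the certificate rotation configuration" section: "If the certificate signing requests meets specific criteria" should read "If the certificate signing request meets", and "will be attached to the certificate signing requests" should be singular. Finally, the text says a CSR "will be auto approved by the controller manager" if it "meets specific criteria" without naming those criteria, and describes `--experimental-cluster-signing-duration` without a value format or default; an operator reading this page needs to know what makes a kubelet CSR eligible for automatic approval (the controller manager is minting credentials here) and how the signing duration bounds the lifetime of an issued kubelet credential, so please name or link the approval criteria and give an example value for the duration flag, ideally in the same fenced style as the `kubectl get csr` snippet.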