Skip to content

Commit 5fe8c3c

Browse files
committed
move setup konnectivity svc
move api-access to extend-kubernetes
1 parent d4f302e commit 5fe8c3c

File tree

23 files changed

+82
-103
lines changed

23 files changed

+82
-103
lines changed

content/en/docs/concepts/architecture/control-plane-node-communication.md

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -31,9 +31,11 @@ The control plane components also communicate with the cluster apiserver over th
3131
As a result, the default operating mode for connections from the nodes and pods running on the nodes to the control plane is secured by default and can run over untrusted and/or public networks.
3232

3333
## Control Plane to node
34+
3435
There are two primary communication paths from the control plane (apiserver) to the nodes. The first is from the apiserver to the kubelet process which runs on each node in the cluster. The second is from the apiserver to any node, pod, or service through the apiserver's proxy functionality.
3536

3637
### apiserver to kubelet
38+
3739
The connections from the apiserver to the kubelet are used for:
3840

3941
* Fetching logs for pods.
@@ -61,9 +63,10 @@ This tunnel ensures that the traffic is not exposed outside of the network in wh
6163
SSH tunnels are currently deprecated so you shouldn't opt to use them unless you know what you are doing. The Konnectivity service is a replacement for this communication channel.
6264

6365
### Konnectivity service
66+
6467
{{< feature-state for_k8s_version="v1.18" state="beta" >}}
6568

66-
As a replacement to the SSH tunnels, the Konnectivity service provides TCP level proxy for the control plane to Cluster communication. The Konnectivity consists of two parts, the Konnectivity server and the Konnectivity agents, running in the control plane network and the nodes network respectively. The Konnectivity agents initiate connections to the Konnectivity server and maintain the connections.
67-
All control plane to nodes traffic then goes through these connections.
69+
As a replacement to the SSH tunnels, the Konnectivity service provides TCP level proxy for the control plane to cluster communication. The Konnectivity service consists of two parts: the Konnectivity server and the Konnectivity agents, running in the control plane network and the nodes network respectively. The Konnectivity agents initiate connections to the Konnectivity server and maintain the network connections.
70+
After enabling the Konnectivity service, all control plane to nodes traffic goes through these connections.
6871

69-
See [Konnectivity Service Setup](/docs/tasks/setup-konnectivity/) on how to set it up in your cluster.
72+
Follow the [Konnectivity service task](/docs/tasks/extend-kubernetes/setup-konnectivity/) to set up the Konnectivity service in your cluster.

content/en/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -39,9 +39,9 @@ to disable the timeout restriction. This deprecated feature gate will be removed
3939
## {{% heading "whatsnext" %}}
4040

4141

42-
* To get the aggregator working in your environment, [configure the aggregation layer](/docs/tasks/access-kubernetes-api/configure-aggregation-layer/).
43-
* Then, [setup an extension api-server](/docs/tasks/access-kubernetes-api/setup-extension-api-server/) to work with the aggregation layer.
44-
* Also, learn how to [extend the Kubernetes API using Custom Resource Definitions](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/).
42+
* To get the aggregator working in your environment, [configure the aggregation layer](/docs/tasks/extend-kubernetes/configure-aggregation-layer/).
43+
* Then, [setup an extension api-server](/docs/tasks/extend-kubernetes/setup-extension-api-server/) to work with the aggregation layer.
44+
* Also, learn how to [extend the Kubernetes API using Custom Resource Definitions](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/).
4545
* Read the specification for [APIService](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#apiservice-v1-apiregistration-k8s-io)
4646

4747

content/en/docs/concepts/extend-kubernetes/api-extension/custom-resources.md

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -128,7 +128,7 @@ Regardless of how they are installed, the new resources are referred to as Custo
128128

129129
## CustomResourceDefinitions
130130

131-
The [CustomResourceDefinition](/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/)
131+
The [CustomResourceDefinition](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)
132132
API resource allows you to define custom resources.
133133
Defining a CRD object creates a new custom resource with a name and schema that you specify.
134134
The Kubernetes API serves and handles the storage of your custom resource.
@@ -178,17 +178,17 @@ Aggregated APIs offer more advanced API features and customization of other feat
178178

179179
| Feature | Description | CRDs | Aggregated API |
180180
| ------- | ----------- | ---- | -------------- |
181-
| Validation | Help users prevent errors and allow you to evolve your API independently of your clients. These features are most useful when there are many clients who can't all update at the same time. | Yes. Most validation can be specified in the CRD using [OpenAPI v3.0 validation](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/#validation). Any other validations supported by addition of a [Validating Webhook](/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook-alpha-in-1-8-beta-in-1-9). | Yes, arbitrary validation checks |
182-
| Defaulting | See above | Yes, either via [OpenAPI v3.0 validation](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/#defaulting) `default` keyword (GA in 1.17), or via a [Mutating Webhook](/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook) (though this will not be run when reading from etcd for old objects). | Yes |
183-
| Multi-versioning | Allows serving the same object through two API versions. Can help ease API changes like renaming fields. Less important if you control your client versions. | [Yes](/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definition-versioning) | Yes |
181+
| Validation | Help users prevent errors and allow you to evolve your API independently of your clients. These features are most useful when there are many clients who can't all update at the same time. | Yes. Most validation can be specified in the CRD using [OpenAPI v3.0 validation](/docs/tasks/extend-kubernetes/extend-api-custom-resource-definitions/#validation). Any other validations supported by addition of a [Validating Webhook](/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook-alpha-in-1-8-beta-in-1-9). | Yes, arbitrary validation checks |
182+
| Defaulting | See above | Yes, either via [OpenAPI v3.0 validation](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#defaulting) `default` keyword (GA in 1.17), or via a [Mutating Webhook](/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook) (though this will not be run when reading from etcd for old objects). | Yes |
183+
| Multi-versioning | Allows serving the same object through two API versions. Can help ease API changes like renaming fields. Less important if you control your client versions. | [Yes](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning) | Yes |
184184
| Custom Storage | If you need storage with a different performance mode (for example, a time-series database instead of key-value store) or isolation for security (for example, encryption of sensitive information, etc.) | No | Yes |
185185
| Custom Business Logic | Perform arbitrary checks or actions when creating, reading, updating or deleting an object | Yes, using [Webhooks](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks). | Yes |
186-
| Scale Subresource | Allows systems like HorizontalPodAutoscaler and PodDisruptionBudget interact with your new resource | [Yes](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/#scale-subresource) | Yes |
187-
| Status Subresource | Allows fine-grained access control where user writes the spec section and the controller writes the status section. Allows incrementing object Generation on custom resource data mutation (requires separate spec and status sections in the resource) | [Yes](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/#status-subresource) | Yes |
186+
| Scale Subresource | Allows systems like HorizontalPodAutoscaler and PodDisruptionBudget interact with your new resource | [Yes](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource) | Yes |
187+
| Status Subresource | Allows fine-grained access control where user writes the spec section and the controller writes the status section. Allows incrementing object Generation on custom resource data mutation (requires separate spec and status sections in the resource) | [Yes](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#status-subresource) | Yes |
188188
| Other Subresources | Add operations other than CRUD, such as "logs" or "exec". | No | Yes |
189189
| strategic-merge-patch | The new endpoints support PATCH with `Content-Type: application/strategic-merge-patch+json`. Useful for updating objects that may be modified both locally, and by the server. For more information, see ["Update API Objects in Place Using kubectl patch"](/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/) | No | Yes |
190190
| Protocol Buffers | The new resource supports clients that want to use Protocol Buffers | No | Yes |
191-
| OpenAPI Schema | Is there an OpenAPI (swagger) schema for the types that can be dynamically fetched from the server? Is the user protected from misspelling field names by ensuring only allowed fields are set? Are types enforced (in other words, don't put an `int` in a `string` field?) | Yes, based on the [OpenAPI v3.0 validation](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/#validation) schema (GA in 1.16). | Yes |
191+
| OpenAPI Schema | Is there an OpenAPI (swagger) schema for the types that can be dynamically fetched from the server? Is the user protected from misspelling field names by ensuring only allowed fields are set? Are types enforced (in other words, don't put an `int` in a `string` field?) | Yes, based on the [OpenAPI v3.0 validation](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation) schema (GA in 1.16). | Yes |
192192

193193
### Common Features
194194

@@ -253,6 +253,6 @@ When you add a custom resource, you can access it using:
253253

254254
* Learn how to [Extend the Kubernetes API with the aggregation layer](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/).
255255

256-
* Learn how to [Extend the Kubernetes API with CustomResourceDefinition](/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/).
256+
* Learn how to [Extend the Kubernetes API with CustomResourceDefinition](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/).
257257

258258

content/en/docs/concepts/overview/kubernetes-api.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -136,10 +136,10 @@ There are several API groups in a cluster:
136136

137137
There are two paths to extending the API with [custom resources](/docs/concepts/api-extension/custom-resources/):
138138

139-
1. [CustomResourceDefinition](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/)
139+
1. [CustomResourceDefinition](/docs/tasks/extend-kubernetes/custom-resource-definitions/)
140140
lets you declaratively define how the API server should provide your chosen resource API.
141-
1. You can also [implement your own extension API server](/docs/tasks/access-kubernetes-api/setup-extension-api-server/)
142-
and use the [aggregator](/docs/tasks/access-kubernetes-api/configure-aggregation-layer/)
141+
1. You can also [implement your own extension API server](/docs/tasks/extend-kubernetes/setup-extension-api-server/)
142+
and use the [aggregator](/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
143143
to make it seamless for clients.
144144

145145
## Enabling or disabling API groups

content/en/docs/contribute/style/write-new-topic.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -37,12 +37,12 @@ consistency among topics of a given type.
3737
Choose a title that has the keywords you want search engines to find.
3838
Create a filename that uses the words in your title separated by hyphens.
3939
For example, the topic with title
40-
[Using an HTTP Proxy to Access the Kubernetes API](/docs/tasks/access-kubernetes-api/http-proxy-access-api/)
40+
[Using an HTTP Proxy to Access the Kubernetes API](/docs/tasks/extend-kubernetes/http-proxy-access-api/)
4141
has filename `http-proxy-access-api.md`. You don't need to put
4242
"kubernetes" in the filename, because "kubernetes" is already in the
4343
URL for the topic, for example:
4444

45-
/docs/tasks/access-kubernetes-api/http-proxy-access-api/
45+
/docs/tasks/extend-kubernetes/http-proxy-access-api/
4646

4747
## Adding the topic title to the front matter
4848

content/en/docs/reference/glossary/aggregation-layer.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,6 @@ tags:
1414
---
1515
The aggregation layer lets you install additional Kubernetes-style APIs in your cluster.
1616

17-
<!--more-->
17+
<!--more-->
1818

19-
When you've configured the {{< glossary_tooltip text="Kubernetes API Server" term_id="kube-apiserver" >}} to [support additional APIs](/docs/tasks/access-kubernetes-api/configure-aggregation-layer/), you can add `APIService` objects to "claim" a URL path in the Kubernetes API.
19+
When you've configured the {{< glossary_tooltip text="Kubernetes API Server" term_id="kube-apiserver" >}} to [support additional APIs](/docs/tasks/extend-kubernetes/configure-aggregation-layer/), you can add `APIService` objects to "claim" a URL path in the Kubernetes API.

content/en/docs/reference/glossary/customresourcedefinition.md

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: CustomResourceDefinition
33
id: CustomResourceDefinition
44
date: 2018-04-12
5-
full_link: /docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/
5+
full_link: /docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/
66
short_description: >
77
Custom code that defines a resource to add to your Kubernetes API server without building a complete custom server.
88
@@ -14,7 +14,6 @@ tags:
1414
---
1515
Custom code that defines a resource to add to your Kubernetes API server without building a complete custom server.
1616

17-
<!--more-->
18-
19-
Custom Resource Definitions let you extend the Kubernetes API for your environment if the publicly supported API resources can't meet your needs.
17+
<!--more-->
2018

19+
Custom Resource Definitions let you extend the Kubernetes API for your environment if the publicly supported API resources can't meet your needs.

content/en/docs/reference/using-api/api-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -86,7 +86,7 @@ Currently, there are several API groups in use:
8686

8787
The two paths that support extending the API with [custom resources](/docs/concepts/api-extension/custom-resources/) are:
8888

89-
- [CustomResourceDefinition](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/)
89+
- [CustomResourceDefinition](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)
9090
for basic CRUD needs.
9191
- [aggregator](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/aggregated-api-servers.md) for a full set of Kubernetes API semantics to implement their own apiserver.
9292

content/en/docs/setup/best-practices/certificates.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,7 @@ Kubernetes requires PKI for the following operations:
3131
* Client and server certificates for the [front-proxy][proxy]
3232

3333
{{< note >}}
34-
`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/access-kubernetes-api/setup-extension-api-server/).
34+
`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/extend-kubernetes/setup-extension-api-server/).
3535
{{< /note >}}
3636

3737
etcd also implements mutual TLS to authenticate clients and peers.
@@ -162,6 +162,6 @@ These files are used as follows:
162162

163163
[usage]: https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage
164164
[kubeadm]: /docs/reference/setup-tools/kubeadm/kubeadm/
165-
[proxy]: /docs/tasks/access-kubernetes-api/configure-aggregation-layer/
165+
[proxy]: /docs/tasks/extend-kubernetes/configure-aggregation-layer/
166166

167167

content/en/docs/tasks/configure-pod-container/configure-gmsa.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ In Kubernetes, GMSA credential specs are configured at a Kubernetes cluster-wide
2020
You need to have a Kubernetes cluster and the `kubectl` command-line tool must be configured to communicate with your cluster. The cluster is expected to have Windows worker nodes. This section covers a set of initial steps required once for each cluster:
2121

2222
### Install the GMSACredentialSpec CRD
23-
A [CustomResourceDefinition](/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/)(CRD) for GMSA credential spec resources needs to be configured on the cluster to define the custom resource type `GMSACredentialSpec`. Download the GMSA CRD [YAML](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/gmsa-crd.yml) and save it as gmsa-crd.yaml.
23+
A [CustomResourceDefinition](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)(CRD) for GMSA credential spec resources needs to be configured on the cluster to define the custom resource type `GMSACredentialSpec`. Download the GMSA CRD [YAML](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/gmsa-crd.yml) and save it as gmsa-crd.yaml.
2424
Next, install the CRD with `kubectl apply -f gmsa-crd.yaml`
2525

2626
### Install webhooks to validate GMSA users

0 commit comments

Comments
 (0)