Merge branch 'master' into release-1.9

Author: zacharysarah

_data/glossary/node.yaml

@@ -1,6 +1,6 @@
 id: node
 name: Node
-full-link: /docs/concepts/architecture/node
+full-link: /docs/concepts/architecture/nodes/
 aka:
 - Minion
 related:

_data/glossary/replica-set.yml

@@ -0,0 +1,13 @@
+id: replica-set
+name: ReplicaSet
+full-link: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+related:
+- replication-controller
+tags:
+- core-object
+- architecture
+short-description: >
+  ReplicaSet is the next-generation Replication Controller.
+long-description: >
+  ReplicaSet, like ReplicationController, ensures that a specified number of pods replicas are running at one time.
+  ReplicaSet supports the new set-based selector requirements as described in the labels user guide, whereas a Replication Controller only supports equality-based selector requirements.

_data/glossary/volume.yaml

@@ -1,6 +1,6 @@
 id: volume
 name: Volume
-full-link: kubernetes.io/docs/concepts/storage/volumes/
+full-link: /docs/concepts/storage/volumes/
 related:
 - pod
 - container

_data/tools.yml

@@ -6,7 +6,7 @@ toc:
 - title: Native Tools
   section:
   - title: Kubectl
-    path: /docs/user-guide/kubectl/
+    path: /docs/reference/kubectl/overview/
   - title: Kubeadm
     path: /docs/getting-started-guides/kubeadm
   - title: Kubefed

_redirects

@@ -140,8 +140,8 @@
 /docs/contribute/style-guide/     /docs/home/contribute/style-guide/ 301
 
 /docs/contribute/write-new-topic/        /docs/home/contribute/write-new-topic/ 301
-/docs/deprecate/     /ddocs/reference/deprecation-policy/ 301
-/docs/deprecated/     /ddocs/reference/deprecation-policy/ 301
+/docs/deprecate/     /docs/reference/deprecation-policy/ 301
+/docs/deprecated/     /docs/reference/deprecation-policy/ 301
 /docs/deprecation-policy/     /docs/reference/deprecation-policy/ 301
 
 /docs/federation/api-reference/     /docs/reference/federation/v1/operations/ 301
@@ -167,6 +167,7 @@
 /docs/getting-started-guides/juju/     /docs/getting-started-guides/ubuntu/installation/ 301
 /docs/getting-started-guides/kargo/     /docs/getting-started-guides/kubespray/ 301
 /docs/getting-started-guides/kubeadm/     /docs/setup/independent/create-cluster-kubeadm/ 301
+/docs/getting-started-guides/kubectl/     /docs/reference/kubectl/overview/ 301
 /docs/getting-started-guides/logging/     /docs/concepts/cluster-administration/logging/ 301
 /docs/getting-started-guides/logging-elasticsearch/     /docs/tasks/debug-application-cluster/logging-elasticsearch-kibana/ 301
 /docs/getting-started-guides/meanstack/     https://medium.com/google-cloud/running-a-mean-stack-on-google-cloud-platform-with-kubernetes-149ca81c2b5d/ 301
@@ -235,6 +236,7 @@
 /docs/tasks/configure-pod-container/downward-api-volume-expose-pod-information/     /docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/ 301
 /docs/tasks/configure-pod-container/environment-variable-expose-pod-information/     /docs/tasks/inject-data-application/environment-variable-expose-pod-information/ 301
 /docs/tasks/configure-pod-container/limit-range/     /docs/tasks/administer-cluster/cpu-memory-limit/ 301
+/docs/tasks/configure-pod-container/opaque-integer-resource/    /docs/concepts/configuration/manage-compute-resources-container/#opaque-integer-resources-alpha-feature 301
 /docs/tasks/configure-pod-container/projected-volume/     /docs/tasks/configure-pod-container/configure-projected-volume-storage/ 301
 /docs/tasks/configure-pod-container/romana-network-policy/     /docs/tasks/administer-cluster/romana-network-policy/ 301
 /docs/tasks/configure-pod-container/weave-network-policy/     /docs/tasks/administer-cluster/weave-network-policy/ 301
@@ -343,7 +345,7 @@
 /docs/user-guide/kubectl-conventions/     /docs/reference/kubectl/conventions/
 /docs/user-guide/kubectl-cheatsheet/     /docs/reference/kubectl/cheatsheet/  
 /docs/user-guide/kubectl/1_5/*     https://v1-5.docs.kubernetes.io/docs/user-guide/kubectl/v1.5/ 301
-/docs/user-guide/kubectl/kubectl_*/     /docs/user-guide/kubectl/v1.7/#:splat 301
+/docs/user-guide/kubectl/kubectl_*/     /docs/reference/generated/kubectl/kubectl-commands#:splat 301
 /docs/user-guide/kubectl/v1.5/node_modules/*     https://v1-5.docs.kubernetes.io/docs/user-guide/kubectl/v1.5/ 301
 /docs/user-guide/kubectl/v1.6/node_modules/*     https://v1-6.docs.kubernetes.io/docs/user-guide/kubectl/v1.6/ 301
 /docs/user-guide/labels/     /docs/concepts/overview/working-with-objects/labels/ 301
@@ -422,7 +424,7 @@
 /v1.1/docs/admin/networking.html     /docs/concepts/cluster-administration/networking/     301
 /v1.1/docs/getting-started-guides/     /docs/tutorials/kubernetes-basics/ 301
 
-https://kubernetes-io-v1-7.netlify.com/*    https://v1-7.docs.kubernetes.io/"splat 301
+https://kubernetes-io-v1-7.netlify.com/*    https://v1-7.docs.kubernetes.io/:splat 301
 
 /docs/admin/cloud-controller-manager/     /docs/reference/generated/cloud-controller-manager/ 301
 /docs/admin/kube-apiserver/     /docs/reference/generated/kube-apiserver/ 301

docs/admin/authentication.md

@@ -317,7 +317,7 @@ For an identity provider to work with Kubernetes it must:
 3.  Have a CA signed certificate (even if the CA is not a commercial CA or is self signed)
 
 A note about requirement #3 above, requiring a CA signed certificate.  If you deploy your own identity provider (as opposed to one of the cloud providers like Google or Microsoft) you MUST have your identity provider's web server certificate signed by a certificate with the `CA` flag set to `TRUE`, even if it is self signed.  This is due to GoLang's TLS client implementation being very strict to the standards around certificate validation.  If you don't have a CA handy, you can use [this script](https://github.com/coreos/dex/blob/1ee5920c54f5926d6468d2607c728b71cfe98092/examples/k8s/gencert.sh) from the CoreOS team to create a simple CA and a signed certificate and key pair.
-Or you can use [this similar script](https://raw.githubusercontent.com/TremoloSecurity/openunison-qs-kubernetes/master/makecerts.sh) that generates SHA256 certs with a longer life and larger key size.
+Or you can use [this similar script](https://raw.githubusercontent.com/TremoloSecurity/openunison-qs-kubernetes/master/src/main/bash/makessl.sh) that generates SHA256 certs with a longer life and larger key size.
 
 Setup instructions for specific systems:
 

docs/concepts/cluster-administration/device-plugins.md

@@ -48,7 +48,7 @@ to advertise 2 `vendor-domain/foo`.
 Then, developers can request devices in a
 [Container](/docs/api-reference/{{page.version}}/#container-v1-core)
 specification by using the same process that is used for
-[opaque integer resources](/docs/tasks/configure-pod-container/opaque-integer-resource/).
+[opaque integer resources](/docs/concepts/configuration/manage-compute-resources-container/#opaque-integer-resources-alpha-feature).
 In version 1.8, extended resources are supported only as integer resources and must have
 `limit` equal to `request` in the Container specification.
 

docs/concepts/configuration/assign-pod-node.md

@@ -316,7 +316,7 @@ Highly Available database statefulset has one master and three replicas, one may
 |:--------------------:|:-------------------:|:------------------:|:------------------:|
 | *DB-MASTER*          | *DB-REPLICA-1*      | *DB-REPLICA-2*     | *DB-REPLICA-3*     |
 
-[Here](https://kubernetes.io/docs/tutorials/stateful-application/zookeeper/#tolerating-node-failure) is an example of zookeper statefulset configured with anti-affinity for high availability.
+[Here](https://kubernetes.io/docs/tutorials/stateful-application/zookeeper/#tolerating-node-failure) is an example of Zookeeper statefulset configured with anti-affinity for high availability.
 
 For more information on inter-pod affinity/anti-affinity, see the design doc
 [here](https://git.k8s.io/community/contributors/design-proposals/scheduling/podaffinity.md).

docs/concepts/overview/extending.md

@@ -94,13 +94,13 @@ This diagram shows the extension points in a Kubernetes system.
 
 <!-- image source diagrams: https://docs.google.com/drawings/d/1k2YdJgNTtNfW7_A8moIIkij-DmVgEhNrn3y2OODwqQQ/view -->
 
-1.   Users often interact with the Kubernetes API using `kubectl`. [Kubectl plugins](docs/tasks/extend-kubectl/kubectl-plugins) extend the kubectl binary. They only affect the individual user's local environment, and so cannot enforce site-wide policies.
-2.   The apiserver handles all requests. Several types of extension points in the apiserver allow authenticating requests, or blocking them based on their content, editing content, and handling deletion. These are described in the [API Access Extensions](docs/concepts/overview/extending#api-access-extensions) section.
-3.   The apiserver serves various kinds of *resources*. *Built-in resource kinds*, like `pods`, are defined by the Kubernetes project and can't be changed. You can also add resources that you define, or that other projects have defined, called *Custom Resources*, as explained in the [Custom Resources](docs/concepts/overview/extending#custom-resources) section. Custom Resources are often used with API Access Extensions.
-4.   The Kubernetes scheduler decides which nodes to place pods on. There are several ways to extend scheduling. These are described in the [Scheduler Extensions](docs/concepts/overview/extending#shceduler-extensions) section.
+1.   Users often interact with the Kubernetes API using `kubectl`. [Kubectl plugins](/docs/tasks/extend-kubectl/kubectl-plugins/) extend the kubectl binary. They only affect the individual user's local environment, and so cannot enforce site-wide policies.
+2.   The apiserver handles all requests. Several types of extension points in the apiserver allow authenticating requests, or blocking them based on their content, editing content, and handling deletion. These are described in the [API Access Extensions](/docs/concepts/overview/extending#api-access-extensions) section.
+3.   The apiserver serves various kinds of *resources*. *Built-in resource kinds*, like `pods`, are defined by the Kubernetes project and can't be changed. You can also add resources that you define, or that other projects have defined, called *Custom Resources*, as explained in the [Custom Resources](/docs/concepts/overview/extending#custom-resources) section. Custom Resources are often used with API Access Extensions.
+4.   The Kubernetes scheduler decides which nodes to place pods on. There are several ways to extend scheduling. These are described in the [Scheduler Extensions](/docs/concepts/overview/extending#scheduler-extensions) section.
 5.   Much of the behavior of Kubernetes is implemented by programs called Controllers which are clients of the API-Server. Controllers are often used in conjunction with Custom Resources.
-6.   The kubelet runs on servers, and helps pods appear like virtual servers with their own IPs on the cluster network. [Network Plugins](docs/concepts/overview/extending#network-plugins) allow for different implementations of pod networking.
-7.  The kubelet also mounts and unmounts volumes for containers. New types of storage can be supported via [Storage Plugins](docs/concepts/overview/extending#storage-plugins).
+6.   The kubelet runs on servers, and helps pods appear like virtual servers with their own IPs on the cluster network. [Network Plugins](/docs/concepts/overview/extending#network-plugins) allow for different implementations of pod networking.
+7.  The kubelet also mounts and unmounts volumes for containers. New types of storage can be supported via [Storage Plugins](/docs/concepts/overview/extending#storage-plugins).
 
 If you are unsure where to start, this flowchart can help. Note that some solutions may involve several types of extensions.
 
@@ -116,7 +116,7 @@ Consider adding a Custom Resource to Kubernetes if you want to define new contro
 
 Do not use a Custom Resource as data storage for application, user, or monitoring data.
 
-For more about Custom Resources, see the [Custom Resources concept guide](/docs/concepts/api-extension/custom-resources.md).
+For more about Custom Resources, see the [Custom Resources concept guide](/docs/concepts/api-extension/custom-resources/).
 
 
 ### Combining New APIs with Automation
@@ -200,11 +200,11 @@ the nodes chosen for a pod.
 {% capture whatsnext %}
 
 * Learn more about [Custom Resources](/docs/concepts/api-extension/custom-resources/)
-* Learn about [Dynamic admission control](/docs/admin/extensible-admission-controller)
+* Learn about [Dynamic admission control](/docs/admin/extensible-admission-controllers/)
 * Learn more about Infrastructure extensions
-  * [Network Plugins](/docs/concepts/cluster-administration/network-plugin)
-  * [Device Plugins](/docs/concepts/cluster-administration/device-plugins.md)
-* Learn about [kubectl plugins](/docs/tasks/extend-kubectl/kubectl-plugin)
+  * [Network Plugins](/docs/concepts/cluster-administration/network-plugins/)
+  * [Device Plugins](/docs/concepts/cluster-administration/device-plugins/)
+* Learn about [kubectl plugins](/docs/tasks/extend-kubectl/kubectl-plugins/)
 * See examples of Automation
   * [List of Operators](https://github.com/coreos/awesome-kubernetes-extensions)
 

docs/concepts/policy/pod-security-policy.md

@@ -171,8 +171,86 @@ make sure `volumes` contains the `flexVolume` volume type, no flex volume driver
 otherwise. For example:
 
 ```yaml
-apiVersion: extensions/v1beta1
-kind: PodSecurityPolicy
+# Authorize all service accounts in a namespace:
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:serviceaccounts
+# Or equivalently, all authenticated users in a namespace:
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:authenticated
+```
+
+For more examples of RBAC bindings, see [Role Binding
+Examples](/docs/admin/authorization/rbac/#role-binding-examples). For a complete
+example of authorizing a PodSecurityPolicy, see
+[below](#example).
+
+
+### Troubleshooting
+
+- The [Controller Manager](/docs/admin/kube-controller-manager/) must be run
+against [the secured API port](/docs/admin/accessing-the-api/), and must not
+have superuser permissions. Otherwise requests would bypass authentication and
+authorization modules, all PodSecurityPolicy objects would be allowed, and users
+would be able to create privileged containers. For more details on configuring
+Controller Manager authorization, see [Controller
+Roles](/docs/admin/authorization/rbac/#controller-roles).
+
+## Policy Order
+
+In addition to restricting pod creation and update, pod security policies can
+also be used to provide default values for many of the fields that it
+controls. When multiple policies are available, the pod security policy
+controller selects policies in the following order:
+
+1. If any policies successfully validate the pod without altering it, they are
+   used.
+2. Otherwise, the first valid policy in alphabetical order is used.
+
+## Example
+
+_This example assumes you have a running cluster with the PodSecurityPolicy
+admission controller enabled and you have cluster admin privileges._
+
+### Set up
+
+Set up a namespace and a service account to act as for this example. We'll use
+this service account to mock a non-admin user.
+
+```shell
+$ kubectl create namespace psp-example
+$ kubectl create serviceaccount -n psp-example fake-user
+$ kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user
+```
+
+To make it clear which user we're acting as and save some typing, create 2
+aliases:
+
+```shell
+$ alias kubectl-admin='kubectl -n psp-example'
+$ alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'
+```
+
+### Create a policy and a pod
+
+Define the example PodSecurityPolicy object in a file. This is a policy that
+simply prevents the creation of privileged pods.
+
+{% include code.html language="yaml" file="example-psp.yaml" ghlink="/docs/concepts/policy/example-psp.yaml" %}
+
+And create it with kubectl:
+
+```shell
+$ kubectl-admin create -f example-psp.yaml
+```
+
+Now, as the unprivileged user, try to create a simple pod:
+
+```shell
+$ kubectl-user create -f- <<EOF
+apiVersion: v1
+kind: Pod
 metadata:
   name: allow-flex-volumes
 spec:

docs/tasks/administer-cluster/access-cluster-api.md

@@ -32,7 +32,7 @@ $ kubectl config view
 ```
 
 Many of the [examples](https://github.com/kubernetes/examples/tree/{{page.githubbranch}}/) provide an introduction to using
-kubectl. Complete documentation is found in the [kubectl manual](/docs/user-guide/kubectl/index).
+kubectl. Complete documentation is found in the [kubectl manual](/docs/reference/kubectl/overview/).
 
 ### Directly accessing the REST API