Get Started

Ready to get your hands dirty? Build a simple Kubernetes cluster that runs "Hello World" for Node.js.

Documentation

Learn how to use Kubernetes with the use of walkthroughs, samples, and reference documentation. You can even help contribute to the docs!

Community

If you need help, you can connect with other Kubernetes users and the Kubernetes authors, attend community events, and watch video presentations from around the web.

Blog

Read the latest news for Kubernetes and the containers space in general, and get technical how-tos hot off the presses.

Interested in hacking on the core Kubernetes code base?

View On Github

Explore the community

Reference Documentation

Design docs, concept definitions, and references for APIs and CLIs.

Documentation for Kubernetes v1.8 is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Standardized Glossary

Using the API

Kubernetes API Overview

Client Libraries

Accessing the API

Controlling Access to the Kubernetes API

Authenticating

Authenticating with Bootstrap Tokens

Using Admission Controllers

Dynamic Admission Control

Managing Service Accounts

Authorization

Overview

ABAC Mode

Using RBAC Authorization

Using Node Authorization

Webhook Mode

Kubernetes Deprecation Policy

Workloads API changes in versions 1.8 and 1.9

API Reference

v1.8

Well-Known Labels, Annotations and Taints

OpenAPI and Swagger

Federation API

extensions/v1beta1 Operations

extensions/v1beta1 Model Definitions

kubectl CLI

Overview of kubectl

kubectl

kubectl Commands

kubectl for Docker Users

kubectl Usage Conventions

JSONPath Support

kubectl Cheat Sheet

Setup Tools Reference

Kubefed

Command-line Tools Reference

kubelet

Kubelet authentication/authorization

kube-apiserver

kube-controller-manager

kube-proxy

kube-scheduler

TLS bootstrapping

cloud-controller-manager

federation-apiserver

federation-controller-manager

Kubernetes Design Docs

Kubernetes Architecture

Kubernetes Design Overview

Kubernetes Identity and Access Management

Kubernetes OpenVSwitch GRE/VxLAN networking

Security Contexts

Security in Kubernetes

Kubernetes Issues and Security

Kubernetes Issue Tracker on GitHub

Kubernetes Security and Disclosure Information

Edit This Page

Standardized Glossary

This glossary is intended to be a comprehensive, standardized list of Kubernetes terminology. It includes technical terms that are specific to K8s, as well as more general terms that provide useful context.

Filter terms according to their tags:

Click on the [+] indicators below to get a longer explanation for any particular term.

AnnotationLINK

A key-value pair that is used to attach arbitrary non-identifying metadata to objects.
[+]

The metadata in an annotation can be small or large, structured or unstructured, and can include characters not permitted by labels. Clients such as tools and libraries can retrieve this metadata.
Application ArchitectLINK

A person responsible for the high-level design of an application.
[+]

An architect ensures that an app’s implementation allows it to interact with its surrounding components in a scalable, maintainable way. Surrounding components include databases, logging infrastructure, and other microservices.
Application DeveloperLINK

A person who writes an application that runs in a Kubernetes cluster.
[+]

An application developer focuses on one part of an application. The scale of their focus may vary significantly in size.
ApproverLINK

A person who can review and approve Kubernetes code contributions.
[+]

While code review is focused on code quality and correctness, approval is focused on the holistic acceptance of a contribution. Holistic acceptance includes backwards/forwards compatibility, adhering to API and flag conventions, subtle performance and correctness issues, interactions with other parts of the system, and others. Approver status is scoped to a part of the codebase.
CLA (Contributor License Agreement)LINK

Terms under which a contributorSomeone who donates code, documentation, or their time to help the Kubernetes project or community. grants a license to an open source project for their contributions.
[+]

CLAs help resolve legal disputes involving contributed material and intellectual property (IP).
ClusterLINK

A set of machines, called nodes, that run containerized applications managed by Kubernetes.
[+]

A cluster has several worker nodes and at least one master node.
Cluster ArchitectLINK

A person who designs infrastructure that involves one or more Kubernetes clusters.
[+]

Cluster architects are concerned with best practices for distributed systems, for example: high availability and security.
Cluster OperatorLINK
Also known as: Cluster Administrator

A person who configures, controls, and monitors clusters.
[+]

Their primary responsibility is keeping a cluster up and running, which may involve periodic maintenance activities or upgrades.

NOTE: Cluster operators are different from the Operator pattern that extends the Kubernetes API.
Code ContributorLINK
Also known as: Community Developer

A person who develops and contributes code to the Kubernetes open source codebase.
[+]

They are also an active community memberA continuously active contributor in the K8s community. who participates in one or more Special Interest Groups (SIGs)Community members who collectively manage an ongoing piece or aspect of the larger Kubernetes open source project..
ConfigMapLINK

An API object used to store non-confidential data in key-value pairs. Can be consumed as environment variables, command-line arguments, or config files in a volumeA directory containing data, accessible to the containers in a pod..
[+]

Allows you to decouple environment-specific configuration from your container imagesA lightweight and portable executable image that contains software and all of its dependencies., so that your applications are easily portable. When storing confidential data use a Secret.
ContainerLINK

A lightweight and portable executable image that contains software and all of its dependencies.
[+]

Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling.
ContributorLINK

Someone who donates code, documentation, or their time to help the Kubernetes project or community.
[+]

Contributions include pull requests (PRs), issues, feedback, special interest groups (SIG)Community members who collectively manage an ongoing piece or aspect of the larger Kubernetes open source project. participation, or organizing community events.
CronJobLINK

Manages a Job that runs on a periodic schedule.
[+]

Similar to a line in a crontab file, a Cronjob object specifies a schedule using the Cron format.
DaemonSetLINK

Ensures a copy of a PodThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster. is running across a set of nodes in a ClusterA set of machines, called nodes, that run containerized applications managed by Kubernetes..
[+]

Used to deploy system daemons such as log collectors and monitoring agents that typically must run on every NodeA node is a worker machine in Kubernetes..
DeploymentLINK

An API object that manages a replicated application.
[+]

Each replica is represented by a PodThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster., and the Pods are distributed among the nodes of a cluster.
Developer (disambiguation)LINK
Also known as: Kubernetes Developer

May refer to: Application DeveloperA person who writes an application that runs in a Kubernetes cluster., Code ContributorA person who develops and contributes code to the Kubernetes open source codebase., or Platform DeveloperA person who customizes the Kubernetes platform to fit the needs of their project..
[+]

This overloaded term may have different meanings depending on the context
Downstream (disambiguation)LINK

May refer to: code in the Kubernetes ecosystem that depends upon the core Kubernetes codebase or a forked repo.
[+]
- In the Kubernetes Community: Conversations often use downstream to mean the ecosystem, code, or third-party tools that rely on the core Kubernetes codebase. For example, a new feature in Kubernetes may be adopted by applications downstream to improve their functionality.
- In GitHub or git: The convention is to refer to a forked repo as downstream, whereas the source repo is considered upstream.
Helm ChartLINK

A package of pre-configured Kubernetes resources that can be managed with the Helm tool.
[+]

Charts provide a reproducible way of creating and sharing Kubernetes applications. A single chart can be used to deploy something simple, like a memcached Pod, or something complex, like a full web app stack with HTTP servers, databases, caches, and so on.
Horizontal Pod AutoscalerLINK
Also known as: HPA

An API resource that automatically scales the number of pod replicas based on targeted CPU utilization or custom metric targets.
[+]

HPA is typically used with replication controllers, deployments or replica sets and cannot be applied to objects that cannot be scaled, for example DaemonSets.
ImageLINK

Stored instance of a container that holds a set of software needed to run an application.
[+]

A way of packaging software that allows it to be stored in a container registry, pulled to a local system, and run as an application. Meta data is included in the image that can indicate what executable to run, who built it, and other information.
IngressLINK
Also known as: Ingress controller

An API object that manages external access to the services in a cluster, typically HTTP.
[+]

Ingress can provide load balancing, SSL termination and name-based virtual hosting.
IstioLINK

An open platform (not Kubernetes-specific) that provides a uniform way to integrate microservices, manage traffic flow, enforce policies, and aggregate telemetry data.
[+]

Adding Istio does not require changing application code. It is a layer of infrastructure between a service and the network, which when combined with service deployments, is commonly referred to as a service mesh. Istio’s control plane abstracts away the underlying cluster management platform, which may be Kubernetes, Mesosphere, etc.
JobLINK

A finite or batch task that runs to completion.
[+]

Creates one or more PodThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster. objects and ensures that a specified number of them successfully terminate. As Pods successfully complete, the Job tracks the successful completions.
KopsLINK

A CLI tool that helps you create, destroy, upgrade and maintain production-grade, highly available, Kubernetes clusters. NOTE: Officially supports AWS only, with GCE and VMware vSphere in alpha.
[+]
kops provisions your cluster with:
- Fully automated installation
- DNS-based cluster identification
- Self-healing: everything runs in Auto-Scaling Groups
- Limited OS support (Debian preferred, Ubuntu 16.04 supported, early support for CentOS & RHEL)
- High availability (HA) support
- The ability to directly provision, or generate terraform manifests
You can also build your own cluster using KubeadmA tool for quickly installing Kubernetes and setting up a secure cluster. as a building block. kops builds on the kubeadm work.
KubeadmLINK

A tool for quickly installing Kubernetes and setting up a secure cluster.
[+]

You can use kubeadm to install both the control plane and the worker node components.
KubectlLINK

A command line tool for communicating with a Kubernetes APIThe application that serves Kubernetes functionality through a RESTful interface and stores the state of the cluster. server.
[+]

You can use kubectl to create, inspect, update, and delete Kubernetes objects.
KubeletLINK

An agent that runs on each node in the cluster. It makes sure that containers are running in a pod.
[+]

The kubelet takes a set of PodSpecs that are provided through various mechanisms and ensures that the containers described in those PodSpecs are running and healthy. The kubelet doesn’t manage containers which were not created by Kubernetes.
Kubernetes APILINK

The application that serves Kubernetes functionality through a RESTful interface and stores the state of the cluster.
[+]

Kubernetes resources and “records of intent” are all stored as API objects, and modified via RESTful calls to the API. The API allows configuration to be managed in a declarative way. Users can interact with the Kubernetes API directly, or via tools like kubectl. The core Kubernetes API is flexible and can also be extended to support custom resources.
LabelsLINK

Used to tag objects with identifying attributes that are meaningful and relevant to users.
[+]

Labels are key/value pairs that are attached to objects, such as pods. They can be used to organize and to select subsets of objects.
MaintainerLINK

A highly experienced contributorSomeone who donates code, documentation, or their time to help the Kubernetes project or community., active in multiple areas of Kubernetes, who has cross-area ownership and write access to a project’s GitHub repository.
[+]

Maintainers work holistically across the project to maintain its health and success and have made substantial contributions, both through code development and broader organizational efforts.
Managed ServiceLINK

A software offering maintained by a third-party provider.
[+]

Some examples of Managed Services are AWS EC2, Azure SQL Database, and GCP Pub/Sub, but they can be any software offering that can be used by an application. Service Catalog provides a way to list, provision, and bind with Managed Services offered by Service BrokersAn endpoint for a set of Managed Services offered and maintained by a third-party..
MemberLINK

A continuously active contributorSomeone who donates code, documentation, or their time to help the Kubernetes project or community. in the K8s community.
[+]

Members can have issues and PRs assigned to them and participate in special interest groups (SIGs)Community members who collectively manage an ongoing piece or aspect of the larger Kubernetes open source project. through GitHub teams. Pre-submit tests are automatically run for members’ PRs. A member is expected to remain an active contributor to the community.
MinikubeLINK

A tool for running Kubernetes locally.
[+]

Minikube runs a single-node cluster inside a VM on your computer.
NamespaceLINK

An abstraction used by Kubernetes to support virtual clusters on the same physical ClusterA set of machines, called nodes, that run containerized applications managed by Kubernetes..
[+]

Namespaces are used to organize objects in a cluster and provide a way to divide cluster resources. Names of resources need to be unique within a namespace, but not across namespaces.
Network PolicyLINK
Also known as: NetworkPolicy

A specification of how groups of Pods are allowed to communicate with each other and with other network endpoints.
[+]

Network Policies help you declaratively configure which Pods are allowed to connect to each other, which namespaces are allowed to communicate, and more specifically which port numbers to enforce each policy on. NetworkPolicy resources use labels to select Pods and define rules which specify what traffic is allowed to the selected Pods. Network Policies are implemented by a supported network plugin provided by a network provider. Be aware that creating a network resource without a controller to implement it will have no effect.
NodeLINK
Also known as: Minion

A node is a worker machine in Kubernetes.
[+]

A worker machine may be a VM or physical machine, depending on the cluster. It has the ServicesAn API object that describes how to access applications, such as a set of Pods, and can describe ports and load-balancers. necessary to run PodsThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster. and is managed by the master components. The ServicesAn API object that describes how to access applications, such as a set of Pods, and can describe ports and load-balancers. on a node include Docker, kubelet and kube-proxy.
Platform DeveloperLINK
Also known as: Kubernetes Developer, Extension Developer

A person who customizes the Kubernetes platform to fit the needs of their project.
[+]

A platform developer may, for example, use Custom Resources or Extend the Kubernetes API with the aggregation layer to add functionality to their instance of Kubernetes, specifically for their application. Some Platform Developers are also contributorsSomeone who donates code, documentation, or their time to help the Kubernetes project or community. and develop extensions which are contributed to the Kubernetes community. Others develop closed-source commercial or site-specific extensions.
PodLINK

The smallest and simplest Kubernetes object. A Pod represents a set of running containersA lightweight and portable executable image that contains software and all of its dependencies. on your cluster.
[+]

A Pod is typically set up to run a single primary container. It can also run optional sidecar containers that add supplementary features like logging. Pods are commonly managed by a DeploymentAn API object that manages a replicated application..
Pod Security PolicyLINK

Enables fine-grained authorization of PodThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster. creation and updates.
[+]

A cluster-level resource that controls security sensitive aspects of the Pod specification. The PodSecurityPolicy objects define a set of conditions that a Pod must run with in order to be accepted into the system, as well as defaults for the related fields. Pod Security Policy control is implemented as an optional admission controller.
RBAC (Role-Based Access Control)LINK

Manages authorization decisions, allowing admins to dynamically configure access policies through the Kubernetes APIThe application that serves Kubernetes functionality through a RESTful interface and stores the state of the cluster..
[+]

RBAC utilizes roles, which contain permission rules, and role bindings, which grant the permissions defined in a role to a set of users.
ReplicaSetLINK

ReplicaSet is the next-generation Replication Controller.
[+]

ReplicaSet, like ReplicationController, ensures that a specified number of pods replicas are running at one time. ReplicaSet supports the new set-based selector requirements as described in the labels user guide, whereas a Replication Controller only supports equality-based selector requirements.
Replication ControllerLINK

Kubernetes service that ensures a specific number of instances of a pod are always running.
[+]

Will automatically add or remove running instances of a pod, based on a set value for that pod. Allows the pod to return to the defined number of instances if pods are deleted or if too many are started by mistake.
Resource QuotasLINK

Provides constraints that limit aggregate resource consumption per NamespaceAn abstraction used by Kubernetes to support virtual clusters on the same physical {% glossary_tooltip term_id=”cluster” %}..
[+]

Limits the quantity of objects that can be created in a namespace by type, as well as the total amount of compute resources that may be consumed by resources in that project.
ReviewerLINK

A person who reviews code for quality and correctness on some part of the project.
[+]

Reviewers are knowledgeable about both the codebase and software engineering principles. Reviewer status is scoped to a part of the codebase.
SIG (special interest group)LINK

Community membersA continuously active contributor in the K8s community. who collectively manage an ongoing piece or aspect of the larger Kubernetes open source project.
[+]

Members within a SIG have a shared interest in advancing a specific area, such as architecture, API machinery, or documentation. SIGs must follow the SIG Governance guidelines but can have their own contribution policy and channels of communication.

For more information, see the kubernetes/community repo and the current list of SIGs and Working Groups.
SecretLINK

Stores sensitive information, such as passwords, OAuth tokens, and ssh keys.
[+]

Allows for more control over how sensitive information is used and reduces the risk of accidental exposure, including encryption at rest. A PodThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster. references the secret as a file in a volume mount or by the kubelet pulling images for a pod. Secrets are great for confidential data and ConfigMaps for non-confidential data.
Security ContextLINK

The securityContext field defines privilege and access control settings for a Pod or Container, including the runtime UID and GID.
[+]

The securityContext field in a PodThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster. (applying to all containers) or container is used to set the user (runAsUser) and group (fsGroup), capabilities, privilege settings, and security policies (SELinux/AppArmor/Seccomp) that container processes use.
ServiceLINK

An API object that describes how to access applications, such as a set of PodsThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster., and can describe ports and load-balancers.
[+]

The access point can be internal or external to the cluster.
Service AccountLINK

Provides an identity for processes that run in a Pod PodsThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster..
[+]

When processes inside Pods access the cluster, they are authenticated by the API server as a particular service account, for example, default. When you create a Pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace NamespaceAn abstraction used by Kubernetes to support virtual clusters on the same physical {% glossary_tooltip term_id=”cluster” %}..
Service BrokerLINK

An endpoint for a set of Managed ServicesA software offering maintained by a third-party provider. offered and maintained by a third-party.
[+]

Service BrokersAn endpoint for a set of Managed Services offered and maintained by a third-party. implement the Open Service Broker API spec and provide a standard interface for applications to use their Managed Services. Service Catalog provides a way to list, provision, and bind with Managed Services offered by Service Brokers.
Service CatalogLINK

An extension API that enables applications running in Kubernetes clusters to easily use external managed software offerings, such as a datastore service offered by a cloud provider.
[+]

Service Catalog provides a way to list, provision, and bind with external Managed ServicesA software offering maintained by a third-party provider. from Service BrokersAn endpoint for a set of Managed Services offered and maintained by a third-party. without needing detailed knowledge about how those services are created or managed.
StatefulSetLINK
Also known as: PetSet

Manages the deployment and scaling of a set of PodsThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster., and provides guarantees about the ordering and uniqueness of these Pods.
[+]

Like a DeploymentAn API object that manages a replicated application., a StatefulSet manages Pods that are based on an identical container spec. Unlike a Deployment, a StatefulSet maintains a sticky identity for each of their Pods. These pods are created from the same spec, but are not interchangeable: each has a persistent identifier that it maintains across any rescheduling.

A StatefulSet operates under the same pattern as any other Controller. You define your desired state in a StatefulSet object, and the StatefulSet controller makes any necessary updates to get there from the current state.
Upstream (disambiguation)LINK

May refer to: core Kubernetes or the source repo from which a repo was forked.
[+]
- In the Kubernetes Community: Conversations often use upstream to mean the core Kubernetes codebase, which the general ecosystem, other code, or third-party tools relies upon. For example, community members may suggest that a feature is moved upstream so that it is in the core codebase instead of in a plugin or third-party tool.
- In GitHub or git: The convention is to refer to a source repo as upstream, whereas the forked repo is considered downstream.
VolumeLINK

A directory containing data, accessible to the containers in a podThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster..
[+]

A Kubernetes volume lives as long as the podThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster. that encloses it. Consequently, a volume outlives any containersA lightweight and portable executable image that contains software and all of its dependencies. that run within the podThe smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster., and data is preserved across containerA lightweight and portable executable image that contains software and all of its dependencies. restarts.
WG (working group)LINK

Facilitates the discussion and/or implementation of a short-lived, narrow, or decoupled project for a committee, SIGCommunity members who collectively manage an ongoing piece or aspect of the larger Kubernetes open source project., or cross-SIG effort.
[+]

Working groups are a way of organizing people to accomplish a discrete task, and are relatively easy to create and deprecate when inactive.

For more information, see the kubernetes/community repo and the current list of SIGs and working groups.

Create an Issue