Kubernetes API Requirements

This document describes the requirements Yaook imposes on the Kubernetes API of a cluster. In contrast to Kubernetes Cluster Requirements, this document is focused on the Kubernetes API itself and discusses feature flags and version requirements. For requirements on the services offered inside the Kubernetes cluster, such as Ingress controllers, please see Kubernetes Cluster Requirements instead.

Kubernetes Versions

Yaook supports all Kubernetes versions between 1.19 and 1.22. Yaook is automatically tested with Kubernetes 1.21.

API Features

Pod security policies

Pod security policies are NOT supported. They MUST NOT be enabled in a cluster in order for Yaook to work.

NodeRestriction admission controller

The NodeRestriction admission controller SHOULD be enabled for all Yaook clusters and is REQUIRED for SecuStack clusters.

Yaook relies on the NodeRestriction admission controller in order to control the distribution of secrets.

Immutable Secrets and ConfigMaps

The ImmutableEphemeralVolumes feature gate MUST be enabled, as the operators make extensive use of immutable data.

It is enabled by default starting with Kubernetes 1.19.