update psp (#4977)

Yangmin Zhu 2019-09-18 08:40:38 -07:00 committed by Martin Taillefer
parent 12e19aa38c
commit 9dae69638c
1 changed files with 5 additions and 5 deletions


@ -86,16 +86,16 @@ $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..me
As you can see there is no secret file mounted at `/etc/certs` folder.
## Increasing security with pod security policies
## Securing SDS with pod security policies
The Istio Secret Discovery Service (SDS) uses the Citadel agent to distribute the certificate to the
Envoy sidecar via a Unix domain socket. All pods running in the same Kubernetes node share the Citadel
agent and Unix domain socket.
To prevent malicious modifications to the Unix domain socket, enable the [pod security policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
to restrict the pod's permission on the Unix domain socket. Otherwise, a malicious pod could hijack the
Unix domain socket to break the SDS service or steal the identity credentials from other pods running
on the same Kubernetes node.
To prevent unexpected modifications to the Unix domain socket, enable the [pod security policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
to restrict the pod's permission on the Unix domain socket. Otherwise, a malicious user who has the
permission to modify the deployment could hijack the Unix domain socket to break the SDS service or
steal the identity credentials from other pods running on the same Kubernetes node.
To enable the pod security policy, perform the following steps:
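Review bot: the rewritten paragraph still says the policy will "restrict the pod's permission on the Unix domain socket" without naming which permission is being restricted, so a reader cannot connect the threat (a user who can modify the deployment) to the mitigation; state the concrete restriction the steps below apply, for example "restrict which host paths a pod may mount so that the Citadel agent's Unix domain socket cannot be mounted by other pods". Since the new wording frames the attacker as someone who already has permission to modify the deployment, it is also worth adding one sentence that the pod security policy only helps if that user is not also authorized to use a more permissive policy (pod security policies are selected through RBAC), otherwise the paragraph promises protection the policy cannot deliver on its own.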