kubernetes
/
community
mirror of https://github.com/kubernetes/community.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update scc doc about the intent of psp

This commit is contained in:
xilabao 2016-12-05 16:41:26 +08:00
parent eb94ecf057
commit 0d55cef953
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
contributors/design-proposals/security-context-constraints.md
View File

@ -1,7 +1,8 @@
## Abstract
PodSecurityPolicy allows cluster administrators to control the creation and validation of a security
context for a pod and containers.
context for a pod and containers. The intent of PodSecurityPolicy is to protect the cluster from the
pod and containers, not to protect a pod or containers from a user.
## Motivation
@ -221,7 +222,9 @@ const (
As reusable objects in the root scope, PodSecurityPolicy follows the lifecycle of the
cluster itself. Maintenance of constraints such as adding, assigning, or changing them is the
responsibility of the cluster administrator.
responsibility of the cluster administrator. Deleting is not considered in PodSecurityPolicy,
It's important for controllers without the ability to use psps (like the namespace controller)
to be able to delete pods.
Creating a new user within a namespace should not require the cluster administrator to
define the user's PodSecurityPolicy. They should receive the default set of policies