From 01b2e275805059b4a3389e3d6cf98759a4bf41a4 Mon Sep 17 00:00:00 2001 From: WanLinghao Date: Wed, 28 Feb 2018 03:15:46 +0800 Subject: [PATCH] fix missing privileged description (#7515) modified: docs/concepts/policy/pod-security-policy.md --- docs/concepts/policy/pod-security-policy.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/concepts/policy/pod-security-policy.md b/docs/concepts/policy/pod-security-policy.md index 24d7c7dd6e..3bd22cf3d1 100644 --- a/docs/concepts/policy/pod-security-policy.md +++ b/docs/concepts/policy/pod-security-policy.md @@ -23,7 +23,7 @@ administrator to control the following: | Control Aspect | Field Names | | ----------------------------------------------------| ------------------------------------------- | -| Running of privileged containers | `privileged` | +| Running of privileged containers | [`privileged`](#privileged) | | Usage of the root namespaces | [`hostPID`, `hostIPC`](#host-namespaces) | | Usage of host networking and ports | [`hostNetwork`, `hostPorts`](#host-namespaces) | | Usage of volume types | [`volumes`](#volumes-and-file-systems) | @@ -354,6 +354,15 @@ several security mechanisms. ## Policy Reference +### Privileged + +**Privileged** - determines if any container in a pod can enable privileged mode. +By default a container is not allowed to access any devices on the host, but a +"privileged" container is given access to all devices on the host. This allows +the container nearly all the same access as processes running on the host. +This is useful for containers that want to use linux capabilities like +manipulating the network stack and accessing devices. + ### Host namespaces **HostPID** - Controls whether the pod containers can share the host process ID
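Review bot: the new link target `#privileged` in the `Running of privileged containers` row (first hunk, around line 23) only resolves if the `### Privileged` heading added in the second hunk renders with that exact id; every other linked row in this table (`#host-namespaces`, `#volumes-and-file-systems`) points at a section that already exists, so please confirm the generated slug matches and that both hunks land together, otherwise the table gains a dead anchor.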
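Review bot: the closing sentence of the new Privileged section ("useful for containers that want to use linux capabilities like manipulating the network stack and accessing devices") conflates privileged mode with granting individual Linux capabilities, which the policy governs through separate fields; suggest rewording it to say that privileged mode hands the container essentially the same access as host processes (all host devices, as the paragraph already states), so a workload that needs only specific capabilities should request those rather than privileged mode. Two smaller points: capitalize "Linux", and describe what the policy field itself does, in the same form as the neighbouring `HostPID` entry ("Controls whether ..."), i.e. whether `privileged: false` rejects any pod whose container sets `securityContext.privileged: true`, and what the field defaults to when omitted.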