Merge pull request #39103 from windsonsea/lvlpss

Fix indentations in cluster-level-pss.md
Kubernetes Prow Robot 2023-01-27 02:44:26 -08:00 committed by GitHub
commit 24cde2766a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 142 additions and 142 deletions


@ -41,56 +41,55 @@ that are most appropriate for your configuration, do the following:
1. Create a cluster with no Pod Security Standards applied: 1. Create a cluster with no Pod Security Standards applied:
```shell ```shell
kind create cluster --name psa-wo-cluster-pss --image kindest/node:v1.24.0 kind create cluster --name psa-wo-cluster-pss --image kindest/node:v1.24.0
``` ```
The output is similar to this: The output is similar to this:
``` ```
Creating cluster "psa-wo-cluster-pss" ... Creating cluster "psa-wo-cluster-pss" ...
✓ Ensuring node image (kindest/node:v1.24.0) 🖼 ✓ Ensuring node image (kindest/node:v1.24.0) 🖼
✓ Preparing nodes 📦 ✓ Preparing nodes 📦
✓ Writing configuration 📜 ✓ Writing configuration 📜
✓ Starting control-plane 🕹️ ✓ Starting control-plane 🕹️
✓ Installing CNI 🔌 ✓ Installing CNI 🔌
✓ Installing StorageClass 💾 ✓ Installing StorageClass 💾
Set kubectl context to "kind-psa-wo-cluster-pss" Set kubectl context to "kind-psa-wo-cluster-pss"
You can now use your cluster with: You can now use your cluster with:
kubectl cluster-info --context kind-psa-wo-cluster-pss kubectl cluster-info --context kind-psa-wo-cluster-pss
Thanks for using kind! 😊 Thanks for using kind! 😊
```
```
1. Set the kubectl context to the new cluster: 1. Set the kubectl context to the new cluster:
```shell ```shell
kubectl cluster-info --context kind-psa-wo-cluster-pss kubectl cluster-info --context kind-psa-wo-cluster-pss
``` ```
The output is similar to this: The output is similar to this:
``` ```
Kubernetes control plane is running at https://127.0.0.1:61350 Kubernetes control plane is running at https://127.0.0.1:61350
CoreDNS is running at https://127.0.0.1:61350/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy CoreDNS is running at https://127.0.0.1:61350/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
``` ```
1. Get a list of namespaces in the cluster: 1. Get a list of namespaces in the cluster:
```shell ```shell
kubectl get ns kubectl get ns
``` ```
The output is similar to this: The output is similar to this:
``` ```
NAME STATUS AGE NAME STATUS AGE
default Active 9m30s default Active 9m30s
kube-node-lease Active 9m32s kube-node-lease Active 9m32s
kube-public Active 9m32s kube-public Active 9m32s
kube-system Active 9m32s kube-system Active 9m32s
local-path-storage Active 9m26s local-path-storage Active 9m26s
``` ```
1. Use `--dry-run=server` to understand what happens when different Pod Security Standards 1. Use `--dry-run=server` to understand what happens when different Pod Security Standards
are applied: are applied:
@ -100,7 +99,7 @@ that are most appropriate for your configuration, do the following:
kubectl label --dry-run=server --overwrite ns --all \ kubectl label --dry-run=server --overwrite ns --all \
pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/enforce=privileged
``` ```
The output is similar to this: The output is similar to this:
``` ```
namespace/default labeled namespace/default labeled
namespace/kube-node-lease labeled namespace/kube-node-lease labeled
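Review bot: the `kubectl label --dry-run=server --overwrite ns --all` command in this step, and the output that follows it, show that `--all` selects every namespace, including kube-node-lease, kube-public and kube-system. The dry run is harmless, but a reader who copies the command and drops `--dry-run=server` will apply the enforce label to the system namespaces as well, which is exactly what the `exemptions: namespaces: [kube-system]` entry later in this file is meant to avoid. Suggest one sentence after the list of three dry-run variants saying that `--all` covers system namespaces and that the command is intended for `--dry-run=server` only, or narrowing the example to the `default` namespace.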
@ -113,7 +112,7 @@ that are most appropriate for your configuration, do the following:
kubectl label --dry-run=server --overwrite ns --all \ kubectl label --dry-run=server --overwrite ns --all \
pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/enforce=baseline
``` ```
The output is similar to this: The output is similar to this:
``` ```
namespace/default labeled namespace/default labeled
namespace/kube-node-lease labeled namespace/kube-node-lease labeled
@ -127,11 +126,11 @@ that are most appropriate for your configuration, do the following:
``` ```
3. Restricted 3. Restricted
```shell ```shell
kubectl label --dry-run=server --overwrite ns --all \ kubectl label --dry-run=server --overwrite ns --all \
pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/enforce=restricted
``` ```
The output is similar to this: The output is similar to this:
``` ```
namespace/default labeled namespace/default labeled
namespace/kube-node-lease labeled namespace/kube-node-lease labeled
@ -179,72 +178,72 @@ following:
1. Create a configuration file that can be consumed by the Pod Security 1. Create a configuration file that can be consumed by the Pod Security
Admission Controller to implement these Pod Security Standards: Admission Controller to implement these Pod Security Standards:
``` ```
mkdir -p /tmp/pss mkdir -p /tmp/pss
cat <<EOF > /tmp/pss/cluster-level-pss.yaml cat <<EOF > /tmp/pss/cluster-level-pss.yaml
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration kind: AdmissionConfiguration
plugins: plugins:
- name: PodSecurity - name: PodSecurity
configuration: configuration:
apiVersion: pod-security.admission.config.k8s.io/v1 apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration kind: PodSecurityConfiguration
defaults: defaults:
enforce: "baseline" enforce: "baseline"
enforce-version: "latest" enforce-version: "latest"
audit: "restricted" audit: "restricted"
audit-version: "latest" audit-version: "latest"
warn: "restricted" warn: "restricted"
warn-version: "latest" warn-version: "latest"
exemptions: exemptions:
usernames: [] usernames: []
runtimeClasses: [] runtimeClasses: []
namespaces: [kube-system] namespaces: [kube-system]
EOF EOF
``` ```
{{< note >}} {{< note >}}
`pod-security.admission.config.k8s.io/v1` configuration requires v1.25+. `pod-security.admission.config.k8s.io/v1` configuration requires v1.25+.
For v1.23 and v1.24, use [v1beta1](https://v1-24.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/). For v1.23 and v1.24, use [v1beta1](https://v1-24.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/).
For v1.22, use [v1alpha1](https://v1-22.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/). For v1.22, use [v1alpha1](https://v1-22.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/).
{{< /note >}} {{< /note >}}
1. Configure the API server to consume this file during cluster creation: 1. Configure the API server to consume this file during cluster creation:
``` ```
cat <<EOF > /tmp/pss/cluster-config.yaml cat <<EOF > /tmp/pss/cluster-config.yaml
kind: Cluster kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4 apiVersion: kind.x-k8s.io/v1alpha4
nodes: nodes:
- role: control-plane - role: control-plane
kubeadmConfigPatches: kubeadmConfigPatches:
- | - |
kind: ClusterConfiguration kind: ClusterConfiguration
apiServer: apiServer:
extraArgs: extraArgs:
admission-control-config-file: /etc/config/cluster-level-pss.yaml admission-control-config-file: /etc/config/cluster-level-pss.yaml
extraVolumes: extraVolumes:
- name: accf - name: accf
hostPath: /etc/config hostPath: /etc/config
mountPath: /etc/config mountPath: /etc/config
readOnly: false readOnly: false
pathType: "DirectoryOrCreate" pathType: "DirectoryOrCreate"
extraMounts: extraMounts:
- hostPath: /tmp/pss - hostPath: /tmp/pss
containerPath: /etc/config containerPath: /etc/config
# optional: if set, the mount is read-only. # optional: if set, the mount is read-only.
# default false # default false
readOnly: false readOnly: false
# optional: if set, the mount needs SELinux relabeling. # optional: if set, the mount needs SELinux relabeling.
# default false # default false
selinuxRelabel: false selinuxRelabel: false
# optional: set propagation mode (None, HostToContainer or Bidirectional) # optional: set propagation mode (None, HostToContainer or Bidirectional)
# see https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation # see https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
# default None # default None
propagation: None propagation: None
EOF EOF
``` ```
{{<note>}} {{<note>}}
If you use Docker Desktop with KinD on macOS, you can If you use Docker Desktop with KinD on macOS, you can
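Review bot: in the `cluster-config.yaml` heredoc, the `extraVolumes` entry `accf` that carries the admission configuration is mounted with `readOnly: false`, and the corresponding `extraMounts` entry for `/tmp/pss` is also `readOnly: false`. The API server only reads `/etc/config/cluster-level-pss.yaml` via `admission-control-config-file`, so both could be `readOnly: true`; a writable mount of the admission policy into the control-plane container is more privilege than the step needs. If the writable mount is deliberate, a comment saying why would help. Minor style point for the same hunk: the two `cat <<EOF` blocks here open with a bare ``` fence while the `kind` and `kubectl` commands elsewhere in this file use ```shell; aligning them would keep the highlighting consistent.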
@ -256,56 +255,57 @@ following:
these Pod Security Standards: these Pod Security Standards:
```shell ```shell
kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.24.0 --config /tmp/pss/cluster-config.yaml kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.24.0 --config /tmp/pss/cluster-config.yaml
``` ```
The output is similar to this: The output is similar to this:
``` ```
Creating cluster "psa-with-cluster-pss" ... Creating cluster "psa-with-cluster-pss" ...
✓ Ensuring node image (kindest/node:v1.24.0) 🖼 ✓ Ensuring node image (kindest/node:v1.24.0) 🖼
✓ Preparing nodes 📦 ✓ Preparing nodes 📦
✓ Writing configuration 📜 ✓ Writing configuration 📜
✓ Starting control-plane 🕹️ ✓ Starting control-plane 🕹️
✓ Installing CNI 🔌 ✓ Installing CNI 🔌
✓ Installing StorageClass 💾 ✓ Installing StorageClass 💾
Set kubectl context to "kind-psa-with-cluster-pss" Set kubectl context to "kind-psa-with-cluster-pss"
You can now use your cluster with: You can now use your cluster with:
kubectl cluster-info --context kind-psa-with-cluster-pss kubectl cluster-info --context kind-psa-with-cluster-pss
Have a question, bug, or feature request? Let us know! https://kind.sigs.k8s.io/#community 🙂 Have a question, bug, or feature request? Let us know! https://kind.sigs.k8s.io/#community 🙂
``` ```
1. Point kubectl to the cluster 1. Point kubectl to the cluster:
```shell ```shell
kubectl cluster-info --context kind-psa-with-cluster-pss kubectl cluster-info --context kind-psa-with-cluster-pss
``` ```
The output is similar to this: The output is similar to this:
``` ```
Kubernetes control plane is running at https://127.0.0.1:63855 Kubernetes control plane is running at https://127.0.0.1:63855
CoreDNS is running at https://127.0.0.1:63855/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
CoreDNS is running at https://127.0.0.1:63855/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
``` ```
1. Create the following Pod specification for a minimal configuration in the default namespace: 1. Create the following Pod specification for a minimal configuration in the default namespace:
``` ```
cat <<EOF > /tmp/pss/nginx-pod.yaml cat <<EOF > /tmp/pss/nginx-pod.yaml
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: nginx name: nginx
spec: spec:
containers: containers:
- image: nginx - image: nginx
name: nginx name: nginx
ports: ports:
- containerPort: 80 - containerPort: 80
EOF EOF
``` ```
1. Create the Pod in the cluster: 1. Create the Pod in the cluster:
```shell ```shell
kubectl apply -f /tmp/pss/nginx-pod.yaml kubectl apply -f /tmp/pss/nginx-pod.yaml
``` ```
The output is similar to this: The output is similar to this:
``` ```
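Review bot: the `kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.24.0 --config /tmp/pss/cluster-config.yaml` command in this hunk starts a 1.24 node with the config file written earlier in this file, but that file uses `apiVersion: pod-security.admission.config.k8s.io/v1`, and the note beside it states that the v1 configuration requires v1.25+ and that v1.23/v1.24 should use v1beta1. As written, the example pairs a v1 admission configuration with a v1.24 API server, so either the image tag should move to a 1.25+ node image (in both `kind create cluster` commands) or the configuration should use v1beta1 to match the image. The `nginx-pod.yaml` heredoc also opens with a bare ``` fence where the neighbouring steps use ```shell.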