Update PodSecurityStandards to match PodSecurity KEP

Tim Allclair 2021-06-23 17:42:58 -07:00
parent c5e229eea9
commit 6cc9bf8293
3 changed files with 8 additions and 7 deletions


@ -86,7 +86,7 @@ enforced/disallowed:
<tr> <tr>
<td>Capabilities</td> <td>Capabilities</td>
<td> <td>
Adding additional capabilities beyond the <a href="https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities">default set</a> must be disallowed.<br> Adding additional capabilities beyond the <a href="https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities">default set (excluding NET_RAW)</a> must be disallowed.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
spec.containers[*].securityContext.capabilities.add<br> spec.containers[*].securityContext.capabilities.add<br>
spec.initContainers[*].securityContext.capabilities.add<br> spec.initContainers[*].securityContext.capabilities.add<br>
@ -194,7 +194,7 @@ well as lower-trust users.The following listed controls should be enforced/disal
<tr> <tr>
<td>Volume Types</td> <td>Volume Types</td>
<td> <td>
In addition to restricting HostPath volumes, the restricted profile limits usage of non-core volume types to those defined through PersistentVolumes.<br> In addition to restricting HostPath volumes, the restricted profile limits usage of non-ephemeral volume types to those defined through PersistentVolumes.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
spec.volumes[*].hostPath<br> spec.volumes[*].hostPath<br>
spec.volumes[*].gcePersistentDisk<br> spec.volumes[*].gcePersistentDisk<br>
@ -216,7 +216,6 @@ well as lower-trust users.The following listed controls should be enforced/disal
spec.volumes[*].portworxVolume<br> spec.volumes[*].portworxVolume<br>
spec.volumes[*].scaleIO<br> spec.volumes[*].scaleIO<br>
spec.volumes[*].storageos<br> spec.volumes[*].storageos<br>
spec.volumes[*].csi<br>
<br><b>Allowed Values:</b> undefined/nil<br> <br><b>Allowed Values:</b> undefined/nil<br>
</td> </td>
</tr> </tr>


@ -11,15 +11,13 @@ metadata:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'unconfined' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'unconfined'
spec: spec:
privileged: false privileged: false
# The moby default capability set, defined here: # The moby default capability set, minus NET_RAW
# https://github.com/moby/moby/blob/0a5cec2833f82a6ad797d70acbf9cbbaf8956017/oci/caps/defaults.go#L6-L19
allowedCapabilities: allowedCapabilities:
- 'CHOWN' - 'CHOWN'
- 'DAC_OVERRIDE' - 'DAC_OVERRIDE'
- 'FSETID' - 'FSETID'
- 'FOWNER' - 'FOWNER'
- 'MKNOD' - 'MKNOD'
- 'NET_RAW'
- 'SETGID' - 'SETGID'
- 'SETUID' - 'SETUID'
- 'SETFCAP' - 'SETFCAP'
@ -67,6 +65,9 @@ spec:
runAsUser: runAsUser:
rule: 'RunAsAny' rule: 'RunAsAny'
seLinux: seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
# The PSP SELinux API cannot express the SELinux Pod Security Standards,
# so if using SELinux, you must choose a more restrictive default.
rule: 'RunAsAny' rule: 'RunAsAny'
supplementalGroups: supplementalGroups:
rule: 'RunAsAny' rule: 'RunAsAny'
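Review bot: The comment "The moby default capability set, minus NET_RAW" above `allowedCapabilities` reads as if containers under this policy no longer get NET_RAW, but a PSP's `allowedCapabilities` only gates what a pod may put in `securityContext.capabilities.add`; the runtime still grants its own default set (which, per the old comment's moby reference, includes NET_RAW) unless the policy drops it. That matches the baseline standard's wording in this commit (only *adding* beyond the default set is disallowed), so the change itself looks correct, but the comment should not overstate it. I would extend it to `# The moby default capability set, minus NET_RAW. This only restricts capabilities.add; the runtime's defaults (including NET_RAW) are still granted unless requiredDropCapabilities drops them.` If the intent is to actually remove NET_RAW from baseline pods, that needs `requiredDropCapabilities: ['NET_RAW']`; I cannot see from this hunk whether that field is set elsewhere in the file, so please confirm before adding it.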


@ -22,8 +22,9 @@ spec:
- 'projected' - 'projected'
- 'secret' - 'secret'
- 'downwardAPI' - 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use. # Assume that CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim' - 'persistentVolumeClaim'
- 'csi'
hostNetwork: false hostNetwork: false
hostIPC: false hostIPC: false
hostPID: false hostPID: false
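Review bot: Allowlisting `csi` under `volumes` is a different trust decision from `persistentVolumeClaim`, and the updated comment folds them together. An inline `spec.volumes[*].csi` entry is authored by the pod creator and carries the driver name and `volumeAttributes` straight to the driver, so the safety assumption here is really that the admin only registers CSIDrivers that are meant for ephemeral inline use, not just that the PVs they pre-provisioned are safe. I would make that explicit: `# Assume that persistentVolumes set up by the cluster admin are safe to use, and that any CSIDriver the admin has enabled for inline (ephemeral) volumes is safe to receive pod-author-supplied volumeAttributes.` This is a documentation-only suggestion; the `volumes` list starts before the hunk and I have not seen whether the file comments on CSI elsewhere.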