kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clarify Pod Security Policy Ordering (#13484)

This commit is contained in:
Tammer Saleh 2019-06-24 20:46:34 -07:00 committed by Kubernetes Prow Robot
parent 00864d9988
commit 7f90c73a01
1 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
content/en/docs/concepts/policy/pod-security-policy.md
View File

@ -158,12 +158,16 @@ also be used to provide default values for many of the fields that it
controls. When multiple policies are available, the pod security policy controls. When multiple policies are available, the pod security policy
controller selects policies according to the following criteria: controller selects policies according to the following criteria:
1. If any policies successfully validate the pod without altering it, they are 1. PodSecurityPolicies which allow the pod as-is, without changing defaults or
used. mutating the pod, are preferred. The order of these non-mutating
2. If it is a pod creation request, then the first valid policy in alphabetical PodSecurityPolicies doesn't matter.
order is used. 2. If the pod must be defaulted or mutated, the first PodSecurityPolicy
3. Otherwise, if it is a pod update request, an error is returned, because pod mutations (ordered by name) to allow the pod is selected.
are disallowed during update operations.
{{< note >}}
During update operations (during which mutations to pod specs are disallowed)
only non-mutating PodSecurityPolicies are used to validate the pod.
{{< /note >}}
## Example ## Example