Merge pull request #44311 from apeabody/patch-1
consistency updates for pod security standards documentation
This commit is contained in:
Kubernetes Prow Robot
GitHub
commit
856df61cb3
|
|
@ -29,9 +29,9 @@ This guide outlines the requirements of each policy.
|
||||||
**The _Privileged_ policy is purposely-open, and entirely unrestricted.** This type of policy is
|
**The _Privileged_ policy is purposely-open, and entirely unrestricted.** This type of policy is
|
||||||
typically aimed at system- and infrastructure-level workloads managed by privileged, trusted users.
|
typically aimed at system- and infrastructure-level workloads managed by privileged, trusted users.
|
||||||
|
|
||||||
The Privileged policy is defined by an absence of restrictions. Allow-by-default
|
The Privileged policy is defined by an absence of restrictions. If you define a Pod where the Privileged
|
||||||
mechanisms (such as gatekeeper) may be Privileged by default. In contrast, for a deny-by-default mechanism (such as Pod
|
security policy applies, the Pod you define is able to bypass typical container isolation mechanisms.
|
||||||
Security Policy) the Privileged policy should disable all restrictions.
|
For example, you can define a Pod that has access to the node's host network.
|
||||||
|
|
||||||
### Baseline
|
### Baseline
|
||||||
|
|
||||||
|
|
@ -57,7 +57,7 @@ fail validation.
|
||||||
<tr>
|
<tr>
|
||||||
<td style="white-space: nowrap">HostProcess</td>
|
<td style="white-space: nowrap">HostProcess</td>
|
||||||
<td>
|
<td>
|
||||||
<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. {{< feature-state for_k8s_version="v1.26" state="stable" >}}</p>
|
<p>Windows Pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows host machine. Privileged access to the host is disallowed in the Baseline policy. {{< feature-state for_k8s_version="v1.26" state="stable" >}}</p>
|
||||||
<p><strong>Restricted Fields</strong></p>
|
<p><strong>Restricted Fields</strong></p>
|
||||||
<ul>
|
<ul>
|
||||||
<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
|
<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
|
||||||
|
|
@ -303,7 +303,7 @@ applications, as well as lower-trust users. The following listed controls should
|
||||||
enforced/disallowed:
|
enforced/disallowed:
|
||||||
|
|
||||||
{{< note >}}
|
{{< note >}}
|
||||||
In this table, wildcards (`*`) indicate all elements in a list. For example,
|
In this table, wildcards (`*`) indicate all elements in a list. For example,
|
||||||
`spec.containers[*].securityContext` refers to the Security Context object for _all defined
|
`spec.containers[*].securityContext` refers to the Security Context object for _all defined
|
||||||
containers_. If any of the listed containers fails to meet the requirements, the entire pod will
|
containers_. If any of the listed containers fails to meet the requirements, the entire pod will
|
||||||
fail validation.
|
fail validation.
|
||||||
|
|
@ -317,12 +317,12 @@ fail validation.
|
||||||
<td><strong>Policy</strong></td>
|
<td><strong>Policy</strong></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td colspan="2"><em>Everything from the baseline profile.</em></td>
|
<td colspan="2"><em>Everything from the Baseline policy</em></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td style="white-space: nowrap">Volume Types</td>
|
<td style="white-space: nowrap">Volume Types</td>
|
||||||
<td>
|
<td>
|
||||||
<p>The restricted policy only permits the following volume types.</p>
|
<p>The Restricted policy only permits the following volume types.</p>
|
||||||
<p><strong>Restricted Fields</strong></p>
|
<p><strong>Restricted Fields</strong></p>
|
||||||
<ul>
|
<ul>
|
||||||
<li><code>spec.volumes[*]</code></li>
|
<li><code>spec.volumes[*]</code></li>
|
||||||
|
|
@ -473,7 +473,7 @@ of individual policies are not defined here.
|
||||||
|
|
||||||
{{% thirdparty-content %}}
|
{{% thirdparty-content %}}
|
||||||
|
|
||||||
Other alternatives for enforcing policies are being developed in the Kubernetes ecosystem, such as:
|
Other alternatives for enforcing policies are being developed in the Kubernetes ecosystem, such as:
|
||||||
|
|
||||||
- [Kubewarden](https://github.com/kubewarden)
|
- [Kubewarden](https://github.com/kubewarden)
|
||||||
- [Kyverno](https://kyverno.io/policies/pod-security/)
|
- [Kyverno](https://kyverno.io/policies/pod-security/)
|
||||||
|
|
@ -488,15 +488,14 @@ workloads. Specifically, many of the Pod `securityContext` fields
|
||||||
[have no effect on Windows](/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext).
|
[have no effect on Windows](/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext).
|
||||||
|
|
||||||
{{< note >}}
|
{{< note >}}
|
||||||
Kubelets prior to v1.24 don't enforce the pod OS field, and if a cluster has nodes on versions earlier than v1.24 the restricted policies should be pinned to a version prior to v1.25.
|
Kubelets prior to v1.24 don't enforce the pod OS field, and if a cluster has nodes on versions earlier than v1.24 the Restricted policies should be pinned to a version prior to v1.25.
|
||||||
{{< /note >}}
|
{{< /note >}}
|
||||||
|
|
||||||
### Restricted Pod Security Standard changes
|
### Restricted Pod Security Standard changes
|
||||||
Another important change, made in Kubernetes v1.25 is that the _restricted_ Pod security
|
Another important change, made in Kubernetes v1.25 is that the _Restricted_ policy
|
||||||
has been updated to use the `pod.spec.os.name` field. Based on the OS name, certain policies that are specific
|
has been updated to use the `pod.spec.os.name` field. Based on the OS name, certain policies that are specific
|
||||||
to a particular OS can be relaxed for the other OS.
|
to a particular OS can be relaxed for the other OS.
|
||||||
|
|
||||||
|
|
||||||
#### OS-specific policy controls
|
#### OS-specific policy controls
|
||||||
Restrictions on the following controls are only required if `.spec.os.name` is not `windows`:
|
Restrictions on the following controls are only required if `.spec.os.name` is not `windows`:
|
||||||
- Privilege Escalation
|
- Privilege Escalation
|
||||||
|
|
@ -511,10 +510,10 @@ the [documentation](/docs/concepts/workloads/pods/user-namespaces#integration-wi
|
||||||
|
|
||||||
## FAQ
|
## FAQ
|
||||||
|
|
||||||
### Why isn't there a profile between privileged and baseline?
|
### Why isn't there a profile between Privileged and Baseline?
|
||||||
|
|
||||||
The three profiles defined here have a clear linear progression from most secure (restricted) to least
|
The three profiles defined here have a clear linear progression from most secure (Restricted) to least
|
||||||
secure (privileged), and cover a broad set of workloads. Privileges required above the baseline
|
secure (Privileged), and cover a broad set of workloads. Privileges required above the Baseline
|
||||||
policy are typically very application specific, so we do not offer a standard profile in this
|
policy are typically very application specific, so we do not offer a standard profile in this
|
||||||
niche. This is not to say that the privileged profile should always be used in this case, but that
|
niche. This is not to say that the privileged profile should always be used in this case, but that
|
||||||
policies in this space need to be defined on a case-by-case basis.
|
policies in this space need to be defined on a case-by-case basis.
|
||||||
|
|
@ -528,9 +527,9 @@ Containers at runtime. Security contexts are defined as part of the Pod and cont
|
||||||
in the Pod manifest, and represent parameters to the container runtime.
|
in the Pod manifest, and represent parameters to the container runtime.
|
||||||
|
|
||||||
Security profiles are control plane mechanisms to enforce specific settings in the Security Context,
|
Security profiles are control plane mechanisms to enforce specific settings in the Security Context,
|
||||||
as well as other related parameters outside the Security Context. As of July 2021,
|
as well as other related parameters outside the Security Context. As of July 2021,
|
||||||
[Pod Security Policies](/docs/concepts/security/pod-security-policy/) are deprecated in favor of the
|
[Pod Security Policies](/docs/concepts/security/pod-security-policy/) are deprecated in favor of the
|
||||||
built-in [Pod Security Admission Controller](/docs/concepts/security/pod-security-admission/).
|
built-in [Pod Security Admission Controller](/docs/concepts/security/pod-security-admission/).
|
||||||
|
|
||||||
|
|
||||||
### What about sandboxed Pods?
|
### What about sandboxed Pods?
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue