Correction: sysctl entries aren't annotations (#14796)
* Correction: sysctl entries aren't annotations

First, thank you for your work on this documentation. It means so much to so many users. I found that the sysctl documentation linked here explains that sysctl pod security policy entries are in the spec field, not done via annotation. This corrects it, using as much of the original language as possible from the linked sysctl documentation.

* Update pod-security-policy.md
This commit is contained in:
parent 654db85168
commit 8f4fe15e14
@ -44,7 +44,7 @@ administrator to control the following:
| The Allowed Proc Mount types for the container | [`allowedProcMountTypes`](#allowedprocmounttypes) |
| The AppArmor profile used by containers | [annotations](#apparmor) |
| The seccomp profile used by containers | [annotations](#seccomp) |
| The sysctl profile used by containers | [annotations](#sysctl) |
| The sysctl profile used by containers | [`forbiddenSysctls`,`allowedUnsafeSysctls`](#sysctl) |
## Enabling Pod Security Policies
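Review bot: the replaced row still describes the control as "The sysctl profile used by containers", but unlike the AppArmor and seccomp rows above it, the new right-hand cell names two list fields rather than a profile; consider rewording the row to something like `| The sysctls allowed or forbidden for containers | [`forbiddenSysctls`, `allowedUnsafeSysctls`](#sysctl) |` so the description matches what the fields actually control. While touching the line, add a space after the comma between the two field names for readability.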
@ -608,7 +608,12 @@ default cannot be changed.
### Sysctl
Controlled via annotations on the PodSecurityPolicy. Refer to the [Sysctl documentation](
By default, all safe sysctls are allowed.
- `forbiddenSysctls` - excludes specific sysctls. You can forbid a combination of safe and unsafe sysctls in the list. To forbid setting any sysctls, use `*` on its own.
- `allowedUnsafeSysctls` - allows specific sysctls that had been disallowed by the default list, so long as these are not listed in `forbiddenSysctls`.
Refer to the [Sysctl documentation](
/docs/concepts/cluster-administration/sysctl-cluster/#podsecuritypolicy).
{{% /capture %}}
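Review bot: in the `allowedUnsafeSysctls` bullet, "disallowed by the default list" refers to a list this section never names; the line just above establishes the default as "all safe sysctls are allowed", so state the relationship directly, e.g. "- `allowedUnsafeSysctls` - allows specific unsafe sysctls, which are disallowed by default, so long as they are not listed in `forbiddenSysctls`." That wording also makes the precedence explicit: a sysctl named in both lists stays forbidden. The `forbiddenSysctls` bullet reads better with "forbids" than "excludes", matching the field name and the `*` wildcard sentence that follows it.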