kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Minor cleanup of standardized pod security

This commit is contained in:
Tim Allclair 2020-06-04 11:22:52 -07:00
parent 44db1a13c9
commit 9065e168f0
1 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
content/en/docs/concepts/security/pod-security-standards.md
View File

@ -115,7 +115,7 @@ enforced/disallowed:
<tr> <tr>
<td>AppArmor <em>(optional)</em></td> <td>AppArmor <em>(optional)</em></td>
<td> <td>
On supported hosts, the `runtime/default` AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to a whitelisted set of profiles.<br> On supported hosts, the 'runtime/default' AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to a whitelisted set of profiles.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']<br> metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']<br>
<br><b>Allowed Values:</b> 'runtime/default', undefined<br> <br><b>Allowed Values:</b> 'runtime/default', undefined<br>
@ -146,7 +146,7 @@ enforced/disallowed:
<td>Sysctls</td> <td>Sysctls</td>
<td> <td>
Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for a whitelisted "safe" subset. Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for a whitelisted "safe" subset.
A sysctl is considered safe if it is namespaced in the container or the pod, and it is isolated from other pods or processes on the same node.<br> A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
spec.securityContext.sysctls<br> spec.securityContext.sysctls<br>
<br><b>Allowed Values:</b><br> <br><b>Allowed Values:</b><br>
@ -249,12 +249,12 @@ well as lower-trust users.The following listed controls should be enforced/disal
<tr> <tr>
<td>Seccomp</td> <td>Seccomp</td>
<td> <td>
The runtime/default seccomp profile must be required, or allow additional whitelisted values.<br> The 'runtime/default' seccomp profile must be required, or allow additional whitelisted values.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
metadata.annotations['seccomp.security.alpha.kubernetes.io/pod']<br> metadata.annotations['seccomp.security.alpha.kubernetes.io/pod']<br>
metadata.annotations['container.seccomp.security.alpha.kubernetes.io/*']<br> metadata.annotations['container.seccomp.security.alpha.kubernetes.io/*']<br>
<br><b>Allowed Values:</b><br> <br><b>Allowed Values:</b><br>
runtime/default<br> 'runtime/default'<br>
undefined (container annotation)<br> undefined (container annotation)<br>
</td> </td>
</tr> </tr>