kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Minor cleanup of standardized pod security

This commit is contained in:
Tim Allclair 2020-06-04 11:22:52 -07:00
parent 44db1a13c9
commit 9065e168f0
1 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
content/en/docs/concepts/security/pod-security-standards.md
View File

@ -56,8 +56,8 @@ developers of non-critical applications. The following listed controls should be
enforced/disallowed: enforced/disallowed:
<table> <table>
<caption style="display:none">Baseline policy specification</caption> <caption style="display:none">Baseline policy specification</caption>
<tbody> <tbody>
<tr> <tr>
<td><strong>Control</strong></td> <td><strong>Control</strong></td>
<td><strong>Policy</strong></td> <td><strong>Policy</strong></td>
@ -115,7 +115,7 @@ enforced/disallowed:
<tr> <tr>
<td>AppArmor <em>(optional)</em></td> <td>AppArmor <em>(optional)</em></td>
<td> <td>
On supported hosts, the `runtime/default` AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to a whitelisted set of profiles.<br> On supported hosts, the 'runtime/default' AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to a whitelisted set of profiles.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']<br> metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']<br>
<br><b>Allowed Values:</b> 'runtime/default', undefined<br> <br><b>Allowed Values:</b> 'runtime/default', undefined<br>
@ -146,14 +146,14 @@ enforced/disallowed:
<td>Sysctls</td> <td>Sysctls</td>
<td> <td>
Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for a whitelisted "safe" subset. Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for a whitelisted "safe" subset.
A sysctl is considered safe if it is namespaced in the container or the pod, and it is isolated from other pods or processes on the same node.<br> A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
spec.securityContext.sysctls<br> spec.securityContext.sysctls<br>
<br><b>Allowed Values:</b><br> <br><b>Allowed Values:</b><br>
kernel.shm_rmid_forced<br> kernel.shm_rmid_forced<br>
net.ipv4.ip_local_port_range<br> net.ipv4.ip_local_port_range<br>
net.ipv4.tcp_syncookies<br> net.ipv4.tcp_syncookies<br>
net.ipv4.ping_group_range<br> net.ipv4.ping_group_range<br>
undefined/empty<br> undefined/empty<br>
</td> </td>
</tr> </tr>
@ -168,7 +168,7 @@ well as lower-trust users.The following listed controls should be enforced/disal
<table> <table>
<caption style="display:none">Restricted policy specification</caption> <caption style="display:none">Restricted policy specification</caption>
<tbody> <tbody>
<tr> <tr>
<td><strong>Control</strong></td> <td><strong>Control</strong></td>
@ -209,7 +209,7 @@ well as lower-trust users.The following listed controls should be enforced/disal
<tr> <tr>
<td>Privilege Escalation</td> <td>Privilege Escalation</td>
<td> <td>
Privilege escalation to root should not be allowed.<br> Privilege escalation to root should not be allowed.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
spec.containers[*].securityContext.privileged<br> spec.containers[*].securityContext.privileged<br>
spec.initContainers[*].securityContext.privileged<br> spec.initContainers[*].securityContext.privileged<br>
@ -219,7 +219,7 @@ well as lower-trust users.The following listed controls should be enforced/disal
<tr> <tr>
<td>Running as Non-root</td> <td>Running as Non-root</td>
<td> <td>
Containers must be required to run as non-root users.<br> Containers must be required to run as non-root users.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
spec.securityContext.runAsNonRoot<br> spec.securityContext.runAsNonRoot<br>
spec.containers[*].securityContext.runAsNonRoot<br> spec.containers[*].securityContext.runAsNonRoot<br>
@ -230,7 +230,7 @@ well as lower-trust users.The following listed controls should be enforced/disal
<tr> <tr>
<td>Non-root groups <em>(optional)</em></td> <td>Non-root groups <em>(optional)</em></td>
<td> <td>
Containers should be forbidden from running with a root primary or supplementary GID.<br> Containers should be forbidden from running with a root primary or supplementary GID.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
spec.securityContext.runAsGroup<br> spec.securityContext.runAsGroup<br>
spec.securityContext.supplementalGroups[*]<br> spec.securityContext.supplementalGroups[*]<br>
@ -249,12 +249,12 @@ well as lower-trust users.The following listed controls should be enforced/disal
<tr> <tr>
<td>Seccomp</td> <td>Seccomp</td>
<td> <td>
The runtime/default seccomp profile must be required, or allow additional whitelisted values.<br> The 'runtime/default' seccomp profile must be required, or allow additional whitelisted values.<br>
<br><b>Restricted Fields:</b><br> <br><b>Restricted Fields:</b><br>
metadata.annotations['seccomp.security.alpha.kubernetes.io/pod']<br> metadata.annotations['seccomp.security.alpha.kubernetes.io/pod']<br>
metadata.annotations['container.seccomp.security.alpha.kubernetes.io/*']<br> metadata.annotations['container.seccomp.security.alpha.kubernetes.io/*']<br>
<br><b>Allowed Values:</b><br> <br><b>Allowed Values:</b><br>
runtime/default<br> 'runtime/default'<br>
undefined (container annotation)<br> undefined (container annotation)<br>
</td> </td>
</tr> </tr>