kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix error in sample code for allowedFlexVolumes (#7048)

This commit is contained in:
Qiming 2018-02-16 01:20:39 +08:00 committed by k8s-ci-robot
parent ddc0637f19
commit 90746e7e9e
1 changed files with 17 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
docs/concepts/policy/pod-security-policy.md
View File

@ -28,7 +28,7 @@ administrator to control the following:
| Usage of host networking and ports | [`hostNetwork`, `hostPorts`](#host-namespaces) |
| Usage of volume types | [`volumes`](#volumes-and-file-systems) |
| Usage of the host filesystem | [`allowedHostPaths`](#volumes-and-file-systems) |
| Usage of FlexVolume drivers | [`allowedFlexVolumes`](#flexvolume-drivers) |
| White list of FlexVolume drivers | [`allowedFlexVolumes`](#flexvolume-drivers) |
| Allocating an FSGroup that owns the pod's volumes | [`fsGroup`](#volumes-and-file-systems) |
| Requiring the use of a read only root file system | [`readOnlyRootFilesystem`](#volumes-and-file-systems) |
| The user and group IDs of the container | [`runAsUser`, `supplementalGroups`](#users-and-groups) |
@ -420,16 +420,25 @@ root filesystem (i.e. no writeable layer).
### FlexVolume drivers
When the [`Volumes`](#volumes-and-file-systems) field contains `flexVolume` in
its list value, the cluster admin can further specify which driver(s) is permitted
by setting the `allowedFlexVolumes` field.
This specifies a whiltelist of flex volume drivers that are allowed to be used
by flexVolume. An empty list or nil means there is no restriction on the drivers.
Please make sure [`volumes`](#volumes-and-file-systems) field contains the
`flexVolume` volume type, no FlexVolume driver is allowed otherwise.
**AllowedFlexVolumes** - Provides a whitelist of allowed FlexVolumes. Empty or
nil indicates that all FlexVolume drivers may be used. For example, the following
setting only permits the `examle/fast_cache` driver to be used on nodes:
For example:
```yaml
allowedFlexVolumes: [ "example/fast_cache" ]
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: allow-flex-volumes
spec:
# ... other spec fields
volumes:
- flexVolume
allowedFlexVolumes:
- driver: example/lvm
- driver: example/cifs
```
### Users and groups