Avoid creating local manifest for PSA tutorials

The kubectl tool includes a client for fetching manifests using HTTP, and we usually rely on that for tutorials. Switch to an approach where we don't create a manifest on the filesystem and then apply that.
2022-10-29 15:50:16 +01:00 · 2022-10-29 15:50:16 +01:00 · c38e5c00fb
parent 5fd1a9d321
commit c38e5c00fb
5 changed files with 25 additions and 45 deletions
--- a/content/en/docs/tutorials/security/cluster-level-pss.md
+++ b/content/en/docs/tutorials/security/cluster-level-pss.md
@ -286,31 +286,16 @@ following:
  
   To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
   ```
-1. Create the following Pod specification for a minimal configuration in the default namespace:
-
-   ```
-   cat <<EOF > /tmp/pss/nginx-pod.yaml
-   apiVersion: v1
-   kind: Pod
-   metadata:
-     name: nginx
-   spec:
-     containers:
-       - image: nginx
-         name: nginx
-         ports:
-           - containerPort: 80
-   EOF
-   ```
-1. Create the Pod in the cluster:
+1. Create a Pod in the default namespace:

   ```shell
-   kubectl apply -f /tmp/pss/nginx-pod.yaml
+   kubectl apply -f https://k8s.io/examples/security/example-baseline-pod.yaml
   ```
+
   The output is similar to this:
   ```
-    Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
-    pod/nginx created
+   Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
+   pod/nginx created
   ```

 ## Clean up
--- a/content/en/docs/tutorials/security/ns-level-pss.md
+++ b/content/en/docs/tutorials/security/ns-level-pss.md
@ -109,27 +109,10 @@ namespace/example created

 ## Verify the Pod Security Standards

-1. Create a minimal pod in `example` namespace:
+1. Create a baseline Pod in the `example` namespace:

   ```shell
-   cat <<EOF > /tmp/pss/nginx-pod.yaml
-   apiVersion: v1
-   kind: Pod
-   metadata:
-     name: nginx
-   spec:
-     containers:
-       - image: nginx
-         name: nginx
-         ports:
-           - containerPort: 80
-   EOF
-   ```
-
-1. Apply the pod spec to the cluster in `example` namespace:
-
-   ```shell
-   kubectl apply -n example -f /tmp/pss/nginx-pod.yaml
+   kubectl apply -n example -f https://k8s.io/examples/security/example-baseline-pod.yaml
   ```
   The output is similar to this:

@ -138,10 +121,10 @@ namespace/example created
   pod/nginx created
   ```

-1. Apply the pod spec to the cluster in `default` namespace:
+1. Create a baseline Pod in the `default` namespace:

   ```shell
-   kubectl apply -n default -f /tmp/pss/nginx-pod.yaml
+   kubectl apply -n default -f https://k8s.io/examples/security/example-baseline-pod.yaml
   ```
   Output is similar to this:

--- a/content/en/examples/security/example-baseline-pod.yaml
+++ b/content/en/examples/security/example-baseline-pod.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+    - image: nginx
+      name: nginx
+      ports:
+        - containerPort: 80
--- a/content/en/examples/security/kind-with-cluster-level-baseline-pod-security.sh
+++ b/content/en/examples/security/kind-with-cluster-level-baseline-pod-security.sh
@ -55,7 +55,7 @@ kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.23.0 --c
 kubectl cluster-info --context kind-psa-with-cluster-pss
 # Wait for 15 seconds (arbitrary) ServiceAccount Admission Controller to be available
 sleep 15
-cat <<EOF > /tmp/pss/nginx-pod.yaml
+cat <<EOF |
 apiVersion: v1
 kind: Pod
 metadata:
@ -67,4 +67,4 @@ spec:
      ports:
        - containerPort: 80
 EOF
-kubectl apply -f /tmp/pss/nginx-pod.yaml
+kubectl apply -f -
--- a/content/en/examples/security/kind-with-namespace-level-baseline-pod-security.sh
+++ b/content/en/examples/security/kind-with-namespace-level-baseline-pod-security.sh
@ -13,7 +13,9 @@ kubectl label --overwrite ns example \
  pod-security.kubernetes.io/warn-version=latest \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/audit-version=latest
-cat <<EOF > /tmp/pss/nginx-pod.yaml
+
+# Try running a Pod
+cat <<EOF |
 apiVersion: v1
 kind: Pod
 metadata:
@ -25,4 +27,4 @@ spec:
      ports:
        - containerPort: 80
 EOF
-kubectl apply -n example -f /tmp/pss/nginx-pod.yaml
+kubectl apply -n example -f -