kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Avoid creating local manifest for PSA tutorials 

The kubectl tool includes a client for fetching manifests using HTTP,
and we usually rely on that for tutorials. Switch to an approach where
we don't create a manifest on the filesystem and then apply that.
This commit is contained in:
Tim Bannister 2022-10-29 15:50:16 +01:00
parent 5fd1a9d321
commit c38e5c00fb
5 changed files with 25 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
content/en/docs/tutorials/security/cluster-level-pss.md
View File

@ -286,31 +286,16 @@ following:
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
``` ```
1. Create the following Pod specification for a minimal configuration in the default namespace: 1. Create a Pod in the default namespace:
```
cat <<EOF > /tmp/pss/nginx-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
EOF
```
1. Create the Pod in the cluster:
```shell ```shell
kubectl apply -f /tmp/pss/nginx-pod.yaml kubectl apply -f https://k8s.io/examples/security/example-baseline-pod.yaml
``` ```
The output is similar to this: The output is similar to this:
``` ```
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
pod/nginx created pod/nginx created
``` ```
## Clean up ## Clean up

25
content/en/docs/tutorials/security/ns-level-pss.md
View File

@ -109,27 +109,10 @@ namespace/example created
## Verify the Pod Security Standards ## Verify the Pod Security Standards
1. Create a minimal pod in `example` namespace: 1. Create a baseline Pod in the `example` namespace:
```shell ```shell
cat <<EOF > /tmp/pss/nginx-pod.yaml kubectl apply -n example -f https://k8s.io/examples/security/example-baseline-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
EOF
```
1. Apply the pod spec to the cluster in `example` namespace:
```shell
kubectl apply -n example -f /tmp/pss/nginx-pod.yaml
``` ```
The output is similar to this: The output is similar to this:
@ -138,10 +121,10 @@ namespace/example created
pod/nginx created pod/nginx created
``` ```
1. Apply the pod spec to the cluster in `default` namespace: 1. Create a baseline Pod in the `default` namespace:
```shell ```shell
kubectl apply -n default -f /tmp/pss/nginx-pod.yaml kubectl apply -n default -f https://k8s.io/examples/security/example-baseline-pod.yaml
``` ```
Output is similar to this: Output is similar to this:

10
content/en/examples/security/example-baseline-pod.yaml Normal file
View File

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80

4
content/en/examples/security/kind-with-cluster-level-baseline-pod-security.sh
View File

@ -55,7 +55,7 @@ kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.23.0 --c
kubectl cluster-info --context kind-psa-with-cluster-pss kubectl cluster-info --context kind-psa-with-cluster-pss
# Wait for 15 seconds (arbitrary) ServiceAccount Admission Controller to be available # Wait for 15 seconds (arbitrary) ServiceAccount Admission Controller to be available
sleep 15 sleep 15
cat <<EOF > /tmp/pss/nginx-pod.yaml cat <<EOF |
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
@ -67,4 +67,4 @@ spec:
ports: ports:
- containerPort: 80 - containerPort: 80
EOF EOF
kubectl apply -f /tmp/pss/nginx-pod.yaml kubectl apply -f -

6
content/en/examples/security/kind-with-namespace-level-baseline-pod-security.sh
View File

@ -13,7 +13,9 @@ kubectl label --overwrite ns example \
pod-security.kubernetes.io/warn-version=latest \ pod-security.kubernetes.io/warn-version=latest \
pod-security.kubernetes.io/audit=restricted \ pod-security.kubernetes.io/audit=restricted \
pod-security.kubernetes.io/audit-version=latest pod-security.kubernetes.io/audit-version=latest
cat <<EOF > /tmp/pss/nginx-pod.yaml
# Try running a Pod
cat <<EOF |
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
@ -25,4 +27,4 @@ spec:
ports: ports:
- containerPort: 80 - containerPort: 80
EOF EOF
kubectl apply -n example -f /tmp/pss/nginx-pod.yaml kubectl apply -n example -f -