Chore(docs): Update the psp docs with adding the missing fields and comments on each field (#3791)

* Chore(docs): Update the psp docs with comments on each field

Signed-off-by: Udit Gaurav <udit.gaurav@harness.io>

* Chore(docs): Update the psp docs with comments on each field

Signed-off-by: Udit Gaurav <udit.gaurav@harness.io>

* fix volume to add hostPath in it

Signed-off-by: Udit Gaurav <udit.gaurav@harness.io>

Signed-off-by: Udit Gaurav <udit.gaurav@harness.io>
Udit Gaurav 2022-10-13 17:30:11 +05:30 committed by GitHub
parent b010cc3e67
commit afcc4bd1fe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 0 deletions


@ -29,13 +29,20 @@ opting for the default ["restricted"](https://kubernetes.io/docs/concepts/policy
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
# Allow core volume types. # Allow core volume types.
volumes: volumes:
# To mount script files/templates like ssm-docs in experiment
- 'configMap' - 'configMap'
# Used for chaos injection like io chaos
- 'emptyDir' - 'emptyDir'
- 'projected' - 'projected'
# To authenticate with different cloud providers
- 'secret' - 'secret'
# To derive the experiment pod name in the experimemnt
- 'downwardAPI' - 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use. # Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim' - 'persistentVolumeClaim'
# To mount the socket path directory used to perform container runtime operations
- 'hostPath'
allowedHostPaths: allowedHostPaths:
# substitutes this path with an appropriate socket path # substitutes this path with an appropriate socket path
# ex: '/var/run/docker.sock', '/run/containerd/containerd.sock', '/run/crio/crio.sock' # ex: '/var/run/docker.sock', '/run/containerd/containerd.sock', '/run/crio/crio.sock'
@ -43,11 +50,17 @@ opting for the default ["restricted"](https://kubernetes.io/docs/concepts/policy
# substitutes this path with an appropriate container path # substitutes this path with an appropriate container path
# ex: '/var/lib/docker/containers', '/var/lib/containerd/io.containerd.runtime.v1.linux/k8s.io', '/var/lib/containers/storage/overlay/' # ex: '/var/lib/docker/containers', '/var/lib/containerd/io.containerd.runtime.v1.linux/k8s.io', '/var/lib/containers/storage/overlay/'
- pathPrefix: "/var/lib/docker/containers" - pathPrefix: "/var/lib/docker/containers"
allowedCapabilities: allowedCapabilities:
# NET_ADMIN & SYS_ADMIN: used in network chaos experiments to perform
# network operations (running tc command in network ns of target container).
- "NET_ADMIN" - "NET_ADMIN"
# SYS_ADMIN: used in stress chaos experiment to perform cgroup operations.
- "SYS_ADMIN" - "SYS_ADMIN"
hostNetwork: false hostNetwork: false
hostIPC: false hostIPC: false
# To run fault injection on a target container using pid namespace.
# It is used in stress, network, dns and http experiments.
hostPID: true hostPID: true
seLinux: seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux. # This policy assumes the nodes are using AppArmor rather than SELinux.
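Review bot: The comment added above `- 'hostPath'` explains why the volume type is needed but not what it exposes: a pod that can mount the container runtime socket can drive the runtime directly, which amounts to node-level control. I would say so in the comment and tie it to the restriction that follows, e.g. `# hostPath is constrained by allowedHostPaths below; bind this PSP only to the chaos service account`. The `allowedHostPaths` entries visible in this section (such as `- pathPrefix: "/var/lib/docker/containers"`) show no `readOnly: true`, and Kubernetes documents that a writable hostPath can be used to reach outside its `pathPrefix`; whether the experiments need write access there cannot be told from these hunks, so it is worth confirming and setting `readOnly: true` wherever read access is enough. Separately, `experimemnt` in the new downwardAPI comment is a typo for `experiment`.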