docs/user-guide/pod-security-policy: list all available PSP fields #3012
Conversation
@pweil- Is there a way to preview this changes? Maybe generate the docs locally (I didn't search yet.) |
you can stage locally with docker: https://kubernetes.io/docs/contribute/stage-documentation-changes/ |
| The user ID | `runAsUser` |
| Configuring allowable supplemental groups | `supplementalGroups` |
| Allocating an FSGroup that owns the pod's volumes | `fsGroup` |
| Requiring the use of a read only root file system | `readOnlyRootFilesystem` |
Should also include info about allowed annotations for alpha features:
```go
// Annotation keys consumed by PodSecurityPolicy for alpha/beta features.
// In the Kubernetes tree these constants live in different packages
// (the PSP seccomp strategy, the extensions API types, and the AppArmor
// helpers), which is why the same constant name appears twice below.

// The annotation key specifying the default seccomp profile.
DefaultProfileAnnotationKey = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
// The annotation key specifying the allowed seccomp profiles.
AllowedProfilesAnnotationKey = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"

// SysctlsPodSecurityPolicyAnnotationKey represents the key of a whitelist of
// allowed safe and unsafe sysctls in a pod spec. It's a comma-separated list of plain sysctl
// names or sysctl patterns (which end in *). The string "*" matches all sysctls.
SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls"

// The annotation key specifying the default AppArmor profile.
DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName"
// The annotation key specifying the allowed AppArmor profiles.
AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames"
```
(search "annotation" in the security/podsecuritypolicy directory to find which ones are used in strategies or providers)
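To show how the fields from the table and the annotation keys quoted above fit together on one object, here is an added example of a PodSecurityPolicy manifest; it is not part of this PR or of the Kubernetes docs, and the policy name, ID ranges and profile names are assumed values chosen for illustration.

```yaml
# Added example (not from the PR): a restrictive PodSecurityPolicy that uses
# the documented fields plus the alpha/beta annotation keys quoted above.
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example            # assumed name
  annotations:
    # Seccomp: default profile applied when the pod sets none, and the
    # profiles a pod is allowed to request (comma-separated).
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    # AppArmor: same pattern with the beta annotation keys.
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    # Sysctls: whitelist of plain names or patterns ending in "*".
    security.alpha.kubernetes.io/sysctls: kernel.shm_rmid_forced,net.ipv4.*
spec:
  privileged: false
  # Fields listed in the table: run as non-root, constrain supplemental
  # groups and fsGroup to a range, and require a read-only root filesystem.
  runAsUser:
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1                       # assumed range
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1                       # assumed range
        max: 65535
  readOnlyRootFilesystem: true
  seLinux:
    rule: RunAsAny
  volumes:
    - configMap
    - secret
    - emptyDir
```

A pod admitted under this policy that requests a seccomp or AppArmor profile outside the allowed list, or a sysctl not matching the whitelist, is rejected by the PSP admission controller.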
PTAL @pweil- |
@pweil- Ping. |
This is waiting on update with reference to the comment on #3174 unless someone disagrees or if we have an official policy wrt the statement about annotations (which overrides my previous request for change) 😄 |
The code is here, so I don't understand why we're not documenting it. How will users know about possible features then? |
I'm not disagreeing. Best thing to do is take the conversation to the other issue and work out the reasoning there. Leave this as-is until then. |
@pweil- Would you approve this PR if I remove mentions of annotations? Documentation is updated very frequently; I don't want to keep this PR open for a long time. |
If you'd like to leave it out for now while the discussion is ongoing then this is LGTM |
This also adds a couple of improvements:
- rename SELinuxContext to SELinux
- improve options displaying
I've adapted my changes to the latest master (where this file was moved to another place). @pweil- PTAL. |
@chenopis It's ready to merge. |
Fixes #2116