Merge "Added Note for Kata Containers Support"

doc/source/planning/kubernetes/container-security-df8a251ec03f.rst

@@ -5,7 +5,7 @@ Container Security Planning
 ===========================
 
 The following container security best practices are recommended as part of your
-network security planning. 
+network security planning.
 
 Restrict Direct (SSH) Access to Kubernetes Nodes
 ------------------------------------------------
@@ -18,7 +18,7 @@ Use Role-based Access Control (RBAC)
 ------------------------------------
 
 Define RBAC policies to exercise strict control over permissions granted to
-non-admin users. Restrict non-admin users to the minimum level of privileges. 
+non-admin users. Restrict non-admin users to the minimum level of privileges.
 
 Use Namespaces
 --------------
@@ -51,7 +51,7 @@ Specify Minimal-Required Security Context for Pods
 --------------------------------------------------
 
 Explicitly specify the minimal-required security context for pods, containers
-and volumes through pod security policies, for example: 
+and volumes through pod security policies, for example:
 
 -   runAsNonRoot
 
@@ -63,11 +63,15 @@ and volumes through pod security policies, for example:
 Kata Containers
 ---------------
 
+.. note::
+
+    Kata Containers will not be supported in |prod-long| |prod-ver|.
+
 Kata containers are an optional capability on |prod| that provide a secure
 container runtime with lightweight virtual machines that feel and perform like
 containers, but provide stronger workload isolation. For improved performance
 with relation to isolation, Kata containers leverages hardware-enforced isolation
-with virtualization VT extensions.   
+with virtualization VT extensions.
 
 For more information, see :ref:`starlingx-kubernetes-user-tutorials-overview`.
 
@@ -80,14 +84,14 @@ of security-sensitive aspects of Pod security. PodSecurityPolicies (PSP) define
 different levels of access to security-sensitive aspects of the pod. RBAC
 [Cluster]Roles can then be created for these PSPs, with RBAC
 [Cluster]RoleBindings of these roles to a ‘subject’ (i.e. users, groups,
-serviceaccounts, etc.). 
+serviceaccounts, etc.).
 
-The following considerations apply to PodSecurityPolicies (PSPs): 
+The following considerations apply to PodSecurityPolicies (PSPs):
 
 -   includes enabling or disabling options such as running as root, access to
     host filesystem, access to host networking, etc.
 
--   are disabled by default  
+-   are disabled by default
 
 -   can be enable by the System Administrator via **system service-parameter-add
     kubernetes kube_apiserver admission_plugins=PodSecurityPolicy**
@@ -105,8 +109,8 @@ usage:
     -    authenticated users can only perform a restricted set of
          security-sensitive options on Pods and only in namespaces the user
          is allowed to access
-    
+
-Administrator can then: 
+Administrator can then:
 
 -    create other custom PodSecurityPolicies and associated RBAC Roles
 
@@ -114,7 +118,7 @@ Administrator can then:
 
 
 ------------------------------------
-Container Image Signature Validation 
+Container Image Signature Validation
 ------------------------------------
 
 The Portieris admission controller allows you to enforce image security polices

doc/source/shared/abbrevs.txt

@@ -24,6 +24,7 @@
 .. |eBPF| replace:: :abbr:`eBPF (Extended Berkeley Packet Filter)`
 .. |CA| replace:: :abbr:`CA (Certificate Authority)`
 .. |CAs| replace:: :abbr:`CAs (Certificate Authorities)`
+.. |CDI| replace:: :abbr:`CDI (Containerized Data Importer)`
 .. |CLI| replace:: :abbr:`CLI (Command Line Interface)`
 .. |CLIs| replace:: :abbr:`CLIs (Command Line Interfaces)`
 .. |CNI| replace:: :abbr:`CNI (Container Networking Interface)`
@@ -67,6 +68,7 @@
 .. |IPMI| replace:: :abbr:`IPMI (Intelligent Platform Management Interface)`
 .. |IOPS| replace:: :abbr:`IOPS (I/O operations per second)`
 .. |IRQ| replace:: :abbr:`IRQ (Interrupt Request)`
+.. |ISA| replace:: :abbr:`ISA (Instruction Set Architecture)`
 .. |KVM| replace:: :abbr:`KVM (Kernel-based Virtual Machine)`
 .. |LACP| replace:: :abbr:`LACP (Link Aggregation Control Protocol)`
 .. |LAG| replace:: :abbr:`LAG (Link Aggregation)`
@@ -141,6 +143,7 @@
 .. |SRIOVs| replace:: :abbr:`SR-IOVs (Single Root I/O Virtualizations)`
 .. |SSD| replace:: :abbr:`SSD (Solid State Drive)`
 .. |SSDs| replace:: :abbr:`SSDs (Solid State Drives)`
+.. |SSSD| replace:: :abbr:`SSSD (System Security Services Daemon)`
 .. |SSH| replace:: :abbr:`SSH (Secure Shell)`
 .. |SSL| replace:: :abbr:`SSL (Secure Socket Layer)`
 .. |STP| replace:: :abbr:`STP (Spanning Tree Protocol)`

doc/source/usertasks/kubernetes/kata-containers-overview.rst

@@ -6,7 +6,9 @@
 Kata Containers Overview
 ========================
 
-|prod| supports Kata Containers.
+.. note::
+
+    Kata Containers will not be supported in |prod-long| |prod-ver|.
 
 |prod| uses a **containerd** :abbr:`CRI (Container Runtime Interface)` that supports
 both runc and Kata Container runtimes. The default runtime is runc. If you want

doc/source/usertasks/kubernetes/known-limitations.rst

@@ -6,6 +6,10 @@
 Known Kata Container Limitations
 ================================
 
+.. note::
+
+    Kata Containers will not be supported in |prod-long| |prod-ver|.
+
 This section describes the known limitations when using Kata containers.
 
 .. _known-limitations-section-tsh-tl1-zlb:

doc/source/usertasks/kubernetes/specifying-kata-container-runtime-in-pod-spec.rst

@@ -6,6 +6,10 @@
 Specify Kata Container Runtime in Pod Spec
 ==========================================
 
+.. note::
+
+    Kata Containers will not be supported in |prod-long| |prod-ver|.
+
 You can specify the use of Kata Container runtime in your pod specification by
 runtime class or by annotation.