
Re-organized topic hierarchy

Tiny edit to restart review workflow. Squashed with "Resolved index.rst conflict" commit.

Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5
Signed-off-by: Keane Lim <keane.lim@windriver.com>
Signed-off-by: MCamp859 <maryx.camp@intel.com>
Pod Security Policies
Pod Security Policies (PSPs):

- enable fine-grained authorization of pod creation and updates.
- control access to security-sensitive aspects of Pod specifications, such as running privileged containers, using the host filesystem or host namespaces, and running as root.
- define a set of conditions that a pod must satisfy in order to be accepted into the system, as well as defaults for the related fields.
- are assigned to users and service accounts through Kubernetes RoleBindings (or ClusterRoleBindings) to a role that grants the ``use`` verb on the policy.

See https://kubernetes.io/docs/concepts/policy/pod-security-policy/ for details. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; the material below applies to releases that still ship the admission controller.
When enabled, Pod security policy checking authorizes every pod creation and update request against the Pod Security Policies that the issuer of the request is allowed to ``use``. If no Pod Security Policies are defined in the system, or the issuer does not have access to any of them, Pod security policy checking rejects the request. Keep in mind that pods created by a controller (for example a Deployment or DaemonSet) are authorized against the policies available to the controller's service account, not against those of the user who created the controller object.
A system service-parameter is provided to enable Pod security policy checking. In addition to enabling the admission control, setting this service parameter also creates two Pod Security Policies (``privileged`` and ``restricted``) so that users with the cluster-admin role (which has access to all resources, and therefore to both policies) have something to authorize against. It also creates two corresponding roles that grant ``use`` on these policies (``privileged-psp-user`` and ``restricted-psp-user``), for binding to other, non-admin subjects.
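The following manifests are an added example, not part of the original page or of the product's own policy set, showing how the restricted policy, the ``use``-granting role, and a RoleBinding described above fit together. The policy name ``restricted`` and role name ``restricted-psp-user`` match the names used on this page, but the policy's rule contents, the ``demo`` namespace and the ``app`` service account are assumptions chosen for illustration:

```yaml
# Added example: a restricted PodSecurityPolicy, a ClusterRole granting "use"
# on it, and a RoleBinding that assigns it to one service account.
# Names "demo" and "app" are illustrative assumptions.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false                    # no privileged containers
  allowPrivilegeEscalation: false      # blocks setuid binaries / CAP gains
  requiredDropCapabilities:
    - ALL
  hostNetwork: false                   # no host namespaces
  hostIPC: false
  hostPID: false
  volumes:                             # no hostPath; only non-host volume types
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot             # pod is rejected if it would run as UID 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
---
# The role only needs the "use" verb on the named policy; without a binding
# to a role like this, a subject has access to no PSP and pod creation fails.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restricted-psp-user
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted"]
    verbs: ["use"]
---
# Bind the role to the service account whose pods should be restricted.
# Because controllers create pods with their service account, this is the
# subject that matters for Deployments and DaemonSets in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-restricted-psp
  namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: restricted-psp-user
subjects:
  - kind: ServiceAccount
    name: app
    namespace: demo
```

After applying the manifests, the assignment can be checked from the API server's point of view with ``kubectl auth can-i use podsecuritypolicy/restricted --as=system:serviceaccount:demo:app``, which should answer ``yes``; the same check for ``podsecuritypolicy/privileged`` should answer ``no``, confirming that a pod from that service account cannot escalate by requesting the privileged policy.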