
Commit 1234867

committed
cleanup
1 parent 5cc74c2 commit 1234867

File tree

1 file changed: +13 −4 lines changed
  • keps/sig-auth/2579-pod-isolation-policy


keps/sig-auth/2579-pod-isolation-policy/README.md

Lines changed: 13 additions & 4 deletions
@@ -1,6 +1,7 @@
11
# KEP-2579: Pod Isolation Policy
22

33
<<[UNRESOLVED]>>
4+
45
The name of this feature / policy is open to discussion. Other options considered:
56
- Pod Policy Check
67
- Pod Security Standards
@@ -12,6 +13,7 @@ The name of this feature / policy is open to discussion. Other options considere
1213
- Namespace Security Labels
1314
- ~~Pod Security Defaults~~ (policy is non-mutating)
1415
- Pod Security Policy v2
16+
1517
<<[/UNRESOLVED]>>
1618

1719
<!-- toc -->
@@ -194,9 +196,9 @@ inconsistency with audit & warn less obvious, but doesn't help the user experien
194196

195197
### Validation
196198

197-
The following restrictions are placed (by the admission plugin) on the pod security namespace labels:
199+
The following restrictions are placed (by the admission plugin) on the policy namespace labels:
198200

199-
1. Unknown labels with the pod security prefix (TBD) are rejected, e.g. `prefix/foo-bar`
201+
1. Unknown labels with the pod security prefix (TBD) are rejected, e.g. `podisolationpolicy.kubernetes.io/foo-bar`
200202
2. Policy level must be one of: `privileged`, `baseline`, `restricted`
201203
3. Version values must be match `(latest|v[0-9]+\.[0-9]+`. That is, one of:
202204
1. `latest`
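Review bot: line 201 now shows a concrete prefix in the example (`podisolationpolicy.kubernetes.io/foo-bar`) while the same sentence still says the prefix is "(TBD)"; either drop the "(TBD)" now that the label prefix has been chosen, or keep a placeholder in the example, so the sentence does not contradict itself. The unchanged line 203 in this hunk also reads "Version values must be match `(latest|v[0-9]+\.[0-9]+`", which has a stray "be" and is missing the closing parenthesis of the regex; suggest "Version values must match `(latest|v[0-9]+\.[0-9]+)`".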
@@ -282,7 +284,7 @@ CRDs that wish to take advantage of this functionality should instead have an ob
282284
v1/PodTemplate resource. We will publish a guide (documentation and/or examples) that demonstrate
283285
this pattern.
284286

285-
### Allow Update Warnings
287+
### Namespace policy update warnings
286288

287289
When an allow policy (or version) label is added or changed, the admission plugin will test each pod
288290
in the namespace against the new policy. Violations are returned to the user as warnings. These
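Review bot: the renamed heading "### Namespace policy update warnings" is in sentence case, while the other headings visible in this diff ("### Validation", "### Admission Configuration") use title case; suggest "### Namespace Policy Update Warnings" for consistency. Renaming the heading also changes its anchor, so the generated `<!-- toc -->` block should be regenerated in this commit (and any in-document links to the old "Allow Update Warnings" anchor updated), otherwise the table of contents points at a heading that no longer exists.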
@@ -299,6 +301,13 @@ checking for breakages before updating a policy, for example:
299301
kubectl label --dry-run=server --overwrite ns --all podisolationpolicy.kubernetes.io/allow=baseline
300302
```
301303

304+
<<[UNRESOLVED]>>
305+
306+
- What should the timout be for pod update warnings?
307+
- What should the pod limit be set to?
308+
309+
<<[/UNRESOLVED]>>
310+
302311

303312
### Admission Configuration
304313

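Review bot: "timout" on line 306 should be "timeout". The two open questions would also be easier to resolve if each named the behaviour it bounds: from the preceding prose, the timeout presumably caps how long the admission plugin spends testing the namespace's existing pods before it returns warnings, and the pod limit caps how many pods are tested (or how many violations are reported); stating that, and what the user sees when a bound is hit (truncated warnings, or a warning that the check was incomplete), would make this UNRESOLVED block self-contained.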
@@ -346,7 +355,7 @@ the admission controller (allow, audit and warn). Exemption dimensions include:
346355

347356
- Usernames: requests from users with an exempt authenticated (or impersonated) username are ignored.
348357
- RuntimeClassNames: pods and [templated pods] with specifying an exempt runtime class name are ignored.
349-
- Namespace: pods and [templated pods] in an exempt namespace are ignored.
358+
- Namespaces: pods and [templated pods] in an exempt namespace are ignored.
350359

351360
<<[UNRESOLVED]>>
352361

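Review bot: the unchanged line 356 just above the change still has a grammar slip, "pods and [templated pods] with specifying an exempt runtime class name are ignored"; since this commit is already touching the neighbouring dimension, suggest fixing it here to "pods and [templated pods] that specify an exempt runtime class name are ignored". With "Namespaces" now pluralised, the three dimension names (Usernames, RuntimeClassNames, Namespaces) are consistent.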