Skip to content

docs/user-guide/pod-security-policy: list all available PSP fields #3012

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Apr 5, 2017
Merged

docs/user-guide/pod-security-policy: list all available PSP fields #3012

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 26 additions & 19 deletions docs/concepts/policy/pod-security-policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,15 +21,22 @@ actions that a pod can perform and what it has the ability to access. The
run with in order to be accepted into the system. They allow an
administrator to control the following:

1. Running of privileged containers.
1. Capabilities a container can request to be added.
1. The SELinux context of the container.
1. The user ID.
1. The use of host namespaces and networking.
1. Allocating an FSGroup that owns the pod's volumes
1. Configuring allowable supplemental groups
1. Requiring the use of a read only root file system
1. Controlling the usage of volume types
| Control Aspect | Field Name |
| ------------------------------------------------------------- | --------------------------------- |
| Running of privileged containers | `privileged` |
| Default set of capabilities that will be added to a container | `defaultAddCapabilities` |
| Capabilities that will be dropped from a container | `requiredDropCapabilities` |
| Capabilities a container can request to be added | `allowedCapabilities` |
| Controlling the usage of volume types | [`volumes`](#controlling-volumes) |
| The use of host networking | [`hostNetwork`](#host-network) |
| The use of host ports | `hostPorts` |
| The use of host's PID namespace | `hostPID` |
| The use of host's IPC namespace | `hostIPC` |
| The SELinux context of the container | [`seLinux`](#selinux) |
| The user ID | [`runAsUser`](#runasuser) |
| Configuring allowable supplemental groups | [`supplementalGroups`](#supplementalgroups) |
| Allocating an FSGroup that owns the pod's volumes | [`fsGroup`](#fsgroup) |
| Requiring the use of a read only root file system | `readOnlyRootFilesystem` |

_Pod Security Policies_ are comprised of settings and strategies that
control the security features a pod has access to. These settings fall
Expand All @@ -48,34 +55,34 @@ specified value falls into the set of allowable values.

### RunAsUser

- *MustRunAs* - Requires a `*range*` to be configured. Uses the first value
- *MustRunAs* - Requires a `range` to be configured. Uses the first value
of the range as the default. Validates against the configured range.
- *MustRunAsNonRoot* - Requires that the pod be submitted with a non-zero
`*runAsUser*` or have the `USER` directive defined in the image. No default
`runAsUser` or have the `USER` directive defined in the image. No default
provided.
- *RunAsAny* - No default provided. Allows any `*runAsUser*` to be specified.
- *RunAsAny* - No default provided. Allows any `runAsUser` to be specified.

### SELinuxContext
### SELinux

- *MustRunAs* - Requires `*seLinuxOptions*` to be configured if not using
pre-allocated values. Uses `*seLinuxOptions*` as the default. Validates against
`*seLinuxOptions*`.
- *RunAsAny* - No default provided. Allows any `*seLinuxOptions*` to be
- *MustRunAs* - Requires `seLinuxOptions` to be configured if not using
pre-allocated values. Uses `seLinuxOptions` as the default. Validates against
`seLinuxOptions`.
- *RunAsAny* - No default provided. Allows any `seLinuxOptions` to be
specified.

### SupplementalGroups

- *MustRunAs* - Requires at least one range to be specified. Uses the
minimum value of the first range as the default. Validates against all ranges.
- *RunAsAny* - No default provided. Allows any `*supplementalGroups*` to be
- *RunAsAny* - No default provided. Allows any `supplementalGroups` to be
specified.

### FSGroup

- *MustRunAs* - Requires at least one range to be specified. Uses the
minimum value of the first range as the default. Validates against the
first ID in the first range.
- *RunAsAny* - No default provided. Allows any `*fsGroup*` ID to be specified.
- *RunAsAny* - No default provided. Allows any `fsGroup` ID to be specified.

### Controlling Volumes

Expand Down