Tutorials for Pod Security Admission #30422
Conversation
/sig security
✔️ Deploy Preview for kubernetes-io-main-staging ready! 🔨 Explore the source changes: d1e2545 🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/61b03ec9cc4dd20008ce01fe 😎 Browse the preview: https://deploy-preview-30422--kubernetes-io-main-staging.netlify.app
Branch force-pushed: a81b779 to 53da735
Structural review. I'll do a content review after we have hashed out some of the structural changes :)
Thank you for this PJ!!
/hold Until merge timelines are aligned as per this comment: #30502 (comment)
Branch force-pushed: 886a373 to 42eecf0
/sig auth
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: sftim. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Update to a valid 1.23 kind version.
(outdated inline comments on content/en/examples/security/kind-with-cluster-level-baseline-pod-security.sh and content/en/examples/security/kind-with-namespace-level-baseline-pod-security.sh)
Thank you Jim, Tim and Shannon. Accepted all inline changes from phone app. Will do some final clean up today/tomorrow when I get on Wi-Fi. After that we should be in good shape to publish this together with the blog!
Refer blog post for v1.23 + suggestions from code review
Fixed nits, broken links and numbering
Co-authored-by: Tim Bannister <[email protected]>
Co-authored-by: Shannon Kularathna <[email protected]>
Co-authored-by: Jim Angel <[email protected]>
Branch force-pushed: 79822c3 to d1e2545
Alright, just pushed the final changes that take care of all the pending actionable feedback. Now that the blog post PR is merged, just need someone to  Deploy previews: https://deploy-preview-30422--kubernetes-io-main-staging.netlify.app/docs/tutorials/#security
/check-cla
Hold from #30422 (comment) should stand until the blog article publishes. Any time after 16:05 Pacific time on the 8th of December should be good to go, as the related blog article goes live at UTC midnight on the 9th.
This is ready for a technical signoff from SIG Auth. It's already been through quite a few checks, including by me, so what I'm looking for is a final read-through and a formal /lgtm providing no concerns spotted. Page previews: LGTM for SIG Docs, and #30422 (review) implies it also looks good to @shannonxtreme
/remove-label tide/merge-method-squash Commits are already squashed
| # Until v1.23 is released, kind node image needs to be built from k/k master branch | ||
| # Ref: https://kind.sigs.k8s.io/docs/user/quick-start/#building-images | 
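Review bot: this comment documents a pre-release workaround (building the kind node image from the k/k master branch) that should not ship in the tutorial once v1.23 is out; replace the comment and the build step it points to with a released 1.23 kind node image, pinned by tag, so readers reproduce the tutorial instead of tracking master.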
femtonit: the release has happened (very happy to fix this in a follow-up PR, though)
| 1. Configure the API server to consume this file during cluster creation: | ||
| ``` | ||
| cat <<EOF > /tmp/pss/cluster-config.yaml | 
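Review bot: the opening fence on the second line has no language tag, so the heredoc gets no syntax highlighting; use ```shell. The target `/tmp/pss/cluster-config.yaml` is also a fixed path in a directory that is commonly cleaned on reboot, so a reader who creates the cluster later will find the file gone; keep the config directory in a variable (for example one created with `mktemp -d`, or a directory under $HOME) and refer to it in both the heredoc and the kind command that consumes it.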
Is /tmp a good location for cluster config files? I'm not sure what the typical permissions there are (or if files in /tmp are subject to automated cleanup/removal)
| @@ -0,0 +1,70 @@ | |||
| #!/bin/sh | |||
| mkdir -p /tmp/pss | |||
| cat <<EOF > /tmp/pss/cluster-level-pss.yaml | |||
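Review bot: `mkdir -p /tmp/pss` on the second line trusts a fixed, predictable path in a world-writable directory: `-p` succeeds silently when another local user already created `/tmp/pss`, and the following heredoc then writes the cluster's Pod Security admission configuration into a directory that user controls. Suggest `set -eu` after the shebang and `dir=$(mktemp -d)` (or a directory under $HOME) in place of the fixed path, using `$dir` for every file the script writes.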
same question about using /tmp
| pod-security.kubernetes.io/warn-version=latest | ||
| ``` | ||
| 2. Multiple pod security standards can be enabled on any namespace, using labels. | 
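Review bot: the wording of step 2 ("Multiple pod security standards can be enabled on any namespace") conflates the admission modes with the standards: a namespace sets each of enforce, audit and warn independently, and each mode names one level (privileged, baseline or restricted), optionally pinned with a `-version` label like the `warn-version=latest` line above. Worth adding in the same step that on a namespace that already runs workloads, `kubectl label --dry-run=server --overwrite ns <ns> pod-security.kubernetes.io/enforce=<level>` reports which existing pods the new level would reject before anything is persisted.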
it might be worth noting that if this is an existing namespace that already contains workloads, using --dry-run=server is recommended first to determine if the new policy levels will disrupt existing workloads
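The staged rollout this comment asks for, written out as an added example (not code from the PR or from the tutorial it adds): the `psa_dry_run` and `psa_apply` function names and the `KUBECTL` override are assumptions, and it assumes `kubectl` against a reachable cluster, with the dry-run warnings arriving on stderr so `2>&1` captures them.

```shell
#!/bin/sh
# Added example, not code from the PR or the tutorial it adds: a staged
# Pod Security Admission rollout for one namespace. Assumes kubectl and a
# reachable cluster; KUBECTL can be overridden to point at a wrapper.
KUBECTL="${KUBECTL:-kubectl}"

# psa_dry_run NAMESPACE LEVEL
# Server-side dry run of the enforce label: the API server evaluates every
# existing pod against LEVEL and emits one "Warning:" line per violation
# without persisting the label. Prints the warnings; returns 1 if there
# are any, 0 if the namespace is clean, 2 if kubectl itself failed.
psa_dry_run() {
  ns="$1"; level="$2"
  out=$("$KUBECTL" label --dry-run=server --overwrite namespace "$ns" \
    "pod-security.kubernetes.io/enforce=$level" 2>&1) || return 2
  warnings=$(printf '%s\n' "$out" | grep '^Warning:' || true)
  [ -z "$warnings" ] && return 0
  printf '%s\n' "$warnings"
  return 1
}

# psa_apply NAMESPACE LEVEL
# Set warn and audit first (violations become visible without any pod being
# rejected), then enforce only if the server-side dry run is clean.
psa_apply() {
  ns="$1"; level="$2"
  "$KUBECTL" label --overwrite namespace "$ns" \
    "pod-security.kubernetes.io/warn=$level" \
    "pod-security.kubernetes.io/audit=$level" >/dev/null || return 2
  if psa_dry_run "$ns" "$level" >/dev/null; then
    "$KUBECTL" label --overwrite namespace "$ns" \
      "pod-security.kubernetes.io/enforce=$level" >/dev/null
  else
    echo "not enforcing $level on $ns: existing pods would be rejected" >&2
    return 1
  fi
}
```

Run `psa_apply NAMESPACE baseline` against the namespace from the tutorial; it leaves warn and audit set and stops before enforce whenever the dry run lists violating pods.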
Technical content lgtm, had a non-blocking question about use of tmp and suggestion about calling out use of dry-run
Thanks @liggitt Taking #30422 (comment) as We can do a follow-up PR. I agree about taking care about using
LGTM label has been added. Git tree hash: 377841f45aca39355245243a3391e41bda229ba5
LGTM too PJ, wonderful work here ❤️… On Wed., Dec. 8, 2021, 18:09 Kubernetes Prow Robot wrote:
 LGTM label has been added.
 Git tree hash: 377841f45aca39355245243a3391e41bda229ba5
Blog is now published https://kubernetes.io/blog/2021/12/09/pod-security-admission-beta/ /hold remove
/hold cancel
Creates a two-part tutorial for Pod Security Admission with KinD:
/kind documentation
Notes for reviewers:
kind node image for v1.23 is not yet available here: https://hub.docker.com/r/kindest/node/tags (latest tag; open to feedback on other ways to tackle this of course :) )
Initial slack discussion: https://kubernetes.slack.com/archives/C1J0BPD2M/p1636152420159200