Add Pod Security Standards documentation #28903
👷 Deploy Preview for kubernetes-io-vnext-staging processing. 🔨 Explore the source changes: e0d4b53 🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/60f83e74a325df0008b1495d
/assign @liggitt @tabbysable (per convo w/ @tallclair)
I'm concerned about seeing this PR propose to delete https://k8s.io/docs/concepts/security/pod-security-standards/
External projects (the likes of Kyverno) refer to these Pod security standards. It's not just in-project code that relies on them. We should keep the URL of those standards where possible: cool URIs don't change.
It's OK to document a new in-tree mechanism for enforcing that Pods follow these standards. It's important to leave a path to distinguish between the standards themselves on the one hand, and the in-tree enforcement code on the other.
/sig auth
@sftim Very good point - reverted.
Looking at this PR I recommend some more work on it.
- it looks like it's still draft. If that's true, please mark it draft to help reviewers. For example, ask prow to
/retitle WIP: Add Pod Security Standards documentation
- I would like to see two new pages in the Task section, that each link to each other in their introduction:
  - Enforcing PodSecurity using the built-in admission controller
  - Enforcing PodSecurity using a webhook
- Be sure to describe the new feature gate in https://k8s.io/docs/reference/command-line-tools-reference/feature-gates/
- We must also add PodSecurity into https://k8s.io/docs/reference/access-authn-authz/admission-controllers/
If the webhook isn't available, let's leave room to add that documentation later.
nits:
- within the page (but not the page title), write headings in sentence case
- if you can, use glossary tooltips for any first mention of concepts, unless you're confident that readers know what these mean
Another page we must update: https://kubernetes.io/docs/reference/labels-annotations-taints/
#28903 (comment) is my only outstanding comment, then technical content lgtm
/approve for technical content
LGTM label has been added. Git tree hash: 704b45b3b56a84dfa0fcb606584940d39eeb0660
Really good work.
/lgtm
I'll leave the release folks to approve this.
/assign @PI-Victor
content/en/docs/setup/best-practices/enforcing-pod-security-standards.md
re-applying lgtm after link to opa gatekeeper repo was fixed
LGTM label has been added. Git tree hash: c2f10c36f7958065382a78014912c042127b482c
had to give this a proper read myself, thank you all for the work! /approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: liggitt, PI-Victor. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
This PR adds documentation for Pod Security Standards.
Fixes #28721, fixes #28820, fixes #28866
This PR
Follow-up tasks
- privileged
- baseline
- restricted
Related issues
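As an added example (not part of this PR, the documentation it adds, or the Kubernetes code base), the script below models the three Pod Security Standards levels listed above and the enforce/audit/warn namespace labels that the in-tree PodSecurity admission controller reads. It implements only a subset of the real controls, the sample pod and namespace labels are constructed, and `harden()` is an illustrative helper rather than anything the controller provides.

```python
"""Simplified model of the Pod Security Standards levels (privileged, baseline,
restricted) and of the enforce/audit/warn namespace label modes used by the
in-tree PodSecurity admission controller.

Added example code, not the Kubernetes implementation: only a subset of the
real controls is checked (host namespaces, hostPath, hostPort, privileged,
capabilities, privilege escalation, runAsNonRoot, seccomp, volume types).
"""
import copy
from typing import Dict, List

# Capabilities a baseline pod may still add (the container runtime default set).
BASELINE_ADD_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# Volume types the restricted level permits.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _containers(pod: dict) -> List[dict]:
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def baseline_violations(pod: dict) -> List[str]:
    """Controls the baseline level forbids (subset)."""
    spec = pod.get("spec", {})
    found = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"spec.{key}=true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol['name']} uses hostPath")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"container {c['name']} is privileged")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in BASELINE_ADD_CAPS:
                found.append(f"container {c['name']} adds capability {cap}")
        for port in c.get("ports", []):
            if port.get("hostPort"):
                found.append(f"container {c['name']} binds hostPort {port['hostPort']}")
    return found


def restricted_violations(pod: dict) -> List[str]:
    """Baseline plus the hardening the restricted level requires (subset)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = baseline_violations(pod)
    for vol in spec.get("volumes", []):
        bad = (set(vol) - {"name"}) - RESTRICTED_VOLUME_TYPES
        if bad:
            found.append(f"volume {vol['name']} uses disallowed type {sorted(bad)}")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {c['name']} must set allowPrivilegeEscalation=false")
        if "ALL" not in caps.get("drop", []):
            found.append(f"container {c['name']} must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"container {c['name']} may only add NET_BIND_SERVICE")
        # Container-level fields override the pod-level securityContext.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"container {c['name']} must set runAsNonRoot=true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"container {c['name']} needs seccompProfile RuntimeDefault or Localhost")
    return found


CHECKS = {
    "privileged": lambda pod: [],  # privileged is unrestricted
    "baseline": baseline_violations,
    "restricted": restricted_violations,
}


def evaluate(pod: dict, namespace_labels: Dict[str, str]) -> dict:
    """Apply a namespace's enforce/audit/warn labels to a pod.
    A missing mode label defaults to privileged; only enforce rejects."""
    result = {}
    for mode in ("enforce", "audit", "warn"):
        level = namespace_labels.get(f"pod-security.kubernetes.io/{mode}", "privileged")
        result[mode] = CHECKS[level](pod)
    result["admitted"] = not result["enforce"]
    return result


def harden(pod: dict) -> dict:
    """Illustrative helper: copy of pod with the restricted-level settings applied."""
    out = copy.deepcopy(pod)
    spec = out["spec"]
    spec.setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return out


# Constructed sample: baseline-compliant, but not restricted-compliant.
SAMPLE_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "volumes": [{"name": "cache", "emptyDir": {}}],
        "containers": [{"name": "web", "image": "example.invalid/web:1.0",
                        "ports": [{"containerPort": 8080}]}],
    },
}
# Constructed namespace labels: reject below baseline, warn below restricted.
NAMESPACE_LABELS = {
    "pod-security.kubernetes.io/enforce": "baseline",
    "pod-security.kubernetes.io/warn": "restricted",
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_POD, NAMESPACE_LABELS))
    print(evaluate(harden(SAMPLE_POD), NAMESPACE_LABELS))
```

With these labels the sample pod is admitted (it passes baseline) but collects four restricted-level warnings; after `harden()` it passes restricted with no warnings, which is the migration path the enforce/warn split is meant to support.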