Tutorials for Pod Security Admission #30422
Conversation
k8s-ci-robot
added
kind/documentation
k8s-ci-robot
added
the
sig/docs
k8s-ci-robot
requested review from
reylejano,
savitharaghunathan and
shannonxtreme
|
/sig security |
k8s-ci-robot
added
the
sig/security
PushkarJ
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
✔️ Deploy Preview for kubernetes-io-main-staging ready! 🔨 Explore the source changes: d1e2545 🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/61b03ec9cc4dd20008ce01fe 😎 Browse the preview: https://deploy-preview-30422--kubernetes-io-main-staging.netlify.app |
PushkarJ
force-pushed
the
psa-tutorial
branch
3 times, most recently
from
a81b779
to
53da735
Compare
PushkarJ
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/hold Until merge timelines are aligned as per this comment: #30502 (comment) |
k8s-ci-robot
added
the
do-not-merge/hold
PushkarJ
force-pushed
the
psa-tutorial
branch
from
886a373
to
42eecf0
Compare
Fixed nits, broken links and numbering Co-authored-by: Tim Bannister <tim@scalefactory.com> Co-authored-by: Shannon Kularathna <ax3shannonkularathna@gmail.com> Co-authored-by: Jim Angel <jimangel@users.noreply.github.com>
PushkarJ
force-pushed
the
psa-tutorial
branch
from
79822c3
to
d1e2545
Compare
|
Alright, just pushed the final changes that takes care of all the pending actionable feedback. Now that blog post PR is merged, just need someone to Deploy previews: https://deploy-preview-30422--kubernetes-io-main-staging.netlify.app/docs/tutorials/#security |
|
/check-cla |
|
Hold from #30422 (comment) should stand until the blog article publishes. Any time after 16:05 Pacific time on the 8th of December should be good to go, as the related blog article goes live at UTC midnight on the 9th. |
|
This is ready for a technical signoff from SIG Auth. It's already been through quite a few checks, including by me, so what I'm looking for is a final read-through and a formal /lgtm providing no concerns spotted. Page previews: LGTM for SIG Docs, and #30422 (review) implies it also looks good to @shannonxtreme |
|
/remove-label tide/merge-method-squash Commits are already squashed |
k8s-ci-robot
removed
the
tide/merge-method-squash
| # Until v1.23 is released, kind node image needs to be built from k/k master branch | ||
| # Ref: https://kind.sigs.k8s.io/docs/user/quick-start/#building-images |
There was a problem hiding this comment.
femtonit: the release has happened (very happy to fix this in a follow-up PR, though)
| 1. Configure the API server to consume this file during cluster creation: | ||
|
|
||
| ``` | ||
| cat <<EOF > /tmp/pss/cluster-config.yaml |
There was a problem hiding this comment.
is /tmp a good location for cluster confit files? I'm not sure what the typical permissions there are (or if files in /tmp are subject to automated cleanup/removal)
| @@ -0,0 +1,70 @@ | |||
| #!/bin/sh | |||
| mkdir -p /tmp/pss | |||
| cat <<EOF > /tmp/pss/cluster-level-pss.yaml | |||
| pod-security.kubernetes.io/warn-version=latest | ||
| ``` | ||
|
|
||
| 2. Multiple pod security standards can be enabled on any namespace, using labels. |
There was a problem hiding this comment.
it might be worth noting that if this is an existing namespace that already contains workloads, using --dry-run=server is recommended first to determine if the new policy levels will disrupt existing workloads
|
Technical content lgtm, had a non-blocking question about use of tmp and suggestion about calling out use of dry-run |
|
Thanks @liggitt Taking #30422 (comment) as We can do a follow-up PR. I agree about taking care about using |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 377841f45aca39355245243a3391e41bda229ba5
|
|
LGTM too PJ, wonderful work here ❤️
…On Wed., Dec. 8, 2021, 18:09 Kubernetes Prow Robot, < ***@***.***> wrote:
LGTM label has been added.
Git tree hash: 377841f45aca39355245243a3391e41bda229ba5
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#30422 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHH4EFXXTM47JCWCLNJRBZDUP5RJLANCNFSM5HV7LZTQ>
.
|
|
Blog is now published https://kubernetes.io/blog/2021/12/09/pod-security-admission-beta/ /hold remove |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
Creates a two part tutorial for Pod Security Admission with KinD:
/kind documentation
Notes for reviewers:
kindnode image for v1.23 is not yet available here: https://hub.docker.com/r/kindest/node/tagslatesttag(open to feedback on other ways to tackle this of course :) )
Initial slack discussion: https://kubernetes.slack.com/archives/C1J0BPD2M/p1636152420159200