kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #40885 from niranjandarshann/podsecurity/standard 

Fix broken link in Pod Security Standards
pull/40822/head
Kubernetes Prow Robot 2023-05-01 16:36:11 -07:00 committed by GitHub
parent 195034c0fd 057766eed7
commit 1dabb8339e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
content/en/docs/concepts/security/pod-security-standards.md
View File

@ -326,7 +326,7 @@ fail validation.
<tr> <tr>
<td style="white-space: nowrap">Privilege Escalation (v1.8+)</td> <td style="white-space: nowrap">Privilege Escalation (v1.8+)</td>
<td> <td>
<p>Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed. <em><a href="#policies-specific-to-linux">This is Linux only policy</a> in v1.25+ <code>(spec.os.name != windows)</code></em></p> <p>Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed. <em><a href="#os-specific-policy-controls">This is Linux only policy</a> in v1.25+ <code>(spec.os.name != windows)</code></em></p>
<p><strong>Restricted Fields</strong></p> <p><strong>Restricted Fields</strong></p>
<ul> <ul>
<li><code>spec.containers[*].securityContext.allowPrivilegeEscalation</code></li> <li><code>spec.containers[*].securityContext.allowPrivilegeEscalation</code></li>
@ -367,7 +367,7 @@ fail validation.
<p><strong>Restricted Fields</strong></p> <p><strong>Restricted Fields</strong></p>
<ul> <ul>
<li><code>spec.securityContext.runAsUser</code></li> <li><code>spec.securityContext.runAsUser</code></li>
<li><code>spec.containers[*].securityContext.runAsUser</code></li> <li><code>spec.containers[*].securityContext.runAsUser</code></li>
<li><code>spec.initContainers[*].securityContext.runAsUser</code></li> <li><code>spec.initContainers[*].securityContext.runAsUser</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.runAsUser</code></li> <li><code>spec.ephemeralContainers[*].securityContext.runAsUser</code></li>
</ul> </ul>
@ -381,7 +381,7 @@ fail validation.
<tr> <tr>
<td style="white-space: nowrap">Seccomp (v1.19+)</td> <td style="white-space: nowrap">Seccomp (v1.19+)</td>
<td> <td>
<p>Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited. <em><a href="#policies-specific-to-linux">This is Linux only policy</a> in v1.25+ <code>(spec.os.name != windows)</code></em></p> <p>Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited. <em><a href="#os-specific-policy-controls">This is Linux only policy</a> in v1.25+ <code>(spec.os.name != windows)</code></em></p>
<p><strong>Restricted Fields</strong></p> <p><strong>Restricted Fields</strong></p>
<ul> <ul>
<li><code>spec.securityContext.seccompProfile.type</code></li> <li><code>spec.securityContext.seccompProfile.type</code></li>
@ -407,7 +407,7 @@ fail validation.
<td> <td>
<p> <p>
Containers must drop <code>ALL</code> capabilities, and are only permitted to add back Containers must drop <code>ALL</code> capabilities, and are only permitted to add back
the <code>NET_BIND_SERVICE</code> capability. <em><a href="#policies-specific-to-linux">This is Linux only policy</a> in v1.25+ <code>(.spec.os.name != "windows")</code></em> the <code>NET_BIND_SERVICE</code> capability. <em><a href="#os-specific-policy-controls">This is Linux only policy</a> in v1.25+ <code>(.spec.os.name != "windows")</code></em>
</p> </p>
<p><strong>Restricted Fields</strong></p> <p><strong>Restricted Fields</strong></p>
<ul> <ul>