Merge pull request #44156 from saschagrunert/dev-1.29-user-namespaces-pss-update

Dev 1.29 user namespaces pss update
pull/44177/head
Kubernetes Prow Robot 2023-11-30 14:11:56 +01:00 committed by GitHub
commit 41135adb1f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 2 deletions

@ -485,6 +485,12 @@ Restrictions on the following controls are only required if `.spec.os.name` is n
- Seccomp
- Linux Capabilities
## User namespaces
User Namespaces are a Linux-only feature to run workloads with increased
isolation. How they work together with Pod Security Standards is described in
the [documentation](/docs/concepts/workloads/pods/user-namespaces#integration-with-pod-security-admission-checks) for Pods that use user namespaces.
## FAQ
### Why isn't there a profile between privileged and baseline?
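Review bot: The link added in the new "User namespaces" section, `/docs/concepts/workloads/pods/user-namespaces#integration-with-pod-security-admission-checks`, has no slash before the `#`, while the feature gate entry updated in the same commit uses `/docs/concepts/workloads/pods/user-namespaces/#integration-with-pod-security-admission-checks`; use the trailing-slash form in both places. The section should also name the `UserNamespacesPodSecurityStandards` feature gate, because a reader of this page otherwise gets no hint that the policy relaxation is gated. Capitalization is inconsistent too: "User Namespaces" in the body, "User namespaces" in the heading.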

@ -811,7 +811,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
- `UserNamespacesPodSecurityStandards`: Enable Pod Security Standards policies relaxation for pods
that run with namespaces. You must set the value of this feature gate consistently across all nodes in
your cluster, and you must also enable `UserNamespacesSupport` to use this feature.
See [User Namespaces](/docs/concepts/workloads/pods/user-namespaces/#integration-with-pod-security-standards) for more details.
See [User Namespaces](/docs/concepts/workloads/pods/user-namespaces/#integration-with-pod-security-admission-checks) for more details.
- `UserNamespacesSupport`: Enable user namespace support for Pods.
Before Kubernetes v1.28, this feature gate was named `UserNamespacesStatelessPodsSupport`.
- `ValidatingAdmissionPolicy`: Enable [ValidatingAdmissionPolicy](/docs/reference/access-authn-authz/validating-admission-policy/)
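Review bot: The new anchor `#integration-with-pod-security-admission-checks` on the `UserNamespacesPodSecurityStandards` entry depends on a heading in the user namespaces page, which does not appear among the changes shown here; confirm the heading already exists under that name, otherwise this link and the one added to the Pod Security Standards page both resolve to the top of the page instead of the section. While this entry is being edited, "pods that run with namespaces" two lines above should read "pods that run with user namespaces".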
@ -835,4 +835,4 @@ Each feature gate is designed for enabling/disabling a specific feature:
feature, you will also need to enable any associated API resources.
For example, to enable a particular resource like
`storage.k8s.io/v1beta1/csistoragecapacities`, set `--runtime-config=storage.k8s.io/v1beta1/csistoragecapacities`.
See [API Versioning](/docs/reference/using-api/#api-versioning) for more details on the command line flags.
See [API Versioning](/docs/reference/using-api/#api-versioning) for more details on the command line flags.
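Review bot: The removed and added "See [API Versioning](/docs/reference/using-api/#api-versioning) ..." lines read identically, so this hunk is a whitespace or end-of-file newline change unrelated to the user namespaces update; either drop it from this commit or mention it in the commit message so the diff stat of "8 additions and 2 deletions" is easier to account for.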