From 44db1a13c97c7f70b8afac105bcdb2e04d5d12bb Mon Sep 17 00:00:00 2001 From: Tim Allclair Date: Tue, 2 Jun 2020 17:13:12 -0700 Subject: [PATCH] Add missing PSP restrictions to standard security profiles --- .../security/pod-security-standards.md | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md index 1adf042c91..60cc021ae6 100644 --- a/content/en/docs/concepts/security/pod-security-standards.md +++ b/content/en/docs/concepts/security/pod-security-standards.md @@ -118,7 +118,7 @@ enforced/disallowed: On supported hosts, the `runtime/default` AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to a whitelisted set of profiles.

Restricted Fields:
metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']
-
Allowed Values: runtime/default, undefined
+
Allowed Values: 'runtime/default', undefined
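Review bot: The quoting change on the AppArmor `Allowed Values` line leaves the absent case as plain `undefined`, while the rest of this file writes it as `undefined/nil` (the context line opening the next hunk reads `Allowed Values: undefined/nil`, and the new procMount entry uses the same form); consider `Allowed Values: 'runtime/default', undefined/nil` so the entries read alike. Separately, the unchanged context just above says the default policy may "restrict overrides to a whitelisted set of profiles", but the Allowed Values list admits only `'runtime/default'`; either state that an additional whitelisted set of profiles may be permitted here or drop that clause, so the prose and the field restriction agree.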
@@ -132,6 +132,31 @@ enforced/disallowed:
Allowed Values: undefined/nil
+ + /proc Mount Type + + The default /proc masks are set up to reduce attack surface, and should be required.
+
Restricted Fields:
+ spec.containers[*].securityContext.procMount
+ spec.initContainers[*].securityContext.procMount
+
Allowed Values: undefined/nil, 'Default'
+ + + + Sysctls + + Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for a whitelisted "safe" subset. + A sysctl is considered safe if it is namespaced in the container or the pod, and it is isolated from other pods or processes on the same node.
+
Restricted Fields:
+ spec.securityContext.sysctls
+
Allowed Values:
+ kernel.shm_rmid_forced
+ net.ipv4.ip_local_port_range
+ net.ipv4.tcp_syncookies
+ net.ipv4.ping_group_range
+ undefined/empty
+ +
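Review bot: The new Sysctls entry lists sysctl names under `Allowed Values`, but its Restricted Field is `spec.securityContext.sysctls`, which is a list of name/value pairs; point the restriction at the name (e.g. `spec.securityContext.sysctls[*].name`) and say whether the values for those four names are unrestricted, matching the `[*]` indexing already used for `spec.containers[*].securityContext.procMount` and `spec.initContainers[*].securityContext.procMount` in the same hunk. Minor consistency points in the same hunk: `'Default'` is quoted but the sysctl names are not, and the empty case is written `undefined/nil` for procMount and `undefined/empty` for sysctls; the scalar-versus-list distinction is reasonable, but a short note saying that an empty list is what "empty" means would remove the ambiguity.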