From 60ee2c2d14f84ef12f48f68d864f85dc0b9f03ef Mon Sep 17 00:00:00 2001 From: mtardy Date: Tue, 28 Jun 2022 21:11:59 +0200 Subject: [PATCH 1/7] Add the documentation on the kubernetes.io/psp annotation --- .../en/docs/reference/labels-annotations-taints/_index.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md index 4b74774ea7..6af0587283 100644 --- a/content/en/docs/reference/labels-annotations-taints/_index.md +++ b/content/en/docs/reference/labels-annotations-taints/_index.md @@ -618,6 +618,12 @@ or updating objects that contain Pod templates, such as Deployments, Jobs, State See [Enforcing Pod Security at the Namespace Level](/docs/concepts/security/pod-security-admission) for more information. +### kubernetes.io/psp (deprecated) {#kubernetes-io-psp} + +Example: `kubernetes.io/psp: restricted` + +Value is the name of the [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) that was validated against the ressource. + ### seccomp.security.alpha.kubernetes.io/pod (deprecated) {#seccomp-security-alpha-kubernetes-io-pod} This annotation has been deprecated since Kubernetes v1.19 and will become non-functional in v1.25. From 453f4e61f6255c43ad8de6c65cce7e161922d919 Mon Sep 17 00:00:00 2001 From: mtardy Date: Tue, 28 Jun 2022 21:12:30 +0200 Subject: [PATCH 2/7] Reference the kubernetes.io/psp annotation on the PodSecurityPolicy concept page --- .../docs/concepts/security/pod-security-policy.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/content/en/docs/concepts/security/pod-security-policy.md b/content/en/docs/concepts/security/pod-security-policy.md index cc0acc410d..6b061b830e 100644 --- a/content/en/docs/concepts/security/pod-security-policy.md +++ b/content/en/docs/concepts/security/pod-security-policy.md 
@@ -214,6 +214,9 @@ controller selects policies according to the following criteria: 2. If the pod must be defaulted or mutated, the first PodSecurityPolicy (ordered by name) to allow the pod is selected. +When a Pod is validated against a PodSecurityPolicy, [a `kubernetes.io/psp` annotation](/docs/reference/labels-annotations-taints/#kubernetes-io-psp) +is added with its name as its value. + {{< note >}} During update operations (during which mutations to pod specs are disallowed) only non-mutating PodSecurityPolicies are used to validate the pod. @@ -332,7 +335,15 @@ The output is similar to this pod "pause" created ``` -It works as expected! But any attempts to create a privileged pod should still +It works as expected! You can verify that the pod was validated against the +newly created PodSecurityPolicy: + +```shell +kubectl-user get pod pause -o yaml | grep kubernetes.io/psp +kubernetes.io/psp: example +``` + +But any attempts to create a privileged pod should still be denied: ```shell From 9ffd24b78d841fd7e0b2ba3e492618ed369a8f63 Mon Sep 17 00:00:00 2001 From: mtardy Date: Tue, 28 Jun 2022 21:20:08 +0200 Subject: [PATCH 3/7] Use absolute URL in the tuto for the example PSP --- content/en/docs/concepts/security/pod-security-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/security/pod-security-policy.md b/content/en/docs/concepts/security/pod-security-policy.md index 6b061b830e..329382482e 100644 --- a/content/en/docs/concepts/security/pod-security-policy.md +++ b/content/en/docs/concepts/security/pod-security-policy.md @@ -258,7 +258,7 @@ The name of a PodSecurityPolicy object must be a valid And create it with kubectl: ```shell -kubectl-admin create -f example-psp.yaml +kubectl-admin create -f https://k8s.io/examples/policy/example-psp.yaml ``` Now, as the unprivileged user, try to create a simple pod: From 3b8a2a01fab70424aa4b3ed05069e65c15feeff6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mah=C3=A9?= Date: Wed, 29 Jun 2022 09:26:06 +0200 Subject: [PATCH 4/7] Clarify the reference to the psp annotation in the concept page Co-authored-by: Tim Bannister --- content/en/docs/concepts/security/pod-security-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/security/pod-security-policy.md b/content/en/docs/concepts/security/pod-security-policy.md index 329382482e..59215c3380 100644 --- a/content/en/docs/concepts/security/pod-security-policy.md +++ b/content/en/docs/concepts/security/pod-security-policy.md @@ -215,7 +215,7 @@ controller selects policies according to the following criteria: (ordered by name) to allow the pod is selected. When a Pod is validated against a PodSecurityPolicy, [a `kubernetes.io/psp` annotation](/docs/reference/labels-annotations-taints/#kubernetes-io-psp) -is added with its name as its value. +is added to the Pod, with the name of the PodSecurityPolicy as the annotation value. {{< note >}} During update operations (during which mutations to pod specs are disallowed) From 23eea7e12262779e4558692ce34c68c09502efa0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mah=C3=A9?= Date: Wed, 29 Jun 2022 09:27:42 +0200 Subject: [PATCH 5/7] Add more context in the annotation page Co-authored-by: Tim Bannister --- .../en/docs/reference/labels-annotations-taints/_index.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md index 6af0587283..d132642e2c 100644 --- a/content/en/docs/reference/labels-annotations-taints/_index.md +++ b/content/en/docs/reference/labels-annotations-taints/_index.md 
@@ -622,7 +622,11 @@ for more information. Example: `kubernetes.io/psp: restricted` -Value is the name of the [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) that was validated against the ressource. +This annotation is only relevant if you are using [PodSecurityPolicies](/docs/concepts/security/pod-security-policy/). + +When the PodSecurityPolicy admission controller admits a Pod, the admission controller +modifies the Pod to have this annotation. +The value of the annotation is the name of the PodSecurityPolicy that was used for validation. ### seccomp.security.alpha.kubernetes.io/pod (deprecated) {#seccomp-security-alpha-kubernetes-io-pod} From 8a4e62fb766e8efc296ca91823b210941fb24bcd Mon Sep 17 00:00:00 2001 From: mtardy Date: Wed, 29 Jun 2022 09:36:11 +0200 Subject: [PATCH 6/7] Separate commands from their outputs --- .../concepts/security/pod-security-policy.md | 27 +++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/content/en/docs/concepts/security/pod-security-policy.md b/content/en/docs/concepts/security/pod-security-policy.md index 59215c3380..b43bfd4c5e 100644 --- a/content/en/docs/concepts/security/pod-security-policy.md +++ b/content/en/docs/concepts/security/pod-security-policy.md @@ -287,6 +287,11 @@ pod's service account nor `fake-user` have permission to use the new policy: ```shell kubectl-user auth can-i use podsecuritypolicy/example +``` + +The output is similar to this: + +``` no ``` 
@@ -303,14 +308,27 @@ kubectl-admin create role psp:unprivileged \ --verb=use \ --resource=podsecuritypolicy \ --resource-name=example -role "psp:unprivileged" created +``` +``` +role "psp:unprivileged" created +``` + +```shell kubectl-admin create rolebinding fake-user:psp:unprivileged \ --role=psp:unprivileged \ --serviceaccount=psp-example:fake-user -rolebinding "fake-user:psp:unprivileged" created +``` +``` +rolebinding "fake-user:psp:unprivileged" created +``` + +```shell kubectl-user auth can-i use podsecuritypolicy/example +``` + +``` yes ``` @@ -340,6 +358,11 @@ newly created PodSecurityPolicy: ```shell kubectl-user get pod pause -o yaml | grep kubernetes.io/psp +``` + +The output is similar to this + +``` kubernetes.io/psp: example ``` From 1d55061a5a748bd9cd953470c847ac012cc2cf8f Mon Sep 17 00:00:00 2001 From: mtardy Date: Wed, 29 Jun 2022 09:37:23 +0200 Subject: [PATCH 7/7] Remove the part about defining a PSP in a file --- content/en/docs/concepts/security/pod-security-policy.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/en/docs/concepts/security/pod-security-policy.md b/content/en/docs/concepts/security/pod-security-policy.md index b43bfd4c5e..c296f31cc2 100644 --- a/content/en/docs/concepts/security/pod-security-policy.md +++ b/content/en/docs/concepts/security/pod-security-policy.md @@ -248,8 +248,7 @@ alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n ### Create a policy and a pod -Define the example PodSecurityPolicy object in a file. This is a policy that -prevents the creation of privileged pods. +This is a policy that prevents the creation of privileged pods. The name of a PodSecurityPolicy object must be a valid [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
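Review bot: "ressource" in the sentence added by PATCH 1/7 to `labels-annotations-taints/_index.md` is a typo for "resource"; PATCH 5/7 replaces that line anyway, so squashing the two keeps the typo out of history. The new `### kubernetes.io/psp (deprecated)` heading also gives no release, while the neighbouring `seccomp.security.alpha.kubernetes.io/pod` entry states since which version it is deprecated and when it stops working; the PSP entry should say the same so readers can judge whether they can still rely on the annotation.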
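Review bot: "is added with its name as its value" in the first hunk of PATCH 2/7 leaves it open whether "its" means the Pod or the PodSecurityPolicy. PATCH 4/7 resolves this with "with the name of the PodSecurityPolicy as the annotation value", so the two commits belong squashed before merge.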
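Review bot: the expected output `kubernetes.io/psp: example` sits inside the same `shell` fence as the command in the second hunk of PATCH 2/7, which the rest of the page avoids (compare the "The output is similar to this" block just above), and `grep` over `-o yaml` output prints the matching line with its YAML indentation rather than flush-left as shown. PATCH 6/7 splits the fences; printing just the policy name with `kubectl-user get pod pause -o jsonpath='{.metadata.annotations.kubernetes\.io/psp}'` would avoid both issues.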
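Review bot: the paragraph above the `kubectl-admin create -f https://k8s.io/examples/policy/example-psp.yaml` line changed in PATCH 3/7 still reads "Define the example PodSecurityPolicy object in a file", so this commit on its own has the text and the command contradicting each other; PATCH 7/7 removes that sentence, so squash them or reorder the series so no intermediate commit is inconsistent.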
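Review bot: the rewritten paragraph in PATCH 5/7 says the admission controller "modifies the Pod to have this annotation" but not which policy is named when several are usable; the concept-page hunk in PATCH 2/7 shows the selection criteria (first allowing non-mutating policy, else first allowing policy by name) and that only non-mutating policies are used on update, so link this sentence back to those criteria, otherwise readers may assume the annotation value is stable across create and update.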
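Review bot: the three new output fences in the second hunk of PATCH 6/7 follow their `shell` fence with no blank line and no "The output is similar to this:" lead-in, unlike the first hunk of the same patch which has both; make them consistent so the rendered page visibly separates each command from its output.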
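Review bot: "The output is similar to this" in the third hunk of PATCH 6/7 is missing the trailing colon that the same phrase carries in the first hunk; add it for consistency.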
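Review bot: after PATCH 7/7 the section opens with "This is a policy that prevents the creation of privileged pods." and "This" no longer has a referent, since the sentence introducing the example file is gone; reword to name what it points at, for instance "The following example PodSecurityPolicy prevents the creation of privileged pods:" (assuming the example manifest is rendered right there, as the `create -f https://k8s.io/examples/policy/example-psp.yaml` command from PATCH 3/7 suggests).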