Update PodSecurityStandards to match PodSecurity KEP

pull/28587/head
Tim Allclair 2021-06-23 17:42:58 -07:00
parent c5e229eea9
commit 6cc9bf8293
3 changed files with 8 additions and 7 deletions


@ -86,7 +86,7 @@ enforced/disallowed:
<tr>
<td>Capabilities</td>
<td>
Adding additional capabilities beyond the <a href="https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities">default set</a> must be disallowed.<br>
Adding additional capabilities beyond the <a href="https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities">default set (excluding NET_RAW)</a> must be disallowed.<br>
<br><b>Restricted Fields:</b><br>
spec.containers[*].securityContext.capabilities.add<br>
spec.initContainers[*].securityContext.capabilities.add<br>
@ -194,7 +194,7 @@ well as lower-trust users.The following listed controls should be enforced/disal
<tr>
<td>Volume Types</td>
<td>
In addition to restricting HostPath volumes, the restricted profile limits usage of non-core volume types to those defined through PersistentVolumes.<br>
In addition to restricting HostPath volumes, the restricted profile limits usage of non-ephemeral volume types to those defined through PersistentVolumes.<br>
<br><b>Restricted Fields:</b><br>
spec.volumes[*].hostPath<br>
spec.volumes[*].gcePersistentDisk<br>
@ -216,7 +216,6 @@ well as lower-trust users.The following listed controls should be enforced/disal
spec.volumes[*].portworxVolume<br>
spec.volumes[*].scaleIO<br>
spec.volumes[*].storageos<br>
spec.volumes[*].csi<br>
<br><b>Allowed Values:</b> undefined/nil<br>
</td>
</tr>


@ -11,15 +11,13 @@ metadata:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'unconfined'
spec:
privileged: false
# The moby default capability set, defined here:
# https://github.com/moby/moby/blob/0a5cec2833f82a6ad797d70acbf9cbbaf8956017/oci/caps/defaults.go#L6-L19
# The moby default capability set, minus NET_RAW
allowedCapabilities:
- 'CHOWN'
- 'DAC_OVERRIDE'
- 'FSETID'
- 'FOWNER'
- 'MKNOD'
- 'NET_RAW'
- 'SETGID'
- 'SETUID'
- 'SETFCAP'
@ -67,6 +65,9 @@ spec:
runAsUser:
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
# The PSP SELinux API cannot express the SELinux Pod Security Standards,
# so if using SELinux, you must choose a more restrictive default.
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
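Review bot: The new comment `# The moby default capability set, minus NET_RAW` above `allowedCapabilities` in the first hunk reads as if NET_RAW is removed from containers, but `allowedCapabilities` only bounds what a pod may explicitly add; a container still receives NET_RAW from the runtime default set unless `requiredDropCapabilities` lists it. That is consistent with the baseline wording in this commit's pod-security-standards.md change (adding beyond the default set excluding NET_RAW is disallowed), so the policy itself looks right, but the comment should not overstate it. The removed line also carried the moby defaults.go link that let a reader audit this list against upstream; I would keep that reference and write `# The moby default capability set (see the moby oci/caps/defaults.go link in git history), minus NET_RAW.` followed by `# Note: this only blocks adding NET_RAW explicitly; it is not dropped from the runtime default.`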


@ -22,8 +22,9 @@ spec:
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
# Assume that CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
- 'csi'
hostNetwork: false
hostIPC: false
hostPID: false
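Review bot: The comment `# Assume that CSI drivers & persistentVolumes set up by the cluster admin are safe to use.` above the new `- 'csi'` entry glosses over who supplies the volume: an inline `csi` volume in `spec.volumes` is declared by the pod author (driver name and volumeAttributes), not by the admin, so the trust assumption is narrower than for a PersistentVolumeClaim. The admin's control is limited to which drivers are installed and which of them opt into the `Ephemeral` mode in `CSIDriver.spec.volumeLifecycleModes`. I would state that explicitly: `# Inline CSI volumes are pod-author supplied; this assumes the cluster admin only installs CSI drivers that opt into ephemeral use and are safe for untrusted workloads.`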