Merge pull request #47500 from everpeace/fix-typo-blog-KEP-3619-SupplementalGroupsPolicy

KEP-3619: fix typo in the feature blog to be published on 2024-08-22
pull/47505/head
Kubernetes Prow Robot 2024-08-14 15:43:18 -07:00 committed by GitHub
commit 8a44d276f7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 1 additions and 1 deletions

@ -90,7 +90,7 @@ uid=1000 gid=3000 groups=3000,4000
You can see `Strict` policy can exclude group `50000` from `groups`!
Thus, ensuring `supplementalGroupsPolicy: Merge` (enforced by some policy mechanism) helps prevent the implicit supplementary groups in a Pod.
Thus, ensuring `supplementalGroupsPolicy: Strict` (enforced by some policy mechanism) helps prevent the implicit supplementary groups in a Pod.
{{<note>}}
Actually, this is not enough because container with sufficient privileges / capability can change its process identity. Please see the following section for details.
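Review bot: on the changed sentence, "enforced by some policy mechanism" gives the reader no pointer to how the field would actually be enforced, and the security claim rests entirely on that enforcement; consider naming or linking one example of such a mechanism. The switch from `Merge` to `Strict` is consistent with the preceding context line, which says `Strict` excludes group `50000`. Two wording nits while this line is being touched: "helps prevent the implicit supplementary groups in a Pod" reads better without "the", and since the note that follows immediately says this is not enough on its own, the sentence could say so up front (for example by starting "On its own terms, ensuring ...") rather than opening with an unqualified "Thus". The unchanged note line "container with sufficient privileges / capability" is also missing an article and could be fixed in the same pass as "a container with sufficient privileges or capabilities".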