Tidy PSA tutorials

Various tidying to match website style guide better.
pull/37587/head
Tim Bannister 2022-10-29 15:54:51 +01:00
parent c6b3f34d5b
commit a39ee496fe
2 changed files with 26 additions and 22 deletions

View File

@ -82,7 +82,7 @@ that are most appropriate for your configuration, do the following:
kubectl get ns
```
The output is similar to this:
```
```
NAME STATUS AGE
default Active 9m30s
kube-node-lease Active 9m32s
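Review bot: The only change in this hunk is a fence line that renders identically before and after (both a bare ```), so the edit is presumably indentation or trailing whitespace; that is fine for a tidy-up, but if the fence was re-indented to sit under the numbered step, check that the matching closing fence of that output block is indented the same way, otherwise Markdown ends the code block early and the namespace table renders as loose text.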
@ -99,8 +99,9 @@ that are most appropriate for your configuration, do the following:
kubectl label --dry-run=server --overwrite ns --all \
pod-security.kubernetes.io/enforce=privileged
```
The output is similar to this:
```
The output is similar to:
```
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
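Review bot: Wording becomes inconsistent within this file: this hunk (and the two below it) changes "The output is similar to this:" to "The output is similar to:", but the hunks at -82 and -281, and the second file at -80, keep "The output is similar to this:". Since the commit is a style-guide tidy, pick one form and apply it to every occurrence in both files.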
@ -108,12 +109,13 @@ that are most appropriate for your configuration, do the following:
namespace/local-path-storage labeled
```
2. Baseline
```shell
```shell
kubectl label --dry-run=server --overwrite ns --all \
pod-security.kubernetes.io/enforce=baseline
```
The output is similar to this:
```
The output is similar to:
```
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
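Review bot: Ordinal style is mixed within this file: `2. Baseline` here and `3. Restricted` in the next hunk carry explicit numbers, while the later steps at -212 and -281 use `1.` for every item; pick one convention for the file. The duplicated ```shell line in this hunk is another change that the rendering hides (indentation only), so there is nothing else to review here.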
@ -123,15 +125,16 @@ that are most appropriate for your configuration, do the following:
Warning: kube-proxy-m6hwf: host namespaces, hostPath volumes, privileged
namespace/kube-system labeled
namespace/local-path-storage labeled
```
```
3. Restricted
```shell
kubectl label --dry-run=server --overwrite ns --all \
pod-security.kubernetes.io/enforce=restricted
```
The output is similar to this:
```
The output is similar to:
```
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
@ -180,7 +183,7 @@ following:
```
mkdir -p /tmp/pss
cat <<EOF > /tmp/pss/cluster-level-pss.yaml
cat <<EOF > /tmp/pss/cluster-level-pss.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
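Review bot: The block opened just before `mkdir -p /tmp/pss` uses a bare ``` although it contains shell commands (a mkdir and a heredoc), whereas the command blocks in the hunks at -108 and -281 are tagged ```shell; the same applies to the `cat <<EOF > /tmp/pss/cluster-config.yaml` block in the next hunk. Tagging both as `shell` would match the rest of the file. The heredoc line itself appears unchanged in the rendering, so the visible edit is indentation only.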
@ -212,7 +215,7 @@ following:
1. Configure the API server to consume this file during cluster creation:
```
cat <<EOF > /tmp/pss/cluster-config.yaml
cat <<EOF > /tmp/pss/cluster-config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
@ -281,11 +284,11 @@ following:
The output is similar to this:
```
Kubernetes control plane is running at https://127.0.0.1:63855
CoreDNS is running at https://127.0.0.1:63855/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
```
1. Create a Pod in the default namespace:
```shell

View File

@ -80,11 +80,12 @@ The output is similar to this:
namespace/example created
```
## Apply Pod Security Standards
## Enable Pod Security Standards checking for that namespace
1. Enable Pod Security Standards on this namespace using labels supported by
built-in Pod Security Admission. In this step we will warn on baseline pod
security standard as per the latest version (default value)
built-in Pod Security Admission. In this step you will configure a check to
warn on Pods that don't meet the latest version of the _baseline_ pod
security standard.
```shell
kubectl label --overwrite ns example \
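Review bot: The rewritten sentence lowercases the term ("the latest version of the _baseline_ pod security standard") while the next hunk's new text writes "the `baseline` Pod Security Standard" with capitals and backticks; the two new sentences should agree on capitalization and on whether the level name is italicised or set in backticks. The new heading and the switch to second person ("you will configure a check") read well and match the first file.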
@ -92,8 +93,8 @@ namespace/example created
pod-security.kubernetes.io/warn-version=latest
```
2. Multiple pod security standards can be enabled on any namespace, using labels.
Following command will `enforce` the `baseline` Pod Security Standard, but
2. You can configure multiple pod security standard checks on any namespace, using labels.
The following command will `enforce` the `baseline` Pod Security Standard, but
`warn` and `audit` for `restricted` Pod Security Standards as per the latest
version (default value)
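Review bot: The kept tail "as per the latest version (default value)" is the same phrasing the previous hunk already replaced with "the latest version of the ... standard"; apply the same rewording here so the two items match. It would also help readers to state what the three modes do, since `warn` and `audit` are often assumed to block Pods: only `enforce` rejects a violating Pod, `warn` returns a warning to the client that submitted it, and `audit` adds an annotation to the audit log event while still admitting the Pod.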
@ -107,7 +108,7 @@ namespace/example created
pod-security.kubernetes.io/audit-version=latest
```
## Verify the Pod Security Standards
## Verify the Pod Security Standard enforcement
1. Create a baseline Pod in the `example` namespace:
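Review bot: The new heading promises verification of "enforcement", but the step that follows creates a baseline Pod, which the `enforce=baseline` label admits; what that step demonstrates (per the -132 hunk below, where the Pod is created and the text talks about warnings) is the `warn=restricted` check. Either widen the heading (for example "Verify the Pod Security Standard checks") or add a step that submits a Pod violating baseline (the -123 hunk lists host namespaces, hostPath volumes and privileged containers as such violations) and shows the API server rejecting it.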
@ -132,9 +133,9 @@ namespace/example created
pod/nginx created
```
The Pod Security Standards were applied only to the `example`
namespace. You could create the same Pod in the `default` namespace
with no warnings.
The Pod Security Standards enforcement and warning settings were applied only
to the `example` namespace. You could create the same Pod in the `default`
namespace with no warnings.
## Clean up
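Review bot: "You could create the same Pod in the `default` namespace with no warnings" holds only when the cluster has no cluster-wide Pod Security Admission defaults; the other file in this commit configures exactly that through an `AdmissionConfiguration` at `/tmp/pss/cluster-level-pss.yaml`, and such defaults apply to `default` as well. Qualify the sentence (for example "in a cluster with no cluster-wide defaults configured") so readers who follow both tutorials are not surprised.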