From 8917b26250798ac6bfc786567066734425f00e84 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Mon, 24 Jan 2022 10:09:00 -0500 Subject: [PATCH 1/2] PodSecurity: switch restricted volume check to positive check --- .../security/pod-security-standards.md | 34 ++++++------------- 1 file changed, 11 insertions(+), 23 deletions(-) diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md index 205d4ddc8e..014b64ab96 100644 --- a/content/en/docs/concepts/security/pod-security-standards.md +++ b/content/en/docs/concepts/security/pod-security-standards.md @@ -305,34 +305,22 @@ fail validation. Volume Types -

In addition to restricting HostPath volumes, the restricted policy limits usage of non-core volume types to those defined through PersistentVolumes.

+

The restricted policy only permits the following volume types.

Restricted Fields

Allowed Values

+ Every item in the spec.volumes[*] list must set one of the following fields to a non-null value: From 4ca5ff6b3c0f3ee2fc99ca31653459d01dea2f3b Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Mon, 24 Jan 2022 10:10:12 -0500 Subject: [PATCH 2/2] PodSecurity: remove optional non-root group check --- .../security/pod-security-standards.md | 20 ------------------- 1 file changed, 20 deletions(-) diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md index 014b64ab96..73341e4c71 100644 --- a/content/en/docs/concepts/security/pod-security-standards.md +++ b/content/en/docs/concepts/security/pod-security-standards.md @@ -379,26 +379,6 @@ fail validation. - - Non-root groups (optional) - -

Containers should be forbidden from running with a root primary or supplementary GID.

-

Restricted Fields

- -

Allowed Values

- - - Seccomp (v1.19+)
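Review bot: In the first hunk (patch 1/2, @@ -305,34 +305,22 @@), replacing "In addition to restricting HostPath volumes, the restricted policy limits usage of non-core volume types to those defined through PersistentVolumes." with "The restricted policy only permits the following volume types." drops the only explicit mention that hostPath is forbidden under the restricted profile. The positive list implies it, but a reader skimming this row will no longer see hostPath named, so consider keeping one clause such as "(hostPath volumes remain disallowed; see the HostPath Volumes row of the baseline policy)" or a cross-link to that row. The new sentence "Every item in the spec.volumes[*] list must set one of the following fields to a non-null value:" also ends in a colon with the enumerated fields not visible in this excerpt; please confirm the list that follows covers every field the positive check accepts and that the hunk header's "fail validation" context makes clear that an item setting none of them is rejected.

Review bot: In the second hunk (patch 2/2, @@ -379,26 +379,6 @@), the "Non-root groups (optional)" row is deleted outright, including its text "Containers should be forbidden from running with a root primary or supplementary GID.", and neither the hunk nor the commit subject "remove optional non-root group check" says why. Neighbouring rows carry version annotations such as "Seccomp (v1.19+)", so readers diffing page versions will expect some trace of the change; suggest either a commit body stating the rationale or a one-line note on the page that the restricted profile no longer lists a non-root group requirement, rather than a silent removal.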