d536e46dbd
fix typos
2023-12-24 21:00:53 -05:00
45fb394ca7
Merge main into dev-1.29 to maintain sync
2023-12-07 15:59:56 +00:00
bb2cb5fa86
update sysctl-cluster.md, pod-security-standards.md
...
Signed-off-by: hunshcn <hunsh.cn@gmail.com>
2023-12-01 14:47:36 +08:00
8dc08062a7
Link PSS to User Namespaces
...
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
2023-11-30 12:16:59 +01:00
2d9fbc1c7e
Merge remote-tracking branch 'upstream/main' into dev-1.29
2023-11-22 22:07:26 +00:00
244c6353bd
Improve documentation for `kubernetes.io/enforce-mountable-secrets` annotation on `ServiceAccount`
2023-11-22 00:46:34 +09:00
f893a19ee6
Resolved merge conflict when merging main into dev-1.29 branch
2023-11-19 16:02:40 +01:00
42c9e4e20f
KEP-4193: bound service account token improvements
...
Signed-off-by: Monis Khan <mok@microsoft.com>
2023-11-16 08:48:59 -05:00
5f3f34b39b
Fix some typos in [en] docs.
...
Signed-off-by: yanggang <gang.yang@daocloud.io>
2023-11-16 00:35:39 +00:00
430dad213e
Merge pull request #42486 from raesene/main
...
Kubernetes Hardening Guide Section on Authentication Mechanisms
2023-09-18 10:22:31 -07:00
0e9e6affd3
fix broken link
2023-09-07 16:47:01 +05:30
1a3cf0a7fa
Change text in Pod Security Admission metrics ( #42856 )
...
* Change text in Pod Security Admission metrics
* remove changes from the metrics.md file
2023-09-03 13:05:47 -07:00
bf75860f4d
Merge pull request #41814 from ugur99/ugur-develop
...
List metrics that relate to Pod security admission
2023-09-03 10:19:46 -07:00
8ed2edd0e2
change serviceaccount wording
2023-08-27 09:31:11 +01:00
076c879c70
Update content/en/docs/concepts/security/hardening-guide/authentication-mechanisms.md
...
Co-authored-by: Qiming Teng <tengqm@outlook.com>
2023-08-27 09:28:51 +01:00
5f17fd8fb3
[en] typo secrets-good-practices.md
2023-08-22 03:07:58 +03:00
eee06d1b81
Add whitespace into “Good practices for Kubernetes Secrets” ( #42650 )
...
* Update secrets-good-practices.md
changed caution as per docs
https://kubernetes.io/docs/contribute/style/style-guide/#caution
* Update secrets-good-practices.md
added spaces as per style guide https://kubernetes.io/docs/contribute/style/style-guide/#caution
2023-08-20 19:33:22 -07:00
0761ef8e19
Update content/en/docs/concepts/security/hardening-guide/authentication-mechanisms.md
...
Co-authored-by: Tim Bannister <tim@scalefactory.com>
2023-08-19 18:28:41 +01:00
3dd0bd16ba
sentence case, wrapping and fixes from comments
2023-08-19 15:37:26 +01:00
1e7a4eb633
Initial commit of Draft Kubernetes Hardening Guide Section on Authentication Mechanisms
2023-08-10 13:39:03 +01:00
fd6648f165
removed( enable log handling) command and its content
2023-08-02 19:28:38 +05:30
bae7a10d64
attached correct link to the documentation
2023-08-02 18:54:14 +05:30
ca08498f33
Provide a consistent appearance to bullets
2023-07-25 09:23:22 +08:00
3581bb036d
Reword seccomp paragraph to remove alpha feature reference
...
Fix capitalization
2023-07-09 09:46:29 -07:00
b773649fb2
improvement psa document fix
...
Signed-off-by: Ugur <ugurozturk918@gmail.com>
2023-06-30 16:20:31 +02:00
26f72a7358
improvement psa document
...
Signed-off-by: Ugur <ugurozturk918@gmail.com>
2023-06-30 13:09:21 +02:00
49135cefb8
Tweak line wrappings in /services-networking/ingress.md
2023-06-01 21:38:11 +08:00
821ca22ac1
Merge pull request #40915 from mrgiles/37738_securing_cluster_checklist_align
...
Add links between Securing a Cluster and Security Checklist for alignment
2023-05-15 13:45:34 -07:00
eb7c049f04
Merge pull request #40376 from dtzar/patch-1
...
clarify Windows privileged containers feature enablement
2023-05-07 03:51:16 -07:00
057766eed7
updated link
2023-05-02 00:35:47 +05:30
19a3dc0f6f
Add links between securing cluster and security checklist
2023-04-30 23:28:52 -07:00
d8a6fd602c
fixed broken link
2023-04-28 22:39:33 +05:30
8f3790c3a9
clarify Windows privileged containers feature enablement
2023-04-07 10:50:25 -07:00
7b7fa2c8ec
Merge pull request #38874 from sftim/20230110_add_logs_api_to_security_checklist
...
Add /logs API to security checklist
2023-04-03 08:31:51 -07:00
47319756be
fix links in service-accounts.md
2023-03-28 14:48:04 +09:00
458c0e3b26
Improvement: Added the Note for External applications. ( #39691 )
...
* Improvement: Added the word External applications.
* Added the Note for External Applications.
* Modify the note
2023-03-21 20:08:36 -07:00
52bb8f9282
Add /logs API to security checklist
...
It's best to disable this API, which is deprecated at the time of
writing.
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
2023-03-16 17:38:38 +00:00
da84dd8419
Merge pull request #39436 from sftim/20230213_tweak_sa_concept
...
Fix wording, punctuation and Markdown for ServiceAccount concept page
2023-02-14 15:53:41 -08:00
ee4b88ed37
Merge pull request #37733 from sftim/20221105_update_docs_podsecuritypolicy_removal
...
Update documentation for PodSecurityPolicy removal
2023-02-14 12:55:51 -08:00
96d49317a2
Fix wording for ServiceAccount concept
...
Co-authored-by: Qiming Teng <tengqm@outlook.com>
Co-authored-by: Shannon Kularathna <ax3shannonkularathna@gmail.com>
2023-02-14 09:17:03 +00:00
cb5a8930dc
Fix broken anchor
2023-02-14 09:16:57 +00:00
9eb2767333
Add a missing anchor pound sign
2023-02-13 12:49:20 -05:00
b1f18bfa9b
Merge pull request #38289 from shannonxtreme/service-account
...
Add a new concept page for service accounts
2023-02-13 09:37:29 -08:00
7cb6d1eb35
Add a new concept page for service accounts
...
Also add a glossary definition for JWTs
Co-authored-by: Tim Bannister <tim+github@scalefactory.com>
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
Co-authored-by: stlaz <https://github.com/stlaz >
2023-02-13 17:29:12 +00:00
42e746a379
Clean up api-server-bypass-risks.md
2023-02-06 09:55:04 +08:00
fe12a4054b
Update PSS - HostPorts should be disallowed
...
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
2023-01-30 13:12:45 -08:00
bb85d62752
Update docs for PodSecurityPolicy removal
2023-01-24 22:24:09 +00:00
d0779881e6
Further updates to clarify language
2023-01-19 15:32:18 -05:00
5c9af80d8c
Update content/en/docs/concepts/security/rbac-good-practices.md
...
Co-authored-by: Tim Bannister <tim@scalefactory.com>
2023-01-19 15:16:19 -05:00
cc56241ccd
Update content/en/docs/concepts/security/rbac-good-practices.md
...
Co-authored-by: Tim Bannister <tim@scalefactory.com>
2023-01-19 15:13:47 -05:00
d11408b9d9
Update RBAC Good Practices for PersistentVolumes
...
The docs previously referred to the reader to the now defunct PodSecurityPolicy
page to explain how PersistentVolumes can be a path of privilege escalation,
burrying the lede.
Now that PodSecurityPolicy is gone, update this bit to actually explain that it
it is unfettered access to creating hostPath-typed PersistentVolumes that are
a problem. Some words lifted from the 1.24 PodSecurityPolicy docs.
Signed-off-by: Mike Waychison <mike@waychison.com>
2023-01-19 13:45:50 -05:00
a437285212
Fix nits in markdown links
...
This PR fixes a few "bad links" identified by the `scripts/linkchecker.py` script.
2022-12-22 08:45:10 +08:00
61b13a19d0
[en] fix quotation mark in multi-tenancy page
2022-12-12 09:55:49 +01:00
f8a2d2319a
Add documentation about signed Kubernetes artifacts
...
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2022-11-28 12:05:11 +01:00
aaaa6303f4
Merge pull request #37731 from sftim/20221105_tweak_psp_removal_page
...
Tweak page about PodSecurityPolicy removal
2022-11-08 11:14:19 -08:00
4e006c898d
Tweak page about PSP removal
...
- Remove reviewers (feature was removed)
- Use semi-custom Docsy callout to note the removal
- Stop stating that the API is deprecated; it's now actually removed.
2022-11-05 18:22:27 +00:00
3174fdf2d4
Adjust page weights for /docs/concepts section
...
Changes the page weights of the index files for folders in the /docs/concepts folder. There were some overlapping weights and weights that were close together.
2022-11-04 10:13:53 -04:00
0f9b65b429
Add page weights to concepts -> security pages
2022-10-24 19:02:52 +00:00
05a17c16fc
[en] fix typo secrets-good-practices.md
2022-10-05 01:31:49 +03:00
91ecbb977c
Merge pull request #36805 from harshchauhan1988/patch-2
...
Adding recommendation for network isolation
2022-09-30 06:54:28 -07:00
d8132bcd35
Improve the RBAC policies section
...
- Change the heading to be more goal-oriented and add an anchor
- Separate list items into 'component' and 'human' users
- Add info about get access and third-party authorization mechanisms for finer control
- Add caution for granting list access
2022-09-22 16:07:06 +00:00
6ca919d4bd
Add caution callout for base64 encoding
2022-09-22 16:07:06 +00:00
89b9c18121
Split developer content into headings and remove redundant points
...
Add short description to cluster admin and dev section
2022-09-22 16:07:06 +00:00
8eb3ae60f3
Move developer content below cluster admins
...
Additionally, fixed a couple of markdown links to not line wrap
2022-09-22 16:07:06 +00:00
502eac3635
Clean up etcd wording
2022-09-22 16:07:06 +00:00
4887467aa4
Add sections for cluster admins
...
- Add section for encryption at rest
- Add section for RBAC
- Clean up RBAC bullets
- Move etcd bullets to own section on etcd management
- Add section for third party secret stores
2022-09-22 16:07:06 +00:00
1c625d0659
Update glossary and move existing info to new page
...
- Update glossary term for secrets
- Improve clarity of privileged container warning note
- Create a new page for Secrets good practices and bring existing content as-is to the page
- Add weights to pages
- Add link for good practices for secrets and remove moved content
2022-09-22 16:07:05 +00:00
de922ae019
Merge pull request #36562 from windsonsea/secovy
...
Fix typo and consistency: /security/overview.md
2022-09-18 11:12:29 -07:00
8ab4ebb376
Adding recommendation for network isolation
2022-09-14 15:00:14 +05:30
5ada01a5ce
Merge pull request #36343 from tallclair/workload-creation
...
Update RBAC best practices for workload creation
2022-09-07 09:18:37 -07:00
0df6c75da0
Reformat multi-tenancy page
...
When translating/synchronizing changes to the multi-tenancy page, we
found that the long lines are difficult for change tracking. This PR
changes nothing other than manually wrapping the long lines.
2022-09-06 13:12:14 +08:00
922aed0bf8
Fix typo and consistency: /security/overview.md
2022-09-03 22:43:12 +08:00
7e23b9e97d
Update overview.md
...
Add huawei cloud trust center link
2022-09-03 17:45:26 +08:00
32e47b31bb
Fix a few mini typos in the API bypass security page
2022-09-02 19:41:24 +02:00
09707c0aef
Merge pull request #35908 from raesene/main
...
New Docs page for API Server Bypass Risks
2022-09-02 09:14:06 -07:00
a5e96bfbc5
Merge pull request #33992 from mtardy/security-checklist
...
Add a security checklist for clusters
2022-09-01 13:13:19 -07:00
9f5a35978f
RBAC guide is presented as a checklist item
2022-09-01 11:44:55 +02:00
eb962b4c12
Rewrite the part on the Pod Security standards and admission
2022-09-01 11:43:28 +02:00
a4305381fb
Reword the service mesh suggestion
2022-08-31 18:29:59 +02:00
d4fcf2fc7c
Reword the secret injection suggestion
2022-08-31 18:29:43 +02:00
f14a7544e5
Rewrite the admission plugins list
2022-08-31 18:26:49 +02:00
239dc4c2fe
Fix a typo on the word securely
2022-08-31 17:54:20 +02:00
c006a43f97
Replace a wrong unicode space character
2022-08-31 17:51:51 +02:00
63ae0a9521
Split checklist item and explanation
2022-08-31 17:38:42 +02:00
d40e9cfa89
Remove an empty line
2022-08-31 17:37:01 +02:00
2f8388e830
Add precision about pod security with pod security standards
...
Co-authored-by: Rey Lejano <rlejano@gmail.com>
2022-08-31 17:35:03 +02:00
0e81bfd8ef
Detail and add info on the CPU and memory limit item
2022-08-31 17:32:00 +02:00
7139aba954
Add some guidelines on how to read the doc
2022-08-31 17:17:56 +02:00
949e499db3
Rewrite the checklist item on minimal container images
2022-08-31 16:55:31 +02:00
5167ab5c88
Use correct name for PodSecurityPolicy admission controller
2022-08-31 16:55:05 +02:00
777d396905
Remove warning on PodSecurityPolicy removal in 1.25
2022-08-31 16:54:30 +02:00
19894182dc
Explain namespace subdividing better
2022-08-29 15:14:28 -07:00
6162bcde28
Update RBAC best practices for workload creation
2022-08-26 16:46:27 -07:00
49bc9b34eb
New docs page for API Server Bypass Risks
...
New Docs page for API Server Bypass Risks
This is a new documentation page for the Security Concepts section, looking at the risks of attackers bypassing the Kubernetes API server.
We've been working on this in Kubernetes SIG-Security docs (issue [here](https://github.com/kubernetes/sig-security/issues/42 ))
Co-Authored-By: Shannon Kularathna <ax3shannonkularathna@gmail.com>
Co-Authored-By: Qiming Teng <tengqm@outlook.com>
Co-Authored-By: Tim Bannister <tim@scalefactory.com>
Co-Authored-By: Jordan Liggitt <jordan@liggitt.net>
2022-08-25 17:25:58 +01:00
56e78c2011
Merge pull request #34920 from mk46/en_crlftolf
...
Convert CRLF to LF
2022-08-24 14:15:50 -07:00
28b1854383
Merge pull request #36198 from davidmlentz/patch-2
...
Fix typo
2022-08-23 21:57:48 -07:00
603f810903
Fix typo
...
There are redundant instances of "future" in this sentence.
2022-08-23 14:43:41 -06:00
c4a36a8067
Merge pull request #36165 from cathchu/merged-main-dev-1.25
...
Merged main branch into dev-1.25
2022-08-22 15:12:09 -07:00
e5ea8833be
Merge remote-tracking branch 'upstream/main' into dev-1.25
2022-08-22 08:35:18 -04:00
a3064b1a36
[en] typo fix "privilge -> privilege"
2022-08-19 16:37:47 +03:00
Takashiidobe
Kat Cosgrove
hunshcn
Sascha Grunert
chansuke
Oluebube Princes Egbuna
Monis Khan
yanggang
Kubernetes Prow Robot
SomPandey
MeenuyD
Rory McCune
Rory McCune
Arhell
Dudi Varaprasad
Deepak
windsonsea
Marcelo Giles
Ugur
Michael
niranjandarshann
David Tesar
Hiroki Takatsuka
Shubham
Tim Bannister
Shannon Kularathna
zhuzhenghao
Rita Zhang
Mike Waychison
Qiming Teng
Oscar Utbult
Abigail McCarthy
Christopher Negus
harshchauhan1988
liufangwai
mtardy
Tim Allclair
David M. Lentz
cathchu
Stanislav Kardashov