Given that Pod Security Admission has been beta and then generally
available for a while, assume that kind gives the reader a cluster that
includes this feature.
The kubectl tool includes a client for fetching manifests using HTTP,
and we usually rely on that for tutorials. Switch to an approach where
we don't create a manifest on the filesystem and then apply that.
Running `kubectl exec <pod_name> <command>` is deprecated:
```
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead
```
It should be: `kubectl exec <pod_name> -- <command>`
From the release notes of
https://github.com/kubernetes/kubernetes/pull/109819, we have to update
according to the following situation:
```
Action required: support for the alpha seccomp annotations
`seccomp.security.alpha.kubernetes.io/pod` and
`container.seccomp.security.alpha.kubernetes.io`, deprecated since
v1.19, has been partially removed. Kubelets no longer support the
annotations, use of the annotations in static pods is no longer
supported, and the seccomp annotations are no longer auto-populated when
pods with seccomp fields are created. Auto-population of the seccomp
fields from the annotations is planned to be removed in 1.27. Pods
should use the corresponding pod or container
`securityContext.seccompProfile` field instead.
```
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
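The migration the quoted release note asks for, as an added example that is not part of these commits or of the Kubernetes project: it rewrites a parsed Pod manifest so the removed annotations become `securityContext.seccompProfile` fields. The value mapping (`runtime/default`, `docker/default`, `unconfined`, `localhost/<path>`) follows the Kubernetes seccomp documentation; the function names and the sample Pod are hypothetical.

```python
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def to_profile(value):
    """Translate a legacy annotation value into a seccompProfile mapping."""
    if value in ("runtime/default", "docker/default"):
        return {"type": "RuntimeDefault"}
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value.startswith("localhost/"):
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    raise ValueError(f"unrecognised seccomp annotation value: {value!r}")


def _move(target, annotations, key, moved):
    """Set target.securityContext.seccompProfile from annotations[key]."""
    if key not in annotations:
        return
    profile = to_profile(annotations[key])  # raises before anything is changed
    # An explicitly set field wins over the annotation.
    target.setdefault("securityContext", {}).setdefault("seccompProfile", profile)
    del annotations[key]
    moved.append(key)


def migrate(pod):
    """Rewrite a parsed Pod manifest in place; return the annotation keys removed."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    spec, moved = pod["spec"], []
    _move(spec, annotations, POD_ANNOTATION, moved)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        _move(c, annotations, CONTAINER_PREFIX + c["name"], moved)
    return moved


def sample_pod():
    """Constructed sample: a Pod that still relies on the annotations."""
    return {
        "metadata": {"name": "audit-pod", "annotations": {
            POD_ANNOTATION: "runtime/default",
            CONTAINER_PREFIX + "app": "localhost/profiles/audit.json",
        }},
        "spec": {"containers": [{"name": "app", "image": "example.invalid/app:1"},
                                {"name": "sidecar", "image": "example.invalid/sidecar:1"}]},
    }


if __name__ == "__main__":
    pod = sample_pod()
    print(migrate(pod), pod["spec"])
```

An unrecognised annotation value raises `ValueError` and leaves the manifest untouched, so a typo in an old annotation is surfaced instead of silently dropping the profile.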
We now update the documentation to reflect the current state of the
feature.
Refers to: https://github.com/kubernetes/enhancements/issues/2413
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
The logical navigation definitely works better if Pod Security admission
and PodSecurityPolicy are pages in the same section. Make It So.
Co-authored-by: Rey Lejano <rlejano@gmail.com>
- Highlight that we do not change the Kubernetes API and how to verify
the used seccomp profile
- Fix the kind configuration and enhance the example with a custom
workload.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>