deprecate DenyExecOnPrivileged/DenyEscalatingExec #12152
Conversation
k8s-ci-robot
added
do-not-merge/hold
| @@ -205,7 +205,15 @@ Reference [here](http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_pod | |||
|
|
|||
|
|
|||
|
|
|||
There was a problem hiding this comment.
wasn't sure how revisionist we get about blog post updates, but this advice isn't current
There was a problem hiding this comment.
The ResourceQuota section is incorrect, also
There was a problem hiding this comment.
Maybe just mark the blog post as being out of date and containing errors?
|
Deploy preview for kubernetes-io-master-staging ready! Built with commit 2b3c150 https://deploy-preview-12152--kubernetes-io-master-staging.netlify.com |
| @@ -205,7 +205,15 @@ Reference [here](http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_pod | |||
|
|
|||
|
|
|||
|
|
|||
There was a problem hiding this comment.
The ResourceQuota section is incorrect, also
| @@ -205,7 +205,15 @@ Reference [here](http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_pod | |||
|
|
|||
|
|
|||
|
|
|||
There was a problem hiding this comment.
Maybe just mark the blog post as being out of date and containing errors?
k8s-ci-robot
added
the
lgtm
| running privileged containers. | ||
|
|
||
| If you do not want all users with the ability to create a pod to have root-level access to nodes, | ||
| you should consider using a policy-based admission plugin to limit the types of pods that can be created. |
There was a problem hiding this comment.
| you should consider using a policy-based admission plugin to limit the types of pods that can be created. | |
| you should consider using a policy-based admission plugin to limit the types of Pods that can be created. |
| access to the nodes they run on, including mounting arbitrary host paths, running as root, and | ||
| running privileged containers. | ||
|
|
||
| If you do not want all users with the ability to create a pod to have root-level access to nodes, |
There was a problem hiding this comment.
| If you do not want all users with the ability to create a pod to have root-level access to nodes, | |
| If you do not want all users with the ability to create a Pod to have root-level access to nodes, |
| @@ -205,7 +205,15 @@ Reference [here](http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_pod | |||
|
|
|||
|
|
|||
|
|
|||
| In case you are running containers with elevated privileges (--privileged) you should consider using the “DenyEscalatingExec” admission control. This control denies exec and attach commands to pods that run with escalated privileges that allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and have access to the host PID namespace. For more details on admission controls, see the Kubernetes [documentation](http://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). | |||
| By default, users with the ability to create pods can make use of features that allow root-level | |||
| access to the nodes they run on, including mounting arbitrary host paths, running as root, and | |||
There was a problem hiding this comment.
| access to the nodes they run on, including mounting arbitrary host paths, running as root, and | |
| access to the Nodes they run on, including mounting arbitrary host paths, running as the `root` user, and |
| @@ -205,7 +205,15 @@ Reference [here](http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_pod | |||
|
|
|||
|
|
|||
|
|
|||
| In case you are running containers with elevated privileges (--privileged) you should consider using the “DenyEscalatingExec” admission control. This control denies exec and attach commands to pods that run with escalated privileges that allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and have access to the host PID namespace. For more details on admission controls, see the Kubernetes [documentation](http://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). | |||
| By default, users with the ability to create pods can make use of features that allow root-level | |||
There was a problem hiding this comment.
| By default, users with the ability to create pods can make use of features that allow root-level | |
| By default, users with the ability to create Pods can make use of features that allow root-level |
content/en/docs/reference/access-authn-authz/admission-controllers.md
Outdated
Show resolved
Hide resolved
content/en/docs/reference/access-authn-authz/admission-controllers.md
Outdated
Show resolved
Hide resolved
|
@liggitt Small nits, also great to see you again! Let me know if you (dis)agree. I made them as suggestions, so you should just be able to accept them if they work. |
k8s-ci-robot
removed
the
lgtm
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
@zparnold made the suggested changes inline, and reverted the blog post content changes in favor of a note at the top pointing to latest cluster hardening guides. |
|
@zparnold Please take a look and state your approval. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: zparnold The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Update guidance for admission plugins
/hold
for kubernetes/kubernetes#72737