From 6b38f198990e3768139e8b5065403b79c7f0a018 Mon Sep 17 00:00:00 2001 From: Christian Schlotter Date: Tue, 19 Apr 2022 10:09:01 +0200 Subject: [PATCH] book: implement review fixes Signed-off-by: Christian Schlotter --- docs/book/src/security-guidelines/index.md | 2 +- .../src/security-guidelines/pod-security-standards.md | 9 ++++++--- .../cluster-class/write-clusterclass.md | 4 ++-- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/docs/book/src/security-guidelines/index.md b/docs/book/src/security-guidelines/index.md index 6d1e4f448d73..15f8989dcd21 100644 --- a/docs/book/src/security-guidelines/index.md +++ b/docs/book/src/security-guidelines/index.md @@ -1,6 +1,6 @@ # Security Guidelines This section provides security guidelines useful to provision clusters which are -secure by default to follow the [secure defaults guidelines for cloud native apps]. +_secure by default_ to follow the [secure defaults guidelines for cloud native apps]. [secure defaults guidelines for cloud native apps]: https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md \ No newline at end of file diff --git a/docs/book/src/security-guidelines/pod-security-standards.md b/docs/book/src/security-guidelines/pod-security-standards.md index 5b066456e7f7..b0c82403b53f 100644 --- a/docs/book/src/security-guidelines/pod-security-standards.md +++ b/docs/book/src/security-guidelines/pod-security-standards.md @@ -1,6 +1,6 @@ # Pod Security Standards -Pod Security Admission allows defining [Pod Security Standards] for creation of pods at the cluster level. +Pod Security Admission allows applying [Pod Security Standards] during creation of pods at the cluster level. The flavor `development-topology` for the docker provider used in [Quick Start](../user/quick-start.md) already includes a basic Pod Security Standard configuration. It is using variables and patches via ClusterClass to inject the configuration. 
@@ -44,6 +44,9 @@ spec: ... ``` +* The version field in Pod Security Admission Config defaults to `latest`. +* The `kube-system` namespace is exempt from Pod Security Standards enforcement, because it runs control-plane pods that need higher privileges. + ### Adding the patches to a ClusterClass The following snippet contains the patch to be added to the ClusterClass. @@ -64,7 +67,7 @@ kind: ClusterClass spec: ... patches: - - name: admissionPodSecurityPolicy + - name: podSecurityStandard description: "Adds an admission configuration for PodSecurity to the kube-apiserver." definitions: - selector: @@ -187,7 +190,7 @@ spec: ### Create a secure Cluster using the ClusterClass -After adding the variables and patches the Pod Security Standard would be added by default. +After adding the variables and patches the Pod Security Standards would be applied by default. It is also possible to disable this patch or configure different levels for the configuration using variables. diff --git a/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md b/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md index 7b0f685f4b2c..3eb1e48ec9d8 100644 --- a/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md +++ b/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md 
@@ -687,9 +687,9 @@ a ClusterClass matches all of the following conditions: * the patch is a JSON patch * the patch tries to `add` a value to a **slice** * the slice was defined with `omitempty` -* the slice is currently does not exist +* the slice currently does not exist -A workaround in this particular case is to create the slice in the patch instead of adding to the not existing one. +A workaround in this particular case is to create the slice in the patch instead of adding it to the non-existing one. When creating the slice, existing values would be overwritten so this should only be used when it does not exist. The following example shows both cases to consider while writing a patch for adding a value to a slice.
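Review bot: the index.md hunk (@@ -1,6 +1,6 @@) still ends with "\ No newline at end of file"; since the only line being edited sits right above that marker, add the trailing newline in the same change so the file stops producing this marker in every future diff.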
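Review bot: in the first pod-security-standards.md hunk (@@ -1,6 +1,6 @@) the new wording "allows applying [Pod Security Standards] during creation of pods at the cluster level" leaves it unclear what "at the cluster level" qualifies, the pods or the configuration. The rest of the page describes an admission configuration added to the kube-apiserver, so say that directly, e.g. "Pod Security Admission applies [Pod Security Standards] to pods at creation time; the admission configuration shown below sets the cluster-wide defaults."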
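Review bot: the two bullets added in the @@ -44,6 +44,9 @@ hunk of pod-security-standards.md follow the closing ``` fence with no blank line before them, and neither names the configuration key it describes. Add a blank line after the fence and tie each bullet to its field, e.g. "The `version` field of the PodSecurity admission configuration defaults to `latest`." and "`kube-system` is listed under the exemptions of that configuration because ...". For the first bullet it is also worth stating the consequence of `latest`: the enforced policy follows whatever Kubernetes version the cluster runs, so a pinned version keeps behaviour stable across upgrades.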
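Review bot: renaming the patch from `admissionPodSecurityPolicy` to `podSecurityStandard` in the @@ -64,7 +67,7 @@ hunk changes an identifier that other text may reference by name; the same file later says "It is also possible to disable this patch ... using variables", and the intro says the docker provider's `development-topology` flavor carries the same patches. Check that every `enabledIf` expression, variable name or flavor template referring to the old name is updated in this commit, otherwise the documented ClusterClass and the shipped flavor drift apart.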
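Review bot: in the @@ -187,7 +190,7 @@ hunk, "the Pod Security Standards would be applied by default" still reads as conditional even though the sentence describes what happens once the variables and patches are in place; "are applied by default" is the plainer statement, and a comma after "patches" helps the sentence parse.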
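Review bot: in the write-clusterclass.md hunk (@@ -687,9 +687,9 @@), "instead of adding it to the non-existing one" makes "it" refer to the slice, while the subject of the bullet list is the value being added. Suggest "instead of adding the value to a slice that does not exist yet", which also matches the corrected bullet "the slice currently does not exist".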