Tutorials for Pod Security Admission #30422
/sig security
✔️ Deploy Preview for kubernetes-io-main-staging ready!
🔨 Explore the source changes: d1e2545
🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/61b03ec9cc4dd20008ce01fe
😎 Browse the preview: https://deploy-preview-30422--kubernetes-io-main-staging.netlify.app
Structural review. I'll do a content review after we have hashed out some of the structural changes :)
Thank you for this PJ!!
/hold Until merge timelines are aligned as per this comment: #30502 (comment)
/sig auth
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Update to a valid 1.23 kind version.
content/en/examples/security/kind-with-cluster-level-baseline-pod-security.sh
content/en/examples/security/kind-with-namespace-level-baseline-pod-security.sh
Thank you Jim, Tim and Shannon. Accepted all inline changes from phone app. Will do some final clean up today/tomorrow when I get on Wi-Fi. After that we should be in good shape to publish this together with the blog!
Refer blog post for v1.23 + suggestions from code review
Fixed nits, broken links and numbering
Co-authored-by: Tim Bannister <[email protected]>
Co-authored-by: Shannon Kularathna <[email protected]>
Co-authored-by: Jim Angel <[email protected]>
Alright, just pushed the final changes that take care of all the pending actionable feedback. Now that the blog post PR is merged, just need someone to Deploy previews: https://deploy-preview-30422--kubernetes-io-main-staging.netlify.app/docs/tutorials/#security
/check-cla
Hold from #30422 (comment) should stand until the blog article publishes. Any time after 16:05 Pacific time on the 8th of December should be good to go, as the related blog article goes live at UTC midnight on the 9th.
This is ready for a technical signoff from SIG Auth. It's already been through quite a few checks, including by me, so what I'm looking for is a final read-through and a formal /lgtm providing no concerns spotted. Page previews: LGTM for SIG Docs, and #30422 (review) implies it also looks good to @shannonxtreme
/remove-label tide/merge-method-squash Commits are already squashed
# Until v1.23 is released, kind node image needs to be built from k/k master branch | ||
# Ref: https://kind.sigs.k8s.io/docs/user/quick-start/#building-images |
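Review bot: the comment on the first of these two lines is stale now that v1.23 has shipped; suggest replacing the build-from-master-branch instruction, together with the kind quick-start link that supports it, with a pointer to the released 1.23 kind node image. This fits the follow-up PR the thread already mentions.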
femtonit: the release has happened (very happy to fix this in a follow-up PR, though)
1. Configure the API server to consume this file during cluster creation: | ||
|
||
``` | ||
cat <<EOF > /tmp/pss/cluster-config.yaml |
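Review bot: the heredoc on the last line redirects into /tmp/pss/cluster-config.yaml, but nothing in the visible lines of step 1 creates /tmp/pss; the script added elsewhere in this PR runs `mkdir -p /tmp/pss` before its own heredoc, so either repeat that line here or state the directory as a prerequisite, otherwise the redirect fails in a fresh shell. Also suggest tagging the bare ``` fence with shell so the heredoc renders with highlighting.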
is /tmp a good location for cluster config files? I'm not sure what the typical permissions there are (or if files in /tmp are subject to automated cleanup/removal)
@@ -0,0 +1,70 @@ | |||
#!/bin/sh | |||
mkdir -p /tmp/pss | |||
cat <<EOF > /tmp/pss/cluster-level-pss.yaml |
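Review bot: `mkdir -p /tmp/pss` followed by the heredoc writes cluster configuration to a fixed, predictable path in the shared, world-writable /tmp, and the `#!/bin/sh` script runs without `set -e`, so a failed write is silently ignored by the steps that follow. Suggest `set -e` after the shebang and a private directory, for example `dir=$(mktemp -d)` with the files written under `$dir`, which also answers the inline question about /tmp permissions and tmp cleanup.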
same question about using /tmp
pod-security.kubernetes.io/warn-version=latest | ||
``` | ||
|
||
2. Multiple pod security standards can be enabled on any namespace, using labels. |
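Review bot: the label set ends with `warn-version=latest`; since `latest` follows whatever Pod Security Standards version the running API server implements, the warnings a namespace receives change on cluster upgrade. Step 2 should say that a pinned version such as `v1.23` gives stable results across upgrades and, as the inline comment asks, that on a namespace that already has workloads the labels should first be applied with `--dry-run=server` to see what the new level would reject.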
it might be worth noting that if this is an existing namespace that already contains workloads, using --dry-run=server is recommended first to determine if the new policy levels will disrupt existing workloads
Technical content lgtm, had a non-blocking question about use of tmp and suggestion about calling out use of dry-run
Thanks @liggitt Taking #30422 (comment) as We can do a follow-up PR. I agree about taking care about using
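As an added example, not code from the PR or the tutorial it adds, here is a POSIX sh sketch of the dry-run workflow suggested in the review above: the namespace is relabelled with the Pod Security Admission labels in server-side dry-run mode, the warnings the admission plugin returns for pods already running there are counted, and the labels are only applied for real when that count is zero. kubectl on PATH against a v1.23+ cluster and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the PR's code: gate Pod Security Admission labelling of an
# existing namespace on a server-side dry run. Assumes kubectl on PATH against a
# v1.23+ cluster; function names are this example's own.

# pss_labels LEVEL [VERSION]: print the enforce/warn/audit labels (and their
# -version labels) for one Pod Security Standards level.
pss_labels() {
  level=$1
  version=${2:-latest}
  case "$level" in
    privileged|baseline|restricted) ;;
    *) echo "pss_labels: unknown level '$level'" >&2; return 2 ;;
  esac
  for mode in enforce warn audit; do
    printf 'pod-security.kubernetes.io/%s=%s ' "$mode" "$level"
    printf 'pod-security.kubernetes.io/%s-version=%s ' "$mode" "$version"
  done
}

# pss_dry_run NAMESPACE LEVEL [VERSION]: apply the labels with --dry-run=server
# (nothing is persisted) and print how many "Warning:" lines the PodSecurity
# admission plugin returned for pods already running in the namespace.
pss_dry_run() {
  ns=$1; level=$2; version=${3:-latest}
  labels=$(pss_labels "$level" "$version") || return $?
  # kubectl prints admission warnings on stderr; count only those lines.
  count=$(kubectl label --overwrite --dry-run=server namespace "$ns" $labels \
            2>&1 >/dev/null | grep -c '^Warning:') || true
  echo "${count:-0}"
}

# pss_enforce NAMESPACE LEVEL [VERSION]: label the namespace for real only when
# the dry run reported no violations; otherwise leave it untouched.
pss_enforce() {
  ns=$1; level=$2; version=${3:-latest}
  warnings=$(pss_dry_run "$ns" "$level" "$version") || return $?
  if [ "$warnings" -ne 0 ]; then
    echo "not enforcing $level on $ns: $warnings warning(s) in dry run" >&2
    return 1
  fi
  kubectl label --overwrite namespace "$ns" $(pss_labels "$level" "$version")
}
```

Run it as `pss_enforce my-namespace baseline v1.23`; the warning lines from the dry run stay on stderr, so a non-zero count can be read before deciding whether to relax the level or fix the workloads.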
LGTM label has been added. Git tree hash: 377841f45aca39355245243a3391e41bda229ba5
LGTM too PJ, wonderful work here ❤️
On Wed., Dec. 8, 2021, 18:09 Kubernetes Prow Robot wrote:
LGTM label has been added.
Git tree hash: 377841f45aca39355245243a3391e41bda229ba5
Blog is now published https://kubernetes.io/blog/2021/12/09/pod-security-admission-beta/ /hold remove
/hold cancel
Creates a two part tutorial for Pod Security Admission with KinD:
/kind documentation
Notes for reviewers:
kind node image for v1.23 is not yet available here: https://hub.docker.com/r/kindest/node/tags latest tag (open to feedback on other ways to tackle this of course :) )
Initial slack discussion: https://kubernetes.slack.com/archives/C1J0BPD2M/p1636152420159200