From d20a5723e761e1d7815dc8ca17f8e4b9f670df63 Mon Sep 17 00:00:00 2001 From: Haoran Wang Date: Tue, 5 Dec 2017 13:56:20 +0800 Subject: [PATCH] Add doc for allowedFlexVolues --- docs/concepts/policy/pod-security-policy.md | 59 ++++++++++++++------- 1 file changed, 41 insertions(+), 18 deletions(-) diff --git a/docs/concepts/policy/pod-security-policy.md b/docs/concepts/policy/pod-security-policy.md index a1e219c146126..037ede4339a3d 100644 --- a/docs/concepts/policy/pod-security-policy.md +++ b/docs/concepts/policy/pod-security-policy.md 
@@ -21,25 +21,26 @@ actions that a pod can perform and what it has the ability to access. The run with in order to be accepted into the system. They allow an administrator to control the following: -| Control Aspect | Field Name | -| ---------------------------------------------------------------------- | ------------------------------------------- | -| Running of privileged containers | `privileged` | -| Default set of capabilities that will be added to a container | `defaultAddCapabilities` | -| Capabilities that will be dropped from a container | `requiredDropCapabilities` | -| Capabilities a container can request to be added | `allowedCapabilities` | -| Controlling the usage of volume types | [`volumes`](#controlling-volumes) | -| The use of host networking | [`hostNetwork`](#host-network) | -| The use of host ports | `hostPorts` | -| The use of host's PID namespace | `hostPID` | -| The use of host's IPC namespace | `hostIPC` | -| The SELinux context of the container | [`seLinux`](#selinux) | -| The user ID | [`runAsUser`](#runasuser) | -| Configuring allowable supplemental groups | [`supplementalGroups`](#supplementalgroups) | -| Allocating an FSGroup that owns the pod's volumes | [`fsGroup`](#fsgroup) | -| Requiring the use of a read only root file system | `readOnlyRootFilesystem` | -| Running of a container that allow privilege escalation from its parent | [`allowPrivilegeEscalation`](#allowprivilegeescalation) | +| Control Aspect | Field Name | +| ---------------------------------------------------------------------- | ------------------------------------------- | +| Running of privileged containers | `privileged` | +| Default set of capabilities that will be added to a container | `defaultAddCapabilities` | +| Capabilities that will be dropped from a container | `requiredDropCapabilities` | +| Capabilities a container can request to be added | `allowedCapabilities` | +| Controlling the usage of volume types | [`volumes`](#controlling-volumes) | +| The use 
of host networking | [`hostNetwork`](#host-network) | +| The use of host ports | `hostPorts` | +| The use of host's PID namespace | `hostPID` | +| The use of host's IPC namespace | `hostIPC` | +| The SELinux context of the container | [`seLinux`](#selinux) | +| The user ID | [`runAsUser`](#runasuser) | +| Configuring allowable supplemental groups | [`supplementalGroups`](#supplementalgroups) | +| Allocating an FSGroup that owns the pod's volumes | [`fsGroup`](#fsgroup) | +| Requiring the use of a read only root file system | `readOnlyRootFilesystem` | +| Running of a container that allow privilege escalation from its parent | [`allowPrivilegeEscalation`](#allowprivilegeescalation) | | Control whether a process can gain more privileges than its parent process | [`defaultAllowPrivilegeEscalation`](#defaultallowprivilegeescalation) | -| Whitelist of allowed host paths | [`allowedHostPaths`](#allowedhostpaths) | +| Whitelist of allowed host paths | [`allowedHostPaths`](#allowedhostpaths) | +| Whitelist of allowed flexVolume drivers | [`allowedFlexVolumes`](#allowedflexvolumes) | _Pod Security Policies_ are comprised of settings and strategies that control the security features a pod has access to. These settings fall @@ -162,6 +163,28 @@ spec: - pathPrefix: "/foo" ``` +### AllowedFlexVolumes + +This specifies a whitelist of flex volume drivers that are allowed to be used +by flexVolume. An empty list means there is no restriction on the drivers. we +need make sure `volumes` contains the `flexVolume` volume type, if it doesn't +, no flex volume driver is allowed. + +For example: + +```yaml +apiVersion: extensions/v1beta1 +kind: PodSecurityPolicy +metadata: + name: allow-flex-volumes +spec: + volumes: + - flexVolume + allowedFlexVolumes: + - driver: example/lvm + - driver: example/cifs +``` + ## Admission [_Admission control_ with `PodSecurityPolicy`](/docs/admin/admission-controllers/#podsecuritypolicy)
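Review bot: in the hunk at `@@ -21,25 +21,26 @@`, the entire table is rewritten for column alignment although the only substantive change is the one added row (`| Whitelist of allowed flexVolume drivers | [`allowedFlexVolumes`](#allowedflexvolumes) |`), which makes the real change hard to spot in review and makes the diff touch 17 rows that did not change. The realignment is also incomplete: the `defaultAllowPrivilegeEscalation` row is left as an unchanged context line at its old width, so the table still is not consistently aligned after the change. Suggest either keeping the original alignment and adding only the new row, or realigning every row including that one in a separate whitespace-only commit.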
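Review bot: in the hunk at `@@ -162,6 +163,28 @@`, the new prose has grammar and formatting defects: "we need make sure" should read "you need to make sure" (sentence-initial capital, missing "to"), and the line wrap leaves a comma stranded at the start of a line ("if it doesn't" / ", no flex volume driver is allowed"). A tighter version of the second sentence would be: "The `volumes` field must also include the `flexVolume` type; if it does not, no flex volume driver is allowed regardless of this list." It would also help to state what `driver` is matched against (the `driver` name given in the pod's flexVolume source) and whether omitting `allowedFlexVolumes` entirely behaves the same as the empty list the text describes, since readers writing a restrictive policy need to know which of the two actually locks down drivers.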