2525 - [ Profile: restricted] ( #profile-restricted )
2626 - [ Profile: sysadmin] ( #profile-sysadmin )
2727 - [ Profile: netadmin] ( #profile-netadmin )
28- - [ Default Profile and Automation Selection ] ( #default-profile-and-automation-selection )
28+ - [ Default Profile] ( #default-profile )
2929 - [ Future Improvements] ( #future-improvements )
3030 - [ User Stories] ( #user-stories )
3131 - [ Operations] ( #operations )
@@ -329,15 +329,14 @@ debugging a node to create a pod with the `NET_ADMIN` capaibility.
329329
330330The available profiles will be:
331331
332- | Profile | Description |
333- | ------------ | --------------------------------------------------------------- |
334- | general | A reasonable set of defaults tailored for each debuging journey |
335- | baseline | Compatible with baseline [ Pod Security Standard] |
336- | restricted | Compatible with restricted [ Pod Security Standard] |
337- | auto | Automatically choose between general, baseline, and restricted |
338- | sysadmin | System Administrator (root) privileges |
339- | netadmin | Network Administrator privileges. |
340- | legacy | Backwards compatibility with 1.22 behavior |
332+ | Profile | Description |
333+ | ------------| -----------------------------------------------------------------|
334+ | general | A reasonable set of defaults tailored for each debuging journey |
335+ | baseline | Compatible with baseline [ Pod Security Standard] |
336+ | restricted | Compatible with restricted [ Pod Security Standard] |
337+ | sysadmin | System Administrator (root) privileges |
338+ | netadmin | Network Administrator privileges. |
339+ | legacy | Backwards compatibility with 1.22 behavior |
341340
342341Debugging profiles are intended to work seamlessly with the [ Pod Security Standard]
343342enforced by the [ PodSecurity] admission controller. The baseline and restricted
@@ -349,11 +348,11 @@ level.
349348
350349#### Profile: general
351350
352- | Journey | Debug Container Behavior |
353- | ------------------- | -- ------------------------------------------------------------------------ |
354- | Node | empty securityContext; uses host namespaces, mounts root partition |
355- | Pod Copy | sets ` SYS_PTRACE ` in debugging container, sets shareProcessNamespace |
356- | Ephemeral Container | sets ` SYS_PTRACE ` in ephemeral container |
351+ | Journey | Debug Container Behavior |
352+ | --------------------- | ----------------------------------------------------------------------|
353+ | Node | empty securityContext; uses host namespaces, mounts root partition |
354+ | Pod Copy | sets ` SYS_PTRACE ` in debugging container, sets shareProcessNamespace |
355+ | Ephemeral Container | sets ` SYS_PTRACE ` in ephemeral container |
357356
358357This profile prioritizes the debugging experience for the general case. For pod debugging it sets
359358` SYS_PTRACE ` and uses pod-scoped namespaces. Probes and labels are stripped from Pod copies to
@@ -363,11 +362,11 @@ Node debugging uses host-scoped namespaces but doesn't otherwise request escalat
363362
364363#### Profile: baseline
365364
366- | Journey | Debug Container Behavior |
367- | ------------------- | -- ------------------------------------------------------------------------ |
368- | Node | empty securityContext; uses isolated namespaces |
369- | Pod Copy | empty securityContext; sets shareProcessNamespace |
370- | Ephemeral Container | empty securityContext |
365+ | Journey | Debug Container Behavior |
366+ | --------------------- | ---------------------------------------------------|
367+ | Node | empty securityContext; uses isolated namespaces |
368+ | Pod Copy | empty securityContext; sets shareProcessNamespace |
369+ | Ephemeral Container | empty securityContext |
371370
372371This profile is identical to "general" but eliminates privileges that are disallowed under the
373372baseline security profile, such as host namespaces, host volume, mounts and ` SYS_PTRACE ` .
@@ -376,11 +375,11 @@ Probes and labels continue to be stripped from Pod copies.
376375
377376#### Profile: restricted
378377
379- | Journey | Debug Container Behavior |
380- | ------------------- | -- ------------------------------------------------------------------------ |
381- | Node | empty securityContext; uses private namespaces |
382- | Pod Copy | empty securityContext; sets shareProcessNamespace |
383- | Ephemeral Container | empty securityContext |
378+ | Journey | Debug Container Behavior |
379+ | --------------------- | ---------------------------------------------------|
380+ | Node | empty securityContext; uses private namespaces |
381+ | Pod Copy | empty securityContext; sets shareProcessNamespace |
382+ | Ephemeral Container | empty securityContext |
384383
385384This profile is identical to "baseline" but adds configuration that's required under the restricted
386385security profile, such as requiring a non-root user and dropping all capabilities.
@@ -390,7 +389,7 @@ Probes and labels continue to be stripped from Pod copies.
390389#### Profile: sysadmin
391390
392391| Journey | Debug Container Behavior |
393- | ------------------- | -------------------------------------- |
392+ | --------------------- | ---------------------------------------- |
394393| Node | sets privileged; uses host namespaces |
395394| Pod Copy | sets privileged on debugging container |
396395| Ephemeral Container | sets privileged on ephemeral container |
@@ -402,7 +401,7 @@ Probes and labels are be stripped from Pod copies.
402401#### Profile: netadmin
403402
404403| Journey | Debug Container Behavior |
405- | ------------------- | --------------------------------------------------------------------------------- |
404+ | --------------------- | ----------------------------------------------------------------------------------- |
406405| Node | sets ` NET_ADMIN ` and ` NET_RAW ` ; uses host namespaces |
407406| Pod Copy | sets ` NET_ADMIN ` and ` NET_RAW ` on debugging container; sets shareProcessNamespace |
408407| Ephemeral Container | sets ` NET_ADMIN ` and ` NET_RAW ` on ephemeral container |
@@ -411,13 +410,9 @@ This profile offers elevated privileges for network debugging.
411410
412411Probes and labels are be stripped from Pod copies.
413412
414- #### Default Profile and Automation Selection
413+ #### Default Profile
415414
416- In order to provide a seamless experience and encourage use of [ PodSecurity] , the "auto"
417- profile will automatically choose a profile that's compatible with the current security profile
418- by examining the ` pod-security.kubernetes.io/enforce ` annotation on the namespace and
419- selecting the most permissive of "general", "baseline", and "restricted" that the
420- controller will allow.
415+ Default profile will be ` general ` .
421416
422417This will become the default behavior, but in order to maintain backwards compatibility
423418the "legacy" profile will be the default profile until the 1.25 release. When ` --profile `
@@ -443,8 +438,8 @@ be able to inspect the running pod without restarting it, but she doesn't
443438necessarily need to enter the container itself. She wants to:
444439
4454401 . Inspect the filesystem of target container
446- 1 . Execute debugging utilities not included in the container image
447- 1 . Initiate network requests from the pod network namespace
441+ 2 . Execute debugging utilities not included in the container image
442+ 3 . Initiate network requests from the pod network namespace
448443
449444This is achieved by running a new "debug" container in the pod namespaces. Her
450445troubleshooting session might resemble:
0 commit comments