Merge pull request #21492 from tallclair/pod-security-profiles

k8s-ci-robot · web-flow · commit 0909848f1e14 · 2020-06-05T04:31:44.000-07:00
Minor cleanup of standardized pod security
diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
@@ -56,8 +56,8 @@ developers of non-critical applications. The following listed controls should be
 enforced/disallowed:
 
 <table>
-    <caption style="display:none">Baseline policy specification</caption>
-    <tbody>
+	<caption style="display:none">Baseline policy specification</caption>
+	<tbody>
 		<tr>
 			<td><strong>Control</strong></td>
 			<td><strong>Policy</strong></td>
@@ -115,7 +115,7 @@ enforced/disallowed:
 		<tr>
 			<td>AppArmor <em>(optional)</em></td>
 			<td>
-				On supported hosts, the `runtime/default` AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to a whitelisted set of profiles.<br>
+				On supported hosts, the 'runtime/default' AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to a whitelisted set of profiles.<br>
 				<br><b>Restricted Fields:</b><br>
 				metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']<br>
 				<br><b>Allowed Values:</b> 'runtime/default', undefined<br>
@@ -146,14 +146,14 @@ enforced/disallowed:
 			<td>Sysctls</td>
 			<td>
 				Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for a whitelisted "safe" subset.
-                A sysctl is considered safe if it is namespaced in the container or the pod, and it is isolated from other pods or processes on the same node.<br>
+				A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.<br>
 				<br><b>Restricted Fields:</b><br>
 				spec.securityContext.sysctls<br>
 				<br><b>Allowed Values:</b><br>
-                kernel.shm_rmid_forced<br>
-                net.ipv4.ip_local_port_range<br>
-                net.ipv4.tcp_syncookies<br>
-                net.ipv4.ping_group_range<br>
+				kernel.shm_rmid_forced<br>
+				net.ipv4.ip_local_port_range<br>
+				net.ipv4.tcp_syncookies<br>
+				net.ipv4.ping_group_range<br>
 				undefined/empty<br>
 			</td>
 		</tr>
@@ -168,7 +168,7 @@ well as lower-trust users.The following listed controls should be enforced/disal
 
 
 <table>
-    <caption style="display:none">Restricted policy specification</caption>
+	<caption style="display:none">Restricted policy specification</caption>
 	<tbody>
 		<tr>
 			<td><strong>Control</strong></td>
@@ -209,7 +209,7 @@ well as lower-trust users.The following listed controls should be enforced/disal
 		<tr>
 			<td>Privilege Escalation</td>
 			<td>
-                Privilege escalation to root should not be allowed.<br>
+				Privilege escalation to root should not be allowed.<br>
 				<br><b>Restricted Fields:</b><br>
 				spec.containers[*].securityContext.privileged<br>
 				spec.initContainers[*].securityContext.privileged<br>
@@ -219,7 +219,7 @@ well as lower-trust users.The following listed controls should be enforced/disal
 		<tr>
 			<td>Running as Non-root</td>
 			<td>
-                Containers must be required to run as non-root users.<br>
+				Containers must be required to run as non-root users.<br>
 				<br><b>Restricted Fields:</b><br>
 				spec.securityContext.runAsNonRoot<br>
 				spec.containers[*].securityContext.runAsNonRoot<br>
@@ -230,7 +230,7 @@ well as lower-trust users.The following listed controls should be enforced/disal
 		<tr>
 			<td>Non-root groups <em>(optional)</em></td>
 			<td>
-                Containers should be forbidden from running with a root primary or supplementary GID.<br>
+				Containers should be forbidden from running with a root primary or supplementary GID.<br>
 				<br><b>Restricted Fields:</b><br>
 				spec.securityContext.runAsGroup<br>
 				spec.securityContext.supplementalGroups[*]<br>
@@ -249,12 +249,12 @@ well as lower-trust users.The following listed controls should be enforced/disal
 		<tr>
 			<td>Seccomp</td>
 			<td>
-				The runtime/default seccomp profile must be required, or allow additional whitelisted values.<br>
+				The 'runtime/default' seccomp profile must be required, or allow additional whitelisted values.<br>
 				<br><b>Restricted Fields:</b><br>
 				metadata.annotations['seccomp.security.alpha.kubernetes.io/pod']<br>
 				metadata.annotations['container.seccomp.security.alpha.kubernetes.io/*']<br>
 				<br><b>Allowed Values:</b><br>
-				runtime/default<br>
+				'runtime/default'<br>
 				undefined (container annotation)<br>
 			</td>
 		</tr>
