Merge pull request #39109 from Shubham82/improve_flow

k8s-ci-robot · web-flow · commit d79743277539 · 2023-01-26T17:46:25.000-08:00
Improved the content Flow.
diff --git a/content/en/docs/tutorials/security/seccomp.md b/content/en/docs/tutorials/security/seccomp.md
@@ -265,6 +265,44 @@ docker exec -it kind-worker bash -c \
 }
 ```
 
+## Create Pod that uses the container runtime default seccomp profile
+
+Most container runtimes provide a sane set of default syscalls that are allowed
+or not. You can adopt these defaults for your workload by setting the seccomp
+type in the security context of a pod or container to `RuntimeDefault`.
+
+{{< note >}}
+If you have the `SeccompDefault` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+enabled, then Pods use the `RuntimeDefault` seccomp profile whenever
+no other seccomp profile is specified. Otherwise, the default is `Unconfined`.
+{{< /note >}}
+
+Here's a manifest for a Pod that requests the `RuntimeDefault` seccomp profile
+for all its containers:
+
+{{< codenew file="pods/security/seccomp/ga/default-pod.yaml" >}}
+
+Create that Pod:
+```shell
+kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/default-pod.yaml
+```
+
+```shell
+kubectl get pod default-pod
+```
+
+The Pod should be showing as having started successfully:
+```
+NAME        READY   STATUS    RESTARTS   AGE
+default-pod 1/1     Running   0          20s
+```
+
+Finally, now that you saw that work OK, clean up:
+
+```shell
+kubectl delete pod default-pod --wait --now
+```
+
 ## Create a Pod with a seccomp profile for syscall auditing
 
 To start off, apply the `audit.json` profile, which will log all syscalls of the
@@ -493,43 +531,6 @@ kubectl delete service fine-pod --wait
 kubectl delete pod fine-pod --wait --now
 ```
 
-## Create Pod that uses the container runtime default seccomp profile
-
-Most container runtimes provide a sane set of default syscalls that are allowed
-or not. You can adopt these defaults for your workload by setting the seccomp
-type in the security context of a pod or container to `RuntimeDefault`.
-
-{{< note >}}
-If you have the `SeccompDefault` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) enabled, then Pods use the `RuntimeDefault` seccomp profile whenever
-no other seccomp profile is specified. Otherwise, the default is `Unconfined`.
-{{< /note >}}
-
-Here's a manifest for a Pod that requests the `RuntimeDefault` seccomp profile
-for all its containers:
-
-{{< codenew file="pods/security/seccomp/ga/default-pod.yaml" >}}
-
-Create that Pod:
-```shell
-kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/default-pod.yaml
-```
-
-```shell
-kubectl get pod default-pod
-```
-
-The Pod should be showing as having started successfully:
-```
-NAME        READY   STATUS    RESTARTS   AGE
-default-pod 1/1     Running   0          20s
-```
-
-Finally, now that you saw that work OK, clean up:
-
-```shell
-kubectl delete pod default-pod --wait --now
-```
-
 ## {{% heading "whatsnext" %}}
 
 You can learn more about Linux seccomp:
