Commit 59607b7

Merge pull request kubernetes#4320 from saschagrunert/pss-kep
KEP-127: Update KEP to reflect integration state
2 parents 3c2b72e + e0ef157 commit 59607b7

File tree

1 file changed

+18
-9
lines changed

keps/sig-node/127-user-namespaces/README.md

Lines changed: 18 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@
2626
- [Regarding the previous implementation for volumes](#regarding-the-previous-implementation-for-volumes)
2727
- [Pod Security Standards (PSS) integration](#pod-security-standards-pss-integration)
2828
- [Unresolved](#unresolved)
29+
- [Pod Security Standards (PSS)](#pod-security-standards-pss)
2930
- [Test Plan](#test-plan)
3031
- [Prerequisite testing updates](#prerequisite-testing-updates)
3132
- [Unit tests](#unit-tests)
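Review bot: the new table-of-contents entry "Pod Security Standards (PSS)" sits two lines below the existing "Pod Security Standards (PSS) integration" entry, and the two anchors (`#pod-security-standards-pss` and `#pod-security-standards-pss-integration`) differ only by a suffix, so readers are likely to land on the wrong section. Consider giving the new section a more distinctive title that says what it covers, for example "Pod Security Standards (PSS): fields not relaxed", and updating the entry and anchor to match.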
@@ -433,15 +434,6 @@ inside the container:
433434
- `spec.containers[*].securityContext.runAsUser`
434435
- `spec.initContainers[*].securityContext.runAsUser`
435436
- `spec.ephemeralContainers[*].securityContext.runAsUser`
436-
- `spec.containers[*].securityContext.allowPrivilegeEscalation`
437-
- `spec.initContainers[*].securityContext.allowPrivilegeEscalation`
438-
- `spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation`
439-
- `spec.containers[*].securityContext.capabilities.drop`
440-
- `spec.initContainers[*].securityContext.capabilities.drop`
441-
- `spec.ephemeralContainers[*].securityContext.capabilities.drop`
442-
- `spec.containers[*].securityContext.capabilities.add`
443-
- `spec.initContainers[*].securityContext.capabilities.add`
444-
- `spec.ephemeralContainers[*].securityContext.capabilities.add`
445437

446438
A serial test will be added to validate the functionality with the enabled
447439
feature gate.
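Review bot: the nine `allowPrivilegeEscalation`, `capabilities.drop` and `capabilities.add` entries are removed from this list without any replacement text, so a reader of the remaining `runAsUser` entries has no indication that these fields were deliberately excluded rather than forgotten. Suggest adding one sentence after the list pointing to the section that explains the exclusion, e.g. "The `allowPrivilegeEscalation` and `capabilities` fields are intentionally not relaxed; see the Pod Security Standards (PSS) section below." The unchanged context ("A serial test will be added to validate the functionality with the enabled feature gate.") should also be checked to confirm the planned test still covers only the reduced list.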
@@ -467,6 +459,23 @@ something else to this list:
467459
allows). Same applies for VM runtimes.
468460
UPDATE: Windows maintainers reviewed and [this change looks good to them][windows-review].
469461

462+
#### Pod Security Standards (PSS)
463+
464+
The following security context fields have not been relaxed with respect to PSS
465+
because of [raised security concerns](https://github.com/kubernetes/kubernetes/pull/118760#discussion_r1373287637):
466+
467+
- `spec.containers[*].securityContext.allowPrivilegeEscalation`
468+
- `spec.initContainers[*].securityContext.allowPrivilegeEscalation`
469+
- `spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation`
470+
- `spec.containers[*].securityContext.capabilities.drop`
471+
- `spec.initContainers[*].securityContext.capabilities.drop`
472+
- `spec.ephemeralContainers[*].securityContext.capabilities.drop`
473+
- `spec.containers[*].securityContext.capabilities.add`
474+
- `spec.initContainers[*].securityContext.capabilities.add`
475+
- `spec.ephemeralContainers[*].securityContext.capabilities.add`
476+
477+
Further investigations will be done in future Kubernetes releases to revisit
478+
them.
470479

471480
### Test Plan
472481

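Review bot: the new section states that the fields are not relaxed "because of raised security concerns" and links to a single PR review comment, but does not say what the concern is, so the KEP is not self-contained and the rationale is lost if the linked discussion thread is collapsed or moved. Suggest summarising the concern in one or two sentences next to the link, and replacing the open-ended "Further investigations will be done in future Kubernetes releases to revisit them." with the concrete condition under which relaxing these fields would be reconsidered (or a tracking issue, if one exists). Minor: the list is a verbatim copy of the nine entries removed in the previous hunk, which is fine, but the two lists now need to be kept in sync manually; a cross-reference from the earlier list would help.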