diff --git a/docs/concepts/cluster-administration/sysctl-cluster.md b/docs/concepts/cluster-administration/sysctl-cluster.md index 6fa32786cb6a7..796c735bb2871 100644 --- a/docs/concepts/cluster-administration/sysctl-cluster.md +++ b/docs/concepts/cluster-administration/sysctl-cluster.md @@ -130,10 +130,13 @@ to schedule those pods onto the right nodes. ## PodSecurityPolicy Annotations -The use of sysctl in pods can be controlled via annotations on the PodSecurityPolicy. +The use of sysctl in pods can be controlled via annotation on the PodSecurityPolicy. -Here is an example, it authorizes binding user creating pod with corresponding -_safe_ and _unsafe_ sysctls. +Sysctl annotation represents a whitelist of allowed safe and unsafe sysctls +in a pod spec. It's a comma-separated list of plain sysctl names or sysctl patterns +(which end in `*`). The string `*` matches all sysctls. + +Here is an example, it authorizes binding user creating pod with corresponding sysctls. ```yaml apiVersion: extensions/v1beta1 @@ -141,8 +144,7 @@ kind: PodSecurityPolicy metadata: name: sysctl-psp annotations: - security.alpha.kubernetes.io/sysctls: 'kernel.shm_rmid_forced' - security.alpha.kubernetes.io/unsafe-sysctls: 'net.ipv4.route.*,kernel.msg*' + security.alpha.kubernetes.io/sysctls: 'net.ipv4.route.*,kernel.msg*' spec: ... ```
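Review bot: the new closing sentence of the first hunk, `Here is an example, it authorizes binding user creating pod with corresponding sysctls.`, is ungrammatical and simply carries over the wording of the removed sentence; suggest `Here is an example that authorizes users bound to this PodSecurityPolicy to create pods with the listed sysctls.` In the same hunk the new paragraph states that the single annotation now whitelists both safe and unsafe sysctls and that the string `*` matches all sysctls, so it should also say plainly that a bare `*` admits every unsafe sysctl as well, and that administrators should prefer explicit names or narrow patterns over it.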
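Review bot: the second hunk folds the former `security.alpha.kubernetes.io/unsafe-sysctls` value into `security.alpha.kubernetes.io/sysctls` but also drops `kernel.shm_rmid_forced`, so the example no longer shows a plain sysctl name next to the `*` patterns that the prose in the first hunk says are both accepted; suggest `security.alpha.kubernetes.io/sysctls: 'kernel.shm_rmid_forced,net.ipv4.route.*,kernel.msg*'`. The page should also state what happens to existing PodSecurityPolicy objects that still carry the removed `security.alpha.kubernetes.io/unsafe-sysctls` annotation, since a reader migrating from the old example cannot tell from this text whether that annotation is still honored.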