From 3472cfd5fc1fdfc8af38897388e40d09e3854583 Mon Sep 17 00:00:00 2001
From: WanLinghao
Date: Fri, 9 Mar 2018 13:57:11 +0800
Subject: [PATCH] fix a desription error in sysctl file. (#7666)

modified: docs/concepts/cluster-administration/sysctl-cluster.md
---
 .../cluster-administration/sysctl-cluster.md | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/docs/concepts/cluster-administration/sysctl-cluster.md b/docs/concepts/cluster-administration/sysctl-cluster.md
index 6fa32786cb6a7..796c735bb2871 100644
--- a/docs/concepts/cluster-administration/sysctl-cluster.md
+++ b/docs/concepts/cluster-administration/sysctl-cluster.md
@@ -130,10 +130,13 @@ to schedule those pods onto the right nodes.
 
 ## PodSecurityPolicy Annotations
 
-The use of sysctl in pods can be controlled via annotations on the PodSecurityPolicy.
+The use of sysctl in pods can be controlled via annotation on the PodSecurityPolicy.
 
-Here is an example, it authorizes binding user creating pod with corresponding
-_safe_ and _unsafe_ sysctls.
+Sysctl annotation represents a whitelist of allowed safe and unsafe sysctls
+in a pod spec. It's a comma-separated list of plain sysctl names or sysctl patterns
+(which end in `*`). The string `*` matches all sysctls.
+
+Here is an example, it authorizes binding user creating pod with corresponding sysctls.
 
 ```yaml
 apiVersion: extensions/v1beta1
@@ -141,8 +144,7 @@ kind: PodSecurityPolicy
 metadata:
   name: sysctl-psp
   annotations:
-    security.alpha.kubernetes.io/sysctls: 'kernel.shm_rmid_forced'
-    security.alpha.kubernetes.io/unsafe-sysctls: 'net.ipv4.route.*,kernel.msg*'
+    security.alpha.kubernetes.io/sysctls: 'net.ipv4.route.*,kernel.msg*'
 spec:
   ...
 ```