From fae89c5c7d2d02dff1784925d40a67ba14ac1577 Mon Sep 17 00:00:00 2001
From: Vyacheslav Semushin
Date: Sat, 3 Mar 2018 20:47:53 +0100
Subject: [PATCH] Use PSP from policy API group. (#7562)

---
 docs/admin/authorization/index.md           | 2 +-
 docs/concepts/policy/example-psp.yaml       | 2 +-
 docs/concepts/policy/pod-security-policy.md | 4 ++--
 docs/concepts/policy/privileged-psp.yaml    | 2 +-
 docs/concepts/policy/restricted-psp.yaml    | 2 +-
 docs/tutorials/clusters/apparmor.md         | 5 ++---
 6 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/docs/admin/authorization/index.md b/docs/admin/authorization/index.md
index 7215332f7a1ef..998176d264c1c 100644
--- a/docs/admin/authorization/index.md
+++ b/docs/admin/authorization/index.md
@@ -67,7 +67,7 @@ DELETE | delete (for individual resources), deletecollection (for collections
 Kubernetes sometimes checks authorization for additional permissions using specialized verbs. For example:
-* [PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/) checks for authorization of the `use` verb on `podsecuritypolicies` resources in the `extensions` API group.
+* [PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/) checks for authorization of the `use` verb on `podsecuritypolicies` resources in the `policy` API group.
 * [RBAC](/docs/admin/authorization/rbac/#privilege-escalation-prevention-and-bootstrapping) checks for authorization of the `bind` verb on `roles` and `clusterroles` resources in the `rbac.authorization.k8s.io` API group.
 * [Authentication](/docs/admin/authentication/) layer checks for authorization of the `impersonate` verb on `users`, `groups`, and `serviceaccounts` in the core API group, and the `userextras` in the `authentication.k8s.io` API group.
diff --git a/docs/concepts/policy/example-psp.yaml b/docs/concepts/policy/example-psp.yaml
index d8359220e42b5..7531949b650ec 100644
--- a/docs/concepts/policy/example-psp.yaml
+++ b/docs/concepts/policy/example-psp.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: example
diff --git a/docs/concepts/policy/pod-security-policy.md b/docs/concepts/policy/pod-security-policy.md
index e8177afa2af80..73c517d8ca9a6 100644
--- a/docs/concepts/policy/pod-security-policy.md
+++ b/docs/concepts/policy/pod-security-policy.md
@@ -49,7 +49,7 @@ controller](/docs/admin/admission-controllers/#how-do-i-turn-on-an-admission-con
 but doing so without authorizing any policies **will prevent any pods from being created** in the cluster.
-Since the pod security policy API (`extensions/v1beta1/podsecuritypolicy`) is
+Since the pod security policy API (`policy/v1beta1/podsecuritypolicy`) is
 enabled independently of the admission controller, for existing clusters it is recommended that policies are added and authorized before enabling the admission controller.
@@ -84,7 +84,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name:
 rules:
-- apiGroups: ['extensions']
+- apiGroups: ['policy']
   resources: ['podsecuritypolicies']
   verbs: ['use']
   resourceNames:
diff --git a/docs/concepts/policy/privileged-psp.yaml b/docs/concepts/policy/privileged-psp.yaml
index 6b6ec6687831d..915c8d37b5460 100644
--- a/docs/concepts/policy/privileged-psp.yaml
+++ b/docs/concepts/policy/privileged-psp.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: privileged
diff --git a/docs/concepts/policy/restricted-psp.yaml b/docs/concepts/policy/restricted-psp.yaml
index fe1c1d90fe33d..e677ba8e22946 100644
--- a/docs/concepts/policy/restricted-psp.yaml
+++ b/docs/concepts/policy/restricted-psp.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: restricted
diff --git a/docs/tutorials/clusters/apparmor.md b/docs/tutorials/clusters/apparmor.md
index f61186b626880..720f3e6b22141 100644
--- a/docs/tutorials/clusters/apparmor.md
+++ b/docs/tutorials/clusters/apparmor.md
@@ -317,14 +317,13 @@ node with the required profile.
 ### Restricting profiles with the PodSecurityPolicy
 If the PodSecurityPolicy extension is enabled, cluster-wide AppArmor restrictions can be applied. To
-enable the PodSecurityPolicy, two flags must be set on the `apiserver`:
+enable the PodSecurityPolicy, the following flag must be set on the `apiserver`:
 ```
 --admission-control=PodSecurityPolicy[,others...]
---runtime-config=extensions/v1beta1/podsecuritypolicy[,others...]
 ```
-With the extension enabled, the AppArmor options can be specified as annotations on the PodSecurityPolicy:
+The AppArmor options can be specified as annotations on the PodSecurityPolicy:
 ```yaml
 apparmor.security.beta.kubernetes.io/defaultProfileName: