Slide 78
PodSecurityPolicy
79 Copyright © 2022, Oracle and/or its affiliates
Policies configurable with PodSecurityPolicy
| Field names | Control aspect |
|---|---|
| privileged | Running of privileged containers |
| hostPID, hostIPC | Usage of host namespaces |
| hostNetwork, hostPorts | Usage of host networking and ports |
| volumes | Usage of volume types |
| allowedHostPaths | Usage of the host filesystem |
| allowedFlexVolumes | Allow specific FlexVolume drivers |
| fsGroup | Allocating an FSGroup that owns the pod's volumes |
| readOnlyRootFilesystem | Requiring the use of a read-only root filesystem |
| runAsUser, runAsGroup, supplementalGroups | The user and group IDs of the container |
| allowPrivilegeEscalation, defaultAllowPrivilegeEscalation | Restricting escalation to root privileges |
| defaultAddCapabilities, requiredDropCapabilities, allowedCapabilities | Linux capabilities |
| seLinux | The SELinux context of the container |
| allowedProcMountTypes | The allowed proc mount types for the container |
| annotations | The AppArmor profile used by containers |
| annotations | The seccomp profile used by containers |
| forbiddenSysctls, allowedUnsafeSysctls | The sysctl profile used by containers |
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
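The following manifest is an added example, not part of the original slides, showing how the fields in the table above combine into a restrictive PodSecurityPolicy and the RBAC that makes it usable. Two caveats a practitioner needs: PodSecurityPolicy (API group policy/v1beta1) was deprecated in Kubernetes 1.21 and removed in 1.25, where Pod Security Admission replaces it, so this applies only to clusters that still run the PodSecurityPolicy admission controller; and a PSP does nothing on its own, because the admission controller admits a pod only if the requesting user or the pod's service account is granted the `use` verb on the policy, which is why the ClusterRole and RoleBinding are included. The namespace `app` and the service account `web` are assumptions for illustration; the seccomp and AppArmor annotation keys are the ones the PSP documentation defines.

```yaml
# Added example (not from the original slides). Assumes a cluster that still
# runs the PodSecurityPolicy admission controller (Kubernetes <= 1.24).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    # seccomp and AppArmor are configured through annotations, not spec fields.
    # "allowedProfileNames" restricts what pods may request; "defaultProfileName"
    # is applied to pods that request nothing.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false                     # no privileged containers
  allowPrivilegeEscalation: false       # no setuid / no_new_privs enforced
  requiredDropCapabilities:
    - ALL                               # drop every Linux capability
  hostNetwork: false                    # no host namespaces
  hostIPC: false
  hostPID: false
  volumes:                              # allowlist of volume types; hostPath is
    - configMap                         # absent, so allowedHostPaths is not needed
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot              # image must run as a non-root UID
  runAsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: RunAsAny                      # leave SELinux labelling to the node
  readOnlyRootFilesystem: true          # containers must mount / read-only
  allowedProcMountTypes:
    - Default                           # no "Unmasked" /proc
  forbiddenSysctls:
    - '*'                               # forbid every sysctl, safe or unsafe
---
# RBAC: the policy is only applied to pods whose creator (or service account)
# is allowed to "use" it. Without this binding the pod is rejected.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['restricted']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-web
  namespace: app                        # assumed namespace
roleRef:
  kind: ClusterRole
  name: psp-restricted
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: web                           # assumed service account
    namespace: app
```

Check the result with `kubectl auth can-i use podsecuritypolicy/restricted --as=system:serviceaccount:app:web`, and remember that if the same subject can also use a permissive policy (for example a `privileged` PSP bound to `system:authenticated`), a pod that violates `restricted` will still be admitted under the permissive one; auditing which policies each subject can `use` is therefore part of enforcing the settings above.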