kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Issue with k8s.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/ #37269

Closed bavishal closed 3 months ago

bavishal commented 2 years ago

Documentation misses a couple of major points, which has caused many issues.

  1. What exactly is AdmissionController
  2. The usage of flag "--admission-control-config-file", this AdmissionController, and the corresponding PodSecurity plugin e.g: kube-apiserver --admission-control-config-file=/some/path/pod-security.yaml.
  3. No support for Different CRI Flavours' Implementation. For e.g: Rancher does not have a straightforward way of changing /etc/kubernetes/manifests/kube-apiserver.yaml, as this file does not even exist for Rancher K3S implementation.

sftim commented 2 years ago

> What exactly is AdmissionController

It feels like the clue is in the question.

The first link in k8s.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/ is to https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/. If you wish to, you can report an issue about https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/ and explain what parts of that page you found difficult to understand.

> The usage of flag "--admission-control-config-file", this AdmissionController, and the corresponding PodSecurity plugin e.g: kube-apiserver --admission-control-config-file=/some/path/pod-security.yaml.

That is a fair comment. We should improve https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/ to explain setting the --admission-control-config-file command line argument to the API server, and to state that you must make sure to enable the PodSecurity admission controller (it's enabled by default, but it doesn't hurt to check).

> No support for Different CRI Flavours' Implementation. For e.g: Rancher does not have a straightforward way of changing /etc/kubernetes/manifests/kube-apiserver.yaml, as this file does not even exist for Rancher K3S implementation.

You can use Pod Security Admission with any CRI implementation. However, if you are using a Kubernetes distribution or service that doesn't let you change these settings, this documentation won't be relevant. Typically, you should read the docs for the distribution or service instead.

We won't update our docs to document restrictions that only exist in third-party software, even third-party software that is based on or includes Kubernetes.
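
The setup discussed in the comment above, as an added example that is not part of the original thread or of the Kubernetes documentation page: the file passed to `--admission-control-config-file`, and a fragment of a static Pod manifest that makes it visible to the API server. The path `/some/path/pod-security.yaml` is the one used in the issue; the chosen levels, the `kube-system` exemption and the volume name `pod-security-config` are assumptions for illustration.

```yaml
# File 1: /some/path/pod-security.yaml
# Cluster-wide defaults for the built-in PodSecurity admission plugin.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      # Applied to namespaces that carry no pod-security.kubernetes.io/* labels.
      enforce: "baseline"          # assumed level: reject pods that violate baseline
      enforce-version: "latest"
      audit: "restricted"          # assumed level: record violations in the audit log
      audit-version: "latest"
      warn: "restricted"           # assumed level: return warnings to the client
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: ["kube-system"]  # assumed exemption; keep this list as short as possible
---
# File 2: fragment of /etc/kubernetes/manifests/kube-apiserver.yaml
# (static Pod layout; only the lines relevant to the flag are shown)
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --admission-control-config-file=/some/path/pod-security.yaml
    # PodSecurity is enabled by default; confirm it is not listed in
    # --disable-admission-plugins among the existing flags.
    volumeMounts:
    - name: pod-security-config    # assumed volume name
      mountPath: /some/path/pod-security.yaml
      readOnly: true
  volumes:
  - name: pod-security-config
    hostPath:
      path: /some/path/pod-security.yaml
      type: File
```

Because the API server runs in a container in this layout, the flag alone is not enough: without the `hostPath` mount the file does not exist inside the container and the API server fails to start.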

sftim commented 2 years ago

/language en

sftim commented 2 years ago

/sig auth

aramase commented 1 year ago

/triage accepted

liggitt commented 1 year ago

> we plan to bring this up in sig-auth meeting to discuss how we can better handle making enforce as default.

I'm not seeing this mentioned in the issue description... what is this referring to?

k8s-triage-robot commented 9 months ago

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

sftim commented 8 months ago

SIG Auth folks: what's your intent here?

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 4 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 3 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

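This bot triages issues according to the following rules:

- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed

You can:

- Reopen this issue with `/reopen`
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Offer to help out with [Issue Triage](https://www.kubernetes.dev/docs/guide/issue-triage/)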

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 3 months ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes/website/issues/37269#issuecomment-2226221467):

>The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
>This bot triages issues according to the following rules:
>- After 90d of inactivity, `lifecycle/stale` is applied
>- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
>- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
>You can:
>- Reopen this issue with `/reopen`
>- Mark this issue as fresh with `/remove-lifecycle rotten`
>- Offer to help out with [Issue Triage][1]
>
>Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
>/close not-planned
>
>[1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.