Closed bavishal closed 3 months ago
What exactly is AdmissionController
It feels like the clue is in the question.
The first link in k8s.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/ is to https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/. If you wish to, you can report an issue about https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/ and explain what parts of that page you found difficult to understand.
The usage of flag "--admission-control-config-file", this AdmissionController, and the corresponding PodSecurity plugin e.g: kube-apiserver --admission-control-config-file=/some/path/pod-security.yaml.
That is a fair comment. We should improve https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/ to explain setting the --admission-control-config-file command line argument to the API server, and to state that you must make sure to enable the PodSecurity admission controller (it's enabled by default, but it doesn't hurt to check).
No support for Different CRI Flavours' Implementation. For e.g: Rancher does not have a straightforward way of changing /etc/kubernetes/manifests/kube-apiserver.yaml, as this file does not even exist for Rancher K3S implementation.
You can use Pod Security Admission with any CRI implementation. However, if you are using a Kubernetes distribution or service that doesn't let you change these settings, this documentation won't be relevant. Typically, you should read the docs for the distribution or service instead.
We won't update our docs to document restrictions that only exist in third-party software, even third-party software that is based on or includes Kubernetes.
/language en
/sig auth
/triage accepted
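An added example, not part of the thread or of the Kubernetes documentation: a small check of the two things the comment above asks the docs to cover, namely that the API server is started with --admission-control-config-file and that PodSecurity has not been disabled, plus a sanity check of the file's PodSecurity entry. The sample command line and configuration are constructed, the function names are hypothetical, and the configuration is assumed to have been parsed from YAML into a dict already.

```python
import shlex

LEVELS = {"privileged", "baseline", "restricted"}  # Pod Security Standards levels
# Constructed sample: API server arguments; the file path is the one quoted in the thread.
SAMPLE_CMDLINE = ("kube-apiserver --admission-control-config-file=/some/path/pod-security.yaml"
                  " --disable-admission-plugins=PodSecurity")

# Constructed sample: pod-security.yaml after YAML parsing (note the typo under "warn").
SAMPLE_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "AdmissionConfiguration",
    "plugins": [{
        "name": "PodSecurity",
        "configuration": {
            "apiVersion": "pod-security.admission.config.k8s.io/v1",
            "kind": "PodSecurityConfiguration",
            "defaults": {"enforce": "baseline", "audit": "restricted", "warn": "restrictd"},
        },
    }],
}

def check_apiserver(cmdline):
    """Findings about the kube-apiserver flags (--flag=value form) that affect PodSecurity."""
    flags = dict(a.lstrip("-").partition("=")[::2] for a in shlex.split(cmdline)[1:])
    findings = []
    if not flags.get("admission-control-config-file"):
        findings.append("--admission-control-config-file not set")
    if "PodSecurity" in flags.get("disable-admission-plugins", "").split(","):
        findings.append("PodSecurity is in --disable-admission-plugins")
    return findings

def check_config(doc):
    """Findings about the PodSecurity entry of a parsed AdmissionConfiguration."""
    if doc.get("kind") != "AdmissionConfiguration":
        return ["top-level kind is not AdmissionConfiguration"]
    entry = next((p for p in doc.get("plugins") or [] if p.get("name") == "PodSecurity"), None)
    if entry is None:
        return ["no plugin entry named PodSecurity"]
    if "configuration" not in entry:
        return ["settings are not inline; check the file named by 'path'"]
    defaults = entry["configuration"].get("defaults") or {}
    findings = []
    for mode in ("enforce", "audit", "warn"):
        level = defaults.get(mode, "privileged")  # an unset mode defaults to privileged
        if level not in LEVELS:
            findings.append(f"defaults.{mode}: unknown level {level!r}")
    if defaults.get("enforce", "privileged") == "privileged":
        findings.append("defaults.enforce is privileged, so no pod is rejected by default")
    return findings
```

An empty list from both functions means the flag is present, the plugin is not disabled, and the defaults name valid levels with enforcement above privileged.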
- we plan to bring this up in sig-auth meeting to discuss how we can better handle making enforce as default.
I'm not seeing this mentioned in the issue description... what is this referring to?
This issue has not been updated in over 1 year, and should be re-triaged.
You can:
- /triage accepted (org members only)
- /close
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
SIG Auth folks: what's your intent here?
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- lifecycle/stale was applied, lifecycle/rotten is applied
- lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle stale
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- lifecycle/stale was applied, lifecycle/rotten is applied
- lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle rotten
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- lifecycle/stale is applied
- lifecycle/stale was applied, lifecycle/rotten is applied
- lifecycle/rotten was applied, the issue is closed
You can:
- /reopen
- /remove-lifecycle rotten
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
Documentation misses a couple of major points, which has caused many issues.