Skip to content

Policies

Michal Rostecki edited this page Jul 19, 2021 · 1 revision

Draft design document about how we would like to define policies.

The following tables try to define each policy's behavior towards actions (which are going to be, directly or indirectly, caught by LSM hooks).

This table lists what Kubernetes community agreed on their latest proposal

restricted baseline privileged
Host ports forbidden forbidden allowed

This table lists our ideas:

restricted baseline privileged
Kernel logs forbidden forbidden allowed
Host mounts forbidden only /home and /var/container-data allowed
Using root account forbidden allowed allowed
--device forbidden allowed (not fully sure tho) allowed
Clone this wiki locally