Policies
Michal Rostecki edited this page Jul 19, 2021 · 1 revision
Draft design document on how we would like to define policies.
The following tables define each policy level's behavior towards actions that are, directly or indirectly, intercepted by LSM hooks.
This table lists what the Kubernetes community agreed on in its latest proposal (the Pod Security Standards levels):
| Action | restricted | baseline | privileged |
|---|---|---|---|
| Host ports | forbidden | forbidden | allowed |
This table lists our ideas:
| Action | restricted | baseline | privileged |
|---|---|---|---|
| Kernel logs | forbidden | forbidden | allowed |
| Host mounts | forbidden | only /home and /var/container-data | allowed |
| Using root account | forbidden | allowed | allowed |
| --device | forbidden | allowed (not fully decided yet) | allowed |
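The "Host mounts" row is the only one whose check is more than a yes/no lookup: a baseline container may only bind-mount host paths under /home or /var/container-data. The block below is an added example, not code from this project, showing how that check should be written so that a naive string-prefix test does not let /home2 or /home/../etc through. The Level enum, the function names and the decision to normalize lexically (no symlink resolution) are assumptions of the example.

```rust
// Added example, not part of this project: evaluate the draft "Host mounts"
// row for the three policy levels with a component-wise allow-list check.
use std::path::{Component, Path, PathBuf};

/// Policy levels from the tables above (names are the example's assumption).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Level {
    Restricted,
    Baseline,
    Privileged,
}

/// Host directories a baseline container may bind-mount (from the draft table).
pub const BASELINE_MOUNT_ALLOWLIST: &[&str] = &["/home", "/var/container-data"];

/// Lexically normalize a mount source: it must be absolute and must not contain
/// `..`, so "/home/../etc" cannot be accepted as "under /home". Symlinks are not
/// resolved here; the assumption is that the path handed to the LSM hook is
/// already the resolved one.
pub fn normalize(path: &str) -> Option<PathBuf> {
    let p = Path::new(path);
    if !p.is_absolute() {
        return None;
    }
    let mut out = PathBuf::from("/");
    for c in p.components() {
        match c {
            Component::RootDir | Component::CurDir => {}
            Component::ParentDir | Component::Prefix(_) => return None,
            Component::Normal(s) => out.push(s),
        }
    }
    Some(out)
}

/// Decide whether `source` may be bind-mounted from the host at `level`.
pub fn host_mount_allowed(level: Level, source: &str) -> bool {
    match level {
        Level::Privileged => true,
        Level::Restricted => false,
        Level::Baseline => match normalize(source) {
            None => false,
            // Path::starts_with compares whole components, so "/home2" is not
            // under "/home" even though it shares the byte prefix.
            Some(p) => BASELINE_MOUNT_ALLOWLIST
                .iter()
                .any(|root| p.starts_with(Path::new(root))),
        },
    }
}

fn main() {
    // Constructed sample requests, not captured from a real system.
    let requests = [
        (Level::Baseline, "/home/alice"),
        (Level::Baseline, "/home2"),
        (Level::Baseline, "/home/../etc"),
        (Level::Restricted, "/home"),
        (Level::Privileged, "/etc"),
    ];
    for &(level, src) in requests.iter() {
        println!("{:?} {} -> {}", level, src, host_mount_allowed(level, src));
    }
}
```

The allow-list comparison is done on path components rather than bytes; that is the difference between "/home/alice is under /home" and "/home2 starts with /home", and a byte-prefix check would get the second one wrong.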