Merge pull request #13447 from pweil-/pid-mode

Auto commit by PR queue bot
This commit is contained in:
k8s-merge-robot
2015-09-16 23:34:35 -07:00
37 changed files with 366 additions and 145 deletions

@@ -43,7 +43,8 @@ Documentation for other releases can be found at
- [What does each plug-in do?](#what-does-each-plug-in-do)
- [AlwaysAdmit](#alwaysadmit)
- [AlwaysDeny](#alwaysdeny)
- [DenyExecOnPrivileged](#denyexeconprivileged)
- [DenyExecOnPrivileged (deprecated)](#denyexeconprivileged-deprecated)
- [DenyEscalatingExec](#denyescalatingexec)
- [ServiceAccount](#serviceaccount)
- [SecurityContextDeny](#securitycontextdeny)
- [ResourceQuota](#resourcequota)
@@ -92,13 +93,25 @@ Use this plugin by itself to pass-through all requests.
Rejects all requests. Used for testing.
### DenyExecOnPrivileged
### DenyExecOnPrivileged (deprecated)
This plug-in will intercept all requests to exec a command in a pod if that pod has a privileged container.
If your cluster supports privileged containers, and you want to restrict the ability of end-users to exec
commands in those containers, we strongly encourage enabling this plug-in.
This functionality has been merged into [DenyEscalatingExec](#denyescalatingexec).
### DenyEscalatingExec
This plug-in will deny exec and attach commands to pods that run with escalated privileges that
allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and
have access to the host PID namespace.
If your cluster supports containers that run with escalated privileges, and you want to
restrict the ability of end-users to exec commands in those containers, we strongly encourage
enabling this plug-in.
### ServiceAccount
This plug-in implements automation for [serviceAccounts](../user-guide/service-accounts.md).
@@ -159,7 +172,7 @@ Yes.
For Kubernetes 1.0, we strongly recommend running the following set of admission control plug-ins (order matters):
```
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DenyEscalatingExec,ResourceQuota
```
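Review bot: the deprecated DenyExecOnPrivileged section (the `### DenyExecOnPrivileged (deprecated)` heading and the paragraph under it) still ends with "we strongly encourage enabling this plug-in" and only afterwards mentions that the functionality has been merged into DenyEscalatingExec, so an operator reading that section on its own is told to enable a deprecated plug-in. Suggest replacing the encouragement with a pointer, e.g. "This plug-in is deprecated; enable DenyEscalatingExec instead, which also covers pods using the host IPC and host PID namespaces." The recommended flag line at the end of the hunk correctly adds DenyEscalatingExec, but because the surrounding text says "order matters", a sentence on why it sits between ServiceAccount and ResourceQuota (or that its position is immaterial because it only acts on exec and attach requests) would save readers from guessing.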

@@ -11,7 +11,7 @@ spec:
- /bin/sh
- -c
- /usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001
--cloud-provider=gce --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
--cloud-provider=gce --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DenyEscalatingExec,ResourceQuota
--service-cluster-ip-range=10.0.0.0/16 --client-ca-file=/srv/kubernetes/ca.crt
--basic-auth-file=/srv/kubernetes/basic_auth.csv --cluster-name=e2e-test-bburns
--tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key
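Review bot: the `--admission-control=` string in this apiserver manifest now matches the recommended set in the docs hunk, but the two copies are maintained by hand; any other provider or cluster manifest carrying the same `NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota` list needs the same DenyEscalatingExec insertion, otherwise this GCE manifest would be the only one that denies exec and attach into privileged, hostPID or hostIPC pods. A grep for the old string across the repository before merging would confirm nothing was missed.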

@@ -48,7 +48,7 @@ cluster's shared state through which all other components interact.
```
--address=<nil>: DEPRECATED: see --insecure-bind-address instead
--admission-control="": Ordered list of plug-ins to do admission control of resources into cluster. Comma-delimited list of: AlwaysAdmit, AlwaysDeny, DenyExecOnPrivileged, LimitRanger, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, ResourceQuota, SecurityContextDeny, ServiceAccount
--admission-control="": Ordered list of plug-ins to do admission control of resources into cluster. Comma-delimited list of: AlwaysAdmit, AlwaysDeny, DenyExecOnPrivileged, DenyEscalatingExec, LimitRanger, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, ResourceQuota, SecurityContextDeny, ServiceAccount
--admission-control-config-file="": File with admission control configuration.
--advertise-address=<nil>: The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used.
--allow-privileged=false: If true, allow privileged containers.
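Review bot: the plug-in list in the `--admission-control` help text is alphabetical, and DenyEscalatingExec sorts before DenyExecOnPrivileged (`Es` < `Ex`), so it belongs on the other side of it: `..., AlwaysDeny, DenyEscalatingExec, DenyExecOnPrivileged, LimitRanger, ...`. The help text also still presents DenyExecOnPrivileged as a current option while the docs hunk deprecates it; either mark it deprecated here or say it is retained for compatibility, so that users reading `--help` get the same guidance as readers of the admission-controller docs.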

@@ -84,6 +84,7 @@ HTTP server: The kubelet can also listen for HTTP and respond to a simple API
--healthz-port=0: The port of the localhost healthz endpoint
-h, --help=false: help for kubelet
--host-network-sources="": Comma-separated list of sources from which the Kubelet allows pods to use of host network. For all sources use "*" [default="file"]
--host-pid-sources="": Comma-separated list of sources from which the Kubelet allows pods to use the host pid namespace. For all sources use "*" [default="file"]
--hostname-override="": If non-empty, will use this string as identification instead of the actual hostname.
--http-check-frequency=0: Duration between checking http for new data
--image-gc-high-threshold=0: The percent of disk usage after which image garbage collection is always run. Default: 90%%
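Review bot: `--host-pid-sources` mirrors `--host-network-sources`, including the `[default="file"]` that lets file-sourced (static) pods opt into the host PID namespace while pods from other sources are refused by default, which is the right conservative default; the help string should, however, state what happens to a pod from a non-listed source that requests hostPID (whether it is rejected outright or run without host PID), since that distinction matters to operators auditing node policy. The DenyEscalatingExec docs hunk treats host IPC as equally escalating, yet no corresponding `--host-ipc-sources` flag appears in this hunk; confirm whether hostIPC is gated by the same mechanism or document that it is not. Minor: the adjacent `--host-network-sources` text reads "to use of host network", which could be fixed to "to use the host network" in the same pass.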