From f7f3bbd5abbd8da25e8dbf4d82b5a9d6ba54d891 Mon Sep 17 00:00:00 2001 From: Sunil Singh Date: Tue, 11 Mar 2025 16:32:48 -0700 Subject: [PATCH] Adding note to PSA template on users handling policy exemptions, tied to Rancher docs issue 1632. Signed-off-by: Sunil Singh --- .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ .../psa-config-templates.md | 4 ++++ 12 files changed, 48 insertions(+) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 963bebfd316..67949dbbff4 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -8,6 +8,10 @@ title: Pod Security Admission (PSA) Configuration Templates [Pod Security admission (PSA)](./pod-security-standards.md) configuration templates are a Rancher custom-defined resource (CRD), available in Rancher v2.7.2 and above. The templates provide pre-defined security configurations that you can apply to a cluster: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#exempting-required-rancher-namespaces) that won't be used within your environments. +::: + - `rancher-privileged`: The most permissive configuration. It doesn't restrict the behavior of any pods. This allows for known privilege escalations. This policy has no exemptions. - `rancher-restricted`: A heavily restricted configuration that follows current best practices for hardening pods. You must make [namespace-level exemptions](./pod-security-standards.md#rancher-on-psa-restricted-clusters) for Rancher components. diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 5089f8e11d7..e38b0fd3113 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -4,6 +4,10 @@ title: Pod 安全准入 (PSA) 配置模板 [Pod Security admission (PSA)](./pod-security-standards.md) 配置模板是 Rancher 自定义资源 (CRD),在 Rancher v2.7.2 及更高版本中可用。这些模板提供了可应用于集群的预定义安全配置: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#豁免必须的-rancher-命名空间) that won't be used within your environments. +::: + - `rancher-privileged`:最宽松的配置。它不限制任何 Pod 行为,允许已知的权限升级。该策略没有豁免。 - `rancher-restricted`:严格限制的配置,遵循当前加固 pod 的最佳实践。你必须对 Rancher 组件进行[命名空间级别豁免](./pod-security-standards.md#受-psa-限制的集群上的-rancher)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 5089f8e11d7..e38b0fd3113 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -4,6 +4,10 @@ title: Pod 安全准入 (PSA) 配置模板 [Pod Security admission (PSA)](./pod-security-standards.md) 配置模板是 Rancher 自定义资源 (CRD),在 Rancher v2.7.2 及更高版本中可用。这些模板提供了可应用于集群的预定义安全配置: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#豁免必须的-rancher-命名空间) that won't be used within your environments. +::: + - `rancher-privileged`:最宽松的配置。它不限制任何 Pod 行为,允许已知的权限升级。该策略没有豁免。 - `rancher-restricted`:严格限制的配置,遵循当前加固 pod 的最佳实践。你必须对 Rancher 组件进行[命名空间级别豁免](./pod-security-standards.md#受-psa-限制的集群上的-rancher)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.11/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.11/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 5089f8e11d7..e38b0fd3113 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.11/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.11/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -4,6 +4,10 @@ title: Pod 安全准入 (PSA) 配置模板 [Pod Security admission (PSA)](./pod-security-standards.md) 配置模板是 Rancher 自定义资源 (CRD),在 Rancher v2.7.2 及更高版本中可用。这些模板提供了可应用于集群的预定义安全配置: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#豁免必须的-rancher-命名空间) that won't be used within your environments. +::: + - `rancher-privileged`:最宽松的配置。它不限制任何 Pod 行为,允许已知的权限升级。该策略没有豁免。 - `rancher-restricted`:严格限制的配置,遵循当前加固 pod 的最佳实践。你必须对 Rancher 组件进行[命名空间级别豁免](./pod-security-standards.md#受-psa-限制的集群上的-rancher)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index c3b4d6252f4..2b99324f266 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -4,6 +4,10 @@ title: Pod 安全准入 (PSA) 配置模板 [Pod Security admission (PSA)](./pod-security-standards.md) 配置模板是 Rancher 自定义资源 (CRD),在 Rancher v2.7.2 及更高版本中可用。这些模板提供了可应用于集群的预定义安全配置: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#豁免必须的-rancher-命名空间) that won't be used within your environments. +::: + - `rancher-privileged`:最宽松的配置。它不限制任何 Pod 行为,允许已知的权限升级。该策略没有豁免。 - `rancher-restricted`:严格限制的配置,遵循当前加固 pod 的最佳实践。你必须对 Rancher 组件进行[命名空间级别豁免](./pod-security-standards.md#受-psa-限制的集群上的-rancher)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 5089f8e11d7..e38b0fd3113 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -4,6 +4,10 @@ title: Pod 安全准入 (PSA) 配置模板 [Pod Security admission (PSA)](./pod-security-standards.md) 配置模板是 Rancher 自定义资源 (CRD),在 Rancher v2.7.2 及更高版本中可用。这些模板提供了可应用于集群的预定义安全配置: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#豁免必须的-rancher-命名空间) that won't be used within your environments. +::: + - `rancher-privileged`:最宽松的配置。它不限制任何 Pod 行为,允许已知的权限升级。该策略没有豁免。 - `rancher-restricted`:严格限制的配置,遵循当前加固 pod 的最佳实践。你必须对 Rancher 组件进行[命名空间级别豁免](./pod-security-standards.md#受-psa-限制的集群上的-rancher)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index c3b4d6252f4..2b99324f266 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -4,6 +4,10 @@ title: Pod 安全准入 (PSA) 配置模板 [Pod Security admission (PSA)](./pod-security-standards.md) 配置模板是 Rancher 自定义资源 (CRD),在 Rancher v2.7.2 及更高版本中可用。这些模板提供了可应用于集群的预定义安全配置: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#豁免必须的-rancher-命名空间) that won't be used within your environments. +::: + - `rancher-privileged`:最宽松的配置。它不限制任何 Pod 行为,允许已知的权限升级。该策略没有豁免。 - `rancher-restricted`:严格限制的配置,遵循当前加固 pod 的最佳实践。你必须对 Rancher 组件进行[命名空间级别豁免](./pod-security-standards.md#受-psa-限制的集群上的-rancher)。 diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 963bebfd316..67949dbbff4 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -8,6 +8,10 @@ title: Pod Security Admission (PSA) Configuration Templates [Pod Security admission (PSA)](./pod-security-standards.md) configuration templates are a Rancher custom-defined resource (CRD), available in Rancher v2.7.2 and above. The templates provide pre-defined security configurations that you can apply to a cluster: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#exempting-required-rancher-namespaces) that won't be used within your environments. +::: + - `rancher-privileged`: The most permissive configuration. It doesn't restrict the behavior of any pods. This allows for known privilege escalations. This policy has no exemptions. - `rancher-restricted`: A heavily restricted configuration that follows current best practices for hardening pods. You must make [namespace-level exemptions](./pod-security-standards.md#rancher-on-psa-restricted-clusters) for Rancher components. diff --git a/versioned_docs/version-2.11/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.11/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 963bebfd316..67949dbbff4 100644 --- a/versioned_docs/version-2.11/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/versioned_docs/version-2.11/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -8,6 +8,10 @@ title: Pod Security Admission (PSA) Configuration Templates [Pod Security admission (PSA)](./pod-security-standards.md) configuration templates are a Rancher custom-defined resource (CRD), available in Rancher v2.7.2 and above. The templates provide pre-defined security configurations that you can apply to a cluster: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#exempting-required-rancher-namespaces) that won't be used within your environments. +::: + - `rancher-privileged`: The most permissive configuration. It doesn't restrict the behavior of any pods. This allows for known privilege escalations. This policy has no exemptions. - `rancher-restricted`: A heavily restricted configuration that follows current best practices for hardening pods. You must make [namespace-level exemptions](./pod-security-standards.md#rancher-on-psa-restricted-clusters) for Rancher components. diff --git a/versioned_docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 963bebfd316..67949dbbff4 100644 --- a/versioned_docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/versioned_docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -8,6 +8,10 @@ title: Pod Security Admission (PSA) Configuration Templates [Pod Security admission (PSA)](./pod-security-standards.md) configuration templates are a Rancher custom-defined resource (CRD), available in Rancher v2.7.2 and above. The templates provide pre-defined security configurations that you can apply to a cluster: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#exempting-required-rancher-namespaces) that won't be used within your environments. +::: + - `rancher-privileged`: The most permissive configuration. It doesn't restrict the behavior of any pods. This allows for known privilege escalations. This policy has no exemptions. - `rancher-restricted`: A heavily restricted configuration that follows current best practices for hardening pods. You must make [namespace-level exemptions](./pod-security-standards.md#rancher-on-psa-restricted-clusters) for Rancher components. diff --git a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 18b869c600b..2b02b9abfc2 100644 --- a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -8,6 +8,10 @@ title: Pod Security Admission (PSA) Configuration Templates [Pod Security admission (PSA)](./pod-security-standards.md) configuration templates are a Rancher custom-defined resource (CRD), available in Rancher v2.7.2 and above. The templates provide pre-defined security configurations that you can apply to a cluster: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#exempting-required-rancher-namespaces) that won't be used within your environments. +::: + - `rancher-privileged`: The most permissive configuration. It doesn't restrict the behavior of any pods. This allows for known privilege escalations. This policy has no exemptions. - `rancher-restricted`: A heavily restricted configuration that follows current best practices for hardening pods. You must make [namespace-level exemptions](./pod-security-standards.md#rancher-on-psa-restricted-clusters) for Rancher components. diff --git a/versioned_docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 963bebfd316..67949dbbff4 100644 --- a/versioned_docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/versioned_docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -8,6 +8,10 @@ title: Pod Security Admission (PSA) Configuration Templates [Pod Security admission (PSA)](./pod-security-standards.md) configuration templates are a Rancher custom-defined resource (CRD), available in Rancher v2.7.2 and above. The templates provide pre-defined security configurations that you can apply to a cluster: +:::info important +The policies shipped by default in Rancher aim to provide a trade-off between security and convenience. If a more strict policy configuration is needed, users are able to craft such policies themselves based on their specific requirements. In the case Rancher policies are preferred, you will need to deploy admission controllers that block the creation of any [exempted namespaces](#exempting-required-rancher-namespaces) that won't be used within your environments. +::: + - `rancher-privileged`: The most permissive configuration. It doesn't restrict the behavior of any pods. This allows for known privilege escalations. This policy has no exemptions. - `rancher-restricted`: A heavily restricted configuration that follows current best practices for hardening pods. You must make [namespace-level exemptions](./pod-security-standards.md#rancher-on-psa-restricted-clusters) for Rancher components.