mirror of https://github.com/k3s-io/k3s
cc571d1833
Automatic merge from submit-queue (batch tested with PRs 42360, 43109, 43737, 43853) Include pod namespace in PSP 'use' authorization check Follow up to https://github.com/kubernetes/kubernetes/pull/33080/files#diff-291b8dd7d08cc034975ddb3925dbb08fR341 Prior to this PR, when PodSecurityPolicy admission is active, you must be authorized to use a covering PodSecurityPolicy cluster-wide in order to create a pod. This PR changes that to only require a covering PodSecurityPolicy within the pod's namespace. When used in concert with mechanisms that limits pods within a namespace to a particular set of nodes, this can be used to allow users to create privileged pods within specific namespaces only. ```release-note Permission to use a PodSecurityPolicy can now be granted within a single namespace by allowing the `use` verb on the `podsecuritypolicies` resource within the namespace. ``` |
||
|---|---|---|
| .. | ||
| admit | ||
| alwayspullimages | ||
| antiaffinity | ||
| defaulttolerationseconds | ||
| deny | ||
| exec | ||
| gc | ||
| imagepolicy | ||
| initialresources | ||
| limitranger | ||
| namespace | ||
| persistentvolume/label | ||
| podnodeselector | ||
| podpreset | ||
| resourcequota | ||
| security | ||
| securitycontext/scdeny | ||
| serviceaccount | ||
| storageclass/default | ||
| OWNERS | ||