• Kubernetes Submit Queue's avatar
    Merge pull request #42360 from liggitt/psp-namespaced-use-check · cc571d18
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue (batch tested with PRs 42360, 43109, 43737, 43853)
    
    Include pod namespace in PSP 'use' authorization check
    
    Follow up to https://github.com/kubernetes/kubernetes/pull/33080/files#diff-291b8dd7d08cc034975ddb3925dbb08fR341
    
    Prior to this PR, when PodSecurityPolicy admission is active, you must be authorized to use a covering PodSecurityPolicy cluster-wide in order to create a pod. This PR changes that to only require a covering PodSecurityPolicy within the pod's namespace.
    
    When used in concert with mechanisms that limits pods within a namespace to a particular set of nodes, this can be used to allow users to create privileged pods within specific namespaces only.
    
    ```release-note
    Permission to use a PodSecurityPolicy can now be granted within a single namespace by allowing the `use` verb on the `podsecuritypolicies` resource within the namespace.
    ```
    cc571d18
Name
Last commit
Last update
..
admit Loading commit data...
alwayspullimages Loading commit data...
antiaffinity Loading commit data...
defaulttolerationseconds Loading commit data...
deny Loading commit data...
exec Loading commit data...
gc Loading commit data...
imagepolicy Loading commit data...
initialresources Loading commit data...
limitranger Loading commit data...
namespace Loading commit data...
persistentvolume/label Loading commit data...
podnodeselector Loading commit data...
podpreset Loading commit data...
resourcequota Loading commit data...
security Loading commit data...
securitycontext/scdeny Loading commit data...
serviceaccount Loading commit data...
storageclass/default Loading commit data...
OWNERS Loading commit data...