
Kubernetes Pods in Managed Namespace

The Mayope Managed Namespace provides a full-fledged namespace experience. You can deploy any kind of app configuration you want.

To ensure a safe and uninterrupted experience, pods are restricted to the Baseline Pod Security Standard:

Volume Restrictions

Mounting hostPath volumes is not allowed.

Privileged containers

Privileged containers through securityContext.privileged are not allowed.

Capabilities

Adding capabilities beyond the default set through securityContext.capabilities.add is not allowed.

Port Restrictions

Using hostPort is not allowed.

SELinux

Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden. Restricted fields: securityContext.seLinuxOptions.type, securityContext.seLinuxOptions.role, securityContext.seLinuxOptions.user.

/proc Mount Type

Setting securityContext.procMount is not allowed.

Sysctl

Changing the value of securityContext.sysctls is not allowed.

Privilege Escalation

Privilege escalation through allowPrivilegeEscalation is not allowed.

Non-root groups

The parameters runAsGroup, supplementalGroups and fsGroup are not supported in the security context.
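As an added example (not Mayope's own tooling), the following Python check reports the fields listed above before a manifest is applied, so a rejected Pod can be fixed locally rather than at admission. The default capability set and the permitted SELinux types are assumptions taken from the upstream Kubernetes Baseline profile, which this page does not enumerate; the sample Pod is constructed.

```python
# Pre-submission check for the Baseline restrictions listed on this page.
# DEFAULT_CAPS and SELINUX_TYPES are assumed from the upstream Kubernetes
# Baseline profile; the page itself does not list them.
DEFAULT_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID",
                "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID",
                "SETPCAP", "SETUID", "SYS_CHROOT"}
SELINUX_TYPES = {"container_t", "container_init_t", "container_kvm_t"}
# Fields the page says may not be set at all (procMount, sysctls, groups).
BLOCKED = ("procMount", "sysctls", "runAsGroup", "supplementalGroups", "fsGroup")

def check_security_context(sc: dict, where: str) -> list:
    issues = []
    if sc.get("privileged"):
        issues.append(f"{where}: privileged containers are not allowed")
    if sc.get("allowPrivilegeEscalation"):
        issues.append(f"{where}: allowPrivilegeEscalation is not allowed")
    for f in BLOCKED:
        if f in sc:
            issues.append(f"{where}: {f} may not be set")
    extra = set((sc.get("capabilities") or {}).get("add", [])) - DEFAULT_CAPS
    if extra:
        issues.append(f"{where}: capabilities beyond the default set: {sorted(extra)}")
    sel = sc.get("seLinuxOptions") or {}
    if "user" in sel or "role" in sel:
        issues.append(f"{where}: custom SELinux user/role is forbidden")
    if "type" in sel and sel["type"] not in SELINUX_TYPES:
        issues.append(f"{where}: SELinux type {sel['type']!r} is not permitted")
    return issues

def check_pod(pod: dict) -> list:
    spec = pod.get("spec", {})
    issues = check_security_context(spec.get("securityContext") or {}, "pod")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            issues.append(f"volume {v.get('name')}: hostPath volumes are not allowed")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = f"container {c.get('name')}"
        issues += check_security_context(c.get("securityContext") or {}, name)
        for p in c.get("ports", []):
            if p.get("hostPort"):  # hostPort 0 means unused, so only non-zero is flagged
                issues.append(f"{name}: hostPort is not allowed")
    return issues

# Constructed sample manifest (as a dict) that breaks four of the rules above.
SAMPLE_POD = {"spec": {
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "app", "ports": [{"containerPort": 8080, "hostPort": 8080}],
        "securityContext": {"privileged": True, "capabilities": {"add": ["NET_BIND_SERVICE", "SYS_ADMIN"]}}}]}}
if __name__ == "__main__":
    print("\n".join(check_pod(SAMPLE_POD)) or "no violations")
```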