Kubernetes Pods in Managed Namespace
The Mayope Managed Namespace provides a full-fledged namespace experience. You can deploy any kind of app configuration you want.
To ensure a safe and uninterrupted experience, pods are restricted to the Baseline PodSecurityStandard:

Volume Restrictions: Mounting hostPath volumes is not allowed.

Privileged containers: Privileged containers through securityContext.privileged are not allowed.

Capabilities: Adding capabilities beyond the default set through securityContext.capabilities.add is not allowed.

Port Restrictions: Using hostPort is not allowed.

SELinux: Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden. Restricted fields: securityContext.seLinuxOptions.type, securityContext.seLinuxOptions.role, securityContext.seLinuxOptions.user

/proc Mount Type: The parameter securityContext.procMount is not allowed.

Sysctl: Changing the value of securityContext.sysctls is not allowed.

Privilege Escalation: Privilege escalation through allowPrivilegeEscalation is not allowed.

Non-root groups: Using the parameters runAsGroup, supplementalGroups and fsGroup is not supported in the security context.
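The following is an added example, not part of the Mayope documentation or tooling: a small pre-flight checker that walks a Pod manifest (already parsed into a dict, e.g. by PyYAML or the Kubernetes client) and reports every field that the restrictions above would reject, so a manifest can be checked before it is submitted and refused by admission control. The two sample manifests are constructed for illustration; the checker treats a set seLinuxOptions.type as a finding to review because the page only states that the type is "restricted", and it requires allowPrivilegeEscalation to be explicitly false because Kubernetes defaults that field to true when it is omitted.

```python
"""Check a parsed Pod manifest against the Managed Namespace restrictions."""
from typing import Any

Finding = str


def _containers(spec: dict[str, Any]) -> list[dict[str, Any]]:
    # initContainers are subject to the same pod security rules as containers.
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])


def _check_selinux(sc: dict[str, Any], where: str, findings: list[Finding]) -> None:
    opts = sc.get("seLinuxOptions") or {}
    # role and user are forbidden outright; type is restricted, so flag it for review.
    for key in ("role", "user"):
        if key in opts:
            findings.append(f"{where}.seLinuxOptions.{key} is forbidden")
    if "type" in opts:
        findings.append(f"{where}.seLinuxOptions.type is restricted (value {opts['type']!r} needs review)")


def check_pod(pod: dict[str, Any]) -> list[Finding]:
    """Return a list of human-readable violations; an empty list means the pod passes."""
    findings: list[Finding] = []
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}

    # Volume restriction: no hostPath volumes.
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name', '?')!r}: hostPath volumes are not allowed")

    # Pod-level securityContext fields.
    if pod_sc.get("sysctls"):
        findings.append("securityContext.sysctls is not allowed")
    for key in ("runAsGroup", "supplementalGroups", "fsGroup"):
        if key in pod_sc:
            findings.append(f"securityContext.{key} is not supported")
    _check_selinux(pod_sc, "securityContext", findings)

    # Container-level fields (regular and init containers).
    for c in _containers(spec):
        where = f"container {c.get('name', '?')!r} securityContext"
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{where}.privileged is not allowed")
        if (sc.get("capabilities") or {}).get("add"):
            findings.append(f"{where}.capabilities.add is not allowed")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset, so require an explicit false.
        if sc.get("allowPrivilegeEscalation", True) is not False:
            findings.append(f"{where}.allowPrivilegeEscalation must be set to false")
        if "procMount" in sc:
            findings.append(f"{where}.procMount is not allowed")
        if "runAsGroup" in sc:
            findings.append(f"{where}.runAsGroup is not supported")
        _check_selinux(sc, where, findings)
        for port in c.get("ports") or []:
            if "hostPort" in port:
                findings.append(f"container {c.get('name', '?')!r}: hostPort is not allowed")
    return findings


# Constructed sample manifests (dict form of what `kubectl apply` would read as YAML).
GOOD_POD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "web", "image": "nginx:1.25",
            "ports": [{"containerPort": 8080}],
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

BAD_POD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "securityContext": {"sysctls": [{"name": "net.core.somaxconn", "value": "1024"}],
                            "fsGroup": 2000},
        "containers": [{
            "name": "shell", "image": "busybox",
            "ports": [{"containerPort": 80, "hostPort": 80}],
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["NET_ADMIN"]},
                                "procMount": "Unmasked",
                                "seLinuxOptions": {"role": "system_r"}},
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "OK")
```

Running the checker over a manifest before deployment gives the same verdict the admission layer would, but with every offending field listed at once rather than one rejection per attempt.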