From 8a8059a1e417871cff316f9a53ed678d8a1671ee Mon Sep 17 00:00:00 2001 From: Juanita Balaraj Date: Tue, 3 Sep 2024 21:27:09 +0000 Subject: [PATCH] PSP Removal in support of transition to k8s 1.25/1.26 Updated Patchset 1 comments Removed topic from an archived folder Commented out related links to these topics Removed all PSP topics Story: 2010590 Task: 50961 Change-Id: If129ebfc9f4622f69114c5dac0163a5e84caa27f Signed-off-by: Juanita Balaraj --- doc/source/_vendor/rl-strings.txt | 8 +- doc/source/archive/configuration/index.rst | 3 - .../configuration/k8s_pod_sec_policies.rst | 138 ------------------ .../configuration/k8s_res_policies.rst | 21 +-- .../assign-pod-security-policies.rst | 134 ----------------- .../disable-pod-security-policy-checking.rst | 34 ----- .../enable-pod-security-policy-checking.rst | 39 ----- .../index-security-kub-81153c1254c3.rst | 4 - ...rity-admission-controller-8e9e6994100f.rst | 2 +- .../kubernetes/pod-security-policies.rst | 71 --------- .../kubernetes/resource-management.rst | 8 +- 11 files changed, 12 insertions(+), 450 deletions(-) delete mode 100644 doc/source/archive/configuration/k8s_pod_sec_policies.rst delete mode 100644 doc/source/security/kubernetes/assign-pod-security-policies.rst delete mode 100644 doc/source/security/kubernetes/disable-pod-security-policy-checking.rst delete mode 100644 doc/source/security/kubernetes/enable-pod-security-policy-checking.rst delete mode 100644 doc/source/security/kubernetes/pod-security-policies.rst diff --git a/doc/source/_vendor/rl-strings.txt b/doc/source/_vendor/rl-strings.txt index 86cb81870..e41b6f84b 100644 --- a/doc/source/_vendor/rl-strings.txt +++ b/doc/source/_vendor/rl-strings.txt 
@@ -255,7 +255,7 @@ .. |index-security-84d0d8aa401b| replace:: :ref:`Security ` .. |pod-security-admission-controller-8e9e6994100f| replace:: :ref:`Pod Security Admission Controller ` .. |install-update-the-starlingx-rest-and-web-server-certificate| replace:: :ref:`Install/Update the StarlingX Rest and Web Server Certificate ` -.. |pod-security-policies| replace:: :ref:`Pod Security Policies ` +.. .. |pod-security-policies| replace:: :ref:`Pod Security Policies ` .. |remove-portieris| replace:: :ref:`Remove Portieris ` .. |delete-ldap-linux-accounts-7de0782fbafd| replace:: :ref:`Delete LDAP Linux Accounts ` .. |security-install-update-the-docker-registry-certificate| replace:: :ref:`Local Registry Server Certificates ` 
@@ -308,14 +308,14 @@ .. |kubernetes-certificates-f4196d7cae9c| replace:: :ref:`Kubernetes Certificates ` .. |security-access-the-gui| replace:: :ref:`Access the GUI ` .. |install-portieris| replace:: :ref:`Install Portieris ` -.. |disable-pod-security-policy-checking| replace:: :ref:`Disable Pod Security Policy Checking ` +.. .. |disable-pod-security-policy-checking| replace:: :ref:`Disable Pod Security Policy Checking ` .. |configure-local-cli-access| replace:: :ref:`Configure Local CLI Access ` .. |deprovision-ldap-server-authentication| replace:: :ref:`Deprovision LDAP Server Authentication ` .. |overview-of-ldap-servers| replace:: :ref:`Overview of LDAP Servers ` .. |etcd-certificates-c1fc943e4a9c| replace:: :ref:`Etcd Certificates ` .. |install-the-kubernetes-dashboard| replace:: :ref:`Install the Kubernetes Dashboard ` .. |enable-https-access-for-starlingx-rest-and-web-server-endpoints| replace:: :ref:`Enable HTTPS Access for StarlingX REST and Web Server Endpoints ` -.. |assign-pod-security-policies| replace:: :ref:`Assign Pod Security Policies ` +.. .. |assign-pod-security-policies| replace:: :ref:`Assign Pod Security Policies ` .. |install-vault| replace:: :ref:`Install Vault ` .. |configure-vault| replace:: :ref:`Configure Vault Using the Vault REST API ` .. |configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f| replace:: :ref:`Configure REST API Applications and Web Administration Server certificate ` 
@@ -358,7 +358,7 @@ .. |portieris-clusterimagepolicy-and-imagepolicy-configuration| replace:: :ref:`Portieris ClusterImagePolicy and ImagePolicy Configuration ` .. |selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c| replace:: :ref:`Selectively Disable SSH for Local OpenLDAP and WAD Users ` .. |security-cert-manager| replace:: :ref:`Cert Manager ` -.. |enable-pod-security-policy-checking| replace:: :ref:`Enable Pod Security Policy Checking ` +.. .. |enable-pod-security-policy-checking| replace:: :ref:`Enable Pod Security Policy Checking ` .. |starlingx-rest-api-applications-and-the-web-administration-server| replace:: :ref:`StarlingX REST API Applications and the Web Administration Server Certificate ` .. |starlingx-openstack-kubernetes-from-stsadmin-account-login| replace:: :ref:`For StarlingX, Platform OpenStack and Kubernetes CLIs from the 'sysadmin' Linux Account Login ` .. |configure-users-groups-and-authorization| replace:: :ref:`Configure Users, Groups, and Authorization ` diff --git a/doc/source/archive/configuration/index.rst b/doc/source/archive/configuration/index.rst index 82b5e7d82..d8fad6e0f 100644 --- a/doc/source/archive/configuration/index.rst +++ b/doc/source/archive/configuration/index.rst @@ -23,8 +23,6 @@ General Configuration system_config time_sync_config - - ------------------------ Kubernetes Configuration ------------------------ @@ -34,7 +32,6 @@ Kubernetes Configuration k8s_auth_winactivedir k8s_persistent_vol - k8s_pod_sec_policies k8s_res_policies k8s_upgrade diff --git a/doc/source/archive/configuration/k8s_pod_sec_policies.rst b/doc/source/archive/configuration/k8s_pod_sec_policies.rst deleted file mode 100644 index cd7571b0f..000000000 --- a/doc/source/archive/configuration/k8s_pod_sec_policies.rst +++ /dev/null 
@@ -1,138 +0,0 @@ -===================== -Pod Security Policies -===================== - -.. note:: - - PodSecurityPolicy (PSP) ONLY applies if running on K8S v1.24 or earlier. - PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and removed from K8S v1.25. - Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using - :ref:`Pod Security Admission Controller ` - -.. note:: - - This guide was replaced by: :ref:`Pod Security Policies ` - -This guide describes how to enable Kubernetes pod security policies. - -.. contents:: - :local: - :depth: 1 - --------- -Overview --------- - -Pod Security Policies (PSPs) enable fine-grained authorization of pod creation -and updates. :abbr:`PSPs (Pod Security Policies)` control access to security -sensitive aspects of pod specifications such as running of privileged -containers, use of host file system, running as root, etc. PSPs define a set of -conditions that a pod must run with in order to be accepted into the system, as -well as defaults for the related fields. PSPs are assigned to users using -Kubernetes RBAC RoleBindings. See -https://kubernetes.io/docs/concepts/policy/pod-security-policy/ for details. - -When enabled, pod security policy checking authorizes all Kubernetes API -commands against the PSPs which the issuer of the command has access to. If -there are no PSPs defined in the system or the issuer does not have access to -any PSPs, PSP checking will fail to authorize the command. - -StarlingX provides a system service parameter to enable pod security policy -checking. Setting this service parameter also creates two PSPs (privileged and -restricted). Users with the cluster-admin role can access all resources and -therefore have PSPs to authorize against. The parameter also creates two -corresponding roles for specifying access to these PSPs (``privileged-psp-user`` -and ``restricted-psp-user``) for binding to other non-admin type subjects. 
- -------------------- -Enable PSP checking -------------------- - -Perform the following steps. - -#. Set the Kubernetes ``kube_apiserver admission_plugins`` system parameter to - include PodSecurityPolicy. - - :: - - system service-parameter-add kubernetes kube_apiserver admission_plugins=PodSecurityPolicy - -#. Apply the Kubernetes system parameters. - - :: - - system service-parameter-apply kubernetes - -Use the following commands to view the automatically added PSPs, as well as -privileged and restricted PSPs. - -:: - - kubectl get psp - kubectl describe psp privileged - kubectl describe psp restricted - -------------------------------- -Update role for non-admin users -------------------------------- - -After enabling Pod security policy checking in StarlingX, all users -with the cluster-admin role are unaffected because they have access to the -privileged PSP. However, other users require a new ``RoleBinding`` to either -the privileged-psp-user role or the restricted-psp-user role. - -For example, the following ``RoleBinding`` assigns the restricted PSP to -``basic-user`` in the ``billing-dept-ns`` namespace: - -:: - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: basic-restricted-psp-users - namespace: billing-dept-ns - subjects: - - kind: ServiceAccount - name: basic-user - namespace: kube-system - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: restricted-psp-user - -This enables ``basic-user`` to create pods in the ``billing-dept-ns`` namespace -subject to the restricted PSP policy. - ---------------------------------- -Bind to the PSP for the namespace ---------------------------------- - -An unexpected behavior when PSP checking is enabled is that the above -``basic-user`` is able to create pods in ``billing-dept-ns`` (subject to the -restricted PSP), however they are **not** able to create deployments. 
This is -because the pods of the deployment are created using the replicaSet -controller’s serviceAccount and RBAC bindings, not the ``basic-user`` -serviceAccount and RBAC bindings. - -The typical approach for addressing this is to bind all the serviceAccounts in -kube-system (which includes replicaSet controller serviceAccounts) to the -appropriate PSP for the specific namespace. - -For example, the following RoleBinding assigns the restricted PSP to all -kube-system serviceAccounts operating in the ``billing-dept-ns`` namespace. - -:: - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: kube-system-restricted-psp-users - namespace: billing-dept-ns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: restricted-psp-user - subjects: - - kind: Group - name: system:serviceaccounts:kube-system - apiGroup: rbac.authorization.k8s.io diff --git a/doc/source/archive/configuration/k8s_res_policies.rst b/doc/source/archive/configuration/k8s_res_policies.rst index 8debf2b58..46ab62df7 100644 --- a/doc/source/archive/configuration/k8s_res_policies.rst +++ b/doc/source/archive/configuration/k8s_res_policies.rst @@ -1,3 +1,4 @@ + ================= Resource Policies ================= @@ -35,7 +36,7 @@ Specifically a LimitRange policy provides constraints that can: See https://kubernetes.io/docs/concepts/policy/limit-range/ for more details. An example of LimitRange policies for the ``billing-dept-ns`` namespace in the -:doc:`k8s_pod_sec_policies` example is shown below: +:ref:`private-namespace-and-restricted-rbac` example is shown below: :: @@ -96,6 +97,8 @@ An example of LimitRange policies for the ``billing-dept-ns`` namespace in the memory: 10 type: Pod + + ------------- ResourceQuota ------------- 
@@ -109,19 +112,3 @@ namespaced resource types such as secrets, configmaps, and others. See https://kubernetes.io/docs/concepts/policy/resource-quotas/ for more details. -An example of ResourceQuota policies for the ``billing-dept-ns`` namespace of -the :doc:`k8s_pod_sec_policies` example is shown below: - -:: - - apiVersion: v1 - kind: ResourceQuota - metadata: - name: resource-quotas - namespace: billing-dept-ns - spec: - hard: - persistentvolumeclaims: "1" - services.loadbalancers: "2" - services.nodeports: "0" - diff --git a/doc/source/security/kubernetes/assign-pod-security-policies.rst b/doc/source/security/kubernetes/assign-pod-security-policies.rst deleted file mode 100644 index a31660bf5..000000000 --- a/doc/source/security/kubernetes/assign-pod-security-policies.rst +++ /dev/null 
@@ -1,134 +0,0 @@ - -.. ler1590089128119 -.. _assign-pod-security-policies: - -============================ -Assign Pod Security Policies -============================ - -.. note:: - - PodSecurityPolicy (PSP) ONLY applies if running on K8S v1.24 or earlier. - PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and removed from K8S v1.25. - Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using - :ref:`Pod Security Admission Controller ` - -This section describes Pod security policies for **cluster-admin users**, -and **non-cluster-admin users**. - -.. contents:: - :local: - :depth: 1 - -.. _assign-pod-security-policies-section-xyl-2vp-bmb: - -------------------- -cluster-admin users -------------------- - -After enabling |PSP| checking, all users with **cluster-admin** roles can -directly create pods since they have access to the **privileged** |PSP|. Also, -based on the ClusterRoleBindings and RoleBindings automatically added by -|prod|, all users with cluster-admin roles can also create privileged -Deployment/ReplicaSets/etc. in the kube-system namespace and restricted -Deployment/ReplicaSets/etc. in any other namespace. - - -In order to enable privileged Deployment/ReplicaSets/etc. to be created in -another namespace, a role binding of a |PSP| role to -**system:serviceaccounts:kube-system** for the target namespace, is required. -However, this will enable *ANY* user with access to Deployments/ReplicaSets/etc -in this namespace to create privileged Deployments/ReplicaSets. The following -example describes the required RoleBinding to allow "creates" of privileged -Deployments/ReplicaSets/etc in the 'default' namespace for any user with access -to Deployments/ReplicaSets/etc. in the ‘default’ namespace. - -.. 
code-block:: none - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: default-privileged-psp-users - namespace: default - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: privileged-psp-user - subjects: - - kind: Group - name: system:serviceaccounts:kube-system - apiGroup: rbac.authorization.k8s.io - - - -.. _assign-pod-security-policies-section-bm5-vxp-bmb: - ------------------------ -non-cluster-admin users ------------------------ - -Based on the ClusterRoleBindings and RoleBindings automatically added by -|prod|, non-cluster-admin users have at least restricted |PSP| privileges, for -both Pods and Deployment/ReplicaSets/etc., for any namespaces they have access -to based on other [Cluster]RoleBindings. If a non-cluster-admin user requires -privileged capabilities for the namespaces they have access to, they require a -new RoleBinding to the **privileged-psp-user** role to create pods directly. -For creating privileged pods through deployments/ReplicaSets/etc., the target -namespace being used will also require a RoleBinding for the corresponding -controller serviceAccounts in kube-system (or generally -**system:serviceaccounts:kube-system**). - -.. rubric:: |proc| - -#. Define the required RoleBinding for the user in the target namespace. - - For example, the following RoleBinding assigns the 'privileged' |PSP| - role to dave-user in the billing-dept-ns namespace, from the examples - in :ref:`Enable Pod Security Policy Checking - `. - - .. code-block:: none - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: dave-privileged-psp-users - namespace: billing-dept-ns - subjects: - - kind: ServiceAccount - name: dave-user - namespace: kube-system - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: privileged-psp-user - - This will enable dave-user to create Pods in billing-dept-ns namespace - subject to the privileged |PSP| policy. - -#. 
Define the required RoleBinding for system:serviceaccounts:kube-system - in the target namespace. - - For example, the following RoleBinding assigns the 'privileged' |PSP| to - all kube-system ServiceAccounts operating in billing-dept-ns namespace. - - .. code-block:: none - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: billing-dept-ns-privileged-psp-users - namespace: billing-dept-ns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: privileged-psp-user - subjects: - - kind: Group - name: system:serviceaccounts:kube-system - apiGroup: rbac.authorization.k8s.io - - This will enable dave-user to create Deployments/ReplicaSets/etc. in - billing-dept-ns namespace subject to the privileged |PSP| policy. - - diff --git a/doc/source/security/kubernetes/disable-pod-security-policy-checking.rst b/doc/source/security/kubernetes/disable-pod-security-policy-checking.rst deleted file mode 100644 index e4f9ecd96..000000000 --- a/doc/source/security/kubernetes/disable-pod-security-policy-checking.rst +++ /dev/null 
@@ -1,34 +0,0 @@ - -.. ecz1590154334366 -.. _disable-pod-security-policy-checking: - -==================================== -Disable Pod Security Policy Checking -==================================== - -.. note:: - - PodSecurityPolicy (PSP) ONLY applies if running on K8S v1.24 or earlier. - PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and removed from K8S v1.25. - Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using - :ref:`Pod Security Admission Controller ` - -You can delete the previously added PodSecurityPolicy service parameter to -disable pod security policy checking. - -.. rubric:: |proc| - -#. Remove the kubernetes **kube_apiserver admission_plugins** system - parameter to exclude PodSecurityPolicy. - - .. code-block:: none - - ~(keystone_admin)]$ system service-parameter-delete - -#. Apply the Kubernetes system parameters. - - .. code-block:: none - - ~(keystone_admin)]$ system service-parameter-apply kubernetes - - diff --git a/doc/source/security/kubernetes/enable-pod-security-policy-checking.rst b/doc/source/security/kubernetes/enable-pod-security-policy-checking.rst deleted file mode 100644 index 3a72d878c..000000000 --- a/doc/source/security/kubernetes/enable-pod-security-policy-checking.rst +++ /dev/null 
@@ -1,39 +0,0 @@ - -.. vca1590088383576 -.. _enable-pod-security-policy-checking: - -=================================== -Enable Pod Security Policy Checking -=================================== - -.. note:: - - PodSecurityPolicy (PSP) ONLY applies if running on K8S v1.24 or earlier. - PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and removed from K8S v1.25. - Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using - :ref:`Pod Security Admission Controller ` - -.. rubric:: |proc| - -#. Set the kubernetes kube_apiserver admission_plugins system parameter to - include PodSecurityPolicy. - - .. code-block:: none - - ~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver admission_plugins=PodSecurityPolicy - -#. Apply the Kubernetes system parameters. - - .. code-block:: none - - ~(keystone_admin)]$ system service-parameter-apply kubernetes - -#. View the automatically added pod security policies. - - .. code-block:: none - - $ kubectl get psp - $ kubectl describe privileged - $ kubectl describe restricted - - diff --git a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst index f45572e62..b9498f22f 100644 --- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst +++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst @@ -44,10 +44,6 @@ Manage Non-Admin Type Users :maxdepth: 1 private-namespace-and-restricted-rbac - pod-security-policies - enable-pod-security-policy-checking - disable-pod-security-policy-checking - assign-pod-security-policies resource-management pod-security-admission-controller-8e9e6994100f diff --git a/doc/source/security/kubernetes/pod-security-admission-controller-8e9e6994100f.rst b/doc/source/security/kubernetes/pod-security-admission-controller-8e9e6994100f.rst index 96c5adeda..4451eb5c7 100644 
--- a/doc/source/security/kubernetes/pod-security-admission-controller-8e9e6994100f.rst +++ b/doc/source/security/kubernetes/pod-security-admission-controller-8e9e6994100f.rst @@ -8,7 +8,7 @@ Pod Security Admission (PSA) Controller is the |PSP| replacement, and this document describes the |PSA| functionality, which is 'beta' quality in Kubernetes v1.24 . -The |PSA| admission controller acts on creation and modification of the pod and +The |PSA| controller acts on creation and modification of the pod and determines if it should be admitted based on the requested security context and the policies defined by Pod Security Standards. diff --git a/doc/source/security/kubernetes/pod-security-policies.rst b/doc/source/security/kubernetes/pod-security-policies.rst deleted file mode 100644 index c17a549c7..000000000 --- a/doc/source/security/kubernetes/pod-security-policies.rst +++ /dev/null 
@@ -1,71 +0,0 @@ - -.. pui1590088143541 -.. _pod-security-policies: - -===================== -Pod Security Policies -===================== - -.. note:: - - PodSecurityPolicy (PSP) ONLY applies if running on K8S v1.24 or earlier. - PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and removed from K8S v1.25. - Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using - :ref:`Pod Security Admission Controller ` - -|PSPs| enable fine-grained authorization of pod creation and updates. - -|PSPs| control access to security sensitive aspects of Pod specifications -such as running of privileged containers, use of host filesystem, running as -root, etc. |PSPs| define a set of conditions that a pod must run with, in -order to be accepted into the system, as well as defaults for the related -fields. |PSPs| are assigned to users through Kubernetes |RBAC| RoleBindings. -See `https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -`__ for -details. - -When enabled, Pod security policy checking will authorize all Kubernetes -API commands against the |PSPs| which the issuer of the command has access -to. If there are no |PSPs| defined in the system or the issuer does not have -access to any |PSPs|, the Pod security policy checking will fail to authorize -the command. - -|prod-long| provides a system service-parameter to enable Pod security -policy checking. Setting this parameter also creates: - -- Two |PSPs| (privileged and restricted) such that users with cluster-admin - role (which has access to all resources) has |PSPs| to authorize against. - -- Two corresponding roles for specifying access to these |PSPs| - (privileged-psp-user and restricted-psp-user), for binding to other - non-admin type subjects. - -- A RoleBinding for the kube-system namespace of the privileged-psp-user Role - to serviceAccounts in kubesystem, such that privileged - Deployments/ReplicaSets/etc. 
can be created by any user with access to - Deployments/ReplicaSets/etc. in the kube-system namespace (e.g. user with - cluster-admin role). - -- A ClusterRoleBinding of the restricted-psp-user Role to any authenticated - user, such that at least restricted Pods can be created by any - authenticated user in any namespaces that user has access to based on other - [Cluster]RoleBindings. - -- A ClusterRoleBinding of the restricted-psp-user Role to serviceAccounts in - kube-system, such that at least restricted Deployments/ReplicaSets/etc. can - be created by any authenticated user in any namespaces that user has access - to based on other [Cluster]RoleBindings. - -PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and will be -removed in v1.25. PSP will continue to be fully functional until being removed -in v1.25. - -Since first introduced PSP has shown some serious usability problems. - -The way PSPs are applied to Pods has proven confusing especially when trying to -use them. It is easy to accidentally grant broader permissions than intended, -and difficult to inspect which PSPs apply in a certain situation. - -As a beta feature, Kubernetes offers a built-in Pod Security Admission (PSA) -controller, the successor to PSP. See :ref:`Technology Preview - Pod Security -Admission Controller `. diff --git a/doc/source/security/kubernetes/resource-management.rst b/doc/source/security/kubernetes/resource-management.rst index e89e6eadb..daa1ca508 100644 --- a/doc/source/security/kubernetes/resource-management.rst +++ b/doc/source/security/kubernetes/resource-management.rst 
@@ -44,8 +44,8 @@ Specifically a **LimitRange** policy provides constraints that can: See `https://kubernetes.io/docs/concepts/policy/limit-range/ `__ for more details. An example of **LimitRange** policies for the billing-dept-ns namespace of -the example in :ref:`Assign Pod Security Policies -` is shown below: +the example in :ref:`Private Namespace and Restricted RBAC +` is shown below: .. code-block:: none @@ -107,7 +107,6 @@ the example in :ref:`Assign Pod Security Policies type: Pod - .. _resource-management-section-ur2-q5m-tlb: ------------- @@ -127,7 +126,7 @@ See `https://kubernetes.io/docs/concepts/policy/resource-quotas/ details. An example of **ResourceQuota** policies for the billing-dept-ns namespace -of :ref:`Assign Pod Security Policies ` +of :ref:`Private Namespace and Restricted RBAC ` is shown below: .. code-block:: none @@ -142,4 +141,3 @@ is shown below: persistentvolumeclaims: "1" services.loadbalancers: "2" services.nodeports: "0" -
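Review bot: In doc/source/_vendor/rl-strings.txt (hunks at -255,7, -308,14 and -358,7), the four PSP substitutions are turned into comments with a doubled ".. .." prefix instead of being deleted. Their target topics are removed in this same change, so the commented definitions cannot be re-enabled as written and are dead text; deleting the four lines is cleaner. Before merging, search the tree for any remaining use of |pod-security-policies|, |assign-pod-security-policies|, |enable-pod-security-policy-checking| or |disable-pod-security-policy-checking|, because a use left behind now refers to an undefined substitution.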
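Review bot: In doc/source/archive/configuration/k8s_res_policies.rst, the new ":ref:`private-namespace-and-restricted-rbac`" (hunk at -35,7) has no explicit link text and points at a label this patch does not define; the only visible occurrence of that name is as a toctree document entry in index-security-kub-81153c1254c3.rst. Confirm the label exists ahead of a section title in that topic and that the topic actually carries the billing-dept-ns example the sentence refers to, or give the reference explicit text as resource-management.rst does. The same file also gains a blank line before the title overline (hunk at -1,3) and two blank lines before the ResourceQuota heading (hunk at -96,6); these look unintended and can be dropped.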
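Review bot: In doc/source/archive/configuration/k8s_res_policies.rst (hunk at -109,19), the whole ResourceQuota example is deleted, while the matching hunk in doc/source/security/kubernetes/resource-management.rst keeps the same example and only re-points its reference. The removed YAML is a plain ResourceQuota (persistentvolumeclaims, services.loadbalancers, services.nodeports) with nothing PSP-specific in it, so the archived topic is left with a ResourceQuota section that has no example. Suggest keeping the block and changing only the ":doc:`k8s_pod_sec_policies`" reference, as was done for the LimitRange paragraph in the same file.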
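Review bot: In doc/source/security/kubernetes/pod-security-admission-controller-8e9e6994100f.rst (hunk at -8,7), the unchanged context line just above the edit still reads "which is 'beta' quality in Kubernetes v1.24 ." although the change is made for the transition to k8s 1.25/1.26. With every PSP topic removed, this is the only remaining pod security topic in the section, so that sentence should be updated to the target Kubernetes versions in this patch, and the stray space before the period removed.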
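Review bot: The deleted topics (archive/configuration/k8s_pod_sec_policies.rst and the four files under security/kubernetes/) held the only description of the "admission_plugins=PodSecurityPolicy" service parameter, including the procedure to remove it with "system service-parameter-delete" and "system service-parameter-apply kubernetes", and nothing in the patch carries that forward. If operators who enabled PSP checking on v1.24 or earlier need to remove that parameter or replace their privileged-psp-user and restricted-psp-user RoleBindings when moving to 1.25/1.26, add a short migration note to the Pod Security Admission Controller topic. Please also confirm that no other topic still uses ":ref:" to the removed labels (pod-security-policies, assign-pod-security-policies, enable-pod-security-policy-checking, disable-pod-security-policy-checking); only k8s_res_policies.rst and resource-management.rst are re-pointed here.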