Warning
This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.
Applying Security Policies to Pods
Kubernetes defines Pod Security Standards (hereafter PSS) as recommended configurations for Pod security to reduce security risks. PFCP applies Pod security profiles compliant with these standards.
PSS provides three policy options: Restricted, Baseline, and Privileged. PFCP defaults to the Baseline policy, which maintains relatively relaxed restrictions on container workloads while providing protection against known privilege escalation vulnerabilities.
For enhanced Pod security, the Restricted policy is also available.
By adding the policy.preferred.jp/pod-security: restricted label to a Pod, you enforce the Restricted policy and prevent the creation of Pods that violate its security requirements.
Note
The Privileged policy, which permits privilege escalation, is unavailable.
For detailed information about each PSS policy, please refer to the official Kubernetes documentation.
Profile Usage for the MN-Core Series
When creating Pods that request resources from the MN-Core series, automatic assignment of the SYS_NICE capability is performed to accelerate computation using MN-Core series hardware1. This enhancement applies exclusively to Pods requesting MN-Core series resources. For Pods that do not request MN-Core series resources, compliance with the PSS Baseline policy prevents the assignment of SYS_NICE capability.
-
This is not a standard Kubernetes feature but is a unique extension provided by PFCP. ↩