Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Warning

This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.

Applying Security Policies to Pods

Kubernetes defines Pod Security Standards (hereafter PSS) as recommended configurations for Pod security to reduce security risks. PFCP applies Pod security profiles compliant with these standards.

PSS provides three policy options: Restricted, Baseline, and Privileged. PFCP defaults to the Baseline policy, which maintains relatively relaxed restrictions on container workloads while providing protection against known privilege escalation vulnerabilities.

For enhanced Pod security, the Restricted policy is also available. By adding the policy.preferred.jp/pod-security: restricted label to a Pod, you enforce the Restricted policy and prevent the creation of Pods that violate its security requirements.

Note

The Privileged policy, which permits privilege escalation, is unavailable.

For detailed information about each PSS policy, please refer to the official Kubernetes documentation.

Profile Usage for the MN-Core Series

When creating Pods that request resources from the MN-Core series, automatic assignment of the SYS_NICE capability is performed to accelerate computation using MN-Core series hardware1. This enhancement applies exclusively to Pods requesting MN-Core series resources. For Pods that do not request MN-Core series resources, compliance with the PSS Baseline policy prevents the assignment of SYS_NICE capability.


  1. This is not a standard Kubernetes feature but is a unique extension provided by PFCP.