From 22cf07e1dc9a6d722c4de48770827a8519fb5a86 Mon Sep 17 00:00:00 2001 From: Yangmin Zhu Date: Thu, 12 Sep 2019 12:01:30 -0700 Subject: [PATCH] update psp --- content/en/docs/tasks/security/auth-sds/index.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/en/docs/tasks/security/auth-sds/index.md b/content/en/docs/tasks/security/auth-sds/index.md index 31297f5b67ab5..feb043af20609 100644 --- a/content/en/docs/tasks/security/auth-sds/index.md +++ b/content/en/docs/tasks/security/auth-sds/index.md @@ -86,16 +86,16 @@ $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..me As you can see there is no secret file mounted at `/etc/certs` folder. -## Increasing security with pod security policies +## Securing SDS with pod security policies The Istio Secret Discovery Service (SDS) uses the Citadel agent to distribute the certificate to the Envoy sidecar via a Unix domain socket. All pods running in the same Kubernetes node share the Citadel agent and Unix domain socket. -To prevent malicious modifications to the Unix domain socket, enable the [pod security policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) -to restrict the pod's permission on the Unix domain socket. Otherwise, a malicious pod could hijack the -Unix domain socket to break the SDS service or steal the identity credentials from other pods running -on the same Kubernetes node. +To prevent unexpected modifications to the Unix domain socket, enable the [pod security policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) +to restrict the pod's permission on the Unix domain socket. Otherwise, a malicious user who has the +permission to modify the deployment could hijack the Unix domain socket to break the SDS service or +steal the identity credentials from other pods running on the same Kubernetes node. To enable the pod security policy, perform the following steps:
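Review bot: The rewritten paragraph in this hunk mixes two different actors. The unchanged sentence still says the policy is there "to restrict the pod's permission on the Unix domain socket", while the new sentence names "a malicious user who has the permission to modify the deployment" as the threat, so readers are left unsure whether the concern is a pod that is already scheduled on the node or a principal with write access to the Deployment object. Since pod security policies act on what a pod spec may request, the new wording is the more accurate threat model; consider aligning the first sentence with it, e.g. "to restrict what pods on the node may request with respect to the Unix domain socket". Separately, "unexpected modifications" reads weaker than the threat the very next sentence describes; "unauthorized modifications" would keep the security framing of the section title ("Securing SDS with pod security policies") without reintroducing "malicious pod".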