From e7d47c4eb899ed28d48d75c0818da25d096a30fd Mon Sep 17 00:00:00 2001 From: Jess Frazelle Date: Thu, 20 Sep 2018 01:27:37 -0400 Subject: [PATCH] add AllowedProcMountTypes and ProcMountType to docs (#9911) Signed-off-by: Jess Frazelle --- .../docs/concepts/policy/pod-security-policy.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/content/en/docs/concepts/policy/pod-security-policy.md b/content/en/docs/concepts/policy/pod-security-policy.md index 4f528a8d8fe52..27bb494370740 100644 --- a/content/en/docs/concepts/policy/pod-security-policy.md +++ b/content/en/docs/concepts/policy/pod-security-policy.md @@ -42,6 +42,7 @@ administrator to control the following: | Restricting escalation to root privileges | [`allowPrivilegeEscalation`, `defaultAllowPrivilegeEscalation`](#privilege-escalation) | | Linux capabilities | [`defaultAddCapabilities`, `requiredDropCapabilities`, `allowedCapabilities`](#capabilities) | | The SELinux context of the container | [`seLinux`](#selinux) | +| The Allowed Proc Mount types for the container | [`allowedProcMountTypes`](#allowedProcMountTypes) | | The AppArmor profile used by containers | [annotations](#apparmor) | | The seccomp profile used by containers | [annotations](#seccomp) | | The sysctl profile used by containers | [annotations](#sysctl) | 
@@ -554,6 +555,21 @@ for the default list of capabilities when using the Docker runtime. - *RunAsAny* - No default provided. Allows any `seLinuxOptions` to be specified. +### AllowedProcMountTypes + +`allowedProcMountTypes` is a whitelist of allowed ProcMountTypes. +Empty or nil indicates that only the `DefaultProcMountType` may be used. + +`DefaultProcMount` uses the container runtime defaults for readonly and masked +paths for /proc. Most container runtimes mask certain paths in /proc to avoid +accidental security exposure of special devices or information. This is denoted +as the string `Default`. + +The only other ProcMountType is `UnmaskedProcMount`, which bypasses the +default masking behavior of the container runtime and ensures the newly +created /proc the container stays in tact with no modifications. This is +denoted as the string `Unmasked`. + ### AppArmor Controlled via annotations on the PodSecurityPolicy. Refer to the [AppArmor
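Review bot: in the first hunk, the anchor in the new table row, `#allowedProcMountTypes`, does not match the convention of the neighbouring rows (`#selinux`, `#capabilities`, `#privilege-escalation`), which are all lowercase; generated heading ids are normally lowercased, so a link to the new `### AllowedProcMountTypes` section is likely to resolve as `#allowedprocmounttypes` and the mixed-case anchor would not jump to it. The row text "The Allowed Proc Mount types for the container" also reads awkwardly next to "The SELinux context of the container" and "The AppArmor profile used by containers"; suggest `| The proc mount type used by containers | [`allowedProcMountTypes`](#allowedprocmounttypes) |`.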
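Review bot: in the second hunk, the new section uses three different names for the same default value, `DefaultProcMountType` in the "Empty or nil" sentence, `DefaultProcMount` in the next paragraph, and the string `Default`, so a reader cannot tell which spelling goes into the policy; pick one name (the string value is what a user actually writes) and use it throughout, and likewise for `UnmaskedProcMount` versus `Unmasked`. The last paragraph also has a grammar error and a typo: "ensures the newly created /proc the container stays in tact with no modifications" should read "ensures the newly created /proc for the container stays intact, with no modifications". Finally, since the text itself says runtimes mask /proc paths "to avoid accidental security exposure of special devices or information", the section should say plainly that allowing `Unmasked` removes that protection and should only appear in policies bound to workloads that need it, rather than leaving the trade-off implicit.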