From 57f5c6a65177c8725cb68c4f845a8db77560e118 Mon Sep 17 00:00:00 2001
From: David Kwon
Date: Thu, 30 Jan 2025 19:07:56 -0500
Subject: [PATCH] fix: Update security best practices doc (#2848)
* fix: Update security best practices doc
Signed-off-by: dkwon17
* Update xref
Signed-off-by: dkwon17
---------
Signed-off-by: dkwon17
---
 .../examples/snip_che-curated-access.adoc | 2 +-
 .../pages/security-best-practices.adoc | 19 +++++++++----------
 2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/modules/administration-guide/examples/snip_che-curated-access.adoc b/modules/administration-guide/examples/snip_che-curated-access.adoc
index 83c6957ed3..0e75123a69 100644
--- a/modules/administration-guide/examples/snip_che-curated-access.adoc
+++ b/modules/administration-guide/examples/snip_che-curated-access.adoc
@@ -1,4 +1,4 @@
 With this setup, you achieve a curated access to {prod-short}, where cluster administrators control provisioning for each user and can explicitly configure various settings including resource limits and quotas.
-Learn more about project provisioning in the link:https://eclipse.dev/che/docs/stable/administration-guide/mounting-a-secret-as-a-file-or-an-environment-variable-into-a-container/#mounting-a-secret-or-a-configmap-as-an-environment-variable-into-a-container[product documentation].
\ No newline at end of file
+Learn more about project provisioning in the xref:administration-guide:provisioning-namespaces-in-advance.adoc[].
diff --git a/modules/administration-guide/pages/security-best-practices.adoc b/modules/administration-guide/pages/security-best-practices.adoc
index 1be1515687..f9dbc56922 100644
--- a/modules/administration-guide/pages/security-best-practices.adoc
+++ b/modules/administration-guide/pages/security-best-practices.adoc
@@ -60,10 +60,10 @@ All resources and actions you can grant users permission to use in their {namesp
 |"get", "list", "create"
 |configmaps
-|“get", "list", "create", "update", "patch", "delete"
+|"get", "list", "create", "update", "patch", "delete"
 |events
-|“watch”
+|"list", "watch"
 |secrets
 |"get", "list", "create", "update", "patch", "delete"
@@ -72,10 +72,10 @@ All resources and actions you can grant users permission to use in their {namesp
 |"get", "list", "create", "delete", "update", "patch"
 |routes
-|”get", "list", "create", "delete"
+|"get", "list", "create", "delete"
 |persistentvolumeclaims
-|“get", "list", "watch", "create", "delete", "update", "patch"
+|"get", "list", "watch", "create", "delete", "update", "patch"
 |apps/deployments
 |"get", "list", "watch", "create", "patch", "delete"
@@ -87,7 +87,7 @@ All resources and actions you can grant users permission to use in their {namesp
 |"get", "list"
 |projects
-|“get”
+|"get"
 |devworkspace
 |"get", "create", "delete", "list", "update", "patch", "watch"
@@ -215,8 +215,8 @@ spec:
 .Resource Quotas and Limit Ranges
-Resource Quotas and Limit Ranges are {kubernetes} features you can use to help prevent bad actors or resource abuse within a cluster.
-They help in controlling and managing resource consumption by pods and containers.
+Resource Quotas and Limit Ranges are {kubernetes} features you can use to help prevent bad actors and resource abuse within a cluster.
+Specifically, they allow you to set resource consumption constraints for pods and containers.
 By combining Resource Quotas and Limit Ranges, you can enforce project-specific policies to prevent bad actors from consuming excessive resources.
@@ -227,8 +227,7 @@ More details about link:https://docs.openshift.com/container-platform/4.14/appli
 An air-gapped OpenShift disconnected cluster refers to an OpenShift cluster isolated from the internet or any external network.
-This isolation is often done for security reasons,
-to protect sensitive or critical systems from potential cyber threats.
+This isolation is often done for security reasons to protect sensitive or critical systems from potential cyber threats.
 In an air-gapped environment, the cluster cannot access external repositories or registries to download container images, updates, or dependencies.
@@ -239,7 +238,7 @@ include::example$snip_che-installation-instructions.adoc[]
 By default, {prod} includes the embedded Open VSX registry
-which contains a limited set of extensions used by Microsoft Visual Studio Code -
+which contains a limited set of extensions for the Microsoft Visual Studio Code -
 Open Source editor.
 Alternatively, cluster administrators can specify a different plugin registry in the Custom Resource, e.g. https://open-vsx.org that contains thousands of extensions.