feat(security): add Pod Security Standards (PSA) namespace configurations

- Add namespace templates for privileged, baseline, and restricted levels - Include compliant deployment examples for baseline and restricted - Add migration audit script for checking namespace compliance - Document PSA levels, enforcement modes, and migration strategy Follows Kubernetes Pod Security Admission best practices for 2025+. Reference: https://kubernetes.io/docs/concepts/security/pod-security-standards/
2026-02-10 06:45:09 +00:00 · 2026-02-06 18:02:00 +00:00
parent ef86c1a6c7
commit 58e8140f36
8 changed files with 380 additions and 1 deletions
--- a/pod-security/migration/audit-namespaces.sh
+++ b/pod-security/migration/audit-namespaces.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+# audit-namespaces.sh - Check PSA compliance across all namespaces
+# Usage: ./audit-namespaces.sh [restricted|baseline]
+
+set -euo pipefail
+
+LEVEL="${1:-restricted}"
+
+echo "=== Pod Security Standards Compliance Audit ==="
+echo "Target level: $LEVEL"
+echo "Date: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+echo ""
+
+# Get all namespaces
+NAMESPACES=$(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}')
+
+for NS in $NAMESPACES; do
+  # Skip system namespaces
+  if [[ "$NS" == "kube-system" || "$NS" == "kube-public" || "$NS" == "kube-node-lease" ]]; then
+    echo "[$NS] SKIPPED (system namespace)"
+    continue
+  fi
+
+  # Check current PSA labels
+  CURRENT_LEVEL=$(kubectl get namespace "$NS" -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}' 2>/dev/null || echo "none")
+
+  # Dry-run label to check violations
+  echo ""
+  echo "=== Namespace: $NS (current: $CURRENT_LEVEL) ==="
+
+  # Use --dry-run to preview what would be blocked
+  kubectl label namespace "$NS" \
+    "pod-security.kubernetes.io/enforce=$LEVEL" \
+    "pod-security.kubernetes.io/warn=$LEVEL" \
+    --dry-run=server \
+    --overwrite 2>&1 | grep -E "(Warning|Error)" || echo "✓ No violations detected"
+
+  # List pods that might violate
+  echo ""
+  echo "Pods in namespace:"
+  kubectl get pods -n "$NS" -o wide --no-headers 2>/dev/null | head -5 || echo "  (no pods)"
+done
+
+echo ""
+echo "=== Audit Complete ==="
+echo ""
+echo "To apply restricted level to a namespace:"
+echo "  kubectl label namespace <name> \\"
+echo "    pod-security.kubernetes.io/enforce=restricted \\"
+echo "    pod-security.kubernetes.io/audit=restricted \\"
+echo "    pod-security.kubernetes.io/warn=restricted \\"
+echo "    --overwrite"