feat(security): add Pod Security Standards (PSA) namespace configurations

- Add namespace templates for privileged, baseline, and restricted levels - Include compliant deployment examples for baseline and restricted - Add migration audit script for checking namespace compliance - Document PSA levels, enforcement modes, and migration strategy Follows Kubernetes Pod Security Admission best practices for 2025+. Reference: https://kubernetes.io/docs/concepts/security/pod-security-standards/
2026-02-10 14:55:02 +00:00 · 2026-02-06 18:02:00 +00:00
parent ef86c1a6c7
commit 58e8140f36
8 changed files with 380 additions and 1 deletions
--- a/pod-security/namespaces/restricted.yaml
+++ b/pod-security/namespaces/restricted.yaml
@@ -0,0 +1,34 @@
+# Restricted namespace - maximum security hardening
+# For sensitive workloads and untrusted code
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: restricted-apps
+  labels:
+    # PSA labels - restricted at all levels
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+    # Metadata
+    environment: production
+    security-level: restricted
+  annotations:
+    description: "Restricted security for sensitive and untrusted workloads"
+---
+# Restricted REQUIRES:
+# - runAsNonRoot: true
+# - allowPrivilegeEscalation: false
+# - Drop ALL capabilities (except NET_BIND_SERVICE)
+# - seccompProfile: RuntimeDefault or Localhost
+# - Read-only root filesystem (recommended)
+#
+# Restricted BLOCKS:
+# - Everything baseline blocks, plus:
+# - Running as root
+# - Privilege escalation
+# - Most capabilities
+# - HostPath volumes
+# - Writable root filesystems (warning only)