mirror of
https://github.com/ghndrx/k8s-manifests.git
synced 2026-02-10 06:45:09 +00:00
- Add namespace templates for privileged, baseline, and restricted levels
- Include compliant deployment examples for baseline and restricted
- Add migration audit script for checking namespace compliance
- Document PSA levels, enforcement modes, and migration strategy

Follows Kubernetes Pod Security Admission best practices for 2025+.

Reference: https://kubernetes.io/docs/concepts/security/pod-security-standards/
1.9 KiB
# Pod Security Standards (PSS) Configuration

Kubernetes Pod Security Admission (PSA) enforces the Pod Security Standards at the namespace level.

## Security Levels
| Level | Description | Use Case |
|---|---|---|
| Privileged | Unrestricted, allows all capabilities | System workloads, CNI, monitoring agents |
| Baseline | Prevents known privilege escalations | Most application workloads |
| Restricted | Hardened, follows best practices | Sensitive/untrusted workloads |
## Enforcement Modes

- `enforce` - Rejects pods that violate the policy
- `audit` - Records violations as annotations in the audit log but allows pods
- `warn` - Sends warnings to the user's client but allows pods
## Quick Start

```bash
# Apply all namespace configurations
kubectl apply -f namespaces/

# Test a deployment against the restricted namespace
kubectl apply -f examples/restricted-deployment.yaml -n restricted-apps
```
## Namespace Configuration

Each namespace is configured with PSA labels. For example, the `restricted-apps` namespace used in the Quick Start carries the restricted level in all three modes:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-apps
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```
## Migration Strategy

- Start with `audit` and `warn` modes to identify violations
- Fix non-compliant workloads
- Enable `enforce` mode
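The migration steps above depend on two questions: which namespaces are still in audit/warn-only mode, and which pod specs would be rejected once `enforce: restricted` is turned on. The following Python script is an added example, not the repository's own `migration/` tooling. It classifies namespaces by their PSA label state and checks a pod spec against a subset of the restricted-profile controls (non-root, no privilege escalation, drop ALL capabilities, RuntimeDefault/Localhost seccomp, no host namespaces). The namespace list and pod specs are constructed inline in the same shape that `kubectl get namespaces -o json` and a pod's `.spec` produce, so the script runs offline; in practice you would load that `kubectl` output instead.

```python
"""Audit helpers for a Pod Security Admission (PSA) migration.

Added example; not part of the ghndrx/k8s-manifests repository. The input
data below is constructed to mirror `kubectl get namespaces -o json` and a
pod `.spec`, so the script runs without a cluster.
"""
import json

PSA_LABEL_PREFIX = "pod-security.kubernetes.io/"
PSA_MODES = ("enforce", "audit", "warn")
PSA_LEVELS = ("privileged", "baseline", "restricted")


def psa_labels(namespace: dict) -> dict:
    """Return {mode: level} for the valid PSA labels set on a namespace."""
    labels = namespace.get("metadata", {}).get("labels", {}) or {}
    found = {}
    for mode in PSA_MODES:
        level = labels.get(PSA_LABEL_PREFIX + mode)
        if level in PSA_LEVELS:
            found[mode] = level
    return found


def classify_namespace(namespace: dict) -> str:
    """Migration state: enforced, privileged, audit-only, or unlabeled."""
    modes = psa_labels(namespace)
    if modes.get("enforce") in ("baseline", "restricted"):
        return "enforced"
    if modes.get("enforce") == "privileged":
        return "privileged"  # explicitly opted out of restrictions
    if "audit" in modes or "warn" in modes:
        return "audit-only"  # step 1 of the migration, not yet enforcing
    return "unlabeled"  # no PSA labels at all; admission applies no level


def audit_report(namespace_list: dict) -> dict:
    """Map namespace name -> migration state for a NamespaceList object."""
    return {ns["metadata"]["name"]: classify_namespace(ns)
            for ns in namespace_list["items"]}


def restricted_violations(pod_spec: dict) -> list:
    """Return violations of a subset of the restricted profile for a pod spec.

    Pod-level securityContext values (runAsNonRoot, seccompProfile) are
    inherited by containers that do not set their own, as PSA evaluates them.
    """
    violations = []
    pod_sc = pod_spec.get("securityContext", {}) or {}
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            violations.append(f"pod: {key} must be false")
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext", {}) or {}
        if sc.get("privileged"):
            violations.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if "ALL" not in ((sc.get("capabilities", {}) or {}).get("drop", [])):
            violations.append(f"{name}: capabilities.drop must include ALL")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


# Constructed sample data (not from a real cluster).
SAMPLE_NAMESPACES = json.loads("""
{"items": [
  {"metadata": {"name": "restricted-apps", "labels": {
     "pod-security.kubernetes.io/enforce": "restricted",
     "pod-security.kubernetes.io/audit": "restricted",
     "pod-security.kubernetes.io/warn": "restricted"}}},
  {"metadata": {"name": "legacy-apps", "labels": {
     "pod-security.kubernetes.io/audit": "baseline",
     "pod-security.kubernetes.io/warn": "baseline"}}},
  {"metadata": {"name": "kube-system", "labels": {
     "pod-security.kubernetes.io/enforce": "privileged"}}},
  {"metadata": {"name": "default"}}
]}
""")

COMPLIANT_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}

NONCOMPLIANT_POD_SPEC = {
    "hostNetwork": True,
    "containers": [{"name": "agent", "image": "example/agent:1.0",
                    "securityContext": {"privileged": True}}],
}

if __name__ == "__main__":
    for name, state in audit_report(SAMPLE_NAMESPACES).items():
        print(f"{name:20} {state}")
    for label, spec in (("compliant", COMPLIANT_POD_SPEC),
                        ("noncompliant", NONCOMPLIANT_POD_SPEC)):
        print(f"{label}: {restricted_violations(spec) or 'OK'}")
```

Namespaces reported as `audit-only` are the ones still at step 1; running `restricted_violations` over the pod specs of their workloads shows what has to be fixed in step 2 before `enforce` is enabled in step 3. The check is intentionally a subset of the restricted profile (it does not cover volume types, sysctls, or `NET_BIND_SERVICE` handling), so treat a clean result as a first pass, not as equivalent to the admission controller's verdict.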
## Files

- `namespaces/` - Pre-configured namespaces for each security level
- `examples/` - Compliant deployment examples for each level
- `migration/` - Tools for auditing existing namespaces