- Add namespace templates for privileged, baseline, and restricted levels
- Include compliant deployment examples for baseline and restricted
- Add migration audit script for checking namespace compliance
- Document PSA levels, enforcement modes, and migration strategy

Follows Kubernetes Pod Security Admission best practices for 2025+.
Reference: https://kubernetes.io/docs/concepts/security/pod-security-standards/
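---
# Baseline namespace - for most application workloads
# Prevents known privilege escalations while allowing common configurations
#
# NOTE(review): Pod Security Admission is only as strong as control over the
# labels below. Any principal allowed to update/patch this Namespace object can
# relax or remove them, so restrict that verb via RBAC (or guard the
# pod-security.kubernetes.io/* labels with a validating admission policy) and
# keep the exemption list in the PodSecurity admission configuration minimal -
# exempted users, RuntimeClasses and namespaces bypass these checks entirely.
apiVersion: v1
kind: Namespace
metadata:
  name: baseline-apps
  labels:
    # PSA labels - baseline enforcement with restricted auditing.
    # Only `enforce` rejects Pods; `audit` and `warn` never block anything, so a
    # Pod that violates restricted but satisfies baseline is still admitted and
    # merely recorded in the audit log / reported as an API warning.
    pod-security.kubernetes.io/enforce: baseline
    # 'latest' re-evaluates the policy with whatever standard version the
    # control plane ships after each upgrade, so previously admitted Pod specs
    # can start being rejected. Pin to a specific version (vX.Y) in production
    # so admission behaviour only changes through a deliberate label edit.
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted  # Audit at higher level
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: restricted  # Warn about restricted violations
    pod-security.kubernetes.io/warn-version: latest
    # Metadata - informational only, not read by the PodSecurity admission plugin
    environment: production
    security-level: baseline
  annotations:
    description: "Baseline security for standard application workloads"

# Baseline allows:
# - Default container configurations
# - Non-privileged containers
# - Running as root (runAsNonRoot is only required by restricted)
# - Standard capabilities (NET_BIND_SERVICE, etc.)
#
# Baseline blocks:
# - Privileged containers
# - Host namespaces (hostPID, hostIPC, hostNetwork)
# - Host path volumes
# - Privileged capabilities
#
# NOTE(review): the lists above are a summary, not the full standard. Baseline
# also restricts hostPorts, seccomp/AppArmor "Unconfined", custom SELinux
# options, unmasked /proc mounts and non-default sysctls; see the Pod Security
# Standards page for the authoritative field-by-field checks.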