ghndrx/k8s-manifests
1
0
Fork 0
mirror of https://github.com/ghndrx/k8s-manifests.git synced 2026-02-10 06:45:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
58e8140f363f4cf06bb92cdcd0871abeac2eca1a
k8s-manifests/pod-security/examples/baseline-deployment.yaml
Greg Hendrickson 58e8140f36 feat(security): add Pod Security Standards (PSA) namespace configurations 
- Add namespace templates for privileged, baseline, and restricted levels
- Include compliant deployment examples for baseline and restricted
- Add migration audit script for checking namespace compliance
- Document PSA levels, enforcement modes, and migration strategy

Follows Kubernetes Pod Security Admission best practices for 2025+.
Reference: https://kubernetes.io/docs/concepts/security/pod-security-standards/
2026-02-06 18:02:09 +00:00

75 lines
1.8 KiB
YAML
Raw Blame History

# Example deployment compliant with BASELINE Pod Security Standard
# Suitable for most application workloads
apiVersion: apps/v1
kind: Deployment
metadata:
name: standard-app
namespace: baseline-apps
labels:
app: standard-app
security.kubernetes.io/compliant: "baseline"
spec:
replicas: 2
selector:
matchLabels:
app: standard-app
template:
metadata:
labels:
app: standard-app
spec:
# Baseline allows running as root, but we still recommend non-root
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: nginx:1.27
ports:
- containerPort: 80
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
# Baseline allows writable root filesystem
# readOnlyRootFilesystem: false # default
capabilities:
drop:
- ALL
add:
# Baseline allows these capabilities
- NET_BIND_SERVICE
- CHOWN
- SETGID
- SETUID
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 10
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 5
# Service account with minimal permissions
serviceAccountName: default
automountServiceAccountToken: false
Reference in New Issue View Git Blame Copy Permalink