Three policies from highly-permissive to highly-restrictive
Privileged, Baseline, Restricted
Built-in admission controller for pod security
Cluster-wide enforcement of the Pod Security Standards
Successor of Pod Security Policies
| Mode | Description |
|---|---|
| enforce | Violations cause the pod to be rejected |
| audit | Violations are recorded in the audit log |
| warn | Violations trigger a user-facing warning |
Opt-in per namespace
Labels control operational mode:
pod-security.kubernetes.io/MODE: POLICY
Labels for all three modes, each naming a policy level, are supported on a single namespace
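A small model of how the namespace labels and the three modes interact, added here as an illustration (this is not kube-apiserver code; it implements only a handful of the Baseline and Restricted rules, and the sample namespace labels and pod are constructed):

```python
# Added illustration of Pod Security Admission (not kube-apiserver code): a
# subset of the Baseline and Restricted checks, applied according to the
# pod-security.kubernetes.io/<MODE> labels on the target namespace.
LABEL_PREFIX = "pod-security.kubernetes.io/"

def violations(pod, level):
    """Violations of `pod` under `level`; Restricted includes all Baseline rules."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    found = []
    if level == "privileged":          # Privileged level forbids nothing
        return found
    # Baseline: no host namespaces, no privileged containers (subset of the real list)
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"spec.{key} is forbidden")
    for c in containers:
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"container {c['name']}: privileged is forbidden")
    if level == "baseline":
        return found
    # Restricted adds hardening that every container must set explicitly
    for c in containers:
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {c['name']}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f"container {c['name']}: capabilities.drop must include ALL")
    return found

def admit(pod, namespace_labels):
    """Evaluate every configured mode; only `enforce` can reject the pod."""
    outcome = {"allowed": True, "warnings": [], "audit": []}
    for mode in ("enforce", "audit", "warn"):
        level = namespace_labels.get(LABEL_PREFIX + mode)
        if level is None:              # mode not opted in for this namespace
            continue
        problems = violations(pod, level)
        if mode == "enforce" and problems:
            outcome["allowed"] = False
        elif mode == "audit":
            outcome["audit"] += problems
        elif mode == "warn":
            outcome["warnings"] += problems
    return outcome

# Constructed sample: namespace enforces Baseline and warns on Restricted;
# the pod passes Baseline but collects Restricted warnings.
NS_LABELS = {LABEL_PREFIX + "enforce": "baseline", LABEL_PREFIX + "warn": "restricted"}
POD = {"spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]}}
```

Calling `admit(POD, NS_LABELS)` admits the pod with two Restricted warnings, which is the usual rollout pattern: warn or audit on the stricter level first, then move it into `enforce` once the warnings are gone.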
kyverno, the Kubernetes-native policy controller
OPA Gatekeeper, the general purpose policy engine
Focuses on verification of image signatures