Pod Security Standards
Pod Security Standards
Successor of Pod Security Policies
Manages security context (among other things)
spec:
securityContext:
fsGroup: <integer>
runAsGroup: <integer>
runAsNonRoot: <boolean>
runAsUser: <integer>
spec:
containers:
- securityContext:
allowPrivilegeEscalation: <boolean>
capabilities: <Object>
privileged: <boolean>
readOnlyRootFilesystem: <boolean>
runAsGroup: <integer>
runAsNonRoot: <boolean>
runAsUser: <integer>
Policies
Three policies from highly-permissive to highly-restrictive
Privileged Baseline Restricted
Pod Security Admission
Built-in admission controller for pod security
Enabled by default
Cluster-wide enforcement of the Pod Security Standards
| Modes | Description |
|---|---|
| enforce | Violations cause a pod to be rejected |
| audit | Violations will be recorded in the audit log |
| warn | Violations will trigger user-facing message |
Enforce without audit or warn = fail quietly
Enforce with audit or warn = fail with admin log or with user message
Enforce with audit and warn = fail with both admin log and user message
No enforce but audit = succeed but learn about possible outcome
Demo: Pod Security Standard
Opt-in per namespace
Labels control operational mode:
pod-security.kubernetes.io/MODE: POLICY
Labels for all three modes for a single policy are supported
See here for demos