**NOTE:** The PSP replacement has been announced.
This project is just a stopgap until it is replaced.
# Pod Security Admission
pod-security-admission is a set of Kubernetes Admission Webhooks that enforce the Pod Security Standards.
pod-security-admission aims to be a simple Pod Security Policy replacement.
It is not a policy engine, and users cannot write their own policies with it.
If you need that flexibility, I recommend using a policy engine such as OPA/Gatekeeper or Kyverno.
## Getting started

Please see `getting-started.md` to deploy pod-security-admission to your Kubernetes cluster.
## Policies

pod-security-admission provides 3 policy types based on the Pod Security Standards.
### Privileged

The Privileged policy is entirely unrestricted.
The admission webhooks do nothing to Pods in namespaces carrying the Privileged label.
This policy should be applied to Pods that are core components of the Kubernetes cluster, such as network plugins.

This policy is applied to Pods that belong to namespaces with the following label:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: your-namespace
  labels:
    pod-security.cybozu.com/policy: privileged
```
### Baseline

The Baseline policy is a basic policy that applies to Pods of most applications.
This policy prohibits the creation of Pods that violate the following rules:

This policy is applied to Pods that belong to all namespaces except privileged ones.
### Restricted

The Restricted policy is a stricter policy that applies to Pods of security-sensitive applications.
In addition to the Baseline rules, this policy prohibits the creation of Pods that violate the following rules:

Furthermore, if a Pod violates Running as Non-root, the mutating webhook forcibly rewrites its securityContext.

This policy is applied to Pods that belong to namespaces with the following label:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: your-namespace
  labels:
    pod-security.cybozu.com/policy: restricted
```
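The following is an added example (not the project's own code) of how the namespace label selects a policy and how the Running as Non-root rule is checked and, in restricted namespaces, forcibly rewritten. It uses constructed stand-ins for the Pod types instead of `k8s.io/api`, assumes the rewrite sets `runAsNonRoot: true` on each regular container (the page does not show the webhook's exact patch), and deliberately leaves ephemeral containers alone, as the Limitations section describes.

```go
package main

// Constructed, simplified stand-ins for the Kubernetes API types (not k8s.io/api).
type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}
type Container struct {
	Name            string
	SecurityContext SecurityContext
}
type Pod struct {
	Containers          []Container
	EphemeralContainers []Container // never checked or mutated (see Limitations)
}

// policyFor maps the namespace label to a policy; unlabeled namespaces get baseline.
func policyFor(nsLabels map[string]string) string {
	if v := nsLabels["pod-security.cybozu.com/policy"]; v == "privileged" || v == "restricted" {
		return v
	}
	return "baseline"
}

// violatesNonRoot flags an explicit runAsUser: 0 or a missing runAsNonRoot: true guard.
func violatesNonRoot(c Container) bool {
	sc := c.SecurityContext
	if sc.RunAsUser != nil && *sc.RunAsUser == 0 {
		return true
	}
	return sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot
}

// Mutate forces runAsNonRoot: true on every regular container of a Pod in a restricted
// namespace (assumed rewrite, not the project's exact patch) and returns how many were changed.
func Mutate(pod *Pod, nsLabels map[string]string) int {
	if policyFor(nsLabels) != "restricted" {
		return 0
	}
	n, yes := 0, true
	for i := range pod.Containers {
		sc := &pod.Containers[i].SecurityContext
		if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
			sc.RunAsNonRoot, n = &yes, n+1
		}
	}
	return n
}
```

Note that a container with an explicit `runAsUser: 0` still violates the rule after the rewrite, which is why the validating webhook runs after the mutating one.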
## Documentation

The `docs` directory contains documents about designs and specifications.
## Limitations

The behavior of the webhooks is intentionally restricted as follows:

- The validating webhook does not deny an ephemeral container from running as the root user.
- The mutating webhook does not force an ephemeral container to run as a non-root user.

This is because the `kubectl debug` command cannot specify a user to run ephemeral containers as.
We have to wait until the following issue is resolved:
https://github.com/kubernetes/kubectl/issues/1108
## Docker images

Docker images are available on Quay.io.
## License

pod-security-admission is licensed under the Apache License, Version 2.0.