NOTE: The PSP replacement has been announced. This project is just a stopgap until it is replaced.
pod-security-admission is a set of Kubernetes Admission Webhooks to ensure Pod Security Standards v1.30.
pod-security-admission aims to be a simple Pod Security Policy replacement.
This is not a policy engine and users cannot write their own policies flexibly. If you want to do that, I recommend using a policy engine such as OPA/Gatekeeper or Kyverno.
Please see the getting-started.md to deploy pod-security-admission to your Kubernetes cluster.
pod-security-admission provides 3 policy types based on Pod Security Standards.
The Privileged policy is an entirely unrestricted policy. The admission webhook does nothing to the Pods in namespaces with the Privileged label.
This policy should be applied to the Pods that are the core components for the Kubernetes cluster, such as network plugins.
This policy will be applied to Pods that belong to namespaces with the following label:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: your-namespace
  labels:
    pod-security.cybozu.com/policy: privileged
```
The Baseline policy is a basic policy that applies to Pods for many applications.
This policy prohibits the creation of Pods that violate the following rules:
This policy will be applied to Pods that belong to all namespaces except privileged.
The Restricted policy is a restricted policy that applies to Pods for secure applications.
In addition to the Baseline rules, this policy prohibits the creation of Pods that violate the following rules:
Furthermore, if a Pod violates Running as Non-root, the mutating webhook will rewrite the securityContext forcibly.
This policy will be applied to Pods that belong to namespaces with the following label:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: your-namespace
  labels:
    pod-security.cybozu.com/policy: restricted
```
The docs directory contains documents about designs and specifications.
The behavior of the webhooks is restricted intentionally as follows:
- Validating Webhook does not deny an ephemeral container from running as root user.
- Mutating Webhook does not force an ephemeral container to run as non-root user.
This is because the kubectl debug command cannot specify a user to run ephemeral containers.
We have to wait until the following Issue is completed: kubernetes/kubectl#1108
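The policy selection by namespace label and the Restricted mutation described above, written out as an added example (not the project's own code). It assumes simplified stand-ins for the corev1 Pod types and assumes that the mutation sets `runAsNonRoot: true` on regular containers while leaving ephemeral containers untouched, as the note on kubectl debug requires.

```go
package main

// Label that selects a namespace's policy (from the README).
const PolicyLabel = "pod-security.cybozu.com/policy"

// Minimal stand-ins for the corev1 Pod fields used here (assumption: the
// real webhook works on k8s.io/api/core/v1 types).
type SecurityContext struct {
	RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
}
type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}
type PodSpec struct {
	Containers          []Container `json:"containers"`
	EphemeralContainers []Container `json:"ephemeralContainers,omitempty"`
}

// SelectPolicy: privileged and restricted come from the label; any other
// namespace falls under baseline.
func SelectPolicy(nsLabels map[string]string) string {
	if p := nsLabels[PolicyLabel]; p == "privileged" || p == "restricted" {
		return p
	}
	return "baseline"
}

// ForceNonRoot mirrors the restricted-policy mutation (assumed form): a regular
// container lacking runAsNonRoot=true gets it set; ephemeral containers are
// skipped because kubectl debug cannot set their user. Returns rewritten names.
func ForceNonRoot(spec *PodSpec) []string {
	var rewritten []string
	for i := range spec.Containers {
		c := &spec.Containers[i]
		if c.SecurityContext == nil {
			c.SecurityContext = &SecurityContext{}
		}
		if sc := c.SecurityContext; sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
			t := true
			sc.RunAsNonRoot = &t
			rewritten = append(rewritten, c.Name)
		}
	}
	return rewritten
}
```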
Docker images are available on ghcr.io
pod-security-admission is licensed under the Apache License, Version 2.0.