我的书签
添加书签
移除书签Pod Security Admission
FEATURE STATE: Kubernetes v1.23 [beta]
The Kubernetes Pod Security Standards define different isolation levels for Pods. These standards let you define how you want to restrict the behavior of pods in a clear, consistent fashion.
As an Beta feature, Kubernetes offers a built-in Pod Security , the successor to PodSecurityPolicies. Pod security restrictions are applied at the level when pods are created.
Note: The PodSecurityPolicy API is deprecated and will be removed from Kubernetes in v1.25.
In v1.23, the PodSecurity is a Beta feature and is enabled by default.
In v1.22, the PodSecurity feature gate is an Alpha feature and must be enabled in kube-apiserver in order to use the built-in admission plugin.
Alternative: installing the admission webhook
A pre-built container image, certificate generation scripts, and example manifests are available at https://git.k8s.io/pod-security-admission/webhook.
To install:
Note: The generated certificate is valid for 2 years. Before it expires, regenerate the certificate or remove the webhook in favor of the built-in admission plugin.
Pod Security admission places requirements on a Pod’s and other related fields according to the three levels defined by the Pod Security Standards: privileged, baseline, and restricted. Refer to the page for an in-depth look at those requirements.
Pod Security Admission labels for namespaces
Once the feature is enabled or the webhook is installed, you can configure namespaces to define the admission control mode you want to use for pod security in each namespace. Kubernetes defines a set of that you can set to define which of the predefined Pod Security Standard levels you want to use for a namespace. The label you select defines what action the control plane takes if a potential violation is detected:
A namespace can configure any or all modes, or even set a different level for different modes.
Check out to see example usage.
Pods are often created indirectly, by creating a workload object such as a or Job. The workload object defines a Pod template and a for the workload resource creates Pods based on that template. To help catch violations early, both the audit and warning modes are applied to the workload resources. However, enforce mode is not applied to workload resources, only to the resulting pod objects.
Exemptions
You can define exemptions from pod security enforcement in order allow the creation of pods that would have otherwise been prohibited due to the policy associated with a given namespace. Exemptions can be statically configured in the .
Exemptions must be explicitly enumerated. Requests meeting exemption criteria are ignored by the Admission Controller (all , audit and warn behaviors are skipped). Exemption dimensions include:
- Usernames: requests from users with an exempt authenticated (or impersonated) username are ignored.
- RuntimeClassNames: pods and workload resources specifying an exempt runtime class name are ignored.
- Namespaces: pods and in an exempt namespace are ignored.
Caution: Most pods are created by a controller in response to a workload resource, meaning that exempting an end user will only exempt them from enforcement when creating pods directly, but not when creating a workload resource. Controller service accounts (such as system:serviceaccount:kube-system:replicaset-controller) should generally not be exempted, as doing so would implicitly exempt any user that can create the corresponding workload resource.
Updates to the following pod fields are exempt from policy checks, meaning that if a pod update request only changes these fields, it will not be denied even if the pod is in violation of the current policy level:
- Any metadata updates except changes to the seccomp or AppArmor annotations:
seccomp.security.alpha.kubernetes.io/pod(deprecated)container.seccomp.security.alpha.kubernetes.io/*(deprecated)
- Valid updates to
- Valid updates to
.spec.tolerations
