Enforce Pod Security Standards with Namespace Labels

    Pod Security Admission was available by default in Kubernetes v1.23, as a beta. From version 1.25 onwards, Pod Security Admission is generally available.

    To check the version, enter kubectl version.

    • Generates a user-facing warning and adds an audit annotation to any created pod that does not meet the restricted policy requirements.
    • Pins the versions of the baseline and restricted policies to v1.27.

    Note: When an enforce policy (or version) label is added or changed, the admission plugin will test each pod in the namespace against the new policy. Violations are returned to the user as warnings.

    It is helpful to apply the --dry-run flag when initially evaluating security profile changes for namespaces. The Pod Security Standard checks will still be run in dry run mode, giving you information about how the new policy would treat existing pods, without actually updating a policy.

    Note that this is not setting an enforce level, so that namespaces that haven’t been explicitly evaluated can be distinguished. You can list namespaces without an explicitly set enforce level using this command:

    Applying to a single namespace

    You can update a specific namespace as well. This command adds the enforce=restricted policy to my-existing-namespace, pinning the restricted policy version to v1.27.
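    As an added example (not part of the Kubernetes documentation), the Python script below models the label semantics the labelling steps above rely on: it resolves the effective level and version for each mode (enforce, audit, warn) on a namespace, flags malformed label values before they are applied, and reproduces the "namespaces without an explicit enforce level" check over a constructed set of namespaces. The namespace data is constructed inline in the shape of metadata.labels from kubectl get ns -o json output; the function names are my own.

```python
# Added example, not from the Kubernetes docs: review pod-security.kubernetes.io
# labels on a set of namespaces before applying them with kubectl label.
# SAMPLE_NAMESPACES is constructed to mimic metadata.labels from
# "kubectl get ns -o json" at different stages of a rollout.
import re

PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
LEVELS = ("privileged", "baseline", "restricted")
VERSION_RE = re.compile(r"^(latest|v1\.\d+)$")  # accepted -version values

# Constructed sample: four namespaces at different stages of the rollout.
SAMPLE_NAMESPACES = {
    "my-baseline-namespace": {
        PREFIX + "enforce": "baseline", PREFIX + "enforce-version": "v1.27",
        PREFIX + "warn": "restricted", PREFIX + "warn-version": "v1.27",
        PREFIX + "audit": "restricted", PREFIX + "audit-version": "v1.27",
    },
    "legacy-app": {PREFIX + "audit": "baseline", PREFIX + "warn": "baseline"},
    "typo-ns": {PREFIX + "enforce": "restricted", PREFIX + "enforce-version": "1.27"},
    "unlabeled": {"team": "platform"},
}

def effective_policy(labels):
    """Return {mode: (level, version)} for each mode set on the namespace.
    A mode without a matching -version label defaults to 'latest', as the
    admission plugin does; bad label values are collected under 'errors'."""
    result, errors = {}, []
    for mode in MODES:
        level = labels.get(PREFIX + mode)
        if level is None:
            continue  # mode not configured on this namespace
        version = labels.get(PREFIX + mode + "-version", "latest")
        if level not in LEVELS:
            errors.append(f"{mode}: unknown level {level!r}")
        if not VERSION_RE.match(version):
            errors.append(f"{mode}-version: bad value {version!r} (want latest or v1.NN)")
        result[mode] = (level, version)
    result["errors"] = errors
    return result

def namespaces_without_enforce(namespaces):
    """Same result as the selector '!pod-security.kubernetes.io/enforce'."""
    return sorted(n for n, l in namespaces.items() if PREFIX + "enforce" not in l)

if __name__ == "__main__":
    for name, labels in SAMPLE_NAMESPACES.items():
        print(name, effective_policy(labels))
    print("no enforce level:", namespaces_without_enforce(SAMPLE_NAMESPACES))
```

Namespaces reported by namespaces_without_enforce are the ones that still only carry audit/warn labels (or nothing), so they are the candidates for a --dry-run=server evaluation before an enforce label is added.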