Pod Security Standards
The Kubernetes Pod Security Standards define different isolation levels for Pods. These standards let you define how you want to restrict the behavior of pods in a clear, consistent fashion.
Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.
# Privileged
Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations.
# Baseline
Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration.
# Restricted
Heavily restricted policy, following current Pod hardening best practices.
# enforce
Policy violations will cause the pod to be rejected.
# audit
Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed.
# warn
Policy violations will trigger a user-facing warning, but are otherwise allowed.
```yaml
# The per-mode level label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>
# Optional: per-mode version label that can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (for example v1.26).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>
```
Setting these labels allows you to enforce pod security policies that are also controlled via am18 (azurepolicy):
labels enforce=baseline and enforce=restricted.
I would advise using restricted where possible and baseline as standard.
For production it is recommended to run in audit mode for a week or more to check for any affected workloads:
labels audit=baseline and audit=restricted.
For detailed restrictions please see: pod-security-standards
Example usage:
```bash
# Ensure to check warnings before enforcing this policy
kubectl label ns <namespace> pod-security.kubernetes.io/warn=baseline
kubectl label ns <namespace> pod-security.kubernetes.io/warn=restricted
# We advise you to send logs to audit and monitor to check if anything is being blocked.
kubectl label ns <namespace> pod-security.kubernetes.io/audit=baseline
kubectl label ns <namespace> pod-security.kubernetes.io/audit=restricted
# After you have remediated any warnings you can enforce settings.
kubectl label ns <namespace> pod-security.kubernetes.io/enforce=baseline
kubectl label ns <namespace> pod-security.kubernetes.io/enforce=restricted
```
Apply using a script:
```bash
#!/bin/bash
# Get a list of all namespaces in the cluster, one name per line
namespaces=$(kubectl get namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}')
# Apply the enforce label to each namespace
for namespace in $namespaces
do
  kubectl label namespace "$namespace" pod-security.kubernetes.io/enforce=baseline
done
```
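Added example (not from these notes) of the staged rollout described above: warn and audit labels go on immediately, and the enforce label is applied only after a server-side dry run of it comes back without the admission controller's "existing pods ... violate" warning. It assumes kubectl is on the PATH; the pss_* function names, the KUBECTL override and the PSS_* environment variables are my own.

```bash
#!/usr/bin/env bash
# Added example: staged Pod Security Admission rollout. warn and audit are set
# right away; enforce is applied only when a server-side dry run shows that no
# existing pod would violate it. KUBECTL (assumed: kubectl) is overridable.
KUBECTL="${KUBECTL:-kubectl}"

# Validate MODE/LEVEL and print the label as key=value.
pss_label() {
  local mode="$1" level="$2"
  case "$mode" in enforce|audit|warn) ;; *) echo "bad mode: $mode" >&2; return 1 ;; esac
  case "$level" in privileged|baseline|restricted) ;; *) echo "bad level: $level" >&2; return 1 ;; esac
  printf 'pod-security.kubernetes.io/%s=%s\n' "$mode" "$level"
}

# Dry-run the enforce label on the API server. The admission controller answers
# with "Warning: existing pods in namespace ... violate ..." when the namespace
# is not ready; return 0 only when no such warning came back.
pss_enforce_clean() {
  local ns="$1" level="$2" out
  out=$("$KUBECTL" label --overwrite --dry-run=server ns "$ns" \
        "$(pss_label enforce "$level")" 2>&1) || return 1
  ! printf '%s\n' "$out" | grep -q '^Warning:'
}

# One namespace: warn + audit now, enforce only if the dry run was clean.
pss_rollout() {
  local ns="$1" level="$2"
  "$KUBECTL" label --overwrite ns "$ns" \
    "$(pss_label warn "$level")" "$(pss_label audit "$level")" >/dev/null
  if pss_enforce_clean "$ns" "$level"; then
    "$KUBECTL" label --overwrite ns "$ns" "$(pss_label enforce "$level")" >/dev/null
    echo "$ns: enforce=$level applied"
  else
    echo "$ns: enforce=$level NOT applied (existing pods would violate; remediate first)"
  fi
}

# All namespaces except those listed after LEVEL (e.g. kube-system, which
# needs privileged workloads and must keep the privileged level).
pss_rollout_all() {
  local level="$1" ns; shift
  pss_label enforce "$level" >/dev/null || return 1
  for ns in $("$KUBECTL" get namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'); do
    case " $* " in *" $ns "*) echo "$ns: skipped" ;; *) pss_rollout "$ns" "$level" ;; esac
  done
}

# Run with: PSS_APPLY=1 PSS_LEVEL=baseline ./pss-rollout.sh
if [ "${PSS_APPLY:-}" = 1 ]; then pss_rollout_all "${PSS_LEVEL:-baseline}" kube-system; fi
```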