Pod Security Standards define the fields and their options which are allowable for Pods to achieve certain security best practices. While these are typically enforced as validation policies, under which a workload is either accepted or rejected based on what it already defines, it is also possible to mutate incoming Pods to reach the desired PSS level rather than reject them. This policy sets all the fields necessary to pass the PSS Restricted profile. Note that it does not attempt to remove non-compliant volumes and volumeMounts; additional policies may be employed for this purpose.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: apply-pss-restricted-profile
  annotations:
    policies.kyverno.io/title: Apply PSS Restricted Profile
    policies.kyverno.io/category: Other, PSP Migration
    kyverno.io/kyverno-version: 1.6.2
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Pod Security Standards define the fields and their options which are allowable
      for Pods to achieve certain security best practices. While these are typically
      validation policies, workloads will either be accepted or rejected based upon
      what has already been defined. It is also possible to mutate incoming Pods to
      achieve the desired PSS level rather than reject. This policy sets all the fields
      necessary to pass the PSS Restricted profile. Note that it does not attempt to
      remove non-compliant volumes and volumeMounts. Additional policies may be
      employed for this purpose.
spec:
  rules:
  - name: add-pss-fields
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 3000
            fsGroup: 2000
          containers:
          - (name): "?*"
            securityContext:
              privileged: false
              capabilities:
                drop:
                - ALL
              allowPrivilegeEscalation: false
```
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write to the mounted volume that persists its state. An immutable root filesystem can also prevent malicious binaries from writing to the host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`.
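The two Pod-hardening policies above (the PSS Restricted mutation and the read-only root filesystem validation) can be modelled offline to see what the mutation changes and what it leaves behind. The following Python is an added illustration, not Kyverno's own code: `apply_pss_restricted_mutation` is a simplified model of the policy's `patchStrategicMerge` (dict values merge, patch scalars win, the `(name): "?*"` anchor is taken to mean "every container"), and `restricted_violations` checks only the Restricted-profile fields those policies touch plus the Restricted volume-type list. `SAMPLE_POD` is a constructed input. The check deliberately shows that, as the description says, a non-compliant `hostPath` volume survives the mutation and still fails the profile.

```python
"""Model a PSS Restricted mutation and check the result (added example, not Kyverno code)."""
import copy

# Field values the apply-pss-restricted-profile policy sets (taken from the policy above).
POD_SECURITY_CONTEXT_DEFAULTS = {
    "seccompProfile": {"type": "RuntimeDefault"},
    "runAsNonRoot": True,
    "runAsUser": 1000,
    "runAsGroup": 3000,
    "fsGroup": 2000,
}
CONTAINER_SECURITY_CONTEXT_DEFAULTS = {
    "privileged": False,
    "capabilities": {"drop": ["ALL"]},
    "allowPrivilegeEscalation": False,
}
# Volume types the Restricted profile permits; the mutation never touches volumes.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def deep_merge(base: dict, patch: dict) -> dict:
    """Strategic-merge-like merge: nested dicts merge recursively, scalars/lists from patch win."""
    out = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def apply_pss_restricted_mutation(pod: dict) -> dict:
    """Simplified model of the policy's patchStrategicMerge rule (assumption, not Kyverno's engine)."""
    mutated = copy.deepcopy(pod)
    spec = mutated.setdefault("spec", {})
    spec["securityContext"] = deep_merge(spec.get("securityContext") or {}, POD_SECURITY_CONTEXT_DEFAULTS)
    for container in spec.get("containers", []):  # (name): "?*" matches every container
        container["securityContext"] = deep_merge(
            container.get("securityContext") or {}, CONTAINER_SECURITY_CONTEXT_DEFAULTS)
    return mutated


def restricted_violations(pod: dict, require_read_only_root: bool = False) -> list[str]:
    """Return the Restricted-profile problems for the fields the policies cover; an empty
    list means the Pod passes. readOnlyRootFilesystem is not part of PSS Restricted, so it
    is only checked when the caller asks for the second policy's requirement."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    problems = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Container-level settings override pod-level ones, as in the PSS definition.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {name!r}: seccompProfile.type must be RuntimeDefault or Localhost")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"container {name!r}: runAsNonRoot must be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name!r}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"container {name!r}: capabilities.drop must include ALL")
        if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            problems.append(f"container {name!r}: only NET_BIND_SERVICE may be added")
        if sc.get("privileged") is True:
            problems.append(f"container {name!r}: privileged must not be true")
        if require_read_only_root and sc.get("readOnlyRootFilesystem") is not True:
            problems.append(f"container {name!r}: readOnlyRootFilesystem must be true")
    for volume in spec.get("volumes", []):
        for kind in (k for k in volume if k != "name"):
            if kind not in RESTRICTED_VOLUME_TYPES:
                problems.append(f"volume {volume.get('name')!r}: type {kind} not allowed by Restricted")
    return problems


# Constructed sample Pod: no securityContext at all and a hostPath volume.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "nginx",
            "image": "nginx:1.25",
            "volumeMounts": [{"name": "host-logs", "mountPath": "/var/log/host"}],
        }],
        "volumes": [{"name": "host-logs", "hostPath": {"path": "/var/log"}}],
    },
}

if __name__ == "__main__":
    print("before mutation:", restricted_violations(SAMPLE_POD))
    mutated = apply_pss_restricted_mutation(SAMPLE_POD)
    print("after mutation: ", restricted_violations(mutated))
    print("with read-only root required:", restricted_violations(mutated, require_read_only_root=True))
```

Running it shows the mutation clearing the seccomp, runAsNonRoot, allowPrivilegeEscalation and capabilities findings while the `hostPath` volume finding remains, and the read-only root filesystem requirement only appears when the second policy's check is switched on, which is why the page treats it as a separate validation policy rather than part of the Restricted mutation.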