Baseline Pod Security Standards

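The baseline profile of the Pod Security Standards is a collection of the most basic and important steps that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile may be assigned to the cluster through a single rule. This policy applies the baseline profile, at the latest version of the Pod Security Standards, cluster-wide. As defined here, validationFailureAction is set to Audit, so violating Pods are reported rather than blocked, and because background is true, existing Pods are scanned as well as new admissions.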

Policy Definition

/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: podsecurity-subrule-baseline
  annotations:
    policies.kyverno.io/title: Baseline Pod Security Standards
    policies.kyverno.io/category: Pod Security, EKS Best Practices
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.8.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The baseline profile of the Pod Security Standards is a collection of the
      most basic and important steps that can be taken to secure Pods. Beginning
      with Kyverno 1.8, an entire profile may be assigned to the cluster through a
      single rule. This policy configures the baseline profile through the latest
      version of the Pod Security Standards cluster wide.
spec:
  background: true
  validationFailureAction: Audit
  rules:
  - name: baseline
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      podSecurity:
        level: baseline
        version: latest
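
To test the policy, the two Pod manifests below can be used as fixtures: the first breaks three baseline controls and should be flagged by the rule, the second should pass. They are an added example, not part of the Kyverno policy library; the Pod names, image reference and mount paths are constructed placeholders.

```yaml
# Constructed sample: violates three baseline controls.
apiVersion: v1
kind: Pod
metadata:
  name: baseline-violating            # hypothetical name
  namespace: default
spec:
  hostNetwork: true                   # Host Namespaces control
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    securityContext:
      privileged: true                # Privileged Containers control
    volumeMounts:
    - name: host-root
      mountPath: /host
  volumes:
  - name: host-root
    hostPath:                         # HostPath Volumes control
      path: /
---
# Constructed sample: satisfies the baseline profile.
apiVersion: v1
kind: Pod
metadata:
  name: baseline-compliant            # hypothetical name
  namespace: default
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    securityContext:
      privileged: false
      capabilities:
        drop: ["ALL"]
        add: ["NET_BIND_SERVICE"]     # on the baseline capability allow-list
    volumeMounts:
    - name: scratch
      mountPath: /tmp/scratch
  volumes:
  - name: scratch
    emptyDir: {}                      # non-host volume type, allowed by baseline
```

With validationFailureAction left at Audit, the first Pod is still admitted and the violation appears only in the policy report; setting it to Enforce makes the admission request fail instead.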