Pod Security Admission (PSA) can be controlled via the assignment of labels at the Namespace level which define the Pod Security Standard (PSS) profile in use and the action to take. If not using a cluster-wide configuration via an AdmissionConfiguration file, Namespaces must be explicitly labeled. This policy assigns the labels `pod-security.kubernetes.io/enforce=baseline` and `pod-security.kubernetes.io/warn=restricted` to all new Namespaces if those labels are not included.
apiVersion: policies.kyverno.io/v1alpha1kind: MutatingPolicymetadata:name: add-psa-labelsannotations:policies.kyverno.io/title: Add PSA Labelspolicies.kyverno.io/category: Pod Security Admission, EKS Best Practicespolicies.kyverno.io/severity: mediumkyverno.io/kyverno-version: 1.7.1policies.kyverno.io/minversion: 1.6.0kyverno.io/kubernetes-version: "1.24"policies.kyverno.io/subject: Namespacepolicies.kyverno.io/description: Pod Security Admission (PSA) can be controlled via the assignment of labels at the Namespace level which define the Pod Security Standard (PSS) profile in use and the action to take. If not using a cluster-wide configuration via an AdmissionConfiguration file, Namespaces must be explicitly labeled. This policy assigns the labels `pod-security.kubernetes.io/enforce=baseline` and `pod-security.kubernetes.io/warn=restricted` to all new Namespaces if those labels are not included.spec:matchConstraints:resourceRules:- apiGroups:- ""apiVersions:- v1operations:- CREATE- UPDATEresources:- namespacesmatchConditions:- name: needs-psa-labelsexpression: |!has(object.metadata.labels) ||!object.metadata.labels.exists(k, k == 'pod-security.kubernetes.io/enforce') ||!object.metadata.labels.exists(k, k == 'pod-security.kubernetes.io/warn')variables:- name: enforceValueexpression: |has(object.metadata.labels) &&object.metadata.labels.exists(k, k == 'pod-security.kubernetes.io/enforce') ?object.metadata.labels['pod-security.kubernetes.io/enforce'] : 'baseline'- name: warnValueexpression: |has(object.metadata.labels) &&object.metadata.labels.exists(k, k == 'pod-security.kubernetes.io/warn') ?object.metadata.labels['pod-security.kubernetes.io/warn'] : 'restricted'mutations:- patchType: ApplyConfigurationapplyConfiguration:expression: |Object{metadata: Object.metadata{labels: {"pod-security.kubernetes.io/enforce": string(variables.enforceValue),"pod-security.kubernetes.io/warn": string(variables.warnValue)}}}
According to EKS best practices, the `aws-node` DaemonSet is configured to use a role assigned to the EC2 instances to assign IPs to Pods. This role includes several AWS managed policies that effectively allow all Pods running on a Node to attach/detach ENIs, assign/unassign IP addresses, or pull images from ECR. Since this presents a risk to your cluster, it is recommended that you update the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on the mounted volume that persists the state. An immutable root filesystem can also prevent malicious binaries from writing to the host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`.