Add Privileged Label to Existing Namespaces
When Pod Security Admission is configured with a cluster-wide AdmissionConfiguration file which sets either baseline or restricted, for example in many PaaS CIS profiles, it may be necessary to relax this to privileged on a per-Namespace basis so that more granular control can be provided. This policy labels new and existing Namespaces, except kube-system, with the `pod-security.kubernetes.io/enforce: privileged` label.
Policy Definition
/psa/add-privileged-existing-namespaces/add-privileged-existing-namespaces.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-privileged-existing-namespaces
  annotations:
    policies.kyverno.io/title: Add Privileged Label to Existing Namespaces
    policies.kyverno.io/category: Pod Security Admission
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      When Pod Security Admission is configured with a cluster-wide AdmissionConfiguration file
      which sets either baseline or restricted, for example in many PaaS CIS profiles, it may
      be necessary to relax this to privileged on a per-Namespace basis so that more
      granular control can be provided. This policy labels new and existing Namespaces, except
      that of kube-system, with the `pod-security.kubernetes.io/enforce: privileged` label.
spec:
  mutateExistingOnPolicyUpdate: true
  rules:
  - name: label-privileged-namespaces
    match:
      any:
      - resources:
          kinds:
          - Namespace
    mutate:
      targets:
      - apiVersion: v1
        kind: Namespace
      patchStrategicMerge:
        metadata:
          <(name): "!kube-system"
          labels:
            pod-security.kubernetes.io/enforce: privileged
```
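The following script is an added illustration, not part of the Kyverno policy library or the Kyverno CLI. It models what the `patchStrategicMerge` above does to a list of Namespaces, honouring the `<(name): "!kube-system"` conditional anchor, and then audits which enforce level each Namespace ends up with. The input shape mirrors the `items` list of `kubectl get namespaces -o json`; the sample Namespaces (`default`, `payments`, `dev`) and their labels are constructed for the example. One thing it makes visible: because the patch writes the label into the `labels` map unconditionally, a Namespace that already carried a stricter `enforce` label (here `payments`, labelled `restricted`) is also widened to `privileged`, so the audit step is worth running before and after rolling out the policy.

```python
"""Model the add-privileged-existing-namespaces mutation and audit the result.

Added example; not Kyverno code. The Namespace list below is constructed to look
like `kubectl get namespaces -o json` output ("items" only).
"""
import copy
import json

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
# Mirrors the policy's `<(name): "!kube-system"` conditional anchor: the patch is
# applied only when metadata.name is not kube-system.
EXCLUDED_NAMESPACES = {"kube-system"}


def apply_policy(namespaces):
    """Return a deep copy of `namespaces` with the policy's patch applied.

    Strategic merge on a map adds or overwrites the single key, so any existing
    enforce label (even a stricter one) is replaced with `privileged`.
    """
    mutated = copy.deepcopy(namespaces)
    for ns in mutated:
        meta = ns.setdefault("metadata", {})
        if meta.get("name") in EXCLUDED_NAMESPACES:
            continue  # conditional anchor did not match; leave untouched
        meta.setdefault("labels", {})[ENFORCE_LABEL] = "privileged"
    return mutated


def audit(namespaces):
    """Group Namespace names by effective PSA enforce level.

    A Namespace with no enforce label falls back to the cluster-wide
    AdmissionConfiguration default, reported here as 'cluster-default'.
    """
    by_level = {}
    for ns in namespaces:
        meta = ns.get("metadata", {})
        level = meta.get("labels", {}).get(ENFORCE_LABEL, "cluster-default")
        by_level.setdefault(level, []).append(meta["name"])
    return {level: sorted(names) for level, names in by_level.items()}


# Constructed sample: four Namespaces, one already restricted, one with unrelated labels.
SAMPLE_NAMESPACES = json.loads("""
[
  {"metadata": {"name": "kube-system"}},
  {"metadata": {"name": "default"}},
  {"metadata": {"name": "payments",
                "labels": {"pod-security.kubernetes.io/enforce": "restricted"}}},
  {"metadata": {"name": "dev", "labels": {"team": "platform"}}}
]
""")


def before_and_after(namespaces=SAMPLE_NAMESPACES):
    """Convenience: audit the input as-is and after the policy has run."""
    return {"before": audit(namespaces), "after": audit(apply_policy(namespaces))}


if __name__ == "__main__":
    print(json.dumps(before_and_after(), indent=2))
```

Run it as-is to see the before/after grouping for the constructed sample; to audit a real cluster, feed the `items` array of `kubectl get namespaces -o json` into `audit()` alone, since the cluster's own admission controller, not this script, performs the mutation.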