Back to Policies

Add Privileged Label to Existing Namespaces

When Pod Security Admission is configured with a cluster-wide AdmissionConfiguration file which sets either baseline or restricted, for example in many PaaS CIS profiles, it may be necessary to relax this to privileged on a per-Namespace basis so that more granular control can be provided. This policy labels new and existing Namespaces, except that of kube-system, with the `pod-security.kubernetes.io/enforce: privileged` label.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-privileged-existing-namespaces
  annotations:
    policies.kyverno.io/title: Add Privileged Label to Existing Namespaces
    policies.kyverno.io/category: Pod Security Admission
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: "When Pod Security Admission is configured with a cluster-wide AdmissionConfiguration file which sets either baseline or restricted, for example in many PaaS CIS profiles, it may be necessary to relax this to privileged on a per-Namespace basis so that more granular control can be provided. This policy labels new and existing Namespaces, except that of kube-system, with the `pod-security.kubernetes.io/enforce: privileged` label."
spec:
  mutateExistingOnPolicyUpdate: true
  rules:
    - name: label-privileged-namespaces
      match:
        any:
          - resources:
              kinds:
                - Namespace
      mutate:
        targets:
          - apiVersion: v1
            kind: Namespace
        patchStrategicMerge:
          metadata:
            <(name): "!kube-system"
            labels:
              pod-security.kubernetes.io/enforce: privileged

Related Policies

MutateMedium

Add Safe To Evict

The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.

Pod
MutateMedium

Add Safe To Evict

The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.

Pod
MutateMedium

Add CAST AI Removal Disabled

CAST AI will not downscale a node that includes a pod with the autoscaling.cast.ai/removal-disabled="true" label on it, this protects sensitive workloads from being evicted and can be attributed to any pod to protect against unwanted downscaling. This policy will mutate jobs and cronjobs to add the removal-disabled label to protect against eviction.

Job