Add PSA Labels
Pod Security Admission (PSA) can be controlled via the assignment of labels at the Namespace level which define the Pod Security Standard (PSS) profile in use and the action to take. If not using a cluster-wide configuration via an AdmissionConfiguration file, Namespaces must be explicitly labeled. This policy assigns the labels `pod-security.kubernetes.io/enforce=baseline` and `pod-security.kubernetes.io/warn=restricted` to all new Namespaces if those labels are not included.
Policy Definition
/psa/add-psa-labels/add-psa-labels.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-psa-labels
  annotations:
    policies.kyverno.io/title: Add PSA Labels
    policies.kyverno.io/category: Pod Security Admission, EKS Best Practices
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.7.1
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Namespace
    policies.kyverno.io/description: >-
      Pod Security Admission (PSA) can be controlled via the assignment of labels
      at the Namespace level which define the Pod Security Standard (PSS) profile
      in use and the action to take. If not using a cluster-wide configuration
      via an AdmissionConfiguration file, Namespaces must be explicitly labeled.
      This policy assigns the labels `pod-security.kubernetes.io/enforce=baseline`
      and `pod-security.kubernetes.io/warn=restricted` to all new Namespaces if
      those labels are not included.
spec:
  rules:
  - name: add-baseline-enforce-restricted-warn
    # Mutation rules run on admission, so only Namespaces created (or updated)
    # after the policy is installed are patched.
    match:
      any:
      - resources:
          kinds:
          - Namespace
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            # +(key) is Kyverno's "add if not present" anchor: the label is set
            # only when the Namespace does not already carry it, so an existing
            # value (stricter or weaker) is left untouched.
            +(pod-security.kubernetes.io/enforce): baseline
            +(pod-security.kubernetes.io/warn): restricted
```
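The `+()` anchors above only add a label that is missing; they never replace one that is already set. The following added example (not part of the Kyverno policy catalog) models that behaviour in plain Python so the resulting PSA labels can be checked for sample Namespaces before the policy is rolled out. It models only the add-if-absent anchor semantics this policy uses, not Kyverno's full strategic-merge engine, and the Namespace objects are constructed for illustration.

```python
# Patch body taken from the policy's mutate.patchStrategicMerge block.
PSA_PATCH = {
    "metadata": {
        "labels": {
            "+(pod-security.kubernetes.io/enforce)": "baseline",
            "+(pod-security.kubernetes.io/warn)": "restricted",
        }
    }
}


def apply_patch(resource: dict, patch: dict) -> dict:
    """Merge `patch` into `resource`, honouring Kyverno's +(key) anchor.

    A key written as +(name) is added only when `name` is absent; a plain key
    overwrites. Nested mappings are merged recursively. The input is not
    modified; a new dict is returned. (Simplified model, not Kyverno's code.)
    """
    out = dict(resource)
    for key, value in patch.items():
        add_only = key.startswith("+(") and key.endswith(")")
        name = key[2:-1] if add_only else key
        if isinstance(value, dict):
            out[name] = apply_patch(out.get(name) or {}, value)
        elif add_only and name in out:
            continue  # existing value wins, whether stricter or weaker
        else:
            out[name] = value
    return out


def psa_labels(namespace: dict) -> dict:
    """Return only the pod-security.kubernetes.io/* labels of a Namespace."""
    labels = namespace.get("metadata", {}).get("labels", {})
    return {k: v for k, v in labels.items() if k.startswith("pod-security.kubernetes.io/")}


# Constructed sample Namespaces (not from any real cluster).
unlabelled = {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "team-a"}}
already_restricted = {"apiVersion": "v1", "kind": "Namespace",
                      "metadata": {"name": "team-b",
                                   "labels": {"pod-security.kubernetes.io/enforce": "restricted"}}}
pre_privileged = {"apiVersion": "v1", "kind": "Namespace",
                  "metadata": {"name": "team-c",
                               "labels": {"pod-security.kubernetes.io/enforce": "privileged"}}}

if __name__ == "__main__":
    for ns in (unlabelled, already_restricted, pre_privileged):
        print(ns["metadata"]["name"], psa_labels(apply_patch(ns, PSA_PATCH)))
```

The third sample shows the caveat: a Namespace created with `enforce=privileged` keeps that value, so this policy raises the floor for unlabelled Namespaces but does not by itself prevent a weaker profile from being set explicitly.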