Pod Security
Policies to secure Kubernetes Pods.
These Kyverno policies are based on the Kubernetes Pod Security Standards definitions. To apply all pod security policies (recommended), install Kyverno and kustomize, then run:

```sh
kustomize build https://github.com/kyverno/policies/pod-security | kubectl apply -f -
```
Note

The upstream kustomize binary (https://github.com/kubernetes-sigs/kustomize) should be used to apply customizations to these policies. In many cases the version of kustomize built into kubectl will not work.
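An added example of such a customization (this overlay is not part of the kyverno/policies repository): a `kustomization.yaml` that pulls the Baseline set as a remote base and patches every ClusterPolicy so that `validationFailureAction` is `Enforce`, meaning violating Pods are rejected at admission instead of only being reported. It assumes the published policies ship in `Audit` mode and expose that field at `spec.validationFailureAction`; confirm both with `kubectl get clusterpolicy -o yaml` after a first apply.

```yaml
# Added example overlay, not from the kyverno/policies repository.
# Assumptions: the remote base URL used on this page, and that each policy
# is a ClusterPolicy with a spec.validationFailureAction field.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  # Remote base. For a reproducible deployment, pin it to a tag or commit
  # by appending ?ref=<tag-or-sha> to the URL instead of tracking the default branch.
  - https://github.com/kyverno/policies/pod-security/baseline

patches:
  # Target selector without a name matches every ClusterPolicy in the base,
  # so one JSON 6902 patch switches the whole Baseline group to Enforce.
  - target:
      kind: ClusterPolicy
    patch: |-
      - op: replace
        path: /spec/validationFailureAction
        value: Enforce
```

Build and apply it from the overlay directory with `kustomize build . | kubectl apply -f -`. Because the patch targets a custom resource kind and matches multiple resources, this is exactly the case where the standalone upstream kustomize is needed. To check that enforcement is active without creating anything, submit a Pod that violates the Baseline profile with a server-side dry run, for example `kubectl run psa-check --image=busybox --privileged --dry-run=server`; admission webhooks run during a server-side dry run, so Kyverno should reject the request with the Disallow Privileged Containers policy message.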
Pod Security Standard policies are organized in two groups, Baseline and Restricted (the third standard profile, Privileged, is unrestricted and therefore needs no policies):
Baseline
Minimally restrictive policies to prevent known privilege escalations.
Control | Policy |
---|---|
Host Namespaces | Disallow Host Namespaces |
Privileged Containers | Disallow Privileged Containers |
Capabilities | Disallow Adding Capabilities |
HostPath Volumes | Disallow Host Path |
Host Ports | Disallow Host Ports |
AppArmor (optional) | Restrict AppArmor Profiles |
SELinux (optional) | Disallow Custom SELinux Options |
/proc Mount Type | Require Default Proc Mount |
Sysctls | Restrict Sysctls |
Apply the Baseline Pod Security policies using:

```sh
kustomize build https://github.com/kyverno/policies/pod-security/baseline | kubectl apply -f -
```
Restricted
Heavily restricted policies following current Pod hardening best practices.
Control | Policy |
---|---|
Volume Types | Restrict Volume Types |
Privilege Escalation | Deny Privilege Escalation |
Running as Non-root | Require Run As Non Root |
Non-root groups (optional) | Require Non Root Groups |
Seccomp | Restrict Seccomp |
Apply the Restricted Pod Security policies (includes all Baseline policies) using:

```sh
kustomize build https://github.com/kyverno/policies/pod-security/restricted | kubectl apply -f -
```