psa

package module
v0.7.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 16, 2024 License: Apache-2.0 Imports: 0 Imported by: 0

README

Project Status GitHub release CI PkgGoDev Go Report Card

NOTE

The PSP replacement has been announced. This project is just a stopgap until it is replaced.

Pod Security Admission

pod-security-admission is a set of Kubernetes Admission Webhooks to ensure Pod Security Standards.

pod-security-admission aims to be a simple Pod Security Policy replacement.

This is not a policy engine and users cannot write their own policies flexibly. If you want to do that, I recommend using a policy engine such as OPA/GateKeeper and Kyverno.

Getting started

Please see the getting-started.md to deploy pod-security-admission to your Kubernetes cluster.

Policies

pod-security-admission provides 3 policy types based on Pod Security Standards.

Privileged

The Privileged is an entirely unrestricted policy. Admission webhook does nothing to the Pods in namespaces with Privileged label. This policy should be applied to the Pods that are the core components for the Kubernetes cluster, such as network plugins.

This policy will be applied to Pods that belong to namespaces with the following label:

apiVersion: v1
kind: Namespace
metadata:
  name: your-namespace
  labels: 
    pod-security.cybozu.com/policy: privileged
Baseline

The Baseline is a basic policy that applies to Pods for many applications.

This policy prohibits the creation of Pods that violate the following rules:

This policy will be applied to Pods that belong to all namespaces except privileged.

Restricted

The Restricted is a restricted policy that applies to Pods for secure applications.

In addition to the Baseline, this policy prohibits the creation of Pods that violate the following rules:

Furthermore, if a Pod violates Running as Non-root, the mutating webhook will rewrite the securityContext forcibly.

This policy will be applied to Pods that belong to namespaces with the following label:

apiVersion: v1
kind: Namespace
metadata:
  name: your-namespace
  labels:
    pod-security.cybozu.com/policy: restricted

Documentation

docs directory contains documents about designs and specifications.

Limitations

The behavior of the webhooks are restricted intentionally as follows:

  • Validating Webhook does not deny an ephemeral container from running as root user.
  • Mutating Webhook does not force an ephemeral container to run as non-root user.

This is because kubectl debug command cannot specify a user to run ephemeral containers.

We have to wait until the following Issue is completed: https://github.com/kubernetes/kubectl/issues/1108

Docker images

Docker images are available on Quay.io

License

pod-security-admission is licensed under the Apache License, Version 2.0.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Version 

func Version() string

Version returns the semantic versioning string of pod-security-admission.

Types

This section is empty.

Source Files

View all Source files

Directories

Path Synopsis
cmd
sub
mutators
validators

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.