- Create a namespace enforces the baseline Pod Security Standards (PSS)
kubectl create ns baseline
kubectl label ns baseline pod-security.kubernetes.io/enforce-version=v1.23 pod-security.kubernetes.io/enforce=baseline- Verify that the privileged pod is blocked by the baseline Pod Security Admission (PSa) check
kubectl run privileged-pod --image=busybox --privileged --dry-run=server -n baselineError from server (Forbidden): pods "privileged-pod" is forbidden: violates PodSecurity "baseline:v1.23": privileged (container "privileged-pod" must not set securityContext.privileged=true)
- Create the policy that exempts
runAsNonRootcontrol
kubectl apply -f exempt-run-as-non-root.yaml- Create pods and verify the exemption
The pod root-pod-exempted creation will be allowed:
kubectl apply -f root-pod-exempted.yaml -n baseline --dry-run=serverThe pod root-pod-forbidden creation will be blocked as the policy does not exempt the nginx container image:
kubectl apply -f root-pod-forbidden.yaml -n baseline --dry-run=serverBeyond that, Kyverno applies the PSS checks to workloads.
kubectl apply -f root-deployment-forbidden.yaml -n baseline --dry-run=server- (optional) Verify the restricted PSa check
Create a namespace that enforces the restricted PSS control:
kubectl create ns restricted
kubectl label ns restricted pod-security.kubernetes.io/enforce-version=v1.23 pod-security.kubernetes.io/enforce=restrictedCreate the same pod root-pod-exempted that is allowed in step 4, and it fails the restricted PSa check:
kubectl apply -f root-pod-exempted.yaml -n restricted --dry-run=serverError from server (Forbidden): error when creating "root-pod-exempted.yaml": pods "root-pod-exempted" is forbidden: violates PodSecurity "restricted:v1.23": runAsNonRoot != true (container "nginx" must not set securityContext.runAsNonRoot=false)
kubectl delete ns baseline restricted
kubectl delete -f exempt-run-as-non-root.yaml