This repository implements the Kubernetes Pod Security Standards (baseline and restricted levels) as Conftest policy.
The same rules are also provided as Gatekeeper policy (a ConstraintTemplate and a Constraint).
For Conftest:
$ conftest test --update https://github.com/YunosukeY/policy-for-pss/raw/1.28/bundle.tar.gz <file-to-test>
For Gatekeeper:
$ kubectl apply -f https://github.com/YunosukeY/policy-for-pss/raw/1.28/k8s/template_PodSecurityStandards.yaml
$ kubectl apply -f https://github.com/YunosukeY/policy-for-pss/raw/1.28/k8s/constraint_PodSecurityStandards.yaml
To exempt a specific resource from an individual rule, add the corresponding allowXxx label (set to "true") to that resource;
each label switches off exactly one rule.
For baseline level rules:
allowHostProcess
allowHostNamespace
allowPrivileged
allowPrivilegedLevelCapabilities
allowHostPath
allowHostPort
allowAllAppArmorProfile
allowAllSeLinuxOptions
allowUnmaskedProcMount
allowPrivilegedLevelSeccompTypes
allowAllSysctls
For restricted level rules:
allowAllVolumeTypes
allowPrivilegeEscalation
allowRunAsRoot
allowRunAsRootUser
allowBaselineLevelSeccompTypes
allowBaselineLevelCapabilities
Example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    allowPrivilegeEscalation: "true"
    allowRunAsRoot: "true"
    allowBaselineLevelSeccompTypes: "true"
    allowBaselineLevelCapabilities: "true"
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
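To show how the allowXxx exemption mechanism above fits into a Conftest policy, here is an added Rego example written for this README; it is not the repository's own policy and its rule and message wording are assumptions. It implements two of the listed rules, the baseline allowPrivileged check and the restricted allowPrivilegeEscalation check, for bare Pods and for workloads that carry a pod template (Deployment, StatefulSet, Job, and so on), and skips a rule only when the resource carries the matching label with the value "true".

```rego
package main

# Added example, not the repository's policy: two Pod Security Standards
# checks as Conftest deny rules that honour the allowXxx exemption labels.

# Gather app containers and init containers from a workload's pod template
# (Deployment, StatefulSet, DaemonSet, Job, ...). Undefined paths simply
# contribute nothing, so the same rules also work on a bare Pod below.
containers[c] {
  c := input.spec.template.spec.containers[_]
}

containers[c] {
  c := input.spec.template.spec.initContainers[_]
}

# Bare Pod: containers live directly under spec.
containers[c] {
  c := input.spec.containers[_]
}

containers[c] {
  c := input.spec.initContainers[_]
}

# A resource is exempt from one rule when it carries that rule's label
# with the string value "true" (labels are strings in Kubernetes).
exempt(label) {
  input.metadata.labels[label] == "true"
}

# Baseline level: privileged containers are forbidden unless the
# resource is labelled allowPrivileged="true".
deny[msg] {
  not exempt("allowPrivileged")
  c := containers[_]
  c.securityContext.privileged == true
  msg := sprintf(
    "%s/%s: container %q must not set securityContext.privileged=true (label allowPrivileged=\"true\" to exempt)",
    [input.kind, input.metadata.name, c.name],
  )
}

# Restricted level: allowPrivilegeEscalation must be explicitly false.
# The negated comparison also fires when the field is missing, which
# is what the restricted profile requires.
deny[msg] {
  not exempt("allowPrivilegeEscalation")
  c := containers[_]
  not c.securityContext.allowPrivilegeEscalation == false
  msg := sprintf(
    "%s/%s: container %q must set securityContext.allowPrivilegeEscalation=false (label allowPrivilegeEscalation=\"true\" to exempt)",
    [input.kind, input.metadata.name, c.name],
  )
}
```

Saved as policy/pss.rego and run with `conftest test -p policy deployment.yaml`, this reports the nginx Deployment above only for the privileged rule (the container does not set allowPrivilegeEscalation, but the Deployment carries allowPrivilegeEscalation: "true"); removing that label makes the second rule fire as well. The same structure carries over to a Gatekeeper ConstraintTemplate, where the Pod being admitted is reached through input.review.object instead of input and the exemption label is read from that object's metadata.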