mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
90 lines
2.5 KiB
Plaintext
90 lines
2.5 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * authentication/understanding-and-managing-pod-security-admission.adoc
|
|
// * operators/operator_sdk/osdk-complying-with-psa.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="security-context-constraints-psa-about_{context}"]
|
|
= About pod security admission
|
|
|
|
{product-title} includes link:https://kubernetes.io/docs/concepts/security/pod-security-admission[Kubernetes pod security admission]. Pods that do not comply with the pod security admission defined globally or at the namespace level are not admitted to the cluster and cannot run.
|
|
|
|
Globally, the `privileged` profile is enforced, and the `restricted` profile is used for warnings and audits.
|
|
|
|
You can also configure the pod security admission settings at the namespace level.
|
|
|
|
include::snippets/default-projects.adoc[]
|
|
|
|
[id="psa-modes_{context}"]
|
|
== Pod security admission modes
|
|
|
|
You can configure the following pod security admission modes for a namespace:
|
|
|
|
.Pod security admission modes
|
|
[cols="1,2,3a",options="header"]
|
|
|===
|
|
|Mode
|
|
|Label
|
|
|Description
|
|
|
|
|`enforce`
|
|
|`pod-security.kubernetes.io/enforce`
|
|
|Rejects a pod from admission if it does not comply with the set profile
|
|
|
|
|`audit`
|
|
|`pod-security.kubernetes.io/audit`
|
|
|Logs audit events if a pod does not comply with the set profile
|
|
|
|
|`warn`
|
|
|`pod-security.kubernetes.io/warn`
|
|
|Displays warnings if a pod does not comply with the set profile
|
|
|===
|
|
|
|
[id="psa-profiles_{context}"]
|
|
== Pod security admission profiles
|
|
|
|
You can set each of the pod security admission modes to one of the following profiles:
|
|
|
|
.Pod security admission profiles
|
|
[cols="1,3a",options="header"]
|
|
|===
|
|
|Profile
|
|
|Description
|
|
|
|
|`privileged`
|
|
|Least restrictive policy; allows for known privilege escalation
|
|
|
|
|`baseline`
|
|
|Minimally restrictive policy; prevents known privilege escalations
|
|
|
|
|`restricted`
|
|
|Most restrictive policy; follows current pod hardening best practices
|
|
|===
|
|
|
|
[id="psa-privileged-namespaces_{context}"]
|
|
== Privileged namespaces
|
|
|
|
The following system namespaces are always set to the `privileged` pod security admission profile:
|
|
|
|
* `default`
|
|
* `kube-public`
|
|
* `kube-system`
|
|
|
|
You cannot change the pod security profile for these privileged namespaces.
|
|
|
|
.Example privileged namespace configuration
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
labels:
|
|
openshift.io/cluster-monitoring: "true"
|
|
pod-security.kubernetes.io/enforce: privileged
|
|
pod-security.kubernetes.io/audit: privileged
|
|
pod-security.kubernetes.io/warn: privileged
|
|
name: "<mig_namespace>"
|
|
# ...
|
|
----
|