Pod Security Standards

This library provides Gatekeeper policies that implement the Kubernetes Pod Security Standards. These standards define three profiles that cover the security spectrum:

  • Privileged: Unrestricted policy, providing the widest possible level of permissions.
  • Baseline: Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration.
  • Restricted: Heavily restricted policy, following current Pod hardening best practices.

Note: The profiles are cumulative - the Restricted profile includes all policies from the Baseline profile, plus additional restrictions. The Privileged profile imposes no restrictions, so it needs no constraints at all.

These policies were originally based on the PodSecurityPolicy admission controller, which was deprecated in Kubernetes v1.21 and removed in v1.25, but they have been updated to align with the Pod Security Standards.

An administrator can control the following by deploying the corresponding Gatekeeper ConstraintTemplate together with a Constraint that instantiates it. Several of the templates are parameterized (for example the allowed and required-drop capability lists); the constraint's parameters must be set to the values the profile calls for, since a permissive parameter set produces a permissive constraint. Gatekeeper evaluates Pods at admission time, so Pods already running when a constraint is created are only reported by the audit controller, not evicted.

Baseline Profile

These policies prevent known privilege escalations and are recommended as the minimum security configuration for most workloads.

| Control Aspect | Gatekeeper Constraint and Constraint Template |
| --- | --- |
| Running of privileged containers | privileged-containers |
| Usage of host namespaces | host-namespaces |
| Usage of host networking and ports | host-network-ports |
| Usage of the host filesystem | host-filesystem |
| Linux capabilities | capabilities |
| The SELinux context of the container | selinux |
| The allowed Proc mount types for the container | proc-mount |
| The AppArmor profile used by containers | apparmor |
| The seccomp profile used by containers | seccompv2 |
| The sysctl profile used by containers | forbidden-sysctls |

Restricted Profile

These policies provide additional hardening on top of the Baseline profile. Deploy them in addition to the Baseline policies; on their own they do not cover the Baseline controls.

| Control Aspect | Gatekeeper Constraint and Constraint Template |
| --- | --- |
| Restricting escalation to root privileges | allow-privilege-escalation |
| Approved list of flex-volume drivers | flexvolume-drivers |
| Allocating an FSGroup that owns the Pod's volumes | fsgroup |
| Requiring the use of a read-only root filesystem | read-only-root-filesystem |
| The user and group IDs of the container | users |
| Usage of volume types | volumes |
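The following is an added example and not part of this README or the library's own sample files. It shows how one Baseline constraint (from the privileged-containers template) and one Restricted constraint (from the allow-privilege-escalation template) are instantiated, alongside a constructed Pod that trips both and a constructed Pod that passes. The kind names K8sPSPPrivilegedContainer and K8sPSPAllowPrivilegeEscalationContainer are assumed to be the kinds those two templates define; confirm them against the template.yaml you actually install. The namespace exclusion and Pod names are illustrative.

```yaml
# Added example; not from the gatekeeper-library README or samples.
# Baseline control: reject privileged containers.
# Kind name assumed from the privileged-containers template; verify against its template.yaml.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # Illustrative exclusion: system components frequently need privileged containers.
    excludedNamespaces: ["kube-system"]
---
# Restricted control: require allowPrivilegeEscalation to be explicitly false.
# Kind name assumed from the allow-privilege-escalation template; verify against its template.yaml.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
---
# Constructed Pod that violates both constraints above.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
    - name: nginx
      image: nginx
      securityContext:
        privileged: true
        # allowPrivilegeEscalation is left unset on purpose: the Kubernetes
        # default is true, and the template treats "not explicitly false"
        # as a violation, so omitting the field is not a safe default.
---
# Constructed Pod that passes both constraints.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-allowed
spec:
  containers:
    - name: nginx
      image: nginx
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
```

Apply the two ConstraintTemplates before the constraints, since the constraint kinds do not exist in the cluster until their templates are installed. With the constraints in place, admission rejects the first Pod and admits the second. When rolling a profile out to a cluster with existing workloads, set spec.enforcementAction to dryrun on each constraint first and read the violations the audit controller records in the constraint's status before switching to deny.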