Filter

Pod Security

Policies to secure Kubernetes Pods.

These Kyverno policies are based the on Kubernetes Pod Security Standards definitons. To apply all pod security policies (recommended) install Kyverno and kustomize, then run:

1kustomize build https://github.com/kyverno/policies/pod-security | kubectl apply -f -

Pod Security Standard policies are organized in two groups, Baseline and Restricted:


Baseline

Minimally restrictive policies to prevent known privilege escalations.

Control Policy
Host Namespaces Disallow Host Namespaces
Privileged Containers Disallow Privileged Containers
Capabilities Disallow Adding Capabilities
HostPath Volumes Disallow Host Path
Host Ports Disallow Host Ports
AppArmor (optional) Restrict AppArmor Profiles
SELinux (optional) Disallow Custom SELinux Options
/proc Mount Type Require Default Proc Mount
Sysctls Restrict Sysctls

Apply the Baseline Pod Security policies using:

1kustomize build https://github.com/kyverno/policies/pod-security/baseline | kubectl apply -f -

Restricted

Heavily restricted policies following current Pod hardening best practices.

Control Policy
Volume Types Restrict Volume Types
Privilege Escalation Deny Privilege Escalation
Running as Non-root Require Run As Non Root
Non-root groups (optional) Require Non Root Groups
Seccomp Restrict Seccomp

Apply the Restricted Pod Security policies (includes all Baseline policies) using:

1kustomize build https://github.com/kyverno/policies/pod-security/restricted | kubectl apply -f -