From the previous output, you'll notice that applying the privileged Pod Security Standard shows no warnings for any namespaces. However, baseline and restricted standards both have warnings, specifically in the kube-systemnamespace.

Adding Security

Multiple pod security standards can be enabled on any namespace, using labels. Following command will enforce the baseline Pod Security Standard, but warn and audit for restricted Pod Security Standards as per the latest version (default value)

Code Block

theme	Emacs

kubectl label --overwrite ns <NAMESPACE> \
  pod-security.kubernetes.io/enforce=baseline \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/warn=restricted \
  pod-security.kubernetes.io/warn-version=latest \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/audit-version=latest

Example: Enable Restricted on default namespace:

Code Block

kubectl label --overwrite ns default \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/warn=restricted \
  pod-security.kubernetes.io/warn-version=latest \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/audit-version=latest

References

Reference	URL
Apply Pod Security Standards at the Cluster Level	https://kubernetes.io/docs/tutorials/security/cluster-level-pss/

Space shortcuts

Page tree

Versions Compared

Old Version 4

New Version 5

Key

Adding Security

References

Space shortcuts

Page tree

Page History

Versions Compared

Old Version 4

New Version 5

Key

Adding Security

References