Pod Security Standards
See the Kubernetes docs on Pod Security Standards.
Pod Security Standards are applied at the namespace level, via labels on the Namespace object.
Three examples, one per policy level:
- privileged
- baseline
- restricted
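---
# Privileged
# No Pod Security restrictions are enforced in this namespace: pods may run
# privileged containers, share host namespaces, mount hostPath volumes, etc.
# Reserve this level for namespaces that genuinely need it (e.g. cluster
# infrastructure), not for ordinary application workloads.
# NOTE(review): no audit or warn label is set, so nothing is logged or
# surfaced when a pod here would violate a stricter level.
apiVersion: v1
kind: Namespace
metadata:
  name: freebird
  labels:
    pod-security.kubernetes.io/enforce: privileged
    # "latest" tracks the admission controller of the running cluster, so the
    # policy definition can change on upgrade; pin to a "v1.NN" value when
    # predictable behaviour across upgrades matters.
    pod-security.kubernetes.io/enforce-version: latest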
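---
# Baseline
# Minimally restrictive: blocks known privilege escalations (privileged
# containers, host namespaces, hostPath volumes, most added capabilities)
# while allowing the default pod configuration unchanged.
# "enforce" rejects violating pods; "warn" returns a user-facing warning.
# NOTE(review): no audit label is set, so violations are not recorded in the
# API server audit log; consider adding pod-security.kubernetes.io/audit.
apiVersion: v1
kind: Namespace
metadata:
  name: basespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    # "latest" follows the cluster version; pin to "v1.NN" for stability
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest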
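---
# Restricted
# Most restrictive level and the recommended default for application
# workloads: pods must run as non-root, drop all capabilities, disallow
# privilege escalation and set a seccomp profile, among other hardening rules.
# "enforce" rejects violating pods; "warn" returns a user-facing warning.
# NOTE(review): no audit label is set; adding pod-security.kubernetes.io/audit
# records violations in the API server audit log without blocking anything.
apiVersion: v1
kind: Namespace
metadata:
  name: restrictedspace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    # "latest" follows the cluster version; pin to "v1.NN" for stability
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest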