Pod Security Standards
Wayfinder comes with Pod Security Standards (PSS) enabled as the default setting in all cluster plans that are shipped with Wayfinder. This means PSS labels are added to all new Wayfinder-managed namespaces (NamespaceClaims). PSS is set to a baseline level of restriction for all 'standard' plans and to restricted for all 'hardened' plans. You can change this at a global level by creating your own cluster plans and either disabling PSS or changing the level of the policy restriction (defaultProfile).
Below is an example of the security section from the Custom Resource Definition (yaml) of a 'standard' cluster plan that is shipped with Wayfinder. Note that defaultProfile is set to baseline.

    security:
      podSecurityStandard:
        enabled: true
        defaultProfile: baseline
        allowed: ["restricted", "baseline", "privileged"]
See Add a new cluster plan for a detailed look at a cluster plan definition.
For more information on PSS, see the Kubernetes documentation.
Change how PSS is applied
Change PSS at a global level
Wayfinder's default cluster plans are read-only. If you want to update the PSS, you need to make a copy and then edit the copied plan as needed. Thereafter, specify your copy of the cluster plan when creating clusters. For more information on how to create your own cluster plans, click here.

To disable PSS or change the restriction level:

- Edit the yaml definition of one or more cluster plans:
  - To disable PSS globally, set spec.security.podSecurityStandard.enabled to false.
  - To change the restriction level, set spec.security.podSecurityStandard.defaultProfile to one of the following:

    | Default Profile | Policy |
    |---|---|
    | restricted | Heavily restricted policy, following current Pod hardening best practices. |
    | baseline | Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration. |
    | privileged | Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations. |

- Apply the edited definition, for example:

      wf apply -f myclusterplan.yaml
Change PSS for a specific namespace
You can change the PSS restriction level for a specific namespace by editing the NamespaceClaim resource definition.
To change the PSS restriction level for one namespace:

- In the yaml resource definition of the NamespaceClaim, change the setting for the label pod-security.kubernetes.io/enforce to the desired default profile (see descriptions above). For example, to change the restriction level to baseline:

      apiVersion: compute.appvia.io/v1alpha1
      kind: NamespaceClaim
      metadata:
        generation: 1
        labels:
          pod-security.kubernetes.io/enforce: baseline
          appvia.io/name: aks-dev
          appvia.io/ownerworkspace: test

- Apply the edited definition, for example:

      wf apply -f my-namespaceclaim.yaml
There may be rare situations where you want to disable PSS or apply a custom configuration for a namespace via kubectl, but you still want to use the namespace in Wayfinder. In this case, you can add the label appvia.io/noReconcile: true to the namespace claim. This prevents Wayfinder from reconciling the namespace back to its desired state, so the PSS label you set by hand is left alone.
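The plan-level defaultProfile and allowed list above, the per-namespace enforce label, and the noReconcile opt-out together decide what PSS actually enforces in a namespace. The following audit is an added example, not Wayfinder's own code: it takes the parsed (dict) form of a cluster plan and its NamespaceClaims, computes the effective profile of each namespace, and reports the ones that are weaker than the plan default, outside the plan's allowed list, or exempt from reconciliation. The PSS_RANK ordering, the finding texts and the sample claims are this example's own assumptions.

```python
# Added example, not Wayfinder's own code: audit the effective PSS profile of
# NamespaceClaims against their cluster plan. Inputs are the parsed (dict) form
# of the manifests shown on this page; PSS_RANK and the finding texts are this
# example's own assumptions.
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
NO_RECONCILE_LABEL = "appvia.io/noReconcile"
NAME_LABEL = "appvia.io/name"
PSS_RANK = {"restricted": 0, "baseline": 1, "privileged": 2}  # least to most permissive

# Constructed sample data: a 'standard' plan (baseline default) and three claims.
PLAN = {"spec": {"security": {"podSecurityStandard": {
    "enabled": True, "defaultProfile": "baseline",
    "allowed": ["restricted", "baseline", "privileged"]}}}}
CLAIMS = [
    {"metadata": {"labels": {NAME_LABEL: "aks-dev", ENFORCE_LABEL: "baseline"}}},
    {"metadata": {"labels": {NAME_LABEL: "aks-batch", ENFORCE_LABEL: "privileged",
                             NO_RECONCILE_LABEL: "true"}}},
    {"metadata": {"labels": {NAME_LABEL: "aks-prod"}}},  # no label: plan default applies
]

def effective_profile(plan, claim):
    """Profile PSS will enforce for the claim, or None when the plan disables PSS."""
    pss = plan["spec"]["security"]["podSecurityStandard"]
    if not pss.get("enabled", False):
        return None
    labels = claim.get("metadata", {}).get("labels", {})
    # A per-namespace enforce label overrides the plan's defaultProfile.
    return labels.get(ENFORCE_LABEL, pss["defaultProfile"])

def audit(plan, claims):
    """Return (namespace, finding) pairs for claims that weaken the plan's policy."""
    pss = plan["spec"]["security"]["podSecurityStandard"]
    default = pss.get("defaultProfile")
    findings = []
    for claim in claims:
        labels = claim.get("metadata", {}).get("labels", {})
        name = labels.get(NAME_LABEL, "<unnamed>")
        profile = effective_profile(plan, claim)
        if profile is None:
            findings.append((name, "PSS disabled by cluster plan"))
            continue
        if profile not in pss.get("allowed", []):
            findings.append((name, f"profile '{profile}' is not in the plan's allowed list"))
        if PSS_RANK.get(profile, 99) > PSS_RANK.get(default, -1):
            findings.append((name, f"profile '{profile}' is weaker than plan default '{default}'"))
        if str(labels.get(NO_RECONCILE_LABEL, "")).lower() == "true":
            findings.append((name, "noReconcile is set, so Wayfinder will not restore the label"))
    return findings
```

Running audit(PLAN, CLAIMS) reports only aks-batch: its privileged label is weaker than the plan's baseline default, and noReconcile means Wayfinder will not put the default back.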