
Pod Security Standards

Wayfinder comes with Pod Security Standards (PSS) enabled as the default setting in all cluster plans that are shipped with Wayfinder. This means PSS labels are added to all new Wayfinder-managed namespaces (NamespaceClaims). PSS is set to the baseline level of restriction for all 'standard' plans and to restricted for all 'hardened' plans. You can change this at a global level by creating your own cluster plans and either disabling PSS or changing the restriction level of the policy (defaultProfile).

Below is the security section from the 'standard' Custom Resource Definition (yaml) of a cluster plan that is shipped with Wayfinder. Note that defaultProfile is set to baseline.

    security:
      podSecurityStandard:
        enabled: true
        defaultProfile: baseline
        allowed: ["restricted", "baseline", "privileged"]

See Add a new cluster plan for a detailed look at a cluster plan definition.

For more information on PSS, see the Kubernetes documentation.

Change how PSS is applied

Change PSS at a global level

To disable PSS or change the restriction level:

IMPORTANT

Wayfinder's default cluster plans are read-only. If you want to update the PSS, you need to make a copy and then edit the copied plan as needed. Thereafter, specify your copy of the cluster plan when creating clusters. For more information on how to create your own cluster plans, click here.

  1. Edit the yaml definition of one or more cluster plans:

    • To disable PSS globally, set spec.security.podSecurityStandard.enabled to false.

    • To change the restriction level, set spec.security.podSecurityStandard.defaultProfile to one of the following:

      Default Profile   Policy
      restricted        Heavily restricted policy, following current Pod hardening best practices.
      baseline          Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration.
      privileged        Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations.
  2. Apply the edited definition, for example:

    wf apply -f myclusterplan.yaml

Change PSS for a specific namespace

You can change the PSS restriction level for a specific namespace by editing the NamespaceClaim resource definition.

To change the PSS restriction level for one namespace:

  1. In the yaml resource definition of the NamespaceClaim, change the setting for the label pod-security.kubernetes.io/enforce to the desired default profile (see descriptions above). For example, to change the restriction level to baseline:

    apiVersion: compute.appvia.io/v1alpha1
    kind: NamespaceClaim
    metadata:
      generation: 1
      labels:
        pod-security.kubernetes.io/enforce: baseline
        appvia.io/name: aks-dev
        appvia.io/ownerworkspace: test

  2. Apply the edited definition, for example:

    wf apply -f my-namespaceclaim.yaml
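The following is an added example, not code from the Wayfinder documentation or from the Wayfinder project: a pre-apply check that covers both procedures above (the cluster-plan level and the NamespaceClaim level). It reads the PSS block of a cluster plan and the enforce label of a NamespaceClaim, validates that the values are real PSS profiles, resolves which profile will end up on the namespace, and flags a namespace label that weakens the plan's default. The two documents are constructed Python dicts mirroring the yaml on this page; in practice you would load the files with a YAML parser. Two points are assumptions rather than statements from the page: that the plan's allowed list constrains which profile a namespace-level label may use, and that a namespace label takes precedence over the plan's defaultProfile.

```python
"""
Added example, not Wayfinder's own code: a reviewer's pre-apply check for the PSS
settings in a cluster plan and a NamespaceClaim.
Assumptions (not stated on the page): the plan's `allowed` list constrains the
profile a namespace-level enforce label may use, and that label overrides the
plan's defaultProfile; `enabled: false` means no PSS label is applied at all.
"""

# PSS profiles, weakest to strongest, as defined in the Kubernetes documentation.
PROFILE_ORDER = {"privileged": 0, "baseline": 1, "restricted": 2}
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"

# Constructed: a copy of a 'standard' cluster plan, matching the snippet above.
CLUSTER_PLAN = {
    "spec": {
        "security": {
            "podSecurityStandard": {
                "enabled": True,
                "defaultProfile": "baseline",
                "allowed": ["restricted", "baseline", "privileged"],
            }
        }
    }
}

# Constructed: the NamespaceClaim shown above, with the enforce label set.
NAMESPACE_CLAIM = {
    "apiVersion": "compute.appvia.io/v1alpha1",
    "kind": "NamespaceClaim",
    "metadata": {
        "generation": 1,
        "labels": {
            ENFORCE_LABEL: "baseline",
            "appvia.io/name": "aks-dev",
            "appvia.io/ownerworkspace": "test",
        },
    },
}


def pss_settings(plan):
    """Return the podSecurityStandard block of a cluster plan (empty dict if absent)."""
    return plan.get("spec", {}).get("security", {}).get("podSecurityStandard", {})


def validate_plan(plan):
    """Return a list of problems with the plan's PSS block; an empty list means OK."""
    pss = pss_settings(plan)
    problems = []
    if not isinstance(pss.get("enabled"), bool):
        problems.append("spec.security.podSecurityStandard.enabled must be true or false")
    profile = pss.get("defaultProfile")
    if profile not in PROFILE_ORDER:
        problems.append(f"defaultProfile {profile!r} is not a PSS profile")
    allowed = pss.get("allowed", [])
    unknown = [p for p in allowed if p not in PROFILE_ORDER]
    if unknown:
        problems.append(f"allowed contains non-PSS profiles: {unknown}")
    if profile in PROFILE_ORDER and allowed and profile not in allowed:
        problems.append(f"defaultProfile {profile!r} is not in allowed {allowed}")
    return problems


def effective_profile(plan, claim):
    """Profile that will be enforced on the claim's namespace, or None if PSS is disabled.
    Assumption: a namespace enforce label overrides the plan default."""
    pss = pss_settings(plan)
    if not pss.get("enabled", False):
        return None
    labels = claim.get("metadata", {}).get("labels", {})
    return labels.get(ENFORCE_LABEL, pss.get("defaultProfile"))


def check_claim(plan, claim):
    """Warnings a reviewer would want before applying a NamespaceClaim against this plan."""
    pss = pss_settings(plan)
    warnings = []
    override = claim.get("metadata", {}).get("labels", {}).get(ENFORCE_LABEL)
    if override is None:
        return warnings
    if override not in PROFILE_ORDER:
        warnings.append(f"{ENFORCE_LABEL}={override!r} is not a PSS profile")
        return warnings
    allowed = pss.get("allowed", [])
    if allowed and override not in allowed:
        warnings.append(f"profile {override!r} is not in the plan's allowed list {allowed}")
    default = pss.get("defaultProfile")
    if default in PROFILE_ORDER and PROFILE_ORDER[override] < PROFILE_ORDER[default]:
        warnings.append(f"namespace weakens PSS from {default!r} to {override!r}; review required")
    return warnings


if __name__ == "__main__":
    print("plan problems:", validate_plan(CLUSTER_PLAN))
    print("effective profile:", effective_profile(CLUSTER_PLAN, NAMESPACE_CLAIM))
    print("claim warnings:", check_claim(CLUSTER_PLAN, NAMESPACE_CLAIM))
```

Running the script against the two constructed documents reports no plan problems, an effective profile of baseline, and no claim warnings; changing the namespace label to privileged, or running the same claim against a 'hardened'-style plan whose defaultProfile is restricted, produces the warnings a reviewer would want to see before `wf apply`.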

NOTE

There may be rare situations where you want to disable PSS or apply a custom configuration to a namespace via kubectl, but you still want to use the namespace in Wayfinder. In this case, you can add the label appvia.io/noReconcile: true to the namespace claim (quote the value as "true" in yaml, since Kubernetes label values must be strings). This prevents Wayfinder from reconciling the namespace to its desired state.