Apply PSS Restricted Profile
Pod Security Standards define the fields, and the values of those fields, that Pods may set in order to meet a given security baseline. They are typically enforced as validation policies: a workload is either accepted or rejected according to what it already declares. It is also possible to mutate incoming Pods so that they meet the desired PSS level instead of rejecting them. This policy sets all the fields necessary to pass the PSS Restricted profile.
Policy Definition
/other/apply-pss-restricted-profile/apply-pss-restricted-profile.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: apply-pss-restricted-profile
  annotations:
    policies.kyverno.io/title: Apply PSS Restricted Profile
    policies.kyverno.io/category: Other
    kyverno.io/kyverno-version: 1.6.2
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Pod Security Standards define the fields and their options which
      are allowable for Pods to achieve certain security best practices. While
      these are typically validation policies, workloads will either be accepted or
      rejected based upon what has already been defined. It is also possible to mutate
      incoming Pods to achieve the desired PSS level rather than reject. This policy
      sets all the fields necessary to pass the PSS Restricted profile.
spec:
  rules:
  - name: add-pss-fields
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 3000
            fsGroup: 2000
          containers:
          - (name): "?*"
            securityContext:
              privileged: false
              capabilities:
                drop:
                - ALL
              allowPrivilegeEscalation: false
```
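To see what the mutation above does to a workload, and what it leaves uncovered, the following added example (not part of this page and not Kyverno code) applies the rule's patchStrategicMerge values to a constructed Pod and then checks the result against the Restricted-profile controls the policy targets. The merge is a simplified stand-in for Kubernetes strategic merge (nested maps merge, scalars and lists replace), the `(name): "?*"` conditional anchor is modelled as "every container with a non-empty name", and the sample Pod, image names and container names are constructed for the demonstration.

```python
# Added example (not part of the Kyverno policy page): apply the rule's
# patchStrategicMerge to a constructed Pod and check the result against the
# Restricted-profile fields the policy targets. The merge is a simplified
# re-implementation of strategic merge (maps merge, scalars and lists replace).
import copy

# Values copied from the policy's patchStrategicMerge block.
POD_SECURITY_CONTEXT = {
    "seccompProfile": {"type": "RuntimeDefault"},
    "runAsNonRoot": True,
    "runAsUser": 1000,
    "runAsGroup": 3000,
    "fsGroup": 2000,
}
CONTAINER_SECURITY_CONTEXT = {
    "privileged": False,
    "capabilities": {"drop": ["ALL"]},
    "allowPrivilegeEscalation": False,
}


def deep_merge(base, patch):
    """Merge `patch` over `base`: nested maps merge recursively, other values are replaced."""
    out = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def mutate_pod(pod):
    """Mimic the add-pss-fields rule: patch the Pod-level securityContext and, through the
    `(name): "?*"` conditional anchor, every entry of spec.containers. Like the policy,
    this does not touch initContainers or ephemeralContainers."""
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})
    spec["securityContext"] = deep_merge(spec.get("securityContext") or {}, POD_SECURITY_CONTEXT)
    for container in spec.get("containers", []):
        if container.get("name"):  # "?*" matches any non-empty name
            container["securityContext"] = deep_merge(
                container.get("securityContext") or {}, CONTAINER_SECURITY_CONTEXT)
    return pod


def _effective(pod_sc, container_sc, field):
    """A container-level securityContext field overrides the Pod-level value when present."""
    return container_sc[field] if field in container_sc else pod_sc.get(field)


def restricted_violations(pod):
    """Return Restricted-profile violations for the controls this policy sets. The profile
    covers containers, initContainers and ephemeralContainers, so all three lists are checked."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    problems = []
    for list_name in ("containers", "initContainers", "ephemeralContainers"):
        for container in spec.get(list_name, []):
            sc = container.get("securityContext") or {}
            where = f"{list_name}/{container.get('name', '?')}"
            caps = sc.get("capabilities") or {}
            if sc.get("privileged") is True:
                problems.append(f"{where}: privileged must be unset or false")
            if sc.get("allowPrivilegeEscalation") is not False:
                problems.append(f"{where}: allowPrivilegeEscalation must be explicitly false")
            if "ALL" not in (caps.get("drop") or []):
                problems.append(f"{where}: capabilities.drop must include ALL")
            if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
                problems.append(f"{where}: capabilities.add may only contain NET_BIND_SERVICE")
            if _effective(pod_sc, sc, "runAsNonRoot") is not True:
                problems.append(f"{where}: runAsNonRoot must be true")
            if _effective(pod_sc, sc, "runAsUser") == 0:
                problems.append(f"{where}: runAsUser must not be 0")
            seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
            if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
                problems.append(f"{where}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


# Constructed sample Pod: no security settings, one container adding a capability,
# and an init container, which the policy's patch does not reach.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "setup", "image": "example.invalid/setup"}],
        "containers": [
            {"name": "web", "image": "example.invalid/web"},
            {"name": "sidecar", "image": "example.invalid/sidecar",
             "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}},
        ],
    },
}

if __name__ == "__main__":
    print("before:", *restricted_violations(SAMPLE_POD), sep="\n  ")
    print("after:", *restricted_violations(mutate_pod(SAMPLE_POD)), sep="\n  ")
```

Running it shows the two things worth knowing before relying on the mutation alone: the patch fixes every control on `spec.containers`, but a capability the workload adds itself (`NET_ADMIN` in the sample) survives the merge, and the init container is never patched because the rule only lists `containers`. A namespace enforcing the Restricted profile would therefore still reject such a Pod, so the mutation is best paired with the Restricted validation rules rather than used as a substitute for them.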