Enforce Pod Security Standards by Configuring the Built-in Admission Controller

As of v1.22, Kubernetes provides a built-in admission controller to enforce the Pod Security Standards. You can configure this admission controller to set cluster-wide defaults and exemptions.

Before you begin

Your Kubernetes server must be at or later than version v1.22. To check the version, enter kubectl version.

Configure the Admission Controller

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    # Defaults applied when a mode label is not set.
    #
    # Level label values must be one of:
    # - "privileged" (default)
    # - "baseline"
    # - "restricted"
    #
    # Version label values must be one of:
    # - "latest" (default)
    # - specific version like "v1.24"
    defaults:
      enforce: "privileged"
      enforce-version: "latest"
      audit: "privileged"
      audit-version: "latest"
      warn: "privileged"
      warn-version: "latest"
    exemptions:
      # Array of authenticated usernames to exempt.
      usernames: []
      # Array of runtime class names to exempt.
      runtimeClasses: []
      # Array of namespaces to exempt.
      namespaces: []

Note: The v1beta1 configuration requires Kubernetes v1.23 or later. On v1.22, use the v1alpha1 configuration shown below instead.

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1alpha1
    kind: PodSecurityConfiguration
    # Defaults applied when a mode label is not set.
    #
    # Level label values must be one of:
    # - "privileged" (default)
    # - "baseline"
    # - "restricted"
    #
    # Version label values must be one of:
    # - "latest" (default)
    # - specific version like "v1.24"
    defaults:
      enforce: "privileged"
      enforce-version: "latest"
      audit: "privileged"
      audit-version: "latest"
      warn: "privileged"
      warn-version: "latest"
    exemptions:
      # Array of authenticated usernames to exempt.
      usernames: []
      # Array of runtime class names to exempt.
      runtimeClasses: []
      # Array of namespaces to exempt.
      namespaces: []
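Both configurations above ship with every default set to "privileged", which means a namespace without any pod-security labels admits any pod and reports nothing. The following added example (not part of the Kubernetes documentation or the PodSecurity plugin's own code) is a small pre-flight checker for an AdmissionConfiguration document that has already been parsed into a dict: it flags values the API server would reject (bad level names, bad version strings, malformed exemption lists) and warns about valid but weak settings such as a privileged enforce default or non-empty exemptions, since exempted users, runtime classes and namespaces bypass all three modes. The `make_config` helper and its sample values are constructed for illustration.

```python
import re

LEVELS = ("privileged", "baseline", "restricted")
MODES = ("enforce", "audit", "warn")
VERSION_RE = re.compile(r"^v1\.\d+$")  # specific version, e.g. "v1.24"


def check_pod_security_config(admission_cfg):
    """Return findings for a parsed AdmissionConfiguration (a dict).
    'error:' entries are values the API server would reject; 'warn:' entries
    are valid but leave unlabeled namespaces less protected than they could be."""
    findings = []
    plugins = admission_cfg.get("plugins") or []
    plugin = next((p for p in plugins if p.get("name") == "PodSecurity"), None)
    if plugin is None:
        return ["error: no plugin named PodSecurity in plugins"]
    cfg = plugin.get("configuration") or {}
    if cfg.get("kind") != "PodSecurityConfiguration":
        findings.append("error: configuration.kind must be PodSecurityConfiguration")
    group = "pod-security.admission.config.k8s.io/"
    if not str(cfg.get("apiVersion", "")).startswith(group):
        findings.append(f"error: configuration.apiVersion must be in group {group}")

    defaults = cfg.get("defaults") or {}
    for mode in MODES:
        level = defaults.get(mode, "privileged")  # an unset default means privileged
        version = defaults.get(f"{mode}-version", "latest")
        if level not in LEVELS:
            findings.append(f"error: defaults.{mode}={level!r} is not one of {LEVELS}")
        if version != "latest" and not VERSION_RE.match(str(version)):
            findings.append(f"error: defaults.{mode}-version={version!r} must be 'latest' or like 'v1.24'")
    if defaults.get("enforce", "privileged") == "privileged":
        findings.append("warn: defaults.enforce is privileged, so unlabeled namespaces admit any pod")

    for key in ("usernames", "runtimeClasses", "namespaces"):
        values = (cfg.get("exemptions") or {}).get(key, [])
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            findings.append(f"error: exemptions.{key} must be a list of strings")
        elif values:  # exemptions skip enforce, audit and warn for the listed subjects
            findings.append(f"warn: exemptions.{key}={values} bypass enforce, audit and warn entirely")
    return findings


def make_config(api_version="v1beta1", **defaults):
    """Constructed helper: build an AdmissionConfiguration dict shaped like the YAML above."""
    return {"apiVersion": "apiserver.config.k8s.io/v1", "kind": "AdmissionConfiguration",
            "plugins": [{"name": "PodSecurity", "configuration": {
                "apiVersion": "pod-security.admission.config.k8s.io/" + api_version,
                "kind": "PodSecurityConfiguration", "defaults": defaults,
                "exemptions": {"usernames": [], "runtimeClasses": [], "namespaces": []}}}]}
```

Run the checker over the file before handing it to kube-apiserver, and treat any "error:" line as a blocker and any "warn:" line as something to justify in review.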