content/en/docs/concepts/security/pod-security-admission.md
Lines changed: 12 additions & 14 deletions
@@ -19,7 +19,7 @@ The Kubernetes [Pod Security Standards](/docs/concepts/security/pod-security-sta
19
19
different isolation levels for Pods. These standards let you define how you want to restrict the
20
20
behavior of pods in a clear, consistent fashion.
21
21
22
-
As a Beta feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip
22
+
As a beta feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip
23
23
text="admission controller" term_id="admission-controller" >}}, the successor
24
24
to [PodSecurityPolicies](/docs/concepts/security/pod-security-policy/). Pod security restrictions
25
25
are applied at the {{< glossary_tooltip text="namespace" term_id="namespace" >}} level when pods
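Review bot: Style-only change here, and it looks right: lowercasing "Beta" in "As a beta feature, Kubernetes offers a built-in _Pod Security_" brings the feature-stage wording in line with the lowercase "beta" used in the rest of this diff, so the page no longer mixes "Beta" and "beta" for the same stage.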
@@ -30,25 +30,21 @@ The PodSecurityPolicy API is deprecated and will be
30
30
[removed](/docs/reference/using-api/deprecation-guide/#v1-25) from Kubernetes in v1.25.
31
31
{{< /note >}}
32
32
33
-
<!-- body -->
34
33
35
-
## Enabling the `PodSecurity` admission plugin
34
+
## {{% heading "prerequisites" %}}
36
35
37
-
In v1.23, the `PodSecurity`[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
38
-
is a Beta feature and is enabled by default.
36
+
To use this mechanism, your cluster must enforce Pod Security admission.
39
37
40
-
In v1.22, the `PodSecurity`[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
41
-
is an Alpha feature and must be enabled in `kube-apiserver` in order to use the built-in admission plugin.
38
+
### Built-in Pod Security admission enforcement
42
39
43
-
```shell
44
-
--feature-gates="...,PodSecurity=true"
45
-
```
40
+
In Kubernetes v{{< skew currentVersion >}}, the `PodSecurity`[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
41
+
is a beta feature and is enabled by default. You must have this feature gate enabled.
42
+
If you are running a different version of Kubernetes, consult the documentation for that release.
46
43
47
-
## Alternative: installing the `PodSecurity` admission webhook {#webhook}
44
+
###Alternative: installing the `PodSecurity` admission webhook {#webhook}
48
45
49
-
For environments where the built-in `PodSecurity` admission plugin cannot be used,
50
-
either because the cluster is older than v1.22, or the `PodSecurity` feature cannot be enabled,
51
-
the `PodSecurity` admission logic is also available as a Beta [validating admission webhook](https://git.k8s.io/pod-security-admission/webhook).
46
+
The `PodSecurity` admission logic is also available as a [validating admission webhook](https://git.k8s.io/pod-security-admission/webhook). This implementation is also beta.
47
+
For environments where the built-in `PodSecurity` admission plugin cannot be enabled, you can instead enable that logic via a validating admission webhook.
52
48
53
49
A pre-built container image, certificate generation scripts, and example manifests
54
50
are available at [https://git.k8s.io/pod-security-admission/webhook](https://git.k8s.io/pod-security-admission/webhook).
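Review bot: The new heading `###Alternative: installing the `PodSecurity` admission webhook {#webhook}` has no space between `###` and the title, so Markdown will render it as a literal paragraph rather than a heading and the `{#webhook}` anchor that other pages link to will not be generated; change it to `### Alternative: installing the `PodSecurity` admission webhook {#webhook}`. Two smaller points in the same hunk: the line "In Kubernetes v{{< skew currentVersion >}}, the `PodSecurity`[feature gate](...)" is still missing a space between `PodSecurity` and the link text (carried over from the removed line), and the deleted `--feature-gates="...,PodSecurity=true"` example was the only place that showed a reader how to turn the gate on if it is off; since the new text says "You must have this feature gate enabled", consider keeping that flag example or linking to where it is documented.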
@@ -66,6 +62,8 @@ The generated certificate is valid for 2 years. Before it expires,
66
62
regenerate the certificate or remove the webhook in favor of the built-in admission plugin.
67
63
{{< /note >}}
68
64
65
+
<!-- body -->
66
+
69
67
## Pod Security levels
70
68
71
69
Pod Security admission places requirements on a Pod's [Security
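Review bot: Moving `<!-- body -->` from above the old "Enabling the `PodSecurity` admission plugin" heading to below the webhook `{{< /note >}}` means the whole `{{% heading "prerequisites" %}}` section now sits before the body marker, i.e. in the part of the page that precedes the body; please confirm the concept-page layout renders content placed there the way you intend (it previously separated the overview from the body), and drop one of the two blank lines being added above `## Pod Security levels` so there is a single blank line between the marker and the heading.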