Pod Security Policies are in-cluster Kubernetes resources that provide a way of securing pods. The Pod Security Policy page of the official Kubernetes docs provides a great deal of helpful information and a walkthrough of how to use them, and is highly recommended reading. For the purposes of this documentation, we just want to focus on getting them running on your Crit cluster.
The APIServer has quite a few admission plugins enabled by default; however, the PodSecurityPolicy plugin must be enabled explicitly when configuring the APIServer, with the following:

```yaml
apiVersion: crit.sh/v1alpha2
kind: ControlPlaneConfiguration
kubeAPIServer:
  extraArgs:
    enable-admission-plugins: PodSecurityPolicy
```
enable-admission-plugins accepts a comma-delimited list of admission plugins to enable. The order in which admission plugins run does matter, but it is not affected by the order of names in this option, which simply enables the listed plugins.
The admission plugin SecurityContextDeny must NOT be enabled along with PodSecurityPolicy. When PodSecurityPolicy is enabled, its use completely supplants the functionality provided by