docs/docs/platform/security/kyverno.md
Lines changed: 15 additions & 4 deletions
@@ -1,11 +1,11 @@
# Kyverno Policies
-
## :octicons-stack-24: Overview
+
## Overview
Kyverno is a policy engine designed for Kubernetes that validates, mutates, and generates configurations using policies as Kubernetes resources. It provides key features like:
- Policy validation and enforcement
-
- Resource mutation and generation
+
- Resource mutation and generation
- Image verification and security controls
- Audit logging and reporting
- Admission control webhooks
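Review bot: the icon shortcode is dropped from the Overview heading (`## :octicons-stack-24: Overview` becomes `## Overview`), but the new rule heading added later in this same change still uses `## :material-shield-lock: Rule: mutate-psa-labels`; if the intent is to stop depending on mkdocs-material icon shortcodes, the new heading should follow suit, otherwise keep the icon here so the overview and the rule headings stay consistent. Also, the removed and re-added `- Resource mutation and generation` lines render identically, so this looks like a whitespace-only change; confirm it is deliberate (trailing-whitespace cleanup, for example) or drop it to keep the diff focused on the new rule.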
@@ -15,7 +15,6 @@ The following policies are shipped by default in this platform to enforce securi
For detailed information about Kyverno's capabilities, refer to the [official documentation](https://kyverno.io/docs/) or [policy library](https://kyverno.io/policies/).
**Category:** Best Practices | **Severity:** medium | **Scope:** Cluster-wide
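Review bot: the removed line in this hunk (header `-15,7 +15,6`) is not visible in the rendered diff, so it cannot be confirmed whether it was a blank line or the heading that should sit between the "For detailed information" paragraph and the `**Category:** Best Practices | **Severity:** medium | **Scope:** Cluster-wide` line shown directly after it; check the rendered page to make sure the first policy still has its `## ... Rule:` heading before its Category line.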
@@ -79,6 +78,18 @@ A Kubernetes Service of type NodePort uses a host port to receive traffic from a
---
+
## :material-shield-lock: Rule: mutate-psa-labels
+
+
**Category:** Pod Security Admission, EKS Best Practices | **Severity:** medium | **Scope:** Cluster-wide
+
+
Pod Security Admission (PSA) can be controlled via the assignment of labels at the Namespace level which define the Pod Security Standard (PSS) profile in use and the action to take. If not using a cluster-wide configuration via an AdmissionConfiguration file, Namespaces must be explicitly labeled. This policy assigns the labels `pod-security.kubernetes.io/enforce=baseline` and `pod-security.kubernetes.io/warn=restricted` to all new Namespaces if those labels are not included.
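Review bot: the description of `mutate-psa-labels` should spell out two limits of a mutate rule that readers of a security page will otherwise assume away. First, "all new Namespaces" means only Namespaces admitted after the policy is installed; Namespaces that already exist keep whatever labels they have unless the policy also mutates existing resources, so the text should say whether it does and how the platform labels the Namespaces that were there before the policy. Second, the labels are only added "if those labels are not included", so a Namespace created with `pod-security.kubernetes.io/enforce=privileged` already set is left untouched; the rule sets a default, it does not enforce a floor, and the page should state whether a separate validate rule prevents that opt-out or whether it is an accepted escape hatch. A minor point: `pod-security.kubernetes.io/audit` is not set, which is fine, but one sentence saying so would help, since the PSA documentation presents enforce, audit and warn together.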