Refer to the official Kubernetes documentation: Pod Security Standards and Pod Security Admission (PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; Pod Security Admission is its built-in replacement).
Pod security policies restrict which privileges and host features the containers in a pod may use, and how those containers are allowed to run. The platform implements its pod security policy on top of Pod Security Admission (PSA), the admission controller built into the Kubernetes API server. PSA is configured per namespace with labels of the form pod-security.kubernetes.io/<mode>: <standard>, and defines three security modes and three security standards:
Security Modes: A security mode determines what the API server does with a pod that violates the security standard selected for that mode. The three modes are independent, so a namespace can enforce one standard while auditing or warning against a stricter one. For more details, please refer to the official documentation. The security modes are:
Enforce Mode: If a pod violates the security standard, the API server rejects the creation or modification of the pod and returns an error. Enforce acts only on Pod objects: a Deployment or other workload controller whose pod template violates the standard is still accepted, and its pods then fail to be created, and pods that were already running before the label was applied are not evicted. This mode is suitable for production environments with high security requirements.
Audit Mode: When a pod violates the security standard, the pod is still admitted, but the violation is recorded as an annotation on the corresponding audit log event. This requires cluster audit logging to be enabled to be visible, and it is typically used to measure the impact of a stricter standard across the cluster before enforcing it and to support subsequent investigation and analysis.
Warn Mode: If a pod violates the security standard, the API server allows the creation or modification of the pod and returns a warning to the API client (kubectl prints it). Warn and audit are also evaluated against the pod templates of workload resources such as Deployments, so they surface templates that would be rejected under enforce. This mode is typically used in testing or transitional periods so that administrators can tighten the standard gradually without impacting applications.
Security Standards: The Pod Security Standards define three policies, from unrestricted to hardened, to cover the common application security scenarios. For more details, please refer to the official documentation.
Privileged Standard: Unrestricted. Containers in the pod may use any privilege or host feature without restriction. Intended for trusted system and infrastructure workloads such as CNI plugins and storage drivers, not for application pods.
Baseline Standard: Minimally restrictive. It blocks known privilege escalations while still allowing the default pod configuration: containers may not use the host namespaces (hostNetwork, hostPID, hostIPC), run privileged, mount hostPath volumes, bind hostPorts, add capabilities beyond the default set, or set unsafe sysctls. This is the default security standard for most scenarios.
Restricted Standard: Builds on Baseline with current pod hardening best practices: containers must run as non-root, set allowPrivilegeEscalation: false, drop ALL capabilities (only NET_BIND_SERVICE may be added back), use a RuntimeDefault or Localhost seccomp profile, and may mount only a restricted set of volume types (such as configMap, secret, emptyDir and persistentVolumeClaim). This is a highly secure standard suited for scenarios with very high security requirements, at the cost of compatibility with workloads that have not been hardened.
The PodSecurity admission controller checks every pod against the standard selected by its namespace labels, so that the containers in the pod cannot compromise the security of the Kubernetes cluster.
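The following is an added example, not code from the platform or from Kubernetes itself: a simplified, offline Python model of the security modes and the Baseline and Restricted standards described above. It implements only a subset of the real controls, the three sample pods and the namespace labels are constructed for illustration, and the version-pinning label is accepted but ignored. The label keys, the audit annotation key and the warning format follow what PSA emits, so the output shows what a practitioner would see when a namespace enforces Baseline while warning and auditing against Restricted.

```python
# Added illustration (not the Kubernetes PSA source): a simplified, offline model of
# how Pod Security Admission checks a pod spec against the Baseline and Restricted
# standards and how the enforce/audit/warn namespace labels decide the outcome.

PRIVILEGED, BASELINE, RESTRICTED = "privileged", "baseline", "restricted"

# Capabilities Baseline lets a container add (subset of the real list, given as an assumption).
BASELINE_ALLOWED_ADD_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                             "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
# Volume types Restricted allows (the real list).
RESTRICTED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                           "persistentVolumeClaim", "projected", "secret"}


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])


def baseline_violations(spec):
    """Baseline: block known privilege escalations (host namespaces, privileged, hostPath, hostPort, extra caps)."""
    v = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            v.append(f"{ns} must not be set to true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"volume {vol.get('name')!r} uses hostPath")
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"container {c['name']!r} is privileged")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ALLOWED_ADD_CAPS
        if extra:
            v.append(f"container {c['name']!r} adds non-default capabilities {sorted(extra)}")
        for p in c.get("ports", []):
            if p.get("hostPort"):
                v.append(f"container {c['name']!r} uses hostPort {p['hostPort']}")
    return v


def restricted_violations(spec):
    """Restricted: Baseline plus non-root, no privilege escalation, drop ALL caps, seccomp, volume types."""
    v = baseline_violations(spec)
    pod_sc = spec.get("securityContext", {})
    for vol in spec.get("volumes", []):
        bad = set(vol) - {"name"} - RESTRICTED_VOLUME_TYPES - {"hostPath"}  # hostPath already reported
        if bad:
            v.append(f"volume {vol.get('name')!r} uses disallowed volume type {sorted(bad)}")
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"container {c['name']!r} must set allowPrivilegeEscalation=false")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:  # container setting overrides pod
            v.append(f"container {c['name']!r} must set runAsNonRoot=true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            v.append(f"container {c['name']!r} must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            v.append(f"container {c['name']!r} may only add NET_BIND_SERVICE")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"container {c['name']!r} must use a RuntimeDefault or Localhost seccomp profile")
    return v


CHECKS = {PRIVILEGED: lambda spec: [], BASELINE: baseline_violations, RESTRICTED: restricted_violations}


def admit(pod, namespace_labels):
    """Evaluate each mode independently; only enforce can reject. Unlabeled modes default to privileged
    here, as on a cluster with no AdmissionConfiguration defaults (simplifying assumption)."""
    spec = pod["spec"]
    decision = {"allowed": True, "errors": [], "warnings": [], "audit_annotations": {}}
    for mode in ("enforce", "audit", "warn"):
        level = namespace_labels.get(f"pod-security.kubernetes.io/{mode}", PRIVILEGED)
        violations = CHECKS[level](spec)
        if not violations:
            continue
        if mode == "enforce":
            decision["allowed"], decision["errors"] = False, violations
        elif mode == "warn":
            decision["warnings"] = [f'would violate PodSecurity "{level}:latest": {x}' for x in violations]
        else:
            decision["audit_annotations"]["pod-security.kubernetes.io/audit-violations"] = "; ".join(violations)
    return decision


# Constructed sample namespace labels: enforce Baseline now, warn and audit at Restricted to learn what
# a later tightening would break. The *-version label is accepted but ignored by this model.
NAMESPACE_LABELS = {"pod-security.kubernetes.io/enforce": "baseline", "pod-security.kubernetes.io/enforce-version": "latest",
                    "pod-security.kubernetes.io/audit": "restricted", "pod-security.kubernetes.io/warn": "restricted"}
# Constructed sample pods: one that escapes to the host, one unhardened default, one hardened for Restricted.
HOST_PID_POD = {"metadata": {"name": "debug-tools"}, "spec": {"hostPID": True, "containers": [
    {"name": "tools", "image": "busybox", "securityContext": {"privileged": True}}]}}
PLAIN_POD = {"metadata": {"name": "plain"}, "spec": {"containers": [{"name": "app", "image": "nginx"}]}}
HARDENED_POD = {"metadata": {"name": "web"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "nginx", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
    "volumes": [{"name": "cache", "emptyDir": {}}]}}

if __name__ == "__main__":
    for pod in (HOST_PID_POD, PLAIN_POD, HARDENED_POD):
        print(pod["metadata"]["name"], admit(pod, NAMESPACE_LABELS))
```

Run as a script, the hostPID pod is rejected by enforce, the plain pod is admitted but carries four Restricted warnings and an audit annotation, and the hardened pod passes cleanly. The same split is what you would see on a real cluster labeled this way: enforce stops the escalations Baseline covers, while the warnings and audit annotations tell you which workloads still need hardening before the namespace can be moved to enforce: restricted.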