I’ve added the following labels to my namespace:

pod-security.kubernetes.io/enforce=restricted
pod-security.kubernetes.io/warn=restricted
pod-security.kubernetes.io/warn-version=latest

All is fine and dandy, but when I try to apply this privileged pod in that namespace, it allows the create: no warning is thrown and the pods start up. I would have expected a warning and also the pods being blocked from being created, due to the most restrictive enforcement.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
  namespace: gatekeeper-system
  labels:
    product: hello-kubernetes
    team: forward-deployed-engineering
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes 
  template:
    metadata:
      labels:
        app: hello-kubernetes
    spec:
      containers:
      - name: api-server
        image: nginxdemos/hello
        imagePullPolicy: Always
        ports:
        - containerPort: 80
        securityContext:
          allowPrivilegeEscalation: true
          privileged: true
          capabilities:
            add: ["NET_ADMIN"]
        resources:
          requests:
            memory: "8Mi"
            cpu: "32m"
          limits:
            memory: "16Mi"
            cpu: "64m"
      tolerations:
      - key: "kubernetes.azure.com/scalesetpriority"
        value: "spot"
        effect: "NoSchedule"

My question: what am I overlooking for this PSA to work?

I'm running AKS 1.24, and PSA has been available since 1.23 according to: https://learn.microsoft.com/en-us/azure/aks/use-psa

Edit: for some reason it does not work on the namespace I use in the deployment file, but it works as intended in another namespace.

Nopzen
  • I'm not sure, so this is not an answer, but I think PSA only became a 'stable' feature in 1.25. So maybe you have to explicitly enable a beta feature? – Arfur Narf Jul 14 '23 at 12:13
  • It's been enabled in AKS since 1.23. I'm doing migration work to upgrade to 1.25, so I need to ensure my policies work before upgrading to 1.25 :) And I've validated that it actually worked, with dry running labels on the namespace, and that seemed to be working. – Nopzen Jul 14 '23 at 12:15

1 Answer

After research, it turned out that the namespace was in an admission exemption list created by the cloud provider.

It seems that Azure, for their own OPA deployments, made the decision to exempt the gatekeeper-system namespace, and provided this message when trying to add the PSA enforcement labels on a 1.25 cluster:

Warning: namespace "gatekeeper-system" is exempt from Pod Security, and the policy (enforce=restricted:latest) will be ignored

Nopzen
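The check a practitioner wants before trusting a PSA label is the one the answer stumbled on: relabel the namespace with a server-side dry run and look for the "is exempt from Pod Security" warning, then dry-run a privileged pod into the namespace and confirm the API server rejects it with "violates PodSecurity". Exempt namespaces come from the PodSecurity plugin's AdmissionConfiguration (exemptions.namespaces) on the API server; on a managed control plane such as AKS that file is not yours to edit, so the practical consequence is to keep your own workloads out of gatekeeper-system rather than to fix the label. The script below is an added example, not code from the question or answer. It assumes a working kubectl context, that server-side dry runs go through admission (which is why no pod or label change is persisted), and that the sample outputs at the bottom, which are constructed for this example rather than captured from a cluster, match the message formats shown in the answer.

```shell
#!/bin/sh
# Added example (not from the original Q&A): probe whether Pod Security
# Admission will actually act on a namespace, using server-side dry runs so
# nothing is created or relabeled.

# Classify the combined stdout/stderr of
#   kubectl label --dry-run=server --overwrite ns <ns> pod-security.kubernetes.io/enforce=restricted
# "exempt": the API server warns the namespace is on the PodSecurity exemption
# list, so the label is stored but ignored (the situation in the answer).
psa_label_verdict() {
  case "$1" in
    *"is exempt from Pod Security"*) echo exempt ;;
    *labeled*)                        echo enforced ;;
    *)                                echo error ;;
  esac
}

# Classify the combined stdout/stderr of
#   kubectl apply --dry-run=server -n <ns> -f -   (with a privileged pod)
# "blocked" is what a correctly enforced restricted namespace should return.
psa_pod_verdict() {
  case "$1" in
    *"violates PodSecurity"*) echo blocked ;;
    *created*)                echo admitted ;;
    *)                        echo error ;;
  esac
}

# Minimal probe pod: fails the restricted profile on the same three points as
# the deployment in the question (privileged, allowPrivilegeEscalation, NET_ADMIN).
PROBE_POD='apiVersion: v1
kind: Pod
metadata:
  name: psa-probe
spec:
  containers:
  - name: probe
    image: nginxdemos/hello
    securityContext:
      privileged: true
      allowPrivilegeEscalation: true
      capabilities:
        add: ["NET_ADMIN"]'

# Live probe against the current kubectl context (needs cluster access).
probe_namespace() {
  ns=$1
  out=$(kubectl label --dry-run=server --overwrite namespace "$ns" \
          pod-security.kubernetes.io/enforce=restricted 2>&1)
  echo "$ns label check: $(psa_label_verdict "$out")"
  out=$(printf '%s\n' "$PROBE_POD" | kubectl apply --dry-run=server -n "$ns" -f - 2>&1)
  echo "$ns privileged pod: $(psa_pod_verdict "$out")"
}

# Constructed sample outputs (written for this example, not captured from a
# cluster) so the classifiers can be exercised offline.
SAMPLE_EXEMPT='Warning: namespace "gatekeeper-system" is exempt from Pod Security, and the policy (enforce=restricted:latest) will be ignored
namespace/gatekeeper-system labeled (server dry run)'
SAMPLE_ENFORCED='namespace/demo labeled (server dry run)'
SAMPLE_BLOCKED='Error from server (Forbidden): error when creating "STDIN": pods "psa-probe" is forbidden: violates PodSecurity "restricted:latest": privileged (container "probe" must not set securityContext.privileged=true)'
SAMPLE_ADMITTED='pod/psa-probe created (server dry run)'

# Usage: ./psa-probe.sh <namespace>
if [ -n "${1:-}" ] && command -v kubectl >/dev/null 2>&1; then
  probe_namespace "$1"
fi
```

Run it once against the namespace you intend to enforce and once against a scratch namespace: "enforced" plus "blocked" is the healthy pair, while "exempt" plus "admitted" is exactly what the question observed in gatekeeper-system. Because both probes are dry runs, the script is safe to keep in a pre-upgrade checklist.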