The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/admission-policy-engine resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec deploy/deckhouse -c deckhouse -- deckhouse-controller module enable admission-policy-engine

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec deploy/deckhouse -c deckhouse -- deckhouse-controller module disable admission-policy-engine

The module is configured using the ModuleConfig custom resource named admission-policy-engine (learn more about setting up Deckhouse…).

Example of the ModuleConfig/admission-policy-engine resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • denyVulnerableImages
    object

    Trivy provider will deny creation of the Pod/Deployment/StatefulSet/DaemonSet with vulnerable images in namespaces with security.deckhouse.io/trivy-provider: "" label.

    This feature is available in enterprise edition only.

    • denyVulnerableImages.enabled
      boolean

      Enable trivy provider.

      Default: false

    • denyVulnerableImages.registrySecrets
      array of objects

      List of additional registry secrets to use for downloading images from private registries.

      By default, the deckhouse-registry secret is used to download images for scanning.

      Default: []

      • denyVulnerableImages.registrySecrets.name
        string

        Required value

      • denyVulnerableImages.registrySecrets.namespace
        string

        Required value

    • denyVulnerableImages.storageClass
      string

      The name of the StorageClass to use for trivy-provider.

      false — forces the emptyDir usage. Manually delete the old PVC and restart Pod, after setting the parameter.

      Examples:

      storageClass: ceph-ssd

      storageClass: 'false'
  • podSecurityStandards
    object

    Pod Security Standards policy settings (PSS).

    • podSecurityStandards.defaultPolicy
      string

      Sets the default Pod Security Standards policy for all non-system namespaces:

      • Privileged — an unrestricted policy. Privilege escalation is possible with this policy;
      • Baseline — a policy with minimum restrictions that prevents privilege escalation;
      • Restricted — a policy with maximum restrictions that conforms to current best practices for securely running applications in a cluster.

      By default:

      • Baseline — if a Deckhouse version starting with v1.55 is being installed;
      • Privileged — if a Deckhouse version lower than v1.55 is being installed (upgrading Deckhouse in a cluster to v1.55+ does not automatically result in a default policy change).

      Allowed values: Privileged, Baseline, Restricted

    • podSecurityStandards.enforcementAction
      string

      The enforcement action to control what to do with the result of the constraint.

      • Deny — Deny action.
      • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
      • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

      Default: "Deny"

      Allowed values: Warn, Deny, Dryrun

    • podSecurityStandards.policies
      object

      Sets additional policy parameters.

      • podSecurityStandards.policies.hostPorts
        object

        HostPort constraint settings.

        • podSecurityStandards.policies.hostPorts.knownRanges
          array of objects

          Set the range of known ports which will be allowed in a hostPort binding.

          • podSecurityStandards.policies.hostPorts.knownRanges.max
            integer
          • podSecurityStandards.policies.hostPorts.knownRanges.min
            integer