The module has 4 alerts.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/admission-policy-engine resource (create it if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: admission-policy-engine
    spec:
      enabled: true
    
  • by using the deckhouse-controller command (you need kubectl configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable admission-policy-engine
    

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: admission-policy-engine
    spec:
      enabled: false
    
  • by using the deckhouse-controller command (you need kubectl configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable admission-policy-engine
    

The module is configured using the ModuleConfig custom resource named admission-policy-engine (learn more about setting up Deckhouse…).

Example of the ModuleConfig/admission-policy-engine resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • settings
    object
    • settings.denyVulnerableImages
      object

      The Trivy provider denies creation of a Pod/Deployment/StatefulSet/DaemonSet that uses vulnerable images in namespaces carrying the security.deckhouse.io/trivy-provider: "" label.

      This feature is available in enterprise edition only.

      • settings.denyVulnerableImages.enabled
        boolean

        Enables the Trivy provider.

        Default: false

      • settings.denyVulnerableImages.registrySecrets
        array of objects

        List of additional registry secrets to use for downloading images from private registries.

        By default, the deckhouse-registry secret is used to download images for scanning.

        Default: []

        • settings.denyVulnerableImages.registrySecrets.name
          string

          Required value

        • settings.denyVulnerableImages.registrySecrets.namespace
          string

          Required value

      • settings.denyVulnerableImages.storageClass
        string

        The name of the StorageClass to use for trivy-provider.

        false — forces the use of emptyDir. After setting the parameter, manually delete the old PVC and restart the Pod.

        Examples:

        storageClass: ceph-ssd
        
        storageClass: 'false'
        
    • settings.podSecurityStandards
      object

      Pod Security Standards (PSS) policy settings.

      • settings.podSecurityStandards.defaultPolicy
        string

        Sets the default Pod Security Standards policy for all non-system namespaces:

        • Privileged — an unrestricted policy. Privilege escalation is possible with this policy;
        • Baseline — a policy with minimum restrictions that prevents privilege escalation;
        • Restricted — a policy with maximum restrictions that conforms to current best practices for securely running applications in a cluster.

        By default:

        • Baseline — if a Deckhouse version starting with v1.55 is being installed;
        • Privileged — if a Deckhouse version lower than v1.55 is being installed (upgrading Deckhouse in a cluster to v1.55+ does not automatically result in a default policy change).

        Allowed values: Privileged, Baseline, Restricted

      • settings.podSecurityStandards.enforcementAction
        string

        The enforcement action that determines what is done when a constraint is violated.

        • Deny — Deny action.
        • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
        • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

        Default: "Deny"

        Allowed values: Warn, Deny, Dryrun

      • settings.podSecurityStandards.policies
        object

        Sets additional policy parameters.

        • settings.podSecurityStandards.policies.hostPorts
          object

          HostPort constraint settings.

          • settings.podSecurityStandards.policies.hostPorts.knownRanges
            array of objects

            Sets the ranges of known ports that are allowed in a hostPort binding.

            • settings.podSecurityStandards.policies.hostPorts.knownRanges.max
              integer
            • settings.podSecurityStandards.policies.hostPorts.knownRanges.min
              integer
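A complete ModuleConfig that sets every parameter in the schema above, together with a namespace opted in to the Trivy provider, as an added example rather than a resource from the module's own documentation. The StorageClass name comes from the page's example; the port range, secret name, secret namespace and namespace name are constructed values.

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  version: 1
  enabled: true
  settings:
    podSecurityStandards:
      # Restricted is the PSS profile with the most restrictions; Baseline is the
      # default for installs starting with v1.55, Privileged for older ones.
      defaultPolicy: Restricted
      # Warn reports violations (visible in Grafana or via kubectl) without
      # blocking workloads; change to Deny once the reported violations are fixed.
      enforcementAction: Warn
      policies:
        hostPorts:
          # Constructed range: hostPort bindings outside it violate the constraint.
          knownRanges:
            - min: 30000
              max: 32767
    denyVulnerableImages:
      # Enterprise edition only.
      enabled: true
      # Additional secrets for private registries; deckhouse-registry is used by default.
      registrySecrets:
        - name: private-registry-creds   # assumed secret name
          namespace: d8-system           # assumed secret namespace
      # StorageClass for the trivy-provider; set to 'false' to force emptyDir.
      storageClass: ceph-ssd
---
# Only namespaces with this label have their images checked by the Trivy provider.
apiVersion: v1
kind: Namespace
metadata:
  name: payments   # constructed namespace name
  labels:
    security.deckhouse.io/trivy-provider: ""
```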