Available with limitations inCE, BE, SE, SE+

Available without limitations in:  EE

The module has 4 alerts.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/admission-policy-engine resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable admission-policy-engine

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable admission-policy-engine

The module is configured using the ModuleConfig custom resource named admission-policy-engine (learn more about setting up Deckhouse…).

Example of the ModuleConfig/admission-policy-engine resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • settings
    object
    • settings.denyVulnerableImages
      object

      Available in editions: EE

      Trivy provider will deny creation of the Pod/Deployment/StatefulSet/DaemonSet with vulnerable images in namespaces with security.deckhouse.io/trivy-provider: "" label.

      • settings.denyVulnerableImages.enabled
        boolean

        Enable trivy provider.

        Default: false

      • settings.denyVulnerableImages.registrySecrets
        array of objects

        List of additional registry secrets to use for downloading images from private registries.

        By default, the deckhouse-registry secret is used to download images for scanning.

        Default: []

        • settings.denyVulnerableImages.registrySecrets.name
          string

          Required value

        • settings.denyVulnerableImages.registrySecrets.namespace
          string

          Required value

      • settings.denyVulnerableImages.storageClass
        string

        The name of the StorageClass to use for trivy-provider.

        If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.

        The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.

        Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.

        If false is specified, emptyDir will be forced to be used.

        Examples:

        storageClass: ceph-ssd

        storageClass: 'false'
    • settings.podSecurityStandards
      object

      Pod Security Standards policy settings (PSS).

      • settings.podSecurityStandards.defaultPolicy
        string

        Sets the default Pod Security Standards policy for all non-system namespaces:

        • Privileged — an unrestricted policy. Privilege escalation is possible with this policy;
        • Baseline — a policy with minimum restrictions that prevents privilege escalation;
        • Restricted — a policy with maximum restrictions that conforms to current best practices for securely running applications in a cluster.

        By default:

        • Baseline — if a Deckhouse version starting with v1.55 is being installed;
        • Privileged — if a Deckhouse version lower than v1.55 is being installed (upgrading Deckhouse in a cluster to v1.55+ does not automatically result in a default policy change).

        Allowed values: Privileged, Baseline, Restricted

      • settings.podSecurityStandards.enforcementAction
        string

        The enforcement action to control what to do with the result of the constraint.

        • Deny — Deny action.
        • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
        • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

        Default: "Deny"

        Allowed values: Warn, Deny, Dryrun

      • settings.podSecurityStandards.policies
        object

        Sets additional policy parameters.

        • settings.podSecurityStandards.policies.hostPorts
          object

          HostPort constraint settings.

          • settings.podSecurityStandards.policies.hostPorts.knownRanges
            array of objects

            Set the range of known ports which will be allowed in a hostPort binding.

            • settings.podSecurityStandards.policies.hostPorts.knownRanges.max
              integer
            • settings.podSecurityStandards.policies.hostPorts.knownRanges.min
              integer