The module is enabled by default in the following bundles: Default, Managed.
The module is disabled by default in the Minimal bundle.
The module is configured using the ModuleConfig custom resource named admission-policy-engine (learn more about setting up Deckhouse…).
Example of the ModuleConfig/admission-policy-engine resource for configuring the module:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: admission-policy-engine
spec:
version: 1
enabled: true
settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 1
- podSecurityStandardsobject
Pod Security Standards policy settings.
- podSecurityStandards.enforcementActionstring
The enforcement action to control what to do with the result of the constraint.
- Deny — Deny action.
- Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
- Warn — Same as
Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had setDenyinstead ofWarn.
Default:
"Deny"Allowed values:
Warn,Deny,Dryrun - podSecurityStandards.policiesobject
- podSecurityStandards.policies.hostPortsobject
HostPort constraint settings.
- podSecurityStandards.policies.hostPorts.knownRangesarray of objects
Set the range of known ports which will be allowed in a hostPort binding.
- podSecurityStandards.policies.hostPorts.knownRanges.maxinteger
- podSecurityStandards.policies.hostPorts.knownRanges.mininteger
- podSecurityStandards.policies.hostPorts.knownRangesarray of objects
- podSecurityStandards.policies.hostPortsobject
- podSecurityStandards.enforcementActionstring