This module is enabled by default.

To disable it, add the following parameter to the deckhouse ConfigMap:

admissionPolicyEngineEnabled: "false"


  • podSecurityStandardsobject

    Pod Security Standards policy settings.

    • enforcementActionstring

      The enforcement action to control what to do with the result of the constraint.

      • Deny — Deny action.
      • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
      • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

      Default: "Deny"

      Allowed values: Warn, Deny, Dryrun

    • policiesobject
      • hostPortsobject

        HostPort constraint settings.

        • knownRangesarray of objects

          Set the range of known ports which will be allowed in a hostPort binding.

          • maxinteger
          • mininteger