The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Note that the configOverrides parameter of the InitConfiguration resource is used when installing Deckhouse, not ModuleConfig.

Set admissionPolicyEngineEnabled: true or admissionPolicyEngineEnabled: false in the configOverrides parameter to explicitly enable or disable the module when installing Deckhouse.

Use the admissionPolicyEngine section of the configOverrides parameter to configure the module when installing Deckhouse.

Set the spec.enabled module parameter to true or false to explicitly enable or disable the module.

Example of enabling the admission-policy-engine module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  enabled: true

Example of disabling the admission-policy-engine module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  enabled: false

The module is configured using the ModuleConfig custom resource named admission-policy-engine (learn more about setting up Deckhouse…).

Example of the ModuleConfig/admission-policy-engine resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • podSecurityStandards (object)

    Pod Security Standards policy settings.

    • podSecurityStandards.enforcementAction (string)

      The enforcement action to control what to do with the result of the constraint.

      • Deny — Deny action.
      • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
      • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

      Default: "Deny"

      Allowed values: Warn, Deny, Dryrun

    • podSecurityStandards.policies (object)
      • podSecurityStandards.policies.hostPorts (object)

        HostPort constraint settings.

        • podSecurityStandards.policies.hostPorts.knownRanges (array of objects)

          Set the range of known ports which will be allowed in a hostPort binding.

          • podSecurityStandards.policies.hostPorts.knownRanges.max (integer)
          • podSecurityStandards.policies.hostPorts.knownRanges.min (integer)
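
A ModuleConfig with the settings section filled in from the parameters listed above. This is an added example, not taken from the Deckhouse documentation; the port range values are constructed for illustration.

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  version: 1
  enabled: true
  settings:
    podSecurityStandards:
      # Warn does not reject workloads; it reports why a constraint
      # would have denied them. The default is Deny, so this line is
      # only needed while reviewing what the policy would block.
      enforcementAction: Warn
      policies:
        hostPorts:
          # Constructed range (assumption): the known ports that are
          # allowed in a hostPort binding.
          knownRanges:
            - min: 30000
              max: 30100
```

Removing the enforcementAction line, or setting it to Deny, returns the module to its default blocking behaviour.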