Available with limitations in: CE, BE, SE, SE+

Available without limitations in:  EE

The module lifecycle stage: General Availability

The module has 4 alerts.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module

You may explicitly enable or disable the module in one of the following ways:

  • Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the admission-policy-engine module and enable (or disable) the “Module enabled” toggle. Save changes.

    Example: screenshot of the module enable/disable interface.

  • Via Deckhouse CLI (d8).

    Use the d8 system module enable command to enable the module, or d8 system module disable to disable it (this requires Deckhouse CLI (d8) configured to work with the cluster).

    Example of enabling the module:

    d8 system module enable admission-policy-engine
    
  • Using ModuleConfig admission-policy-engine.

    Set spec.enabled to true or false in ModuleConfig admission-policy-engine (create it if necessary).

    Example of a manifest to enable module admission-policy-engine:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: admission-policy-engine
    spec:
      enabled: true
    

How to configure the module

You can configure the module in one of the following ways:

  • Via Deckhouse web UI.

    In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the admission-policy-engine module and enable the “Advanced Settings” switch. Fill in the required fields on the “Configuration” tab, or specify the module parameters in YAML format on the “YAML” tab (the contents of spec.settings, without the enclosing settings key). Save the changes.

    Example: screenshot of the module setup interface.

    You can also edit the ModuleConfig object admission-policy-engine on the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the module admission-policy-engine) by specifying the schema version in the spec.version parameter and the necessary module parameters in the spec.settings section.

  • Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).

    Edit the existing ModuleConfig admission-policy-engine (for more details on configuring Deckhouse, see the documentation) by executing the following command:

    d8 k edit mc admission-policy-engine
    

    Make the necessary changes in the spec.settings section. If necessary, specify the schema version in the spec.version parameter. Save the changes.

    You can also create a manifest file for ModuleConfig admission-policy-engine using the example below. Fill in the spec.settings section with the required module parameters. If necessary, specify the schema version in the spec.version parameter.

    Apply the manifest using the following command (indicate the manifest file name):

    d8 k apply -f <FILENAME>
    

    Example of a manifest for ModuleConfig admission-policy-engine:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: admission-policy-engine
    spec:
      version: 1
      enabled: true
      settings: # Module parameters from the "Parameters" section below.
    
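A complete ModuleConfig with spec.settings filled in, together with the namespace and the registry pull secret that the settings refer to. This is an added example, not a manifest from the Deckhouse documentation: the StorageClass name, the registry secret and its credentials, the namespace name, the port range and the severity list are illustrative values chosen here, and the secret format (a kubernetes.io/dockerconfigjson pull secret, like deckhouse-registry) is an assumption. The denyVulnerableImages block is available in EE only.

```yaml
# Added example (not from the Deckhouse documentation). All names and values
# below are illustrative; see the "Parameters" section for each field.
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: admission-policy-engine
spec:
  version: 1
  enabled: true
  settings:
    podSecurityStandards:
      # Default PSS policy for all non-system namespaces.
      defaultPolicy: Baseline
      # Use Warn during rollout to see what would be blocked, then switch
      # to Deny (the default) once the warnings are clean.
      enforcementAction: Deny
      policies:
        hostPorts:
          # hostPort bindings are allowed only inside these ranges
          # (illustrative range; pick what your nodes actually expose).
          knownRanges:
            - min: 30000
              max: 32767
    denyVulnerableImages:   # EE only
      enabled: true
      # An image is admitted only if every finding is UNKNOWN or LOW;
      # a single MEDIUM, HIGH or CRITICAL finding blocks the workload.
      allowedSeverityLevels:
        - UNKNOWN
        - LOW
      # Extra pull credentials, used in addition to deckhouse-registry
      # (hypothetical secret, defined below).
      registrySecrets:
        - name: registry-example-com
          namespace: d8-system
      # Storage for the Trivy provider; the string 'false' would force emptyDir.
      storageClass: ceph-ssd
---
# Only namespaces carrying this label are checked by the Trivy provider;
# a vulnerable image in an unlabelled namespace is admitted untouched.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    security.deckhouse.io/trivy-provider: ""
---
# The secret referenced from registrySecrets above. Assumed to be a standard
# dockerconfigjson pull secret; "auth" is base64("scanner:REPLACE_ME").
apiVersion: v1
kind: Secret
metadata:
  name: registry-example-com
  namespace: d8-system
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: |
    {"auths":{"registry.example.com":{"auth":"c2Nhbm5lcjpSRVBMQUNFX01F"}}}
```

Apply the file with d8 k apply -f <FILENAME>. Note that the scan gate is opt-in per namespace: without the security.deckhouse.io/trivy-provider label, enabling denyVulnerableImages changes nothing for that namespace.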

Parameters

Schema version: 1

  • settings
    object
    • settings.denyVulnerableImages
      object

      Available in editions: EE

      The Trivy provider denies creation of a Pod/Deployment/StatefulSet/DaemonSet that uses vulnerable images in namespaces carrying the security.deckhouse.io/trivy-provider: "" label.

      • settings.denyVulnerableImages.allowedSeverityLevels
        array of strings

        An image is admitted only if every vulnerability found in it has one of the listed severities; a single vulnerability of a severity not listed causes the image to be denied.

        • Element of the array
          string

          Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

      • settings.denyVulnerableImages.enabled
        boolean

        Enables the Trivy provider.

        Default: false

      • settings.denyVulnerableImages.registrySecrets
        array of objects

        List of additional registry secrets to use for downloading images from private registries.

        By default, the deckhouse-registry secret is used to download images for scanning.

        Default: []

        • settings.denyVulnerableImages.registrySecrets.name
          string

          Required value

        • settings.denyVulnerableImages.registrySecrets.namespace
          string

          Required value

      • settings.denyVulnerableImages.storageClass
        string

        The name of the StorageClass to use for trivy-provider.

        If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.

        The global storageClass parameter is read only when the module is enabled; changing it afterwards, while the module is already enabled, does not trigger disk re-provisioning.

        Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.

        If the string 'false' is specified, emptyDir is forced instead of a PersistentVolume.

        Examples:

        storageClass: ceph-ssd
        
        storageClass: 'false'
        
    • settings.podSecurityStandards
      object

      Pod Security Standards policy settings (PSS).

      • settings.podSecurityStandards.defaultPolicy
        string

        Sets the default Pod Security Standards policy for all non-system namespaces:

        • Privileged — an unrestricted policy. Privilege escalation is possible with this policy;
        • Baseline — a policy with minimum restrictions that prevents privilege escalation;
        • Restricted — a policy with maximum restrictions that conforms to current best practices for securely running applications in a cluster.

        By default:

        • Baseline — if the cluster was installed with Deckhouse v1.55 or later;
        • Privileged — if the cluster was installed with a Deckhouse version lower than v1.55 (upgrading an existing cluster to v1.55+ does not change the default policy automatically).

        Allowed values: Privileged, Baseline, Restricted

      • settings.podSecurityStandards.enforcementAction
        string

        The enforcement action applied to a request that violates a constraint:

        • Deny — the request is rejected.
        • Dryrun — no action is taken; the request is admitted and the violation is only recorded. Used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
        • Warn — same as Dryrun, but the admission response additionally carries a warning explaining why the request would have been denied had Deny been set instead of Warn.

        Default: Deny

        Allowed values: Warn, Deny, Dryrun

      • settings.podSecurityStandards.policies
        object

        Sets additional policy parameters.

        • settings.podSecurityStandards.policies.hostPorts
          object

          HostPort constraint settings.

          • settings.podSecurityStandards.policies.hostPorts.knownRanges
            array of objects

            Sets the ranges of known ports that are allowed in a hostPort binding.

            • settings.podSecurityStandards.policies.hostPorts.knownRanges.max
              integer
            • settings.podSecurityStandards.policies.hostPorts.knownRanges.min
              integer
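Two Pod manifests showing what the policy settings above accept and reject. This is an added example, not from the Deckhouse documentation: the namespace, image names and the knownRanges values (30000-32767) are assumptions, and the individual checks listed follow the upstream Pod Security Standards that the Baseline and Restricted policies implement.

```yaml
# Added example (not from the Deckhouse documentation). Namespace "payments"
# is assumed to fall under defaultPolicy, with enforcementAction: Deny.
#
# 1) Rejected under Baseline (and therefore under Restricted): it requests a
#    privileged container, the host network, and a hostPort (22) that lies
#    outside the assumed knownRanges 30000-32767.
apiVersion: v1
kind: Pod
metadata:
  name: debug-tools
  namespace: payments
spec:
  hostNetwork: true
  containers:
    - name: shell
      image: registry.example.com/tools:1.0
      ports:
        - containerPort: 22
          hostPort: 22
      securityContext:
        privileged: true
---
# 2) Admitted under Restricted: runs as non-root, forbids privilege
#    escalation, drops all capabilities and uses the RuntimeDefault seccomp
#    profile; no host namespaces and no hostPort at all.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: registry.example.com/payments-api:2.3.1
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

With enforcementAction set to Warn instead of Deny, the first Pod is still created, but d8 k apply prints the constraint violations as warnings, which is the quickest way to find workloads that will break before switching to Deny.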