Pod Security Standards
Since Pod Security Policies are deprecated as of Kubernetes v1.21 and will be removed in v1.25, Kubernetes offers Pod Security Standards (PSS), a new way to enhance cluster security.
To enable PSS in k0s you need to create an admission controller config file:
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    # Defaults applied when a mode label is not set.
    defaults:
      enforce: "privileged"
      enforce-version: "latest"
    exemptions:
      # Don't forget to exempt namespaces or users that are responsible for deploying
      # cluster components, because they need to run privileged containers
      usernames: ["admin"]
      namespaces: ["kube-system"]
```
Add these extra arguments to the k0s configuration:
```yaml
apiVersion: k0s.k0sproject.io/v1beta1
kind: ClusterConfig
spec:
  api:
    extraArgs:
      disable-admission-plugins: PodSecurityPolicy # if you want to disable PodSecurityPolicy admission controller, not required
      enable-admission-plugins: PodSecurity # only for Kubernetes 1.22, since 1.23 it's enabled by default
      feature-gates: "PodSecurity=true" # only for Kubernetes 1.22, since 1.23 it's enabled by default
      admission-control-config-file: /path/to/admission/control/config.yaml
```
And finally, install k0s with the PodSecurityPolicy component disabled.
```shell
$ k0s install controller --disable-components=default-psp
```
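With `enforce: "privileged"` as the default, namespaces without a mode label are not restricted at all. The following is an added example, not part of the k0s documentation: a stricter variant of the admission config above, plus a namespace that overrides the default through labels. The choice of levels and the namespace name `payments` are assumptions made for illustration.

```yaml
# File 1: the admission control config referenced by admission-control-config-file.
# Constructed variant of the config above: unlabeled namespaces are held to
# "baseline", while "restricted" violations are reported but not blocked.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "baseline"          # reject pods that violate the baseline profile
      enforce-version: "latest"
      audit: "restricted"          # annotate audit events for restricted violations
      audit-version: "latest"
      warn: "restricted"           # return a client warning for restricted violations
      warn-version: "latest"
    exemptions:
      # Same exemptions as on the page: cluster components need privileged pods.
      usernames: ["admin"]
      namespaces: ["kube-system"]
---
# File 2: a Namespace manifest applied to the cluster (hypothetical name).
# A mode label set on the namespace is used instead of the default for that mode.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
```

The two YAML documents belong in separate places: the first is read by the API server at startup, the second is a regular cluster object.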