Pod Security Standards

Since Pod Security Policies have been removed in Kubernetes v1.25, Kubernetes offers Pod Security Standards – a new way to enhance cluster security.

To enable PSS in k0s you need to create an admission controller config file:

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    # Defaults applied when a mode label is not set.
    defaults:
      enforce: "privileged"
      enforce-version: "latest"
    exemptions:
      # Don't forget to exempt namespaces or users that are responsible for deploying
      # cluster components, because they need to run privileged containers
      usernames: ["admin"]
      namespaces: ["kube-system"]
```

Add these extra arguments to the k0s configuration:

```yaml
apiVersion: k0s.k0sproject.io/v1beta1
kind: ClusterConfig
spec:
  api:
    extraArgs:
      admission-control-config-file: /path/to/admission/control/config.yaml
```
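
The defaults above set `enforce: "privileged"`, the unrestricted level, so a namespace only gets a tighter policy when it carries its own mode labels. The manifests below are an added example, not part of the k0s documentation: a namespace that opts in to the `restricted` level, and a pod that passes admission there. The names `team-a` and `app`, the image reference and the user ID are hypothetical.

```yaml
# Added example: namespace and pod names, image and UID are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    # Overrides the cluster-wide "privileged" default for this namespace only.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Also record violations as audit annotations and return them as client warnings.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: team-a
spec:
  securityContext:
    # The restricted level requires non-root execution and a seccomp profile.
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.example.com/app:1.0  # placeholder image
    securityContext:
      # The restricted level also requires these per-container settings.
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

A pod created in `team-a` without these `securityContext` fields is rejected at admission, while namespaces without labels keep the `privileged` default from the configuration file.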