
Set a standard Pod Admission Policy for Helm-based EE namespaces

Proposers

  • Gabriel Cuba (Whitestack)
  • Gianpietro Lavado (Whitestack)

Description

When using Helm-based Execution Environments (EEs), the Helm chart can create pods without any restriction on the capabilities they request. For instance, pods can request hostPath volumes, privilege escalation, etc.

This feature proposes using the built-in Pod Security Admission controller of Kubernetes to enforce the Baseline standard policy and prevent the creation of pods with risky capabilities.

Demo or definition of done

The creation of any NS with a Helm-based EE that doesn't comply with the Baseline policy will fail.
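
The manifests below are an added illustration, not part of the proposal or of the project's code: the namespace labels that turn on Baseline enforcement in Pod Security Admission, followed by a pod that the admission controller denies in that namespace. The namespace name, pod name, image and host path are assumed placeholders.

```yaml
# Added example; names, image and path are assumed placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: ee-example            # assumed name for a Helm-based EE namespace
  labels:
    # Reject pods that violate the Baseline Pod Security Standard.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    # Also report violations as client warnings and audit annotations.
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/audit: baseline
---
# A pod like this is denied at admission in the namespace above.
apiVersion: v1
kind: Pod
metadata:
  name: ee-noncompliant       # assumed name
  namespace: ee-example
spec:
  containers:
    - name: ee
      image: registry.example/ee:placeholder   # placeholder image
      securityContext:
        privileged: true      # Baseline violation: privileged container
      volumeMounts:
        - name: host-logs
          mountPath: /host-logs
  volumes:
    - name: host-logs
      hostPath:               # Baseline violation: hostPath volume
        path: /var/log
```

Enforce mode is evaluated on Pod objects only: a chart that ships a Deployment or Job is accepted with a warning, and it is the controller's later pod creation that is rejected. A check of the definition of done therefore needs to look at whether the pods were created, not only at whether the Helm release installed.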