Migrating from PSP to PSA


I’ve added the following labels to my namespace:

pod-security.kubernetes.io/enforce=restricted
pod-security.kubernetes.io/warn=restricted
pod-security.kubernetes.io/warn-version=latest

All is fine and dandy, but when I try to apply this privileged Pod in that namespace, it allows the create, no warning is thrown and the pods also start up. I would have expected a warning and also the pods being blocked from being created due to the most restrictive enforcement.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
  namespace: gatekeeper-system
  labels:
    product: hello-kubernetes
    team: forward-deployed-engineering
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes 
  template:
    metadata:
      labels:
        app: hello-kubernetes
    spec:
      containers:
      - name: api-server
        image: nginxdemos/hello
        imagePullPolicy: Always
        ports:
        - containerPort: 80
        securityContext:
          allowPrivilegeEscalation: true
          privileged: true
          capabilities:
            add: ["NET_ADMIN"]
        resources:
          requests:
            memory: "8Mi"
            cpu: "32m"
          limits:
            memory: "16Mi"
            cpu: "64m"
      tolerations:
      - key: "kubernetes.azure.com/scalesetpriority"
        value: "spot"
        effect: "NoSchedule"

My question: what am I overlooking for this PSA to work?

I'm running AKS 1.24, and PSA has been available since 1.23 according to: https://learn.microsoft.com/en-us/azure/aks/use-psa

Edit: for some reason it does not work on the namespace I use in the deployment file, but it works as intended in another namespace.

Answer by Nopzen:

After research it was figured out that the namespace was in an admission exemption list, created by the cloud provider.

It seems like Azure, for their own OPA deployments, have made the decision to exempt the gatekeeper-system namespace; this message was provided when trying to add the PSA enforcements on a 1.25 cluster.

Warning: namespace "gatekeeper-system" is exempt from Pod Security, and the policy (enforce=restricted:latest) will be ignored
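As an added example (not from the question or the answer), here is a small offline model of the decision path discussed above: the restricted-profile checks the Deployment's securityContext would fail, and the namespace exemption that makes the API server skip them entirely. The exemption list and the dict form of the manifest are constructed, and only three of the restricted profile's checks are modelled.

```python
# Added example, not from the question or answer: an offline model of the
# PodSecurity admission decision for the page's Deployment. It covers three
# 'restricted' checks (privileged, allowPrivilegeEscalation, capabilities)
# plus the namespace exemption the answer found (EXEMPT_NAMESPACES is constructed).
NS_LABELS = {  # the labels from the question
    "pod-security.kubernetes.io/enforce": "restricted",
    "pod-security.kubernetes.io/warn": "restricted",
    "pod-security.kubernetes.io/warn-version": "latest",
}
POD_SPEC = {  # the api-server container's securityContext, as a plain dict
    "containers": [{
        "name": "api-server",
        "securityContext": {
            "allowPrivilegeEscalation": True,
            "privileged": True,
            "capabilities": {"add": ["NET_ADMIN"]},
        },
    }],
}
EXEMPT_NAMESPACES = ["kube-system", "gatekeeper-system"]  # constructed stand-in


def restricted_violations(pod_spec):
    """List restricted-profile violations per container (subset of checks)."""
    found = []
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged") is True:
            found.append(f"{c['name']}: privileged=true is forbidden")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{c['name']}: allowPrivilegeEscalation must be false")
        if "ALL" not in caps.get("drop", []):
            found.append(f"{c['name']}: capabilities must drop ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            found.append(f"{c['name']}: may not add {sorted(extra)}")
    return found

def admit(namespace, ns_labels, pod_spec, exempt_namespaces):
    """Exempt namespaces skip every check; otherwise enforce=restricted
    rejects a pod with any violation. Returns the admission outcome."""
    level = ns_labels.get("pod-security.kubernetes.io/enforce", "privileged")
    if namespace in exempt_namespaces:
        warn = (f'namespace "{namespace}" is exempt from Pod Security, and the '
                f'policy (enforce={level}:latest) will be ignored')
        return {"allowed": True, "exempt": True, "violations": [], "warning": warn}
    violations = restricted_violations(pod_spec) if level == "restricted" else []
    return {"allowed": not violations, "exempt": False,
            "violations": violations, "warning": ""}
```

Running `admit("gatekeeper-system", ...)` reproduces the answer's outcome (allowed, with the exemption warning), while the same pod in a non-exempt namespace is rejected with four violations.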