
FAQs: Pod Security Standards and Pod Security Admission in Amazon EKS Pods


I have some questions about Pod Security Standards and Pod Security Admission in Amazon Elastic Kubernetes Service (Amazon EKS) Pods.

Q: How do I turn on or turn off Pod Security Standards and Pod Security Admission for my Amazon EKS cluster?

By default, Kubernetes versions 1.23 and later activate all Pod Security Admission modes for the Privileged Pod Security Standards profile at the cluster level. With that default, Pod Security Admission allows deployments or Pods that match the Privileged Pod Security Standards profile across all namespaces.

Q: How do I apply specific Pod Security Admission modes and Pod Security Standards profiles at the Kubernetes namespace level?

To apply specific Pod Security Admission modes and Pod Security Standards profiles at the Kubernetes namespace level, configure the namespace labels.

For example, run the following command to apply the enforce mode for Baseline Pod Security Standards to a single namespace:

kubectl label --overwrite ns test-namespace pod-security.kubernetes.io/enforce=baseline

Or, run the following command to apply the enforce mode for Baseline Pod Security Standards to all available namespaces:

kubectl label --overwrite ns --all pod-security.kubernetes.io/enforce=baseline

Note: Replace test-namespace with the name of your namespace, enforce with your Pod Security Admission mode, and baseline with your Pod Security Standards policy profile. For more information, see Pod Security Admission labels for namespaces and Pod Security Standards on the Kubernetes website.

Q: When I modify my namespace to use a more restrictive Pod Security Standards profile, does it affect the function of existing Pods in the namespace?

No. If you modify a namespace with existing Pods to use the audit or warn modes, you get a message on your terminal. You can also see the message in the status.message section of the Pod YAML output. If you modify the namespace to use the enforce mode, then Kubernetes doesn't delete the existing Pods in the namespace. However, you receive a message that's similar to the following example:

"Warning: existing pods in namespace "policy-test" violate the new PodSecurity enforce level "restricted:latest"

"Warning: test-688f68dc87-htm8x: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile"

namespace/policy-test configured

Example enforce mode message in the Pod YAML output:

lastTransitionTime: "2022-11-24T05:10:49Z"
lastUpdateTime: "2022-11-24T05:10:49Z"
message: 'pods "test-67d5fc995b-8r9t2" is forbidden: violates PodSecurity "baseline:latest": privileged (container "assets" must not set securityContext.privileged=true)'
reason: FailedCreate
status: "True"
type: ReplicaFailure

If a Pod doesn't adhere to the namespace's Pod Security Standards profile policy or Pod Security Admission mode, then update its deployment manifest.

Q: How do I customize the Pod security policy that the Pod Security Admission controller applies at my namespace level?

You can't directly customize the applied Pod security policy through the Pod Security Admission controller. Instead, use validating admission policies to implement and enforce your custom rules, or use Webhook admission control with external code.

Q: Can I apply multiple Pod Security Admission modes and Pod Security Standards profiles to a single Kubernetes namespace?

No. However, you can use labels to configure multiple Pod Security Standards checks on any namespace.

For example, the following command applies the enforce mode to Baseline Pod Security Standards, and the warn and audit modes to Restricted Pod Security Standards according to the latest version:

kubectl label --overwrite ns test \
  pod-security.kubernetes.io/enforce=baseline \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/warn=restricted \
  pod-security.kubernetes.io/warn-version=latest \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/audit-version=latest
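As an added example (not code from this AWS page, from Amazon EKS or from Kubernetes), the following Python models what the admission controller does with the namespace labels set by the command above and with the controls named in the warning messages two answers earlier: it reads the enforce, warn and audit labels, checks a Pod spec against a subset of the Baseline and Restricted controls, and reports the violations per mode. The label set and the two Pod specs are constructed sample input; only a non-empty enforce result would reject the Pod.

```python
PREFIX = "pod-security.kubernetes.io/"

# Constructed sample: the label set that the kubectl command above puts on a namespace.
NS_LABELS = {PREFIX + "enforce": "baseline", PREFIX + "enforce-version": "latest",
             PREFIX + "warn": "restricted", PREFIX + "warn-version": "latest",
             PREFIX + "audit": "restricted", PREFIX + "audit-version": "latest"}
# Constructed sample Pods: one privileged, one hardened to the Restricted profile.
PRIVILEGED_POD = {"spec": {"containers": [{"name": "assets", "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "assets", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}

def baseline_violations(pod):
    """Baseline control checked here: no privileged containers."""
    out = []
    for c in pod["spec"].get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            out.append(f'privileged (container "{c["name"]}" must not set securityContext.privileged=true)')
    return out

def restricted_violations(pod):
    """Restricted adds the controls named in the page's warning message (subset)."""
    out = baseline_violations(pod)
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"].get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append("allowPrivilegeEscalation != false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append("unrestricted capabilities")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            out.append("runAsNonRoot != true")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append("seccompProfile")
    return list(dict.fromkeys(out))  # one entry per failed check, in check order

PROFILES = {"privileged": lambda pod: [],
            "baseline": baseline_violations, "restricted": restricted_violations}

def evaluate(ns_labels, pod):
    """Per labelled mode: (profile, version, violations). Only a non-empty enforce
    list rejects the Pod; warn and audit violations are reported, never blocking."""
    result = {}
    for mode in ("enforce", "warn", "audit"):
        profile = ns_labels.get(PREFIX + mode)
        if profile is not None:
            result[mode] = (profile, ns_labels.get(PREFIX + mode + "-version", "latest"), PROFILES[profile](pod))
    return result
```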

Q: Can I apply the Pod Security Admission modes and Pod Security Standards profiles at the cluster level for my managed Kubernetes cluster?

No. For managed clusters, you can apply Pod Security Admission modes and Pod Security Standards profiles only at the namespace level.

Q: Can I use the Pod Security Admission webhook with my Amazon EKS cluster?

Yes. You can install the Pod Security Admission webhook in your Amazon EKS cluster. For more information, see pod-security-admission webhook on the GitHub website.

Q: Why should I use the Pod Security Admission webhook in my Amazon EKS cluster?

With the Pod Security Admission webhook, you can apply the same Pod Security Admission modes and Pod Security Standards profiles across all Kubernetes namespaces. You can also exempt namespaces. Without the Pod Security Admission webhook, you must apply changes at the individual namespace level.

AWS OFFICIAL. Updated 2 months ago.