First, I would look into this blog post that explains how PSA/PSS is used on Amazon EKS. It is based on testing we did and published in this GitHub repository. As far as customizing PSA settings, that should be done via namespace levels. As a general rule, Amazon EKS does not permit customizations at the API server level:
"In order to ensure operational stability and maintain our SLA, Amazon EKS does not allow custom configuration of API server settings. Amazon EKS will evaluate requests for custom configurations on a case by case basis, and may allow a setting to be configured if there is enough customer demand. As an example, the Amazon EKS API supports OIDC user authentication, which is then passed as API server flags when a cluster is started."
At this time, you cannot customize the API settings for PSA on Amazon EKS. The default settings come from cluster creation, and you can opt in to different PSS profiles and PSA modes via namespace labels. However, customization of PSA, such as exemptions, can be had, without needing to customize API server settings, using Policy-as-Code (PaC) solutions. In particular, Kyverno 1.8 offers new functionality to customize your PSA/PSS settings, with their new rule type validate.podSecurity:
- Cluster-wide pod security defaults do not require updating the static configuration file
- Namespace level pod security application does not require labels
- Pod security checks are automatically applied to pod controllers (e.g. deployments)
- Granular exemptions can be configured at a container image level
- Violations are reported in an in-cluster report
- Static validation and testing can be performed via the Kyverno CLI without requiring a cluster
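As an added illustration of the points in the answer above (this is example policy, not code from the answer, the AWS blog post or the Kyverno project), a Kyverno ClusterPolicy that applies the restricted PSS profile to one namespace without PSA labels and exempts a single image from a single control; the namespace name and image path are placeholders.

```yaml
# Added example: Kyverno validate.podSecurity rule (Kyverno 1.8+).
# "payments" and "registry.example.com/..." are placeholder values.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pss-restricted-payments
spec:
  # enforce: reject non-compliant pods at admission.
  # audit: admit, but record violations in the in-cluster PolicyReport.
  validationFailureAction: enforce
  # Also evaluate already-running resources and report on them.
  background: true
  rules:
    - name: restricted-with-image-exemption
      match:
        any:
          - resources:
              kinds:
                - Pod          # Kyverno autogen extends this to Deployments,
                               # StatefulSets, Jobs and other pod controllers
              namespaces:
                - payments     # namespace scoping with no PSA labels needed
      validate:
        podSecurity:
          level: restricted    # PSS profile: privileged | baseline | restricted
          version: latest
          exclude:
            # Exempt one image from one control only; every other
            # restricted-profile check still applies to that container.
            - controlName: Capabilities
              images:
                - registry.example.com/payments/netprobe:*
```

The same policy can be evaluated offline with `kyverno apply <policy.yaml> --resource <pod.yaml>` before it is ever installed in a cluster.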