Security hardening

Admission Controller strives to be secure with little configuration. In this section and its subpages, you can find hardening tips (with their trade-offs) to secure Admission Controller itself.

Please refer to the threat model for more information.

`kubewarden-defaults` Helm chart

Operators can obtain a secure deployment by installing all the Kubewarden Helm charts. It’s recommended to install the kubewarden-defaults Helm chart and enable its recommended policies with:

helm install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults \
  --set recommendedPolicies.enabled=True \
  --set recommendedPolicies.defaultPolicyMode=protect

This provides a default PolicyServer and default policies, in protect mode, to ensure the Admission Controller stack is safe from other workloads.

Verifying Admission Controller artifacts

Refer to the Verifying Admission Controller tutorial.

RBAC

Admission Controller describes RBAC configurations in different Explanations sections. Users can fine-tune the needed permissions for the Audit Scanner feature, as well as per Policy Server Service Account for the context-aware feature.

To view all Roles:

kubectl get clusterroles,roles -A | grep kubewarden

Per-policy permissions

For context-aware policies, operators specify fine-grained permissions per policy under its spec.contextAwareResources, and those work in conjunction with the Service Account configured for the Policy Server where the policy runs.

Workload coverage

By default, Admission Controller excludes specific Namespaces from Admission Controller coverage. This is done to simplify first-time use and interoperability with other workloads.

Security-conscious operators can tune these Namespaces list via the .global.skipNamespaces value for both the kubewarden-controller and kubewarden-defaults Helm charts.

Pod Security Admission

From 1.23, Admission Controller’s stack is able to run in a Namespace where the restricted` Pod Security Standards are in place, with current Pod hardening best practices.

To do that, you need to add the pod-security.kubernetes.io/enforce: restricted label to the Admission Controller deployment Namespace.

kubectl label namespace kubewarden pod-security.kubernetes.io/enforce=restricted --overwrite

See the official documentation of Kubernetes' Pod Security Admission for more details.

SecurityContexts

The kubewarden-controller Helm chart configures the SecurityContexts and exposes them in its values.yaml.

The kubewarden-defaults Helm chart allows for configuring the default Policy Server .spec.securityContexts under .Values.policyServer.securityContexts.

For Policy Servers managed by operators, you can configure them via their spec.securityContexts.