
This is unreleased documentation for Policy Manager 1.29-next.

Security hardening

SUSE® Admission Policy Manager strives to be secure with little configuration. In this section and its subpages, you can find hardening tips (with their trade-offs) to secure SUSE® Admission Policy Manager itself.

Please refer to the threat model for more information.

kubewarden-defaults Helm chart

Operators can obtain a secure deployment by installing all the Kubewarden Helm charts. It’s recommended to install the kubewarden-defaults Helm chart and enable its recommended policies with:

helm install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults \
  --set recommendedPolicies.enabled=True \
  --set recommendedPolicies.defaultPolicyMode=protect

This provides a default PolicyServer and default policies, in protect mode, to ensure the SUSE® Admission Policy Manager stack is safe from other workloads.

Verifying SUSE® Admission Policy Manager artifacts

RBAC

SUSE® Admission Policy Manager describes its RBAC configuration in the different Explanations sections. Users can fine-tune the permissions needed by the Audit Scanner feature, as well as the permissions of each Policy Server's Service Account, which the context-aware feature relies on.

To view all Roles:

kubectl get clusterroles,roles -A | grep kubewarden

Per-policy permissions

For context-aware policies, operators declare fine-grained permissions per policy under its spec.contextAwareResources. These work in conjunction with the Service Account configured for the Policy Server where the policy runs: the policy can only read what both its spec.contextAwareResources and that Service Account's RBAC allow.
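The following manifests are an added example, not part of the original page or of the project's own documentation, showing how the two layers fit together for a policy that needs read access to Namespaces: a dedicated Service Account for the Policy Server, a read-only ClusterRole bound to it, the PolicyServer that uses it, and a ClusterAdmissionPolicy that declares the matching spec.contextAwareResources. The names (policy-server-ctx, ctx-aware-reader, the policy-server-ctx PolicyServer) and the module URI are placeholders; the read-only verb set is an assumption about what the policy needs.

```yaml
# Added example (constructed): least-privilege setup for one context-aware policy.
# 1. A Service Account dedicated to the Policy Server that hosts context-aware policies.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: policy-server-ctx          # placeholder name
  namespace: kubewarden
---
# 2. Read-only access to exactly the resource kind the policy declares below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ctx-aware-reader           # placeholder name
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]  # assumption: read-only verbs; no create/update/delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ctx-aware-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ctx-aware-reader
subjects:
  - kind: ServiceAccount
    name: policy-server-ctx
    namespace: kubewarden
---
# 3. A separate Policy Server bound to that Service Account, so policies on the
#    default Policy Server do not inherit the extra read permissions.
apiVersion: policies.kubewarden.io/v1
kind: PolicyServer
metadata:
  name: policy-server-ctx          # placeholder name
spec:
  image: ghcr.io/kubewarden/policy-server:vX.Y.Z   # placeholder tag
  replicas: 1
  serviceAccountName: policy-server-ctx
---
# 4. The policy itself: it may only read the kinds listed under contextAwareResources,
#    and only if the Policy Server's Service Account is also allowed to.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: example-context-aware-policy   # placeholder name
spec:
  module: registry://REGISTRY/ORG/example-policy:vX.Y.Z   # placeholder module URI
  policyServer: policy-server-ctx
  mode: protect
  mutating: false
  contextAwareResources:
    - apiVersion: v1
      kind: Namespace
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE"]
```

Keeping the ClusterRole's resources list identical to the policy's contextAwareResources, and restricting it to read verbs, is the check worth repeating whenever a new context-aware policy is added: a broader ClusterRole silently widens what every policy on that Policy Server can observe.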

Workload coverage

By default, SUSE® Admission Policy Manager excludes specific Namespaces from its coverage. This is done to simplify first-time use and interoperability with other workloads.

Security-conscious operators can tune this list of Namespaces via the .global.skipNamespaces value of both the kubewarden-controller and kubewarden-defaults Helm charts.

Pod Security Admission

From 1.23, SUSE® Admission Policy Manager’s stack is able to run in a Namespace where the restricted Pod Security Standard is in place, following current Pod hardening best practices.

To enforce it, add the pod-security.kubernetes.io/enforce: restricted label to the Namespace where SUSE® Admission Policy Manager is deployed:

kubectl label namespace kubewarden pod-security.kubernetes.io/enforce=restricted --overwrite

See the official documentation of Kubernetes' Pod Security Admission for more details.

SecurityContexts

The kubewarden-controller Helm chart configures the SecurityContexts and exposes them in its values.yaml.

The kubewarden-defaults Helm chart allows for configuring the default Policy Server .spec.securityContexts under .Values.policyServer.securityContexts.

Policy Servers that operators manage themselves are configured via their own spec.securityContexts.