mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00
# Workflow - Implementing Pod Security Admission

## Phase 1: Assessment

1. List all namespaces and their current security posture
2. Run dry-run against restricted profile for each namespace
3. Document violations and required exemptions

## Phase 2: Apply Audit Mode

```bash
# Label each target namespace so that pods violating the restricted
# profile are recorded in the audit log (audit) and reported back to
# the user at request time (warn), without being rejected yet.
for ns in production staging; do
  kubectl label namespace "$ns" \
    pod-security.kubernetes.io/audit=restricted \
    pod-security.kubernetes.io/warn=restricted
done
```

## Phase 3: Fix Violations

1. Update Deployments/StatefulSets with compliant security contexts
2. Add seccomp profiles
3. Switch containers to non-root
4. Drop ALL capabilities

## Phase 4: Enable Enforcement

```bash
# Enforce the restricted profile in production: pods that violate it
# are rejected at admission. Pinning enforce-version ties the check to
# the v1.28 definition of the profile so it does not shift on upgrade.
kubectl label namespace production \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=v1.28
```

## Phase 5: Set Cluster Defaults

1. Create AdmissionConfiguration with baseline defaults
2. Apply to kube-apiserver
3. Exempt system namespaces

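As an added example (not part of the original workflow), the cluster-wide defaults Phase 5 describes, assuming `kube-system` is the only namespace to exempt and that the file is handed to the API server via `--admission-control-config-file`:

```yaml
# Added example: cluster-wide Pod Security Admission defaults.
# Pass this file to kube-apiserver with --admission-control-config-file.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    # Defaults apply to any namespace that carries no
    # pod-security.kubernetes.io/* labels of its own.
    defaults:
      enforce: "baseline"        # reject only clearly privileged pods
      enforce-version: "v1.28"   # pin the profile definition (matches Phase 4)
      audit: "restricted"        # log everything restricted would reject
      audit-version: "v1.28"
      warn: "restricted"         # surface the same findings to kubectl users
      warn-version: "v1.28"
    exemptions:
      usernames: []
      runtimeClasses: []
      # Exempt namespaces skip every mode (enforce, audit and warn),
      # so keep this list minimal and revisit it in Phase 6.
      namespaces: ["kube-system"]   # assumed exemption list
```

Namespace labels set in Phases 2 and 4 override these defaults for that namespace only.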
## Phase 6: Monitor

1. Watch for FailedCreate events
2. Review audit logs weekly
3. Update exemptions as needed