SAP-archive / karydia

Kubernetes Security Walnut

Default Karydia Config #71

Closed CodeClinch closed 5 years ago

CodeClinch commented 5 years ago

The karydia default security policy provides configurations which should be used if a user hasn't specified settings for a namespace or a pod. With this mechanism, karydia provides a configurable "secure by default".

The karydia webhook and controller are responsible for implementing the default behavior. If either one is triggered, it should check whether an annotation (e.g. for seccomp, network policy, ...) is available. If it is missing, the default should be applied.

Configuration

ionysos commented 5 years ago

We discussed this and decided to establish a new custom resource instead of re-using the karydia default security policy, because we want to set a cluster-wide default configuration which gets considered if no other specific annotation (e.g. at a namespace) is found, and so that's a slightly different approach, independent from service accounts. The new custom resource is just called 'KarydiaConfig'.
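The precedence described in this thread (an explicit pod annotation wins, then a namespace annotation, then the cluster-wide KarydiaConfig default) is what a mutating admission webhook has to resolve before it emits a JSON Patch. The following Go program is an added example written for this page, not karydia's own webhook code: the `KarydiaConfig` struct fields and the `example.io/...` annotation keys are assumptions chosen for illustration and do not match karydia's real CRD schema or annotation names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// KarydiaConfig models the cluster-wide default resource discussed in the
// issue. Field names are assumptions for this example, not karydia's schema.
type KarydiaConfig struct {
	SeccompProfile               string // e.g. "runtime/default"
	AutomountServiceAccountToken string // "true" or "false"
}

// Annotation keys used by this example (placeholders, not karydia's real keys).
const (
	seccompKey   = "example.io/seccompProfile"
	automountKey = "example.io/automountServiceAccountToken"
)

// patchOp is one RFC 6902 JSON Patch operation, the format a mutating
// admission webhook returns in AdmissionResponse.Patch.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// escapeJSONPointer escapes "~" and "/" in a JSON Pointer token (RFC 6901);
// annotation keys almost always contain "/" so this cannot be skipped.
func escapeJSONPointer(s string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(s)
}

// resolveDefaults returns only the patch operations needed to fill in
// annotations the pod does not set itself. Precedence: pod annotation >
// namespace annotation > KarydiaConfig default. A default that is empty in
// the config is treated as "no opinion" and produces no patch.
func resolveDefaults(podAnn, nsAnn map[string]string, cfg KarydiaConfig) []patchOp {
	defaults := map[string]string{
		seccompKey:   cfg.SeccompProfile,
		automountKey: cfg.AutomountServiceAccountToken,
	}
	var ops []patchOp
	// A pod with no annotations at all has no /metadata/annotations object,
	// so the first "add" must create it or later pointer paths fail to apply.
	if podAnn == nil {
		ops = append(ops, patchOp{Op: "add", Path: "/metadata/annotations", Value: map[string]string{}})
	}
	// Iterate in a fixed order so the resulting patch is deterministic.
	for _, key := range []string{seccompKey, automountKey} {
		if _, set := podAnn[key]; set {
			continue // explicit pod setting wins, even if it is weaker
		}
		value := defaults[key]
		if v, set := nsAnn[key]; set {
			value = v // namespace-level annotation overrides the cluster default
		}
		if value == "" {
			continue
		}
		ops = append(ops, patchOp{
			Op:    "add",
			Path:  "/metadata/annotations/" + escapeJSONPointer(key),
			Value: value,
		})
	}
	return ops
}

// patchJSON serialises the operations as the webhook would place them in
// AdmissionResponse.Patch (with PatchType "JSONPatch").
func patchJSON(ops []patchOp) (string, error) {
	b, err := json.Marshal(ops)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	cfg := KarydiaConfig{SeccompProfile: "runtime/default", AutomountServiceAccountToken: "false"}
	// Constructed sample: a pod with no annotations in a namespace that only
	// overrides the automount setting.
	ops := resolveDefaults(nil, map[string]string{automountKey: "true"}, cfg)
	out, err := patchJSON(ops)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The check on `podAnn == nil` is the edge case that bites real webhooks: a JSON Patch `add` under `/metadata/annotations/...` is rejected by the API server when the annotations map does not exist yet, so the first operation creates it.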