kubewarden / helm-charts

Helm charts for the Kubewarden project
Apache License 2.0

Check NeuVector documentation for which PSPs are installed when the user enables the "best practices PSPs" feature in their product. #69

Closed jvanz closed 2 years ago

jvanz commented 2 years ago

We are adding a new Helm chart to install a default Policy Server, see more in #52. We could take this opportunity to install some default policies in the cluster as well. Thus, let's look in the NeuVector documentation to see which PSPs they install in the customer cluster when the users enable the "best practices PSPs" feature. Once we have this information, let's decide if we should add these policies in the chart or not.

jvanz commented 2 years ago

As far as I can see, the "PSP Best Practice" feature is a deny rule which applies the following rules:

jvanz commented 2 years ago

I believe we can have the same "PSP Best Practice" behavior using policies available in our Hub:

https://github.com/kubewarden/allow-privilege-escalation-psp-policy
https://github.com/kubewarden/host-namespaces-psp-policy
https://github.com/kubewarden/pod-privileged-policy
https://github.com/kubewarden/user-group-psp-policy

In other words, it should not be difficult to add these policies in the kubewarden-defaults chart. It's a matter of deciding if we should do that or not. I think we should. It's a good thing to have without much work.

What do you think @kubewarden/kubewarden-developers ?

jvanz commented 2 years ago

I've updated the PR https://github.com/kubewarden/helm-charts/pull/65, adding some policies to perform security checks as the "PSP Best Practice" feature does.