Closed jvanz closed 2 years ago
As far as I can see, the "PSP Best Practice" feature is a deny rule which applies the following rules:
I believe we can have the same "PSP Best Practice" behavior using policies available in our Hub:
- https://github.com/kubewarden/allow-privilege-escalation-psp-policy
- https://github.com/kubewarden/host-namespaces-psp-policy
- https://github.com/kubewarden/pod-privileged-policy
- https://github.com/kubewarden/user-group-psp-policy
In other words, it should not be difficult to add these policies to the kubewarden-defaults chart. It's a matter of deciding whether we should do that or not. I think we should. It's a good thing to have without much work.
What do you think, @kubewarden/kubewarden-developers?
I've updated the PR https://github.com/kubewarden/helm-charts/pull/65 adding some policies to perform security checks as the "PSP Best Practice" feature.
We are adding a new Helm chart to install a default Policy Server, see more in #52. We could take this opportunity to install some default policies in the cluster as well. Thus, let's look in the NeuVector documentation to see which PSPs they install in the customer cluster when the users enable the "best practices PSPs" feature. Once we have this information, let's decide whether we should add these policies to the chart or not.