awoooi/k8s/pod-security/namespace-labels.yaml
f0572ae906 feat(k4.3): Pod Security Standards + Grafana Dashboard
K4.3 Pod Security Standards:
- awoooi-prod: baseline
- kube-state-metrics: baseline
- kured: privileged (hostPID required)
- descheduler: restricted
- velero: baseline
- argocd: baseline

Grafana Dashboard:
- K3s Cluster Overview (9 panels)
- Nodes, Pods, HPA, Velero, Alerts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-28 23:16:54 +08:00

# =============================================================================
# Pod Security Standards - Namespace Labels
# =============================================================================
# K4.3 2026-03-29: Kubernetes built-in security mechanism
# Deployed by: Claude Code (Chief Architect)
# Reference: https://kubernetes.io/docs/concepts/security/pod-security-standards/
# =============================================================================
#
# The three PSS levels:
# - privileged: unrestricted (special-purpose workloads only)
# - baseline: basic restrictions (blocks known privilege escalations)
# - restricted: strictest (security best practices)
#
# =============================================================================
---
# awoooi-prod: the production app uses baseline (HPA needs metrics)
apiVersion: v1
kind: Namespace
metadata:
  name: awoooi-prod
  labels:
    app.kubernetes.io/name: awoooi
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
---
# kube-state-metrics: monitoring needs to read the API; uses baseline
apiVersion: v1
kind: Namespace
metadata:
  name: kube-state-metrics
  labels:
    app.kubernetes.io/name: kube-state-metrics
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
---
# kured: needs privileged (hostPID + node reboots)
apiVersion: v1
kind: Namespace
metadata:
  name: kured
  labels:
    app.kubernetes.io/name: kured
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
    # Kured must be privileged; no warn label, so no warnings are emitted
---
# descheduler: only needs API access; restricted is sufficient
apiVersion: v1
kind: Namespace
metadata:
  name: descheduler
  labels:
    app.kubernetes.io/name: descheduler
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
# velero: needs hostPath access for backups; uses baseline
apiVersion: v1
kind: Namespace
metadata:
  name: velero
  labels:
    app.kubernetes.io/name: velero
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
---
# argocd: GitOps controller; uses baseline
apiVersion: v1
kind: Namespace
metadata:
  name: argocd
  labels:
    app.kubernetes.io/name: argocd
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
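As an added check that is not part of the awoooi repository, the following Python lint reads the Pod Security Admission label sets from the manifest above (transcribed into a dict; the checks and messages are this example's own) and reports where a namespace has no visibility above its enforce level and where `*-version: latest` lets the policy move with cluster upgrades.

```python
# Added example, not part of the awoooi repository: lint the
# pod-security.kubernetes.io labels of the Namespace objects above.
LEVELS = {"privileged": 0, "baseline": 1, "restricted": 2}
P = "pod-security.kubernetes.io/"

# metadata.labels transcribed from the manifest above (app.kubernetes.io/name omitted).
NAMESPACES = {
    "awoooi-prod": {P + "enforce": "baseline", P + "enforce-version": "latest",
                    P + "warn": "restricted", P + "warn-version": "latest",
                    P + "audit": "restricted", P + "audit-version": "latest"},
    "kube-state-metrics": {P + "enforce": "baseline", P + "enforce-version": "latest",
                           P + "warn": "restricted", P + "warn-version": "latest"},
    "kured": {P + "enforce": "privileged", P + "enforce-version": "latest"},
    "descheduler": {P + "enforce": "restricted", P + "enforce-version": "latest"},
    "velero": {P + "enforce": "baseline", P + "enforce-version": "latest",
               P + "warn": "restricted", P + "warn-version": "latest"},
    "argocd": {P + "enforce": "baseline", P + "enforce-version": "latest"},
}

def lint_namespace(name, labels):
    """Return a list of findings for one namespace's Pod Security Admission labels."""
    findings = []
    modes = {m: labels.get(P + m) for m in ("enforce", "warn", "audit")}
    bad = [m for m, lvl in modes.items() if lvl is not None and lvl not in LEVELS]
    if bad:
        return [f"{name}: unknown level for {m}: {modes[m]!r}" for m in bad]
    enforce = modes["enforce"]
    if enforce is None:
        return [f"{name}: no enforce label, admission rejects nothing"]
    if enforce == "privileged":
        findings.append(f"{name}: enforce=privileged, unrestricted pods are admitted")
    stricter = False
    for m in ("warn", "audit"):
        lvl = modes[m]
        if lvl is None:
            continue
        if LEVELS[lvl] <= LEVELS[enforce]:
            # enforce already rejects these pods, so the warn/audit label adds nothing
            findings.append(f"{name}: {m}={lvl} is redundant with enforce={enforce}")
        else:
            stricter = True
    if enforce != "restricted" and not stricter:
        findings.append(f"{name}: nothing warns or audits above enforce={enforce}, "
                        "so pods that would fail restricted go unnoticed")
    for m, lvl in modes.items():
        # 'latest' follows the cluster version: a Kubernetes upgrade can change what is rejected
        if lvl is not None and labels.get(P + m + "-version", "latest") == "latest":
            findings.append(f"{name}: {m}-version=latest, policy shifts on cluster upgrade; pin it")
    return findings
```

Running `lint_namespace` over every entry of `NAMESPACES` flags kured and argocd as having no warn or audit level above their enforce level, and every namespace for the floating `latest` version.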