Implementing Admission Control for Runtime Security

Admission controllers intercept requests to the Kubernetes API server and enforce runtime security policy before a pod object is persisted and scheduled. By validating pod specifications against that policy, they stop insecure configurations from ever reaching a node, rather than detecting them after the container is already running. One caveat: admission control only sees objects that pass through the API server on create or update, so pods that already exist when a policy is introduced are not re-evaluated until they are recreated, and an audit of existing workloads is still needed.

Pod Security Standards (PSS), enforced by the built-in Pod Security Admission controller, provide baseline admission control without a custom webhook. The restricted profile requires non-root execution (runAsNonRoot: true), allowPrivilegeEscalation: false, dropping ALL capabilities (only NET_BIND_SERVICE may be added back), a seccomp profile of RuntimeDefault or Localhost, and a restricted set of volume types. PSS is applied per namespace with the pod-security.kubernetes.io/enforce, audit and warn labels, so every workload in a labeled namespace must meet the chosen profile; running a namespace in audit or warn mode first shows which workloads would be rejected before switching it to enforce.

# ValidatingWebhookConfiguration that sends every pod CREATE/UPDATE in opted-in namespaces to the webhook
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: runtime-security-webhook
webhooks:
- name: validate.runtime.security
  clientConfig:
    service:
      name: runtime-security-webhook
      namespace: security-system
      path: "/validate"
    caBundle: ${CA_BUNDLE}   # base64 PEM of the CA that signed the webhook's serving certificate
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
  timeoutSeconds: 5        # the API server blocks on the call; keep the webhook fast (default 10s, max 30s)
  failurePolicy: Fail      # fail closed: an unreachable webhook rejects the pod instead of admitting it
  namespaceSelector:       # opt-in: only namespaces carrying this label are validated; unlabeled ones are not
    matchLabels:
      runtime-security: enforced

---
# Policy rules loaded by the webhook service; the rule syntax is modelled on Kyverno's match/validate patterns
apiVersion: v1
kind: ConfigMap
metadata:
  name: webhook-rules
  namespace: security-system
data:
  rules.yaml: |
    # Note: these patterns match only spec.containers. initContainers, ephemeralContainers
    # and the pod-level securityContext are not covered and need rules of their own.
    rules:
      - name: "require-non-root"
        description: "Containers must run as non-root"
        match:
          any:
          - resources:
              kinds: ["Pod"]
        validate:
          pattern:
            spec:
              containers:
              - name: "*"
                securityContext:
                  runAsNonRoot: true

      - name: "require-readonly-root"
        description: "Containers must use read-only root filesystem"
        match:
          any:
          - resources:
              kinds: ["Pod"]
        validate:
          pattern:
            spec:
              containers:
              - name: "*"
                securityContext:
                  readOnlyRootFilesystem: true

      - name: "forbidden-capabilities"
        description: "Containers cannot request dangerous capabilities"
        match:
          any:
          - resources:
              kinds: ["Pod"]
        validate:
          pattern:
            spec:
              containers:
              - name: "*"
                securityContext:
                  capabilities:
                    add:
                    - "!SYS_ADMIN"
                    - "!SYS_MODULE"
                    - "!SYS_RAWIO"
                    - "!SYS_PTRACE"

Custom admission webhooks enable organization-specific runtime security policies beyond what PSS expresses: verifying image signatures or registry allowlists, enforcing runtime configuration such as seccomp and AppArmor profiles, and consulting external tools such as a vulnerability scanner before a pod is admitted. Mutating webhooks can inject security configuration automatically (a default securityContext, for example) so that every deployment is consistent. Because mutating webhooks run before validating ones, the validating policy should still check the final object rather than assume the mutation happened. Two operational cautions apply to fail-closed webhooks on pods: exclude the webhook's own namespace and kube-system from the selector, or an outage of the webhook can prevent the very pods needed to restore it from starting.
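The following Go validator is an added example, not code from the original page: it implements the three rules from the ConfigMap above as the handler logic behind the /validate path of the webhook configuration. It goes beyond the page's patterns in that it checks initContainers and ephemeralContainers as well as spec.containers, inherits runAsNonRoot from the pod-level securityContext, and normalises capability names so that "cap_sys_admin" is caught alongside "SYS_ADMIN". The types are hand-written minimal subsets of the Kubernetes API (an assumption: their JSON field names mirror k8s.io/api) so the block builds without the client libraries.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hand-written minimal subsets of the Kubernetes API types (assumption: field names mirror k8s.io/api).
type (
	Capabilities    struct{ Add []string `json:"add,omitempty"` }
	SecurityContext struct {
		RunAsNonRoot           *bool         `json:"runAsNonRoot,omitempty"`
		ReadOnlyRootFilesystem *bool         `json:"readOnlyRootFilesystem,omitempty"`
		Capabilities           *Capabilities `json:"capabilities,omitempty"`
	}
	Container struct {
		Name            string          `json:"name"`
		SecurityContext SecurityContext `json:"securityContext"`
	}
	PodSpec struct {
		SecurityContext     SecurityContext `json:"securityContext"` // pod-level default for runAsNonRoot
		InitContainers      []Container     `json:"initContainers"`
		Containers          []Container     `json:"containers"`
		EphemeralContainers []Container     `json:"ephemeralContainers"`
	}
	Pod              struct{ Spec PodSpec `json:"spec"` }
	Status           struct{ Message string `json:"message,omitempty"` }
	AdmissionRequest struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"`
	}
	AdmissionResponse struct {
		UID     string  `json:"uid"`
		Allowed bool    `json:"allowed"`
		Status  *Status `json:"status,omitempty"`
	}
	AdmissionReview struct {
		APIVersion string             `json:"apiVersion"`
		Kind       string             `json:"kind"`
		Request    *AdmissionRequest  `json:"request,omitempty"`
		Response   *AdmissionResponse `json:"response,omitempty"`
	}
)

// Capability list from the forbidden-capabilities rule; names are compared after normCap.
var forbiddenCaps = map[string]bool{"SYS_ADMIN": true, "SYS_MODULE": true, "SYS_RAWIO": true, "SYS_PTRACE": true}

// normCap makes "cap_sys_admin" and "SYS_ADMIN" compare equal, so spelling cannot dodge the check.
func normCap(c string) string { return strings.TrimPrefix(strings.ToUpper(strings.TrimSpace(c)), "CAP_") }

// ValidatePod applies the three rules to init, regular and ephemeral containers alike (names are unique per pod).
func ValidatePod(pod Pod) (violations []string) {
	podNonRoot := pod.Spec.SecurityContext.RunAsNonRoot != nil && *pod.Spec.SecurityContext.RunAsNonRoot
	all := append(append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...), pod.Spec.EphemeralContainers...)
	for _, c := range all {
		sc := c.SecurityContext
		nonRoot := podNonRoot
		if sc.RunAsNonRoot != nil {
			nonRoot = *sc.RunAsNonRoot // an explicit container value overrides the pod default
		}
		if !nonRoot {
			violations = append(violations, fmt.Sprintf("container %q must run as non-root (runAsNonRoot: true)", c.Name))
		}
		if sc.ReadOnlyRootFilesystem == nil || !*sc.ReadOnlyRootFilesystem {
			violations = append(violations, fmt.Sprintf("container %q must set readOnlyRootFilesystem: true", c.Name))
		}
		if sc.Capabilities != nil {
			for _, name := range sc.Capabilities.Add {
				if forbiddenCaps[normCap(name)] {
					violations = append(violations, fmt.Sprintf("container %q adds forbidden capability %s", c.Name, name))
				}
			}
		}
	}
	return violations
}

// HandleReview is the body of the /validate endpoint: decode the AdmissionReview, validate the pod,
// and return the review with a response attached (UID echoed back, every violation in status.message).
func HandleReview(body []byte) ([]byte, error) {
	var review AdmissionReview
	if err := json.Unmarshal(body, &review); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	} else if review.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	var pod Pod
	if err := json.Unmarshal(review.Request.Object, &pod); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	resp := &AdmissionResponse{UID: review.Request.UID, Allowed: true}
	if v := ValidatePod(pod); len(v) > 0 {
		resp.Allowed = false // the API server surfaces status.message to whoever ran kubectl apply
		resp.Status = &Status{Message: strings.Join(v, "; ")}
	}
	review.Request, review.Response = nil, resp // only the response goes back to the API server
	return json.Marshal(review)
}
```

HandleReview takes the raw request body and returns the raw response body, so it drops into an http.HandlerFunc served over TLS with a certificate that chains to the caBundle in the webhook configuration; returning an error (HTTP 4xx) from that handler counts as a webhook failure, which with failurePolicy: Fail rejects the pod.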