pod_security_mode
Description
The pod_security_mode parameter selects how Kubernetes applies the Pod Security Standard chosen by pod_security_standard to App namespaces.
When a standard is set, the Rack labels each App namespace pod-security.kubernetes.io/<mode>: <standard> on that App's next deploy, and Kubernetes evaluates the App's pods against the standard in the selected mode:
warn(default): the Kubernetes API returns warnings for non-conforming pods. Never blocks a deploy.audit: violations are recorded as annotations in the cluster audit log. Never blocks a deploy. On AWS Racks the control plane audit log is disabled by default, so viewing these annotations requires setting eks_log_types to includeaudit.enforce: non-conforming pods are rejected at admission. A deploy whose pods violate the standard fails.
This parameter has no effect while pod_security_standard is empty. The mode is Rack-wide; there is no per-App override.
Default Value
The default value is warn. Because pod_security_standard defaults to empty, Racks that do not opt in apply no namespace label and see no change in behavior. Once a standard is set, warn surfaces violations without blocking any deploy.
Setting the Parameter
$ convox rack params set pod_security_mode=audit -r rackName
Updating parameters... OK
Changing the value triggers a Rack update that reconfigures the Rack API. The new mode applies to each App namespace on that App's next deploy.
Move to enforce gradually: start at warn, review the admission warnings, move to audit, and set enforce only after workloads are confirmed clean. Setting enforce while a standard is active prints a CLI warning describing the impact.
If enforce blocks deploys, set pod_security_mode=warn to recover. The standard remains applied in warn mode, so it no longer rejects pods and Apps deploy again.
Additional Information
This parameter is available on AWS Racks only and requires Rack version 3.24.10 or later.
- Validation: must be
warn,audit, orenforce. The CLI rejects any other value, including an empty value. - Builds under enforce: each App's Builds run in a dedicated per-App build namespace, so
convox buildandconvox deploycontinue to work without changes. While a Build runs, its build pod does not appear inconvox psfor the App; Build output and logs are unaffected. Inwarnandauditmodes, Builds run in the App namespace as before. Builds also route to the build namespace while an App namespace still carries anenforcelabel after leavingenforcemode, so Builds keep working through the transition. restrictedwithenforcerejects a default Convox Service pod. Every Service must set a conforming securityContext inconvox.ymlbefore enforcingrestricted.baselinewithenforcepasses a default Service.- The parameter configures the Rack API and creates no cloud resources. Moving the Rack to an earlier version removes it cleanly.