pod_security_standard
Description
The pod_security_standard parameter applies a Kubernetes Pod Security Standard to every App namespace on the Rack. When a standard is set, the Rack adds the pod-security.kubernetes.io/<mode>: <standard> label to each App namespace on that App's next deploy, and Kubernetes evaluates the App's pods against the standard in the mode selected by pod_security_mode.
baseline: blocks the most common privilege escalations (privileged containers, host namespaces, host ports, hostPath mounts). A default Convox Service pod passesbaseline.restricted: additionally requires pods to run as non-root, set a seccomp profile, disallow privilege escalation, and drop all capabilities. A default Convox Service pod does not meetrestricted, so every Service needs a conforming securityContext inconvox.ymlbeforerestrictedcan be enforced.
The standard is Rack-wide and evaluates every pod in each App namespace, including Services, Timers, and convox run processes. There is no per-App override, and Rack system namespaces are not labeled.
Default Value
The default value is empty. With no standard set, App namespaces carry no Pod Security Admission label and admission behavior is unchanged, so upgrading an existing Rack to 3.24.10 changes nothing until you opt in.
Setting the Parameter
$ convox rack params set pod_security_standard=baseline -r rackName
Updating parameters... OK
The Rack update reconfigures the Rack API, then the label reaches each App namespace on that App's next deploy. Roll out gradually: keep pod_security_mode at warn (the default), review the admission warnings on deploys, move to audit, and set enforce only after workloads are confirmed clean.
Clear the value to disable Pod Security Admission labeling:
$ convox rack params set pod_security_standard= -r rackName
Updating parameters... OK
The label is removed from each App namespace on that App's next deploy.
Additional Information
This parameter is available on AWS Racks only and requires Rack version 3.24.10 or later.
- Validation: must be
baseline,restricted, or empty. The CLI rejects any other value. - Builds under
enforce: Builds run in a dedicated per-App build namespace so the standard does not reject build pods, andconvox buildandconvox deploycontinue to work without changes. See pod_security_mode for details. - Leaving
enforce: after you revert the mode or clear the standard, each App namespace keeps itsenforcelabel until that App's next deploy. Builds detect the remaining label and continue to run in the dedicated build namespace, soconvox buildandconvox deploywork throughout the transition.convox runpods in that namespace follow the previous admission rules until the App deploys again. Running pods andconvox execare unaffected, since admission only evaluates new pods. - The parameter configures the Rack API and creates no cloud resources. Moving the Rack to an earlier version removes it cleanly.