This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 68%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hello,
Is it possible to create Pod security admission at cluster level as described here. If yes, then
Please suggest. Thank you.
Kind Regards,
Tanul
I suggest you look at using Azure Policy's capability for securing Aks using gatekeeper.
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
@AirGordon Its been almost an year I'm trying to understand Azure policies. But for a beginner the documentation is very difficult. In addition, the details are very less and its extremely difficult to create a custom policy. I prefer kyverno over this because the open source support is better and faster on slack channels and github.
@AirGordon I have followed every single step mentioned here still its not working.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
For the benefit of others I believe the same question is being followed here https://github.com/Azure/AKS/issues/3684
Yes, it is possible to create Pod security admission at cluster level as described in the documentation
To add usernames in exemptions section in case of RBAC based AKS, you can use Azure RBAC to define access to the Kubernetes configuration file in AKS. You can assign users built-in roles or create custom roles using Azure RBAC mechanisms and APIs, just as you would with Kubernetes roles. With this feature, you not only give users permissions to the AKS resource across subscriptions, but you also configure the role and permissions for inside each of those clusters controlling Kubernetes API access.
You can add AD group object id to the group claims for applications by using Azure Active Directory.
Sources:
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/aks/concepts-identity.md
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/aks/manage-azure-rbac.md
If this does answer your question, please accept it as the answer as a token of appreciation.