Security constraints

Pod security policies can be used to define under what conditions workloads can run. With Portainer we achieve this by leveraging Open Policy Agent via OPA Gatekeeper.

Policies are configured on a per-environment basis. To enable and configure security policies, from the menu select a Kubernetes environment, then expand Cluster and click Security constraints.

This is advanced functionality and should be applied with caution. If a deployment attempts to create a pod that does not meet the defined security constraints, it may not be immediately obvious that the constraint is the reason for the provisioning failure.

Toggle on Enable pod security constraints to enable the functionality, then toggle on the features you require and configure them as needed.

Policies are based on the Kubernetes security policy reference. For more detail on each option, check the Kubernetes documentation.

Once you have completed your configuration, click Save settings to apply your changes.
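As the caution above notes, a pod rejected by a constraint can be hard to trace. The following added example (not part of Portainer or its documentation) scans the output of `kubectl get events -A -o json` for Gatekeeper admission denials and reports which constraint blocked which object. It assumes Gatekeeper's default webhook name `validation.gatekeeper.sh` and its one-violation-per-line `[constraint] message` format; the sample events and constraint names are constructed.

```python
import json
import re

# Text the API server puts in an event when Gatekeeper's webhook rejects a request.
WEBHOOK = 'admission webhook "validation.gatekeeper.sh" denied the request'
# One violation per line: "[<constraint name>] <message>". Older Gatekeeper
# releases wrote "[denied by <constraint name>]" (format is an assumption).
VIOLATION = re.compile(r"^\[(?:denied by )?([^\]]+)\]\s*(.*)$", re.MULTILINE)


def gatekeeper_denials(events_json):
    """Return one record per constraint violation found in Warning events."""
    denials = []
    for event in json.loads(events_json).get("items", []):
        message = event.get("message", "")
        if event.get("type") != "Warning" or WEBHOOK not in message:
            continue
        obj = event.get("involvedObject", {})
        # Keep only the violation list that follows the webhook prefix.
        details = message.split(WEBHOOK, 1)[1].lstrip(": ")
        for constraint, reason in VIOLATION.findall(details):
            denials.append({
                "namespace": obj.get("namespace", ""),
                "object": f'{obj.get("kind", "?")}/{obj.get("name", "?")}',
                "constraint": constraint,
                "reason": reason.strip(),
            })
    return denials


# Constructed sample in the shape of `kubectl get events -A -o json`.
SAMPLE_EVENTS = json.dumps({"items": [
    {"type": "Warning", "reason": "FailedCreate",
     "involvedObject": {"kind": "ReplicaSet", "namespace": "shop", "name": "web-6d4c9"},
     "message": 'Error creating: admission webhook "validation.gatekeeper.sh" denied '
                'the request: [example-privileged] Privileged container is not allowed: web\n'
                '[example-host-network] Host network is not allowed: web-6d4c9'},
    {"type": "Warning", "reason": "BackOff",
     "involvedObject": {"kind": "Pod", "namespace": "shop", "name": "db-0"},
     "message": "Back-off restarting failed container"},
    {"type": "Normal", "reason": "ScalingReplicaSet",
     "involvedObject": {"kind": "Deployment", "namespace": "shop", "name": "web"},
     "message": "Scaled up replica set web-6d4c9 to 1"},
]})

if __name__ == "__main__":
    for d in gatekeeper_denials(SAMPLE_EVENTS):
        print(f'{d["namespace"]} {d["object"]} blocked by {d["constraint"]}: {d["reason"]}')
```

Denials usually surface on the ReplicaSet, Job or StatefulSet that tried to create the pod rather than on the Deployment itself, which is why the constraint is easy to miss.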