Kubernetes Admission Controller
Reject pods running images that fail your PodArmor policy.
The admission controller enforces your security policy at deploy time. PodArmor hosts the webhook — you install a ValidatingWebhookConfiguration that points at it.
How it works
- A pod (or a Deployment, StatefulSet, Job or other workload listed in the webhook rules below) is created or updated in an opted-in namespace.
- The Kubernetes API server sends the object to PodArmor's webhook as an AdmissionReview request; PodArmor pulls the image references out of the pod spec.
- PodArmor grades every managed image against your policy and answers allow or deny, naming the rules that failed.
Only images in your PodArmor catalog are evaluated; anything else passes through untouched.
1 · Create an admission key
The webhook authenticates with a scoped API key carried as a query parameter in the URL, because a ValidatingWebhookConfiguration cannot attach authentication headers to the request. In Portal → API keys, create a key with only the admission scope. See API keys. Treat the key as a secret: anyone who can read the cluster-scoped ValidatingWebhookConfiguration object can read the URL and therefore the key, so keep its scope to admission only and restrict read access to webhook configurations.
2 · Install the webhook
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: podarmor-policy
webhooks:
  - name: policy.podarmor.dev
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Ignore   # a PodArmor blip must never block your deploys
    timeoutSeconds: 5
    clientConfig:
      url: "https://<your-subdomain>.app.podarmor.dev/v1/admission?key=YOUR_ADMISSION_KEY"
    namespaceSelector:
      matchExpressions:
        - key: podarmor-policy   # only enforce where you opt in
          operator: In
          values: ["enforce"]
    rules:
      - apiGroups: ["", "apps", "batch"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods", "deployments", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicasets"]
3 · Opt a namespace in
Enforcement only applies where you label it, so roll it out one namespace at a time:
kubectl label namespace production podarmor-policy=enforce
Because the webhook declares sideEffects: None, a server-side dry run (kubectl apply with --dry-run=server) still passes through admission, so you can confirm that a namespace denies a failing manifest without creating anything.
Behavior
- Fail-open. If PodArmor is unreachable, or does not answer within timeoutSeconds, failurePolicy: Ignore lets deploys proceed rather than break. This is an availability trade-off: while the webhook is down nothing is gated, so monitor for webhook timeouts and errors if you rely on enforcement.
- Only your images. Non-PodArmor images pass through; only catalog images are gated.
- Exemptions apply. A CVE you've exempted under Policy won't trip admission either.
- Latest-version grading. A managed image is judged by the policy result of its latest scanned version, even if the manifest pins an older tag.
A denied deploy returns the failing rules in the API-server error, e.g.
blocked 1 image(s): nginx: no_kev (1 exploited-in-the-wild).
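To make the request/response flow and the behavior rules above concrete, here is an added Python model of what the webhook does with one AdmissionReview. It is illustrative code written for this page, not PodArmor's implementation. The AdmissionReview request and response shape is the Kubernetes admission.k8s.io/v1 API; the catalog layout, the no_critical rule, the "(count label)" message format generalised from the single example above, the placeholder finding IDs and the sample request are all constructed assumptions. It also models the API server's side of failurePolicy, which is Kubernetes behavior rather than anything PodArmor does.

```python
"""Illustrative model of the PodArmor admission flow (added example, not PodArmor's code)."""
import json
from typing import Optional

# Constructed catalog: repository -> scanned versions -> findings.
# Finding IDs are placeholders, not real CVE identifiers.
CATALOG = {
    "nginx": {
        "latest": "1.27.0",
        "versions": {
            "1.25.0": [],
            "1.27.0": [{"id": "finding-a", "severity": "high", "kev": True}],
        },
    },
    "redis": {
        "latest": "7.2",
        "versions": {"7.2": [{"id": "finding-c", "severity": "critical", "kev": False}]},
    },
}

# Assumed policy: rule name -> predicate on one finding; a rule trips when any
# non-exempt finding matches. Only no_kev appears on the page; no_critical is made up.
POLICY = {
    "no_kev": lambda f: f["kev"],
    "no_critical": lambda f: f["severity"] == "critical",
}
RULE_LABEL = {"no_kev": "exploited-in-the-wild", "no_critical": "critical"}
EXEMPTIONS = {"finding-c"}  # redis's critical finding has been exempted under Policy


def repository(ref: str) -> str:
    """Strip digest and tag from an image reference: 'nginx:1.27@sha256:...' -> 'nginx'.
    Only the last path segment may carry a tag, so a registry port ('reg:5000/nginx') survives."""
    ref = ref.split("@", 1)[0]
    head, sep, last = ref.rpartition("/")
    return head + sep + last.split(":", 1)[0]


def pod_spec(obj: dict) -> dict:
    """Locate the pod spec for every kind the webhook rules cover."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj["spec"]
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return obj["spec"]["template"]["spec"]  # Deployment, StatefulSet, DaemonSet, ReplicaSet, Job


def image_refs(obj: dict) -> list:
    spec = pod_spec(obj)
    refs = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        refs.extend(c["image"] for c in spec.get(field, []))
    return refs


def grade(repo: str) -> list:
    """Failing rules for a managed image, judged by its latest scanned version (not the tag pinned)."""
    entry = CATALOG[repo]
    findings = [f for f in entry["versions"][entry["latest"]] if f["id"] not in EXEMPTIONS]
    failing = []
    for rule, pred in POLICY.items():
        hits = sum(1 for f in findings if pred(f))
        if hits:
            failing.append(f"{rule} ({hits} {RULE_LABEL[rule]})")
    return failing


def review(admission_review: dict) -> dict:
    """Answer one AdmissionReview: deny only when a catalog image fails policy."""
    req = admission_review["request"]
    blocked, seen = [], set()
    for ref in image_refs(req["object"]):
        repo = repository(ref)
        if repo not in CATALOG or repo in seen:  # non-catalog images pass through untouched
            continue
        seen.add(repo)
        failing = grade(repo)
        if failing:
            blocked.append(f"{repo}: {', '.join(failing)}")
    response = {"uid": req["uid"], "allowed": not blocked}
    if blocked:
        response["status"] = {"code": 403,
                              "message": f"blocked {len(blocked)} image(s): " + "; ".join(blocked) + "."}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def apiserver_verdict(response: Optional[dict], failure_policy: str = "Ignore") -> bool:
    """The API server's side: no answer (unreachable or timed out) is allowed under
    failurePolicy: Ignore and rejected under Fail; otherwise the webhook's answer stands."""
    if response is None:
        return failure_policy == "Ignore"
    return response["response"]["allowed"]


# Constructed AdmissionReview request, as the API server would send for a Deployment CREATE.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "0d5f4c2e-0000-4000-8000-000000000001",
        "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
        "operation": "CREATE", "namespace": "production",
        "object": {"kind": "Deployment", "spec": {"template": {"spec": {
            "initContainers": [{"image": "ghcr.io/acme/tooling:2.0"}],   # not in catalog
            "containers": [{"image": "nginx:1.25.0"}, {"image": "redis:7.2"}],
        }}}},
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

Running it denies the sample Deployment with the same message shape the page shows: nginx is graded by its latest scanned version (1.27.0, not the pinned 1.25.0) and trips no_kev; redis passes because its only finding is exempted; the tooling image is not in the catalog and is never looked at. Feeding apiserver_verdict a None response shows the fail-open path.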