
Kubernetes Admission Controller

Reject pods running images that fail your PodArmor policy.

The admission controller enforces your security policy at deploy time. PodArmor hosts the webhook — you install a ValidatingWebhookConfiguration that points at it.

How it works

  1. A pod (or Deployment/StatefulSet/Job…) is created in an opted-in namespace.
  2. The Kubernetes API server calls PodArmor's webhook with the image references.
  3. PodArmor grades every managed image against your policy and returns allow/deny with the failing rules named.

Only images in your PodArmor catalog are evaluated; anything else passes through untouched.

1 · Create an admission key

The webhook authenticates with a scoped API key carried in the URL (a ValidatingWebhookConfiguration has no field for auth headers). In Portal → API keys, create a key with only the admission scope, so a leaked key cannot do anything beyond admission checks. The key is stored in the cluster-scoped webhook object, so anyone who can read ValidatingWebhookConfigurations can read it. See API keys.

2 · Install the webhook

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: podarmor-policy
webhooks:
  - name: policy.podarmor.dev
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Ignore          # a PodArmor blip must never block your deploys
    timeoutSeconds: 5
    clientConfig:
      url: "https://<your-subdomain>.app.podarmor.dev/v1/admission?key=YOUR_ADMISSION_KEY"
    namespaceSelector:
      matchExpressions:
        - key: podarmor-policy      # only enforce where you opt in
          operator: In
          values: ["enforce"]
    rules:
      - apiGroups: ["", "apps", "batch"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods", "deployments", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicasets"]

3 · Opt a namespace in

Enforcement only applies where you label it — roll out gradually:

kubectl label namespace production podarmor-policy=enforce

Behavior

  • Fail-open. If PodArmor is unreachable (including a response slower than timeoutSeconds), failurePolicy: Ignore lets deploys proceed rather than break. A pod admitted during such an outage is not re-evaluated afterwards, so watch the API server's webhook failure metrics if you rely on enforcement.
  • Only your images. Non-PodArmor images pass through; only catalog images are gated.
  • Exemptions apply. A CVE you've exempted under Policy won't trip admission either.
  • Latest-version grading. A managed image is judged by its latest scanned version's policy result.

A denied deploy returns the failing rules in the API-server error, e.g. blocked 1 image(s): nginx: no_kev (1 exploited-in-the-wild).
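As an added illustration of the exchange described under "How it works" and the Behavior rules above (catalog pass-through, latest-version grading, failing rules named in the denial), here is a minimal stand-in for the webhook's decision logic. This is example code, not PodArmor's implementation; CATALOG, image_name, images_in, review and SAMPLE_REQUEST are all constructed for this example, and the AdmissionReview shapes are the standard admission.k8s.io/v1 ones.

```python
# Constructed stand-in for the PodArmor catalog: image name -> failing rule names from the
# latest scanned version's policy result (after exemptions). Not PodArmor's data model.
CATALOG = {
    "nginx": ["no_kev (1 exploited-in-the-wild)"],
    "redis": [],  # managed image whose latest version passes policy
}

def image_name(ref):
    """Drop tag or digest: 'reg:5000/team/nginx:1.25' -> 'reg:5000/team/nginx'."""
    ref = ref.split("@", 1)[0]                   # strip @sha256:... digest
    last = ref.rsplit("/", 1)[-1]                # only the final path segment may carry a tag
    if ":" in last:
        ref = ref[: len(ref) - len(last)] + last.split(":", 1)[0]
    return ref

def images_in(obj):
    """Collect image references from a Pod or from a workload's embedded pod template."""
    kind = obj.get("kind")
    if kind == "Pod":
        spec = obj["spec"]
    elif kind == "CronJob":
        spec = obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    else:  # Deployment, StatefulSet, DaemonSet, Job, ReplicaSet
        spec = obj["spec"]["template"]["spec"]
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return [c["image"] for c in containers]

def review(admission_review):
    """Return the AdmissionReview response: deny only when a catalog image fails policy."""
    req = admission_review["request"]
    failures = []
    for ref in images_in(req["object"]):
        name = image_name(ref)
        rules = CATALOG.get(name)                # None: not in catalog -> pass through untouched
        if rules:
            failures.append(f"{name}: {', '.join(rules)}")
    response = {"uid": req["uid"], "allowed": not failures}
    if failures:
        response["status"] = {"code": 403,
                              "message": f"blocked {len(failures)} image(s): " + "; ".join(failures)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

# Constructed request for a Deployment with one unmanaged image, one failing and one passing
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "demo-uid", "object": {"kind": "Deployment", "spec": {"template": {"spec": {
        "initContainers": [{"image": "busybox:1.36"}],
        "containers": [{"image": "nginx:1.25"}, {"image": "redis:7"}]}}}}},
}
```

Running review(SAMPLE_REQUEST) denies with the message shown above, because busybox is not in the catalog and redis passes, while nginx fails the no_kev rule.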
