Posture Admission Policies

Admission Controller is a Kubernetes-native enforcement point that intercepts resource creation requests after they are authenticated and authorized, but before they are persisted to the cluster. It applies real-time security policies, from posture controls to image scanning rules, to block non-compliant workloads at deploy time, improving overall security posture across clusters.

Posture Policies and Checks

Admission Controller supports multiple use cases across deploy-time security, compliance, and audit. Use the following guidelines as general examples to enable policies and enforce your best practices in your Kubernetes runtime.

Create and Assign Policies

To enable posture policies for Admission Controller enforcement, follow these steps:

  1. Log in to Sysdig Secure and navigate to Policies > Posture | Policies.

  2. Locate the posture policy you want to enforce at admission. If none of the out-of-the-box (OOTB) policies meet your needs, create a custom policy by clicking New Policy and defining the necessary controls.

    You can also review and create Posture policies via API.

  3. For an existing or newly created policy, click the three-dots menu next to the policy and select Edit.

  4. Locate the Assigned Zones section.

  5. In the Select Zones… drop-down, choose the Zone(s) where you want the policy enforced during admission.

  6. If the desired Zone does not exist, create it first in the Inventory > Zones page.

  7. For each assigned Zone, select the Admission Controller Action:

  • None: Policy is not enforced during admission.
  • Warn: Violations generate alerts but workloads are admitted.
  • Reject: Workloads violating the policy are blocked at deployment.
  8. Click Save to apply the changes.

Use Cases and Examples

The following are a few examples of how you can use the Admission Controller to enforce your organizational best-practices.

Rejecting Privileged Containers

Privileged containers pose significant security risks by granting processes extended host-level permissions. To block their deployment:

  1. Use the Built-in Posture Control Container running as privileged (or create a custom control that checks for securityContext.privileged: true).

  2. Create a custom policy and include this control in one of its requirements.

  3. Assign this policy to the relevant Zone(s) with the Admission Controller Action set to Reject.

  4. Deploy a test workload with privileged: true in its security context to verify blocking.

Only Allow Deployment from Specific Registries

To restrict workload images to trusted registries:

  1. Create a custom posture control that validates the container image registry domain against an allowed list (e.g., only images from mycompany.registry.com).
package sysdig

import future.keywords.if
import future.keywords.in

default risky := false

# Keep the trailing slash: a bare prefix match on "mycompany.registry.com"
# would also accept images such as mycompany.registry.com.evil.io/app.
# Images with no registry (e.g. "nginx") resolve to docker.io and are rejected too.
allowed_registry := "mycompany.registry.com/"

risky if {
  some container in input.spec.template.spec.containers
  not startswith(container.image, allowed_registry)
}

# Init containers pull images with the same credentials; check them as well.
risky if {
  some container in input.spec.template.spec.initContainers
  not startswith(container.image, allowed_registry)
}
  2. Bundle this control into a posture policy.

  3. Assign the policy to your Zone(s) with the Admission Controller Action set to Warn or Reject.

  4. Verify by attempting to deploy an image from an unapproved registry (for example docker.io/library/nginx) and confirming that it is rejected (Reject) or only logged (Warn).

Forbid Specific Linux Capabilities

Limiting Linux capabilities reduces the attack surface by restricting which privileged kernel operations a container can perform (for example, SYS_ADMIN allows mounting filesystems and NET_ADMIN allows reconfiguring the node's network).

  1. Use the Built-in Posture Control Container with Forbidden Capabilities (or create a custom control that checks securityContext.capabilities.add against your own deny-list).

  2. Create a custom policy and include this control in one of its requirements.

  3. Assign this policy to the relevant Zone(s) with the Admission Controller Action set to Reject.

  4. Deploy a test workload that adds a forbidden capability (for example securityContext.capabilities.add: ["SYS_ADMIN"]) to verify blocking. Note that a container with privileged: true implicitly holds every capability, so it should be caught by the privileged-container policy above rather than by this one.
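As an added example, not taken from this page or from Sysdig's own control library, the following custom posture control covers the two use cases above in one Rego file: it flags privileged containers and containers that add a forbidden capability, and it does so for init and ephemeral containers as well, which a check limited to spec.containers would miss. It assumes that the control receives the raw Kubernetes resource as input (as the registry example on this page does) and that the resource is either a bare Pod or a workload with a pod template; the deny-list forbidden_capabilities and the rule names are assumptions to adapt to your baseline. The two test_ rules at the end embed constructed sample resources and are meant for a local opa test run, not for upload to Sysdig.

```rego
package sysdig

import future.keywords.contains
import future.keywords.if
import future.keywords.in

default risky := false

# Assumed deny-list; align it with the capabilities your baseline forbids.
forbidden_capabilities := {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "NET_RAW", "DAC_READ_SEARCH"}

# Pod spec of a bare Pod (input.spec) or of a workload template such as a
# Deployment, StatefulSet or DaemonSet (input.spec.template.spec). CronJobs nest
# one level deeper (spec.jobTemplate.spec.template.spec) and are not handled here.
pod_spec := input.spec.template.spec if {
  input.spec.template.spec
} else := input.spec

# Every container that can run in the pod. Init and ephemeral containers share the
# pod's node, service account and network, so they are checked like the main ones.
all_containers contains c if { some c in pod_spec.containers }
all_containers contains c if { some c in pod_spec.initContainers }
all_containers contains c if { some c in pod_spec.ephemeralContainers }

# Normalise a capability name so that "sys_admin", "SYS_ADMIN" and "CAP_SYS_ADMIN"
# all compare equal and a spelling variant cannot slip past the deny-list.
normalize(cap) := trim_prefix(upper(cap), "CAP_")

# A privileged container effectively holds every capability and can reach host
# devices, whatever its capabilities list says.
risky if {
  some c in all_containers
  c.securityContext.privileged == true
}

# Adding "ALL" grants every capability at once.
risky if {
  some c in all_containers
  some cap in c.securityContext.capabilities.add
  normalize(cap) == "ALL"
}

# Adding any single capability from the deny-list.
risky if {
  some c in all_containers
  some cap in c.securityContext.capabilities.add
  n := normalize(cap)
  n in forbidden_capabilities
}

# Constructed sample: a Deployment whose init container adds SYS_ADMIN in
# lower case with the CAP_ prefix. Expected: risky.
test_init_container_sys_admin_is_risky if {
  risky with input as {"spec": {"template": {"spec": {
    "containers": [{"name": "app", "image": "mycompany.registry.com/app:1.0"}],
    "initContainers": [{
      "name": "setup",
      "image": "mycompany.registry.com/setup:1.0",
      "securityContext": {"capabilities": {"add": ["cap_sys_admin"]}}
    }]
  }}}}
}

# Constructed sample: a bare Pod with no securityContext at all. Expected: not risky.
test_plain_pod_is_not_risky if {
  not risky with input as {"spec": {
    "containers": [{"name": "app", "image": "mycompany.registry.com/app:1.0"}]
  }}
}
```

Run `opa test control.rego` to execute the two embedded test rules before uploading the control, or evaluate it against a real manifest with `opa eval -i pod.yaml -d control.rego "data.sysdig.risky"`. When you upload the control to Sysdig, strip the test_ rules (or keep them in a separate file) so that only the risky rule and its helpers are evaluated at admission.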