# Cluster Policies

## Validating Admission Policy

To enable (prior to Kubernetes v1.30):

1. Add the following to `apiServer.extraArgs` in the `ClusterConfiguration` key of the `kubeadm-config` ConfigMap:

   ```yaml
   feature-gates: ValidatingAdmissionPolicy=true
   runtime-config: admissionregistration.k8s.io/v1beta1=true
   ```

2. Redeploy the API servers using `kubeadm`:

   ```sh
   doas kubeadm upgrade apply v1.29.15 --yes
   ```

### disallow-hostnetwork

This policy prevents pods from running in the host's network namespace. This is especially important because most nodes are connected to the storage network VLAN: a pod that shared the host's network namespace would have direct access to the iSCSI LUNs and NFS shares on the NAS.

If a trusted pod needs to run in the host's network namespace, its Kubernetes namespace can be listed in the exclusion list of the `disallow-hostnetwork-binding` policy binding resource.
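The following is an added example of what the `disallow-hostnetwork` policy and its `disallow-hostnetwork-binding` binding can look like with the v1beta1 API that the steps above enable. It is not copied from the cluster's own manifests: the CEL expression, the `Fail` failure policy, and the exclusion of `kube-system` (where CNI and kube-proxy pods legitimately use the host network) are assumptions chosen for illustration. The binding's `NotIn` list is the "exclusion list" referred to above; add a namespace to it to exempt that namespace's pods.

```yaml
# Added example: ValidatingAdmissionPolicy that rejects pods with spec.hostNetwork=true.
# Assumes the ValidatingAdmissionPolicy feature gate and the v1beta1 API are enabled
# as described above (on Kubernetes v1.30+ use admissionregistration.k8s.io/v1 instead).
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: disallow-hostnetwork
spec:
  # Fail closed: if the policy cannot be evaluated, the request is denied rather than admitted.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # spec.hostNetwork is optional; treat an absent field as false.
    - expression: "!has(object.spec.hostNetwork) || object.spec.hostNetwork == false"
      message: "Pods may not run in the host network namespace (spec.hostNetwork must be false)."
      reason: Forbidden
---
# Added example: the binding that applies the policy cluster-wide except in excluded namespaces.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: disallow-hostnetwork-binding
spec:
  policyName: disallow-hostnetwork
  # Deny the request outright (alternatives: Warn, Audit).
  validationActions: [Deny]
  matchResources:
    # Exclusion list: namespaces whose pods are allowed to use the host network.
    # "kube-system" is an assumed entry; extend the list for other trusted namespaces.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
```

Matching on `pods` rather than on Deployment or DaemonSet templates is deliberate: a pod spec from any controller still passes through pod admission, so this single rule covers every workload type, and a rejected pod shows up as a failed create on the owning ReplicaSet or DaemonSet rather than silently running. Pods already present when the policy is created are not re-evaluated, so audit existing pods with `kubectl get pods -A -o json` and a filter on `.spec.hostNetwork` before relying on the rule.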