k8s-pod-security-policies.md

File metadata and controls

70 lines (62 loc) · 2.57 KB

# Apply Pod Security Policies to k8s cluster

A Pod Security Policy allows administrators to define a set of conditions that a pod must satisfy in order to be accepted into the cluster.

The following recommendations need to be applied to the k8s cluster before any other pod is deployed.

- If kops is used, edit the cluster configuration by running:

```shell
kops edit cluster
```

and adding the following:

```yaml
spec:
  kubeAPIServer:
    admissionControl:
    - PodSecurityPolicy
    - NamespaceLifecycle
    - LimitRanger
    - ServiceAccount
    - DefaultStorageClass
    - DefaultTolerationSeconds
    - MutatingAdmissionWebhook
    - ValidatingAdmissionWebhook
    - ResourceQuota
```

Note the presence of the PodSecurityPolicy admission controller: without it, the API server never evaluates the policies configured below.

- Update the cluster by running:

```shell
kops update cluster --yes
kops rolling-update cluster --yes
```

- Once the cluster is back in operation, check whether the default Pod Security Policy (psp) was created by running:

```shell
kubectl get psp
```

The output should show a default psp named kube-system.

- Modify the psp by running:

```shell
kubectl edit psp kube-system
```

Change the following configuration:

```yaml
spec:
  allowPrivilegeEscalation: false
  privileged: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
```
Note that containers are still allowed to run as the root user because tiller requires it, see this issue. A writable root filesystem is also still allowed (readOnlyRootFilesystem is not enforced) because nginx ingress needs it.

If cluster-autoscaler is deployed, it requires the hostPath volume type, which is not in the list above, in order to operate.

- Pods installed using the cluster-admin role in the kube-system namespace can now use the new psp. Other deployments, such as nginx-ingress, require additional roles to be set up (`$namespace` and `$release_name` are shell variables holding the target namespace and the Helm release name):

```shell
kubectl -n $namespace create role $namespace:psp --verb=use --resource=podsecuritypolicy --resource-name=kube-system
kubectl -n $namespace create rolebinding $namespace:psp:default --role=$namespace:psp --serviceaccount=$namespace:default
kubectl -n $namespace create rolebinding $namespace:psp:$release_name-nginx-ingress --role=$namespace:psp --serviceaccount=$namespace:$release_name-nginx-ingress
```

This creates a new role in the desired namespace that is allowed to use the new psp, and then binds that role to the default and nginx-ingress service accounts in the same namespace, so pods running under those accounts are admitted.
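The following script is an added example, not part of the original page or of kops: it audits a PodSecurityPolicy manifest against the settings recommended above (the five fields that must be false and the allowed volume list, with hostPath as an opt-in for cluster-autoscaler) and builds the Role and RoleBinding objects equivalent to the three kubectl commands. The manifests are constructed samples shaped like `kubectl get psp <name> -o json` output, so it runs without cluster access; the function names and the `policy` apiGroup are assumptions of this example.

```python
"""Audit a PodSecurityPolicy against the settings recommended above and
generate the Role/RoleBinding objects equivalent to the kubectl commands.

Added example, not part of the original page. The manifests are constructed
samples shaped like `kubectl get psp <name> -o json` output, so it runs
without cluster access. Function names and the apiGroup "policy" are
assumptions of this example.
"""
import json

# Fields the page sets to false in the kube-system psp.
REQUIRED_FALSE = ("allowPrivilegeEscalation", "privileged",
                  "hostNetwork", "hostIPC", "hostPID")

# Volume types the page allows; hostPath is only needed when
# cluster-autoscaler is deployed, so it is opt-in below.
ALLOWED_VOLUMES = {"configMap", "emptyDir", "projected", "secret",
                   "downwardAPI", "persistentVolumeClaim"}


def audit_psp(psp, allow_host_path=False):
    """Return a list of findings; an empty list means the psp matches the page.

    runAsUser and readOnlyRootFilesystem are deliberately not checked: the
    page leaves root and a writable root filesystem allowed for tiller and
    nginx ingress.
    """
    spec = psp.get("spec", {})
    findings = []
    for field in REQUIRED_FALSE:
        # Require an explicit false: allowPrivilegeEscalation defaults to true
        # when omitted, so a missing field is treated as a finding too.
        if spec.get(field) is not False:
            findings.append(f"{field} should be false, got {spec.get(field)!r}")
    allowed = ALLOWED_VOLUMES | ({"hostPath"} if allow_host_path else set())
    volumes = spec.get("volumes", [])
    if "*" in volumes:
        findings.append("volumes: '*' allows every volume type, including hostPath")
    else:
        findings.extend(f"volumes: {v} is not in the allowed list"
                        for v in volumes if v not in allowed)
    return findings


def psp_rbac_manifests(namespace, release_name, psp_name="kube-system"):
    """Objects equivalent to the three kubectl create commands on the page:
    a Role that may `use` the psp, bound to the default and
    <release>-nginx-ingress service accounts in the namespace."""
    role_name = f"{namespace}:psp"
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": role_name, "namespace": namespace},
        # kubectl resolves --resource=podsecuritypolicy to its apiGroup via
        # discovery; "policy" is assumed here (older clusters used "extensions").
        "rules": [{"apiGroups": ["policy"],
                   "resources": ["podsecuritypolicies"],
                   "resourceNames": [psp_name],
                   "verbs": ["use"]}],
    }

    def binding(service_account):
        return {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": f"{role_name}:{service_account}",
                         "namespace": namespace},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "Role", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": service_account,
                          "namespace": namespace}],
        }

    return [role, binding("default"), binding(f"{release_name}-nginx-ingress")]


# Constructed sample: a fully permissive psp (not an exact copy of the kops
# default, but the shape kubectl edit psp kube-system shows before the change).
PERMISSIVE_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "kube-system"},
    "spec": {
        "allowPrivilegeEscalation": True,
        "privileged": True,
        "hostNetwork": True,
        "hostIPC": True,
        "hostPID": True,
        "volumes": ["*"],
        "runAsUser": {"rule": "RunAsAny"},
        "seLinux": {"rule": "RunAsAny"},
        "supplementalGroups": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "RunAsAny"},
    },
}

# The same psp after the edit recommended on the page.
HARDENED_PSP = json.loads(json.dumps(PERMISSIVE_PSP))  # deep copy
HARDENED_PSP["spec"].update({f: False for f in REQUIRED_FALSE})
HARDENED_PSP["spec"]["volumes"] = sorted(ALLOWED_VOLUMES)

if __name__ == "__main__":
    for name, psp in (("permissive", PERMISSIVE_PSP), ("hardened", HARDENED_PSP)):
        print(f"{name}: {audit_psp(psp) or 'OK'}")
    print(json.dumps(psp_rbac_manifests("ingress", "myrelease"), indent=2))
```

Running the script prints six findings for the permissive sample and `OK` for the hardened one, followed by the Role and two RoleBindings for a namespace `ingress` and release `myrelease`; feeding `kubectl get psp kube-system -o json` into `audit_psp` gives the same check against a live cluster, and the generated objects can be applied with `kubectl apply -f` instead of the imperative commands.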