Configure Pod security policies

Kubernetes clusters use PodSecurityPolicy to enforce security and policy controls on Pod creation and updates.

Pod security policies

The PodSecurityPolicy object enables Kubernetes cluster admins to configure granular access to cluster resources and privileges for each Pod. By default, Rackspace KaaS includes the following predefined security policies:

  • privileged - provides a broad set of privileges that are used by cluster admins.
  • restricted - provides a limited set of privileges for cluster tenants, such as users and namespaces.

The following text is an example of the restricted policy:

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
    - ALL
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
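To make the policy's effect concrete, the following added Python snippet (not Rackspace's or Kubernetes' code) evaluates a Pod spec against the constraints of the restricted policy above and lists why admission would reject it. It assumes the Pod spec as a plain dict and models only the fields the policy sets; the actual enforcement is done by the PodSecurityPolicy admission controller, and seccomp or AppArmor annotations are not covered.

```python
ALLOWED_VOLUMES = {"configMap", "emptyDir", "projected", "secret",
                   "downwardAPI", "persistentVolumeClaim"}
GID_MIN, GID_MAX = 1, 65535  # the MustRunAs range in the restricted policy


def restricted_psp_violations(pod_spec):
    """Return the reasons the restricted policy would reject this Pod spec.
    An empty list means every constraint modelled here is satisfied."""
    found = []
    pod_sc = pod_spec.get("securityContext") or {}
    for flag in ("hostNetwork", "hostIPC", "hostPID"):
        if pod_spec.get(flag):
            found.append(f"{flag} is not allowed")
    for vol in pod_spec.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), None)
        if vtype not in ALLOWED_VOLUMES:
            found.append(f"volume {vol.get('name')!r}: type {vtype!r} is not allowed")
    # supplementalGroups and fsGroup are MustRunAs 1-65535, so GID 0 is out.
    gids = list(pod_sc.get("supplementalGroups", []))
    if "fsGroup" in pod_sc:
        gids.append(pod_sc["fsGroup"])
    for gid in gids:
        if not GID_MIN <= gid <= GID_MAX:
            found.append(f"group id {gid} is outside {GID_MIN}-{GID_MAX}")
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = dict(pod_sc)  # container-level settings override pod-level ones
        sc.update(c.get("securityContext") or {})
        name = c.get("name", "?")
        if sc.get("privileged"):
            found.append(f"container {name!r}: privileged is not allowed")
        # An unset value is defaulted to false by admission; only explicit true fails.
        if sc.get("allowPrivilegeEscalation") is True:
            found.append(f"container {name!r}: allowPrivilegeEscalation must be false")
        # MustRunAsNonRoot: UID 0 or runAsNonRoot=false is rejected outright;
        # an unset UID is checked against the image user at run time.
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            found.append(f"container {name!r}: must run as non-root")
    return found


# Constructed sample (hypothetical): a Pod spec that breaks the policy in five ways.
SAMPLE_POD_SPEC = {
    "hostNetwork": True,
    "securityContext": {"fsGroup": 0},
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "app", "image": "example.invalid/app",
                    "securityContext": {"runAsUser": 0, "privileged": True}}],
}
```

Running `restricted_psp_violations(SAMPLE_POD_SPEC)` returns five reasons, one per violated constraint.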

To require users who hold the admin (not cluster-admin) or edit role to use the restricted PodSecurityPolicy, the following ClusterRole is predefined:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restricted-psp
  # Aggregate to admin/edit roles so that admins don't always have to bind users
  # to a custom role.
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:     ["extensions"]
  resources:     ["podsecuritypolicies"]
  verbs:         ["use"]
  resourceNames: ["restricted"]

To grant non-cluster-admin users broader permissions, you can configure additional PodSecurityPolicies, create a Role that grants the use verb on them, and bind that Role to the user through a RoleBinding.

For more information, see Kubernetes Pod Security Policy documentation.