Configure Pod security policies#

Kubernetes clusters use PodSecurityPolicy to enforce security and policy controls on Pod creation and updates.

The PodSecurityPolicy object enables Kubernetes cluster admins to configure granular access to cluster resources and privileges for each Pod. By default, Rackspace KaaS includes the following predefined security policies:

  • privileged - provides a broad set of privileges that are used by cluster admins.
  • restricted - provides a limited set of privileges for cluster tenants, such as users and namespaces.

To enforce the users with the admin (not cluster-admin) or edit roles to use the restricted PodSecurityPolicy, the following ClusterRole is predefined:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-psp
  # Aggregate to admin/edit roles so that admins don't always have to bind users
  # to custom role.
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:     ["extensions"]
  resources:     ["podsecuritypolicies"]
  verbs:         ["use"]
  resourceNames: ["restricted"]

To grant non-cluster-admin users broader permissions, you can configure additional PodSecurityPolicies, make them usable by a Role, and bind them to the user through a RoleBinding.

You can configure a Pod security policy by using the KaaS Control Panel or by creating a PodSecurityPolicy configuration file and applying it with the kubectl create command.

To configure a Pod security policy, complete the following steps:

  • Using the KaaS Control Panel:

    1. Log in to the control panel as a Kubernetes cluster administrator.

    2. In the Administration menu, select Security.

    3. Click Create Pod Security Policy.

    4. Define the Pod security properties. For more information, see What is a Pod Security Policy?.

    5. Save your changes.

      KaaS creates a security policy and a role for the security policy named psp:<security-policy-name>. You need to bind that role to specific users.

    6. Go to Namespaces.

    7. Bind the created role to the required users by creating a new access rule.

  • Using CLI:

    1. Create a new Pod security policy configuration file. The following text is an example of a restricted policy:

      apiVersion: extensions/v1beta1
      kind: PodSecurityPolicy
        metadata:
          name: restricted
        spec:
          privileged: false
          # Required to prevent escalations to root.
          allowPrivilegeEscalation: false
          # This is redundant with non-root + disallow privilege escalation,
          # but we can provide it for defense in depth.
          requiredDropCapabilities:
            - ALL
          # Allow core volume types.
          volumes:
            - 'configMap'
            - 'emptyDir'
            - 'projected'
            - 'secret'
            - 'downwardAPI'
            # Assume that persistentVolumes set up by the cluster admin are safe to use.
            - 'persistentVolumeClaim'
          hostNetwork: false
          hostIPC: false
          hostPID: false
          runAsUser:
            # Require the container to run without root privileges.
            rule: 'MustRunAsNonRoot'
          seLinux:
            # This policy assumes the nodes are using AppArmor rather than SELinux.
            rule: 'RunAsAny'
          supplementalGroups:
            rule: 'MustRunAs'
            ranges:
              # Forbid adding the root group.
              - min: 1
                max: 65535
          fsGroup:
            rule: 'MustRunAs'
            ranges:
              # Forbid adding the root group.
              - min: 1
                max: 65535
          readOnlyRootFilesystem: false
      
    1. Create a Pod and the security policy:

      kubectl create -f <name-of-security-policy-file>
      
    2. Verify that the Pod security policy has been created by running the following command:

      kubectl get psp
      

For more information, see Kubernetes Pod Security Policy documentation.