Cluster hardening

Rackspace KaaS uses Kubernetes Pod Security Policies (PSPs) to harden your cluster. A PSP is a list of security rules that lets administrators configure what pods can access and what they can do.

Implementation details

Rackspace KaaS creates two PSPs by default: privileged and restricted.

The default restricted PSP prevents common security problems, such as running as root or mounting host resources.

The privileged PSP is unrestricted and permits a pod to perform all actions.

Specific usage instructions

To use the privileged PSP, create a service account for the deployment and create a RoleBinding for the service account, granting it access to the privileged-psp ClusterRole.
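The following manifest shows the steps above as an added example; it is not taken from the Rackspace KaaS documentation. The namespace, the service account, RoleBinding and deployment names, and the image are placeholders assumed for illustration; only the privileged-psp ClusterRole name comes from this page.

```yaml
# Dedicated service account for the one workload that needs the privileged PSP.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-agent            # assumed name
  namespace: monitoring       # assumed namespace
---
# Namespaced RoleBinding: grants the privileged-psp ClusterRole only to the
# service account above, and only for pods created in this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: node-agent-privileged-psp   # assumed name
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: privileged-psp              # ClusterRole named on this page
subjects:
  - kind: ServiceAccount
    name: node-agent
    namespace: monitoring
---
# The deployment must run its pods under the bound service account;
# otherwise they are admitted under the restricted PSP.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-agent
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: node-agent
  template:
    metadata:
      labels:
        app: node-agent
    spec:
      serviceAccountName: node-agent
      containers:
        - name: agent
          image: registry.example.com/node-agent:1.0   # placeholder image
          securityContext:
            privileged: true   # rejected under the restricted PSP
```

Because the binding is a RoleBinding on a single service account rather than a ClusterRoleBinding on a group, every other workload in the cluster stays under the restricted PSP.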

For more information, see Configure pod security policies.