Configure pod security policies
Kubernetes clusters use PodSecurityPolicy objects to enforce security and policy controls on pod creation and updates. A PodSecurityPolicy is a cluster-wide resource that defines which security-sensitive settings a pod may request (privileged mode, host namespaces, volume types, the user and group it runs as, and so on); the PodSecurityPolicy admission controller rejects any pod that does not satisfy a policy its creator is authorized to use. PodSecurityPolicy enables Kubernetes cluster admins to configure granular access to cluster resources and privileges for each pod. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 in favor of Pod Security Admission; this page applies to clusters that still run the PodSecurityPolicy admission controller. By default, Rackspace KaaS includes the following predefined Pod Security Policies (PSP):
- privileged: provides a broad set of privileges that are used by cluster admins.
- restricted: provides a limited set of privileges for cluster tenants, such as users and namespaces.
To ensure that users with the admin and edit roles use the restricted PodSecurityPolicy, Rackspace KaaS predefines the following restricted-psp ClusterRole. Its aggregation labels fold the rule into the built-in admin and edit ClusterRoles, so any user bound to those roles is automatically allowed to use the restricted policy:

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: restricted-psp
      # Aggregate to admin/edit roles so that admins don't always have to bind users
      # to custom role.
      labels:
        rbac.authorization.k8s.io/aggregate-to-admin: "true"
        rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rules:
    - apiGroups: ["extensions"]
      resources: ["podsecuritypolicies"]
      verbs: ["use"]
      resourceNames: ["restricted"]

The use verb is what authorizes a pod against a policy; it is granted here in the extensions API group, matching the extensions/v1beta1 policy shown below. On Kubernetes 1.16 and later, PodSecurityPolicy exists only in the policy API group (policy/v1beta1), so on such clusters both the rule's apiGroups and the policy's apiVersion must use policy.
To grant non-cluster-admin users broader permissions, configure additional PSPs, make them usable by creating a Role (or ClusterRole) that grants the use verb on those policies, and bind that role to the user through a RoleBinding (or ClusterRoleBinding). A policy that exists but is not bound to anyone is never applied. You can configure a PSP by creating a configuration file and applying it with the kubectl create command.
To configure a PodSecurityPolicy object, perform the following steps:

1. Create a new PodSecurityPolicy configuration file. The following text is an example of a restricted policy:

    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: restricted
    spec:
      privileged: false
      # Required to prevent escalations to root.
      allowPrivilegeEscalation: false
      # This is redundant with non-root + disallow privilege escalation,
      # but we can provide it for defense in depth.
      requiredDropCapabilities:
        - ALL
      # Allow core volume types.
      volumes:
        - 'configMap'
        - 'emptyDir'
        - 'projected'
        - 'secret'
        - 'downwardAPI'
        # Assume that persistentVolumes set up by the cluster admin are safe to use.
        - 'persistentVolumeClaim'
      hostNetwork: false
      hostIPC: false
      hostPID: false
      runAsUser:
        # Require the container to run without root privileges.
        rule: 'MustRunAsNonRoot'
      seLinux:
        # This policy assumes the nodes are using AppArmor rather than SELinux.
        rule: 'RunAsAny'
      supplementalGroups:
        rule: 'MustRunAs'
        ranges:
          # Forbid adding the root group.
          - min: 1
            max: 65535
      fsGroup:
        rule: 'MustRunAs'
        ranges:
          # Forbid adding the root group.
          - min: 1
            max: 65535
      readOnlyRootFilesystem: false

2. Create the security policy by running the following command (this creates only the PodSecurityPolicy object; no pod is created):

    kubectl create -f <name-of-security-policy-file>

3. Verify that the PodSecurityPolicy object was created by running the following command:

    kubectl get psp
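The manifests below are an added example, not part of the Rackspace KaaS page or its predefined policies, that carries the "broader permissions" procedure above through end to end alongside the create/verify steps: a hypothetical policy named team-a-hostnet that is the restricted policy plus host networking on a bounded port range, a namespaced Role that grants the use verb on exactly that policy, and a RoleBinding that grants the Role to a hypothetical user alice and to the namespace's default service account. The namespace team-a, the names team-a-hostnet and alice, and the port range 30000-32767 are assumptions chosen for illustration.

```yaml
# Added example (not the page's own code): a tenant policy that is the
# restricted policy plus host networking. Names and ranges are hypothetical.
apiVersion: extensions/v1beta1   # use policy/v1beta1 on Kubernetes 1.16+
kind: PodSecurityPolicy
metadata:
  name: team-a-hostnet
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # Broader than 'restricted': host networking, limited to a port range.
  hostNetwork: true
  hostPorts:
    - min: 30000
      max: 32767
  hostIPC: false
  hostPID: false
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
---
# Namespaced Role: the 'use' verb on this one policy and nothing else,
# so the grant cannot be reused in other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-team-a-hostnet
  namespace: team-a
rules:
- apiGroups: ["extensions"]      # "policy" on Kubernetes 1.16+
  resources: ["podsecuritypolicies"]
  verbs: ["use"]
  resourceNames: ["team-a-hostnet"]
---
# Bind the Role to the human user and to the service account the pods
# run as. Pods created by controllers (Deployments, DaemonSets) are
# authorized against the pod's service account, not the user who
# created the controller, so binding only 'alice' would not be enough.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-team-a-hostnet
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-team-a-hostnet
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: default
  namespace: team-a
```

Apply the file with kubectl create -f (or kubectl apply -f) and confirm the policy is listed by kubectl get psp. To check the binding without creating a pod, run kubectl auth can-i use podsecuritypolicy/team-a-hostnet --as alice -n team-a, which should answer yes, while the same command with -n of another namespace should answer no. Because the restricted-psp ClusterRole is aggregated into edit and admin, a user with the edit role in team-a can now use both restricted and team-a-hostnet; a pod that requests hostNetwork is admitted only under team-a-hostnet, and the policy actually applied to an admitted pod is recorded in its kubernetes.io/psp annotation.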