Configure pod security policies

Kubernetes clusters use PodSecurityPolicy objects to enforce security and policy controls on pod creation and updates.

PodSecurityPolicy enables Kubernetes cluster admins to configure granular access to cluster resources and privileges for each pod. By default, Rackspace KaaS includes the following predefined Pod Security Policies (PSP):

  • privileged - provides a broad set of privileges that are used by cluster admins.
  • restricted - provides a limited set of privileges for cluster tenants, such as users and namespaces.

To ensure that users with the edit or admin (not cluster-admin) roles use the restricted PodSecurityPolicy, Rackspace KaaS predefines the following ClusterRole:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-psp
  # Aggregate to admin/edit roles so that admins don't always have to bind users
  # to custom role.
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:     ["extensions"]
  resources:     ["podsecuritypolicies"]
  verbs:         ["use"]
  resourceNames: ["restricted"]

To grant non-cluster-admin users broader permissions, configure additional PSPs, make them usable by assigning a Role, and bind them to the user through a RoleBinding.
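The `use` verb, the aggregation labels on the `restricted-psp` ClusterRole, and the Role/RoleBinding route to a broader PSP are easier to reason about when you can see which PSP names a given subject ends up with. The following simplified model of that RBAC resolution is an added example, not Rackspace KaaS or Kubernetes code: the `edit` ClusterRole is reduced to its real upstream `aggregationRule`, and the users (`alice`, `bob`), namespaces (`team-a`, `team-b`) and the `use-privileged-psp` Role are constructed for the example.

```python
"""Simplified model of how Kubernetes RBAC decides which PodSecurityPolicies a
subject may `use` (added example; not Rackspace KaaS or Kubernetes code).

The aggregation step mirrors what the kube-controller-manager does for
ClusterRoles that carry an aggregationRule: rules from every ClusterRole whose
labels match a selector are copied into the aggregated role. The `edit`
aggregationRule below is the real upstream selector; the user, namespace and
Role names are constructed for this example.
"""

# Constructed ClusterRoles. `edit` is reduced to its aggregationRule; the
# `restricted-psp` entry is the one Rackspace KaaS predefines.
CLUSTER_ROLES = {
    "edit": {
        "aggregationRule": {"clusterRoleSelectors": [
            {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}}]},
        "rules": [],
    },
    "restricted-psp": {
        "labels": {
            "rbac.authorization.k8s.io/aggregate-to-admin": "true",
            "rbac.authorization.k8s.io/aggregate-to-edit": "true",
        },
        "rules": [{"apiGroups": ["extensions"], "resources": ["podsecuritypolicies"],
                   "verbs": ["use"], "resourceNames": ["restricted"]}],
    },
}

# Constructed namespaced Role granting `use` on the privileged PSP in team-a.
ROLES = {
    ("team-a", "use-privileged-psp"): {
        "rules": [{"apiGroups": ["extensions"], "resources": ["podsecuritypolicies"],
                   "verbs": ["use"], "resourceNames": ["privileged"]}],
    },
}

# Constructed bindings: (namespace, subject) -> list of (roleRef kind, name).
ROLE_BINDINGS = {
    ("team-a", "alice"): [("ClusterRole", "edit")],
    ("team-a", "bob"): [("ClusterRole", "edit"), ("Role", "use-privileged-psp")],
}
CLUSTER_ROLE_BINDINGS = {}  # subject -> list of ClusterRole names (none here)


def aggregate(cluster_roles):
    """Return a copy of cluster_roles with every aggregationRule resolved."""
    resolved = {}
    for name, role in cluster_roles.items():
        rules = list(role.get("rules", []))
        for selector in role.get("aggregationRule", {}).get("clusterRoleSelectors", []):
            wanted = selector.get("matchLabels", {})
            for other_name, other in cluster_roles.items():
                labels = other.get("labels", {})
                if other_name != name and all(labels.get(k) == v for k, v in wanted.items()):
                    rules.extend(other.get("rules", []))
        resolved[name] = {**role, "rules": rules}
    return resolved


def psps_from_rules(rules):
    """Collect the PSP names a rule set allows `use` on ("*" = any name)."""
    names = set()
    for rule in rules:
        if ("extensions" in rule["apiGroups"] or "policy" in rule["apiGroups"]) \
                and "podsecuritypolicies" in rule["resources"] \
                and ("use" in rule["verbs"] or "*" in rule["verbs"]):
            names.update(rule.get("resourceNames") or ["*"])
    return names


def usable_psps(subject, namespace, cluster_roles=CLUSTER_ROLES, roles=ROLES,
                role_bindings=ROLE_BINDINGS, cluster_role_bindings=CLUSTER_ROLE_BINDINGS):
    """PSP names `subject` may use when creating pods in `namespace`."""
    resolved = aggregate(cluster_roles)
    rules = []
    for cr_name in cluster_role_bindings.get(subject, []):
        rules.extend(resolved[cr_name]["rules"])          # cluster-wide grants
    for kind, name in role_bindings.get((namespace, subject), []):
        source = resolved[name] if kind == "ClusterRole" else roles[(namespace, name)]
        rules.extend(source["rules"])                     # namespace-scoped grants
    return psps_from_rules(rules)


if __name__ == "__main__":
    for who, ns in (("alice", "team-a"), ("bob", "team-a"), ("bob", "team-b")):
        print(f"{who}@{ns}: {sorted(usable_psps(who, ns))}")
```

The model shows why a user bound to `edit` ends up with `restricted` without any extra binding, and why a RoleBinding to a custom Role widens the choice only inside that namespace. In a live cluster the equivalent check is `kubectl auth can-i use podsecuritypolicy/restricted --as=alice -n team-a`, which asks the API server's own authorizer rather than a model of it.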

You can configure a PSP by creating a PodSecurityPolicy configuration file and applying it with the kubectl create command.

To configure a PodSecurityPolicy object, perform the following steps:

  1. Create a new PodSecurityPolicy configuration file. The following text is an example of a restricted policy:

    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: restricted
    spec:
      privileged: false
      # Required to prevent escalations to root.
      allowPrivilegeEscalation: false
      # This is redundant with non-root + disallow privilege escalation,
      # but we can provide it for defense in depth.
      requiredDropCapabilities:
        - ALL
      # Allow core volume types.
      volumes:
        - 'configMap'
        - 'emptyDir'
        - 'projected'
        - 'secret'
        - 'downwardAPI'
        # Assume that persistentVolumes set up by the cluster admin are safe to use.
        - 'persistentVolumeClaim'
      hostNetwork: false
      hostIPC: false
      hostPID: false
      runAsUser:
        # Require the container to run without root privileges.
        rule: 'MustRunAsNonRoot'
      seLinux:
        # This policy assumes the nodes are using AppArmor rather than SELinux.
        rule: 'RunAsAny'
      supplementalGroups:
        rule: 'MustRunAs'
        ranges:
          # Forbid adding the root group.
          - min: 1
            max: 65535
      fsGroup:
        rule: 'MustRunAs'
        ranges:
          # Forbid adding the root group.
          - min: 1
            max: 65535
      readOnlyRootFilesystem: false
    
  2. Create the PodSecurityPolicy object from that file by running the following command:

    kubectl create -f <name-of-security-policy-file>
    
  3. Verify that the PodSecurityPolicy object was created by running the following command:

    kubectl get psp
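Once the policy exists, the practical question is which pod specs it admits and which fields cause a rejection. The following offline check is an added example, not Rackspace KaaS or Kubernetes code: it transcribes the restricted policy from step 1 into a dict and reproduces the validation half of PSP admission for the fields that policy sets. The two pod specs, their image names and namespaces are constructed for the example.

```python
"""Offline check of a pod spec against the restricted PodSecurityPolicy from
this page (added example; not Rackspace KaaS or Kubernetes code).

Only validation is modelled. Values the real admission controller would mutate
into the pod (runAsNonRoot: true, the dropped capabilities, a default fsGroup)
are not re-applied here, so a pod that leaves those fields unset passes, as it
does in-cluster; the kubelet still refuses to start a MustRunAsNonRoot pod whose
image runs as root.
"""

# The page's restricted policy, transcribed as a dict.
RESTRICTED_PSP = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"],
    "volumes": ["configMap", "emptyDir", "projected", "secret", "downwardAPI",
                "persistentVolumeClaim"],
    "hostNetwork": False, "hostIPC": False, "hostPID": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "seLinux": {"rule": "RunAsAny"},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "readOnlyRootFilesystem": False,
}


def _in_ranges(value, ranges):
    return any(r["min"] <= value <= r["max"] for r in ranges)


def violations(psp, pod_spec):
    """Return the reasons the PSP would reject pod_spec (empty list = admitted)."""
    found = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(flag) and not psp.get(flag):
            found.append(f"{flag} is not allowed")

    for vol in pod_spec.get("volumes", []):
        vol_type = next(k for k in vol if k != "name")   # e.g. "configMap", "hostPath"
        if vol_type not in psp["volumes"] and "*" not in psp["volumes"]:
            found.append(f"volume {vol['name']!r} uses disallowed type {vol_type}")

    pod_sc = pod_spec.get("securityContext", {})
    for group_field in ("supplementalGroups", "fsGroup"):
        strategy = psp[group_field]
        values = pod_sc.get(group_field)
        if strategy["rule"] != "MustRunAs" or values is None:
            continue  # unset values are defaulted to the first range's min
        for gid in ([values] if isinstance(values, int) else values):
            if not _in_ranges(gid, strategy["ranges"]):
                found.append(f"{group_field} {gid} outside allowed ranges")

    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged") and not psp["privileged"]:
            found.append(f"container {name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") and not psp["allowPrivilegeEscalation"]:
            found.append(f"container {name}: allowPrivilegeEscalation is not allowed")
        # The policy lists no allowedCapabilities, so no capability may be added.
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in psp.get("allowedCapabilities", []):
                found.append(f"container {name}: capability {cap} may not be added")
        if psp["runAsUser"]["rule"] == "MustRunAsNonRoot":
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            if uid == 0:
                found.append(f"container {name}: running as UID 0 is not allowed")
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is False:
                found.append(f"container {name}: runAsNonRoot=false is not allowed")
    return found


# Constructed pod specs: one that fits the policy and one that does not.
COMPLIANT_POD = {
    "securityContext": {"runAsUser": 1000, "fsGroup": 2000},
    "volumes": [{"name": "cfg", "configMap": {"name": "app"}}],
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}
NON_COMPLIANT_POD = {
    "hostNetwork": True,
    "securityContext": {"fsGroup": 0},
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "agent", "image": "example/agent:1.0",
                    "securityContext": {"privileged": True, "runAsUser": 0,
                                        "capabilities": {"add": ["NET_ADMIN"]}}}],
}

if __name__ == "__main__":
    for label, pod in (("compliant", COMPLIANT_POD), ("non-compliant", NON_COMPLIANT_POD)):
        print(label, violations(RESTRICTED_PSP, pod) or "admitted")
```

Running it reports the six distinct reasons the second pod would be refused, one per policy field it trips. In a cluster, a pod that was admitted carries the annotation `kubernetes.io/psp: <policy-name>`, which is the quickest way to confirm that the restricted policy, and not a broader one, was the one that matched.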
    

For more information, see Cluster hardening and the Kubernetes Pod Security Policy documentation.