Kubernetes Pod Security Policy
Enabling Pod Security Policies
Build a cluster with PSP enabled.
If using kubeadm, the following ClusterConfiguration can be used; the two extraArgs enable RBAC authorization and the PodSecurityPolicy admission plugin on the API server.
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
    enable-admission-plugins: PodSecurityPolicy
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
networking:
  podSubnet: 10.20.0.0/16
Run kubeadm with that config:
kubeadm init --config config.yaml
Create the PSP objects: a restrictive policy that will be the default and a permissive one for system components.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrictive
spec:
  privileged: false
  hostNetwork: false
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - 'configMap'
    - 'downwardAPI'
    - 'emptyDir'
    - 'persistentVolumeClaim'
    - 'secret'
    - 'projected'
  allowedCapabilities:
    - '*'   # '*' lets a pod add any Linux capability; list specific ones to make this policy truly restrictive

---

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive
spec:
  privileged: true
  hostNetwork: true
  hostIPC: true
  hostPID: true
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  hostPorts:
    - min: 0
      max: 65535
  volumes:
    - '*'
Map the PSPs to service accounts via RBAC: restrictive becomes the default for every service account, while permissive is required by certain base k8s controllers and the CNI.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp-restrictive
rules:
- apiGroups:
  - extensions   # legacy group; PSP objects live in 'policy' and the admission controller checks both groups
  resources:
  - podsecuritypolicies
  resourceNames:
  - restrictive
  verbs:
  - use
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp-permissive
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - permissive
  verbs:
  - use
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp-default
subjects:
- kind: Group
  name: system:serviceaccounts   # every service account in every namespace
  namespace: kube-system         # not consulted for Group subjects
roleRef:
  kind: ClusterRole
  name: psp-restrictive
  apiGroup: rbac.authorization.k8s.io
Permissive role binding, scoped to the kube-system namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-permissive
  namespace: kube-system   # a RoleBinding only covers pods created in this namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-permissive
subjects:
# controller service accounts that create pods on behalf of workloads
- kind: ServiceAccount
  name: daemon-set-controller
  namespace: kube-system
- kind: ServiceAccount
  name: replicaset-controller
  namespace: kube-system
- kind: ServiceAccount
  name: job-controller
  namespace: kube-system
# Cilium CNI agent and operator service accounts
- kind: ServiceAccount
  name: cilium
  namespace: kube-system
- kind: ServiceAccount
  name: cilium-operator
  namespace: kube-system
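The policies and bindings above decide, per pod, whether the identity creating it may "use" a policy that the pod spec validates against. The following Python script is an added illustration and is not the Kubernetes admission controller or code from the original page: it models only the PSP fields and RBAC grants transcribed from the manifests above (policy and service-account names come from those manifests; the pod specs are constructed for this example) and reports which policy admits a pod. It shows the namespace scoping of the kube-system RoleBinding and the effect of allowedCapabilities '*' in the restrictive policy.

```python
"""Model of how the page's PodSecurityPolicies and RBAC grants decide pod admission.
Added illustration only (not the Kubernetes PSP admission controller); it covers
just the fields the page's manifests set. Pod specs below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# The two PodSecurityPolicy objects from the page. Unset list fields default to
# "nothing allowed", as in Kubernetes; allowPrivilegeEscalation defaults to true.
POLICIES = {
    "restrictive": {
        "privileged": False, "hostNetwork": False, "hostPID": False, "hostIPC": False,
        "allowPrivilegeEscalation": False,
        "volumes": {"configMap", "downwardAPI", "emptyDir",
                    "persistentVolumeClaim", "secret", "projected"},
        "allowedCapabilities": {"*"},   # as on the page: any capability may be added
        "hostPorts": [],
    },
    "permissive": {
        "privileged": True, "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "allowPrivilegeEscalation": True, "volumes": {"*"},
        "allowedCapabilities": set(), "hostPorts": [(0, 65535)],
    },
}

# Who may 'use' which policy, from the page's bindings: (subject, policy, namespace).
# namespace=None is the ClusterRoleBinding (any namespace); "kube-system" is the
# RoleBinding, which only covers pods created in that namespace.
GRANTS = [("group:system:serviceaccounts", "restrictive", None)] + [
    (f"sa:kube-system:{name}", "permissive", "kube-system")
    for name in ("daemon-set-controller", "replicaset-controller",
                 "job-controller", "cilium", "cilium-operator")
]


@dataclass
class Pod:
    """Subset of a pod spec that the modelled PSP fields inspect."""
    privileged: bool = False
    host_network: bool = False
    host_pid: bool = False
    host_ipc: bool = False
    allow_privilege_escalation: Optional[bool] = None  # None = unset, PSP supplies default
    volumes: set = field(default_factory=set)          # volume types used, e.g. {"hostPath"}
    capabilities: set = field(default_factory=set)     # securityContext.capabilities.add
    host_ports: list = field(default_factory=list)


def violations(pod: Pod, policy: dict) -> list:
    """Return the PSP fields the pod violates; an empty list means it validates."""
    bad = []
    for flag, attr in (("privileged", "privileged"), ("hostNetwork", "host_network"),
                       ("hostPID", "host_pid"), ("hostIPC", "host_ipc"),
                       ("allowPrivilegeEscalation", "allow_privilege_escalation")):
        if getattr(pod, attr) and not policy[flag]:
            bad.append(flag)
    if "*" not in policy["volumes"] and not pod.volumes <= policy["volumes"]:
        bad.append("volumes")
    if "*" not in policy["allowedCapabilities"] and not pod.capabilities <= policy["allowedCapabilities"]:
        bad.append("allowedCapabilities")
    if any(not any(lo <= p <= hi for lo, hi in policy["hostPorts"]) for p in pod.host_ports):
        bad.append("hostPorts")
    return bad


def subjects_for(sa_namespace: str, sa_name: str) -> set:
    """Identities RBAC sees for a service account: itself plus the groups
    Kubernetes places every service account in."""
    return {f"sa:{sa_namespace}:{sa_name}", "group:system:serviceaccounts",
            f"group:system:serviceaccounts:{sa_namespace}"}


def usable_policies(sa_namespace: str, sa_name: str, pod_namespace: str) -> list:
    """Policies the service account may 'use' for a pod in pod_namespace."""
    ids = subjects_for(sa_namespace, sa_name)
    return sorted({policy for subj, policy, ns in GRANTS
                   if subj in ids and ns in (None, pod_namespace)})


def admit(pod: Pod, pod_namespace: str, sa_namespace: str, sa_name: str) -> Optional[str]:
    """Name of the first usable policy the pod validates against, or None if the pod
    would be rejected. The real controller tries both the requesting user and the
    pod's own service account; this model takes a single identity."""
    for name in usable_policies(sa_namespace, sa_name, pod_namespace):
        if not violations(pod, POLICIES[name]):
            return name
    return None


if __name__ == "__main__":
    cases = [  # (description, pod, pod namespace, (sa namespace, sa name))
        ("plain pod in default", Pod(), "default", ("default", "default")),
        ("privileged pod in default", Pod(privileged=True), "default", ("default", "default")),
        ("privileged DaemonSet pod in kube-system", Pod(privileged=True, host_network=True),
         "kube-system", ("kube-system", "daemon-set-controller")),
        ("same controller, pod in default", Pod(privileged=True), "default",
         ("kube-system", "daemon-set-controller")),
        ("NET_ADMIN capability in default", Pod(capabilities={"NET_ADMIN"}), "default",
         ("default", "default")),
    ]
    for desc, pod, ns, (sa_ns, sa) in cases:
        print(f"{desc}: {admit(pod, ns, sa_ns, sa) or 'REJECTED'}")
```

Running it shows a privileged pod created by daemon-set-controller is admitted under permissive only when the pod lands in kube-system, because the RoleBinding is namespaced, and that a pod adding NET_ADMIN is admitted under restrictive because of the '*' in allowedCapabilities.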