Configure Pod security policies#
Kubernetes clusters use PodSecurityPolicy to enforce security and policy controls on Pod creation and updates.
Pod security policies#
The PodSecurityPolicy object enables Kubernetes cluster admins to configure granular access to cluster resources and privileges for each Pod. By default, Rackspace KaaS includes the following predefined security policies:
privileged
- provides a broad set of privileges that are used by cluster admins.restricted
- provides a limited set of privileges for cluster tenants, such as users and namespaces.
The following text is an example of the restricted policy:
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
To enforce the users with the admin
(not cluster-admin
) or edit
roles to use the restricted PodSecurityPolicy, the following
ClusterRole is predefined:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: restricted-psp
# Aggregate to admin/edit roles so that admins don't always have to bind users
# to custom role.
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["extensions"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames: ["restricted"]
To grant non-cluster-admin users broader permissions, you can configure additional PodSecurityPolicies, make them usable by a Role, and bind them to the user through a RoleBinding.
For more information, see Kubernetes Pod Security Policy documentation.