Configure Pod security policies

Kubernetes clusters use PodSecurityPolicy to enforce security and policy controls on Pod creation and updates.

Pod security policies

The PodSecurityPolicy object enables Kubernetes cluster admins to configure granular access to cluster resources and privileges for each Pod. By default, Rackspace KaaS includes the following predefined security policies:

  • privileged - provides a broad set of privileges that are used by cluster admins.
  • restricted - provides a limited set of privileges for cluster tenants, such as users and namespaces.

The following manifest is the restricted policy (the metadata and spec blocks are top-level keys; they are not nested under kind):

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
    - ALL
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
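
To make the effect of each field concrete, the following added example (not Rackspace KaaS code, and not how the Kubernetes admission controller is implemented) evaluates Pod specs against the fields of the restricted policy above and reports which settings it would reject. The policy dict mirrors the manifest; the two Pod specs are constructed samples. It models validation only: real PodSecurityPolicy admission also mutates unset fields (for example it sets runAsNonRoot: true and drops the required capabilities when the Pod does not specify them).

```python
"""Check Pod specs against the fields of the 'restricted' PodSecurityPolicy.

Added example, not Rackspace KaaS code. RESTRICTED mirrors the policy shown
on the page; the Pod specs are constructed samples.
"""

# Mirrors the restricted PodSecurityPolicy spec shown above.
RESTRICTED = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"],
    "volumes": ["configMap", "emptyDir", "projected", "secret",
                "downwardAPI", "persistentVolumeClaim"],
    "hostNetwork": False,
    "hostIPC": False,
    "hostPID": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "readOnlyRootFilesystem": False,
}

# Keys of a volume entry that do not name a volume type.
VOLUME_META_KEYS = {"name"}


def _in_ranges(value, ranges):
    return any(r["min"] <= value <= r["max"] for r in ranges)


def validate_pod(spec, policy=RESTRICTED):
    """Return the list of violations; an empty list means the policy admits the Pod.

    Validation only: real PSP admission also mutates unset fields, so a Pod
    that sets nothing passes here just as it would after mutation.
    """
    violations = []
    pod_sc = spec.get("securityContext", {})

    # Host namespaces are all forbidden by the restricted policy.
    for flag in ("hostNetwork", "hostIPC", "hostPID"):
        if spec.get(flag, False) and not policy[flag]:
            violations.append(f"{flag} is not allowed")

    # Every volume type must appear in the policy's allow list (hostPath does not).
    for vol in spec.get("volumes", []):
        for kind in (k for k in vol if k not in VOLUME_META_KEYS):
            if kind not in policy["volumes"] and "*" not in policy["volumes"]:
                violations.append(f"volume {vol.get('name')!r}: type {kind} is not allowed")

    required_drop = set(policy["requiredDropCapabilities"])
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged", False) and not policy["privileged"]:
            violations.append(f"container {name}: privileged is not allowed")
        if sc.get("allowPrivilegeEscalation", False) and not policy["allowPrivilegeEscalation"]:
            violations.append(f"container {name}: allowPrivilegeEscalation is not allowed")
        # Capabilities in requiredDropCapabilities (here: ALL) must not be added back.
        added = set(sc.get("capabilities", {}).get("add", []))
        if added and ("ALL" in required_drop or added & required_drop):
            violations.append(f"container {name}: capabilities {sorted(added)} must be dropped")
        # MustRunAsNonRoot: a container-level setting overrides the Pod-level one.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if policy["runAsUser"]["rule"] == "MustRunAsNonRoot":
            if run_as_user == 0:
                violations.append(f"container {name}: runAsUser 0 is not allowed")
            elif run_as_non_root is False:
                violations.append(f"container {name}: runAsNonRoot must not be false")

    # MustRunAs with ranges 1-65535 keeps GID 0 out of fsGroup and supplementalGroups.
    fs_group = pod_sc.get("fsGroup")
    if fs_group is not None and not _in_ranges(fs_group, policy["fsGroup"]["ranges"]):
        violations.append(f"fsGroup {fs_group} is outside the allowed ranges")
    for gid in pod_sc.get("supplementalGroups", []):
        if not _in_ranges(gid, policy["supplementalGroups"]["ranges"]):
            violations.append(f"supplementalGroup {gid} is outside the allowed ranges")
    return violations


# Constructed sample Pod specs (not from the page).
COMPLIANT_POD = {
    "containers": [{
        "name": "web", "image": "example/web:1.0",
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
    "volumes": [{"name": "cfg", "configMap": {"name": "web-config"}}],
    "securityContext": {"fsGroup": 2000},
}

PRIVILEGED_POD = {
    "hostNetwork": True,
    "containers": [{
        "name": "agent", "image": "example/agent:1.0",
        "securityContext": {"privileged": True, "runAsUser": 0,
                            "capabilities": {"add": ["NET_ADMIN"]}},
    }],
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
}

if __name__ == "__main__":
    for label, pod in (("compliant", COMPLIANT_POD), ("privileged", PRIVILEGED_POD)):
        print(label, validate_pod(pod) or "admitted")
```

Running the module prints that the compliant Pod is admitted and lists five separate reasons the privileged Pod is rejected (host networking, the hostPath volume, privileged mode, the added capability and UID 0), which is the same information the API server returns in its admission error for a Pod that only the restricted policy can cover.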

To require users who hold the admin (not cluster-admin) or edit role to use the restricted PodSecurityPolicy, the following ClusterRole is predefined:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-psp
  # Aggregate to the admin/edit roles so that admins don't always have to bind users
  # to a custom role.
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:     ["extensions"]
  resources:     ["podsecuritypolicies"]
  verbs:         ["use"]
  resourceNames: ["restricted"]

To grant non-cluster-admin users broader permissions, you can configure additional PodSecurityPolicies, make them usable by a Role, and bind them to the user through a RoleBinding.
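
The following added example (not Rackspace KaaS code) works through which PodSecurityPolicies a user ends up being allowed to use once the restricted-psp ClusterRole above is aggregated into edit and an extra Role and RoleBinding are added for one namespace. The restricted-psp ClusterRole mirrors the one on the page; the edit ClusterRole's aggregation rule is the standard Kubernetes one; the PSP name team-a-hostpath, the Role team-a-hostpath-psp, the namespaces and the users are hypothetical. The custom Role uses the policy API group, which also serves PodSecurityPolicy on clusters of this era; only RoleBindings with User subjects are modelled, whereas a real cluster also evaluates ClusterRoleBindings, Group subjects and the Pod's service account.

```python
"""Resolve which PodSecurityPolicies a user may 'use' in a namespace.

Added example, not Rackspace KaaS code. The restricted-psp ClusterRole mirrors
the page; the custom PSP, Role, RoleBinding, namespaces and users are made up.
"""

# Constructed RBAC objects.
CLUSTER_ROLES = [
    {"name": "restricted-psp",
     "labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true",
                "rbac.authorization.k8s.io/aggregate-to-edit": "true"},
     "rules": [{"apiGroups": ["extensions"], "resources": ["podsecuritypolicies"],
                "verbs": ["use"], "resourceNames": ["restricted"]}]},
    # The built-in edit ClusterRole absorbs every ClusterRole labelled aggregate-to-edit.
    {"name": "edit",
     "aggregationRule": {"clusterRoleSelectors": [
         {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}}]},
     "rules": []},
]

# Hypothetical namespaced Role granting 'use' on a hypothetical PSP "team-a-hostpath".
ROLES = [
    {"namespace": "team-a", "name": "team-a-hostpath-psp",
     "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                "verbs": ["use"], "resourceNames": ["team-a-hostpath"]}]},
]

# Hypothetical bindings: alice edits team-a and also gets the custom PSP there;
# bob only edits team-b.
ROLE_BINDINGS = [
    {"namespace": "team-a", "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"namespace": "team-a", "roleRef": {"kind": "Role", "name": "team-a-hostpath-psp"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"namespace": "team-b", "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]

# Both API groups have served PodSecurityPolicy; a rule may name either.
PSP_API_GROUPS = {"extensions", "policy"}


def effective_rules(cluster_role):
    """Expand an aggregated ClusterRole into its own rules plus the aggregated ones."""
    rules = list(cluster_role.get("rules", []))
    for selector in cluster_role.get("aggregationRule", {}).get("clusterRoleSelectors", []):
        wanted = selector.get("matchLabels", {})
        for other in CLUSTER_ROLES:
            if other is cluster_role:
                continue
            if all(other.get("labels", {}).get(k) == v for k, v in wanted.items()):
                rules.extend(other.get("rules", []))
    return rules


def _rules_for(role_ref, namespace):
    """Resolve a RoleBinding's roleRef to its rules (empty if the role does not exist)."""
    if role_ref["kind"] == "ClusterRole":
        for cr in CLUSTER_ROLES:
            if cr["name"] == role_ref["name"]:
                return effective_rules(cr)
    else:
        for r in ROLES:
            if r["namespace"] == namespace and r["name"] == role_ref["name"]:
                return r["rules"]
    return []


def usable_psps(user, namespace):
    """Return the sorted PSP names `user` may 'use' when creating Pods in `namespace`."""
    names = set()
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in rb["subjects"]):
            continue
        for rule in _rules_for(rb["roleRef"], namespace):
            if ("use" in rule["verbs"] and "podsecuritypolicies" in rule["resources"]
                    and PSP_API_GROUPS & set(rule["apiGroups"])):
                # A rule without resourceNames grants 'use' on every PSP.
                names.update(rule.get("resourceNames", ["*"]))
    return sorted(names)


if __name__ == "__main__":
    for user, ns in (("alice", "team-a"), ("alice", "team-b"), ("bob", "team-b")):
        print(f"{user} in {ns}: {usable_psps(user, ns) or 'no PSP, Pod creation rejected'}")
```

The run shows why the aggregation labels matter: bob, who only holds edit, can still use restricted because restricted-psp was folded into edit, while alice gains the extra PSP only in the namespace where the Role and RoleBinding exist and has no usable PSP at all in team-b. When a user can use several policies, the admission controller tries each in turn and admits the Pod under the first one that validates it.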

For more information, see the Kubernetes Pod Security Policy documentation.

©2020 Rackspace US, Inc.