Configure Pod security policies
Kubernetes clusters use PodSecurityPolicy to enforce security and policy controls on Pod creation and updates.
Pod security policies
The PodSecurityPolicy object enables Kubernetes cluster admins to configure granular access to cluster resources and privileges for each Pod. By default, Rackspace KaaS includes the following predefined security policies:
privileged - provides a broad set of privileges that are used by cluster admins.
restricted - provides a limited set of privileges for cluster tenants, such as users and namespaces.
The following text is an example of the restricted policy:
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
    - ALL
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
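The following Pod manifests are an added example, not part of the Rackspace KaaS documentation, showing what a tenant workload must declare to pass every rule of the restricted policy above, followed by a Pod that the same policy rejects. The namespace, Pod names and image reference are assumptions.

```yaml
# Added example (not from the Rackspace KaaS documentation).
# Pod 1: admitted under the "restricted" policy.
apiVersion: v1
kind: Pod
metadata:
  name: restricted-ok            # constructed name
  namespace: tenant-a            # assumed tenant namespace
spec:
  # hostNetwork, hostPID and hostIPC are left unset (default false),
  # as the policy requires.
  securityContext:
    runAsNonRoot: true           # satisfies runAsUser: MustRunAsNonRoot
    runAsUser: 1000              # explicit non-root UID (needed if the image sets no USER)
    fsGroup: 2000                # inside the fsGroup MustRunAs range 1-65535
    supplementalGroups: [3000]   # inside the supplementalGroups range 1-65535
  volumes:
    - name: scratch
      emptyDir: {}               # emptyDir is in the allowed volume list
  containers:
    - name: app
      image: registry.example.com/team/app:1.0   # placeholder image
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false          # must be false
        capabilities:
          drop: ["ALL"]                          # matches requiredDropCapabilities: ALL
      volumeMounts:
        - name: scratch
          mountPath: /scratch
---
# Pod 2: rejected by the "restricted" policy. Each offending field is commented
# with the rule it violates; the admission controller reports the first one it hits.
apiVersion: v1
kind: Pod
metadata:
  name: restricted-denied        # constructed name
  namespace: tenant-a
spec:
  hostNetwork: true              # hostNetwork: false in the policy
  volumes:
    - name: host-root
      hostPath:                  # hostPath is not in the allowed volume list
        path: /
  containers:
    - name: app
      image: registry.example.com/team/app:1.0   # placeholder image
      securityContext:
        runAsUser: 0             # violates MustRunAsNonRoot
        privileged: true         # violates privileged: false
        allowPrivilegeEscalation: true   # violates allowPrivilegeEscalation: false
      volumeMounts:
        - name: host-root
          mountPath: /host
```

After applying the first Pod, the policy it was admitted under is recorded in the kubernetes.io/psp annotation, so `kubectl get pod restricted-ok -n tenant-a -o jsonpath='{.metadata.annotations.kubernetes\.io/psp}'` should print `restricted`; the second manifest fails at admission with a "forbidden" error naming the violated rule. Note that MustRunAsNonRoot is also enforced at container start: a Pod that omits runAsUser and uses an image with no non-root USER is admitted but fails to start.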
To require users bound to the admin and edit roles to use the restricted PodSecurityPolicy, the following ClusterRole is predefined:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-psp
  # Aggregate to admin/edit roles so that admins don't always have to bind users
  # to custom role.
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
  - apiGroups: ["extensions"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["restricted"]
To grant non-cluster-admin users broader permissions, you can configure additional PodSecurityPolicies, make them usable by a Role, and bind them to the user through a RoleBinding.
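The manifests below are an added example, not part of the Rackspace KaaS documentation, of the three-step grant just described: a second PodSecurityPolicy that is slightly broader than restricted (it permits read-only hostPath mounts under one prefix), a namespaced Role that allows the "use" verb on that policy, and a RoleBinding that gives the grant to one user in one namespace. The policy name, namespace, path prefix and user name are assumptions.

```yaml
# Added example (not from the Rackspace KaaS documentation).
# Step 1: a broader policy. Everything except the volume rules matches "restricted".
apiVersion: extensions/v1beta1       # same API group used by the page's examples
kind: PodSecurityPolicy
metadata:
  name: tenant-a-hostpath            # assumed policy name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
    - 'hostPath'                     # the one addition over "restricted"
  allowedHostPaths:
    - pathPrefix: "/var/log/tenant-a"   # assumed prefix; anything outside it is rejected
      readOnly: true                    # mounts under the prefix must be read-only
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
---
# Step 2: a namespaced Role that permits using that policy and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-tenant-a-hostpath        # assumed role name
  namespace: tenant-a                # assumed tenant namespace
rules:
  - apiGroups: ["extensions"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["tenant-a-hostpath"]
---
# Step 3: bind the Role to the user (and, for controller-created Pods,
# to the workload's ServiceAccount; see the note below).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jane-use-tenant-a-hostpath   # assumed binding name
  namespace: tenant-a
subjects:
  - kind: User
    name: jane                       # assumed user name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: use-tenant-a-hostpath
  apiGroup: rbac.authorization.k8s.io
```

Two points matter when checking this grant. First, the PodSecurityPolicy admission controller authorizes either the requesting user or the Pod's service account, so Pods created by a Deployment or other controller are evaluated against the ServiceAccount, not the person who ran `kubectl apply`; add a `kind: ServiceAccount` subject to the RoleBinding for those workloads. Second, because the Role is namespaced, the grant does not extend the user's privileges anywhere else in the cluster; `kubectl auth can-i use podsecuritypolicies/tenant-a-hostpath --as jane -n tenant-a` should answer yes, and the same query with another namespace should answer no.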
For more information, see Kubernetes Pod Security Policy documentation.