Configure Pod security policies#
Kubernetes clusters use PodSecurityPolicy to enforce security and policy controls on Pod creation and updates.
The PodSecurityPolicy object enables Kubernetes cluster admins to configure granular access to cluster resources and privileges for each Pod. By default, Rackspace KaaS includes the following predefined security policies:
privileged- provides a broad set of privileges that are used by cluster admins.
restricted- provides a limited set of privileges for cluster tenants, such as users and namespaces.
To enforce the users with the
edit roles to use the restricted PodSecurityPolicy, the following
ClusterRole is predefined:
kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: restricted-psp # Aggregate to admin/edit roles so that admins don't always have to bind users # to custom role. labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rules: - apiGroups: ["extensions"] resources: ["podsecuritypolicies"] verbs: ["use"] resourceNames: ["restricted"]
To grant non-cluster-admin users broader permissions, you can configure additional PodSecurityPolicies, make them usable by a Role, and bind them to the user through a RoleBinding.
You can configure a Pod security policy by using the KaaS Control Panel or
by creating a PodSecurityPolicy configuration file and applying it with
kubectl create command.
To configure a Pod security policy, complete the following steps:
Using the KaaS Control Panel:
Log in to the control panel as a Kubernetes cluster administrator.
In the Administration menu, select Security.
Click Create Pod Security Policy.
Define the Pod security properties. For more information, see What is a Pod Security Policy?.
Save your changes.
KaaS creates a security policy and a role for the security policy named
psp:<security-policy-name>. You need to bind that role to specific users.
Go to Namespaces.
Bind the created role to the required users by creating a new access rule.
Create a new Pod security policy configuration file. The following text is an example of a restricted policy:
apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: restricted spec: privileged: false # Required to prevent escalations to root. allowPrivilegeEscalation: false # This is redundant with non-root + disallow privilege escalation, # but we can provide it for defense in depth. requiredDropCapabilities: - ALL # Allow core volume types. volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' # Assume that persistentVolumes set up by the cluster admin are safe to use. - 'persistentVolumeClaim' hostNetwork: false hostIPC: false hostPID: false runAsUser: # Require the container to run without root privileges. rule: 'MustRunAsNonRoot' seLinux: # This policy assumes the nodes are using AppArmor rather than SELinux. rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 readOnlyRootFilesystem: false
Create a Pod and the security policy:
kubectl create -f <name-of-security-policy-file>
Verify that the Pod security policy has been created by running the following command:
kubectl get psp
For more information, see Kubernetes Pod Security Policy documentation.