A pod security policy is an admission controller resource that validates requests to create and update pods in your cluster against the rules that the policy defines. If a request to create or update a pod does not meet the rules, the request is rejected and an error is returned. This topic describes how to use pod security policies in a Container Service for Kubernetes (ACK) cluster.
Prerequisites
Before you configure pod security policies, make sure that you have performed the following steps:
The default pod security policy
By default, pod security policy control is enabled for standard managed Kubernetes clusters (Kubernetes 1.16.6) and standard dedicated Kubernetes clusters (Kubernetes 1.16.6). A pod security policy named ack.privileged is automatically created. This security policy accepts all types of pods, which has the same effect as disabling pod security policy control for the cluster.
Query the default pod security policy
$ kubectl get psp ack.privileged
NAME             PRIV   CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
ack.privileged   true   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
Query details about the default pod security policy
$ kubectl describe psp ack.privileged
Name: ack.privileged
Settings:
  Allow Privileged: true
  Allow Privilege Escalation: true
  Default Add Capabilities: <none>
  Required Drop Capabilities: <none>
  Allowed Capabilities: *
  Allowed Volume Types: *
  Allow Host Network: true
  Allow Host Ports: 0-65535
  Allow Host PID: true
  Allow Host IPC: true
  Read Only Root Filesystem: false
  SELinux Context Strategy: RunAsAny
    User: <none>
    Role: <none>
    Type: <none>
    Level: <none>
  Run As User Strategy: RunAsAny
    Ranges: <none>
  FSGroup Strategy: RunAsAny
    Ranges: <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges: <none>
The following code defines the pod security policy and the related ClusterRole and ClusterRoleBinding resources:
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ack.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack:podsecuritypolicy:privileged
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
rules:
- apiGroups:
  - policy
  resourceNames:
  - ack.privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ack:podsecuritypolicy:privileged
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated
Delete the ClusterRoleBinding resource that is related to the default pod security policy
Warning: Before you delete the ClusterRoleBinding resource, you must configure a custom pod security policy and a related RBAC binding. Otherwise, all users, controllers, and service accounts will be unable to create or update pods.
After you configure a custom pod security policy and a related RBAC binding, you can delete the ClusterRoleBinding resource of the default pod security policy ack.privileged to enable the custom pod security policy.
Important: Do not delete or rename ack.privileged and the ack:podsecuritypolicy:privileged ClusterRole. These two resources are required to run the cluster.
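A restrictive policy and RBAC binding of the kind this step requires, shown as an added example that is not part of the original page or of ACK's own manifests. The example.restricted and example:podsecuritypolicy:restricted names and the chosen field values are assumptions to adapt to your workloads:

```yaml
# Added example: names beginning with "example" are hypothetical placeholders.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example.restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false                 # ack.privileged: true
  allowPrivilegeEscalation: false   # ack.privileged: true
  requiredDropCapabilities: [ALL]   # ack.privileged allows '*'
  volumes: [configMap, emptyDir, projected, secret, downwardAPI, persistentVolumeClaim]
  hostNetwork: false                # no hostPorts listed, so none are allowed
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot          # root (UID 0) containers are refused
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]  # forbid the root group
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example:podsecuritypolicy:restricted
rules:
- apiGroups: [policy]
  resources: [podsecuritypolicies]
  resourceNames: [example.restricted]
  verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example:podsecuritypolicy:restricted-authenticated
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example:podsecuritypolicy:restricted
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
```

After applying it, `kubectl auth can-i use podsecuritypolicy/example.restricted --as=<user> --as-group=system:authenticated` should answer yes for the accounts that create pods before ack:podsecuritypolicy:authenticated is deleted.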
The following command deletes the ClusterRoleBinding resource of the default pod security policy ack.privileged:
$ cat <<EOF | kubectl delete -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ack:podsecuritypolicy:privileged
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
EOF
Configure or restore the default pod security policy
The following command configures or restores the default pod security policy and its RBAC binding:
$ cat <<EOF | kubectl apply -f -
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ack.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack:podsecuritypolicy:privileged
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
rules:
- apiGroups:
  - policy
  resourceNames:
  - ack.privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ack:podsecuritypolicy:privileged
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
EOF