All Products
Search
Document Center

Container Service for Kubernetes:Use policy governance to configure pod security policies

Last Updated:Sep 12, 2024

We recommend that you enable the policy governance feature to meet compliance requirements and enhance cluster security. The policy governance feature provides security policies that are suitable for Kubernetes scenarios, including Infra (infrastructure resources), Compliance (Kubernetes security compliance), PSP (PodSecurityPolicy-based extension), and K8s-general (general-purpose policies). You can enable or customize security policies for containerized applications in the Container Service for Kubernetes (ACK) console to verify the security of pod deployment and updates.

Introduction to policy governance

PSP is marked as Deprecated in Kubernetes 1.21 and later. Therefore, ACK optimizes the PSP-based policy governance feature. ACK uses OPA as a Gatekeeper admission controller to extend features, such as policy governance status monitoring, log collection, and log retrieval. In addition, a variety of policy libraries are provided to allow you to use more security policies that target Kubernetes scenarios. You can directly configure security policies in the console, which greatly simplifies policy governance configuration.

Prerequisites

  • The cluster runs Kubernetes 1.16 or later. For more information about how to update an ACK cluster, see Manually update ACK clusters.

  • When you manage security policies as a Resource Access Management (RAM) user, make sure that the RAM user is granted the following permissions:

    • cs:DescribePolicies: queries policies.

    • cs:DescribePoliceDetails: queries information about a policy.

    • cs:DescribePolicyGovernanceInCluster: queries information about policies in a cluster.

    • cs:DescribePolicyInstances: queries a policy instance that is deployed in a cluster.

    • cs:DescribePolicyInstancesStatus: queries information about policy instances in a cluster.

    • cs:DeployPolicyInstance: deploys a policy instance in a cluster.

    • cs:DeletePolicyInstance: deletes policy instances in a cluster.

    • cs:ModifyPolicyInstance: modifies a policy instance in a cluster.

    For more information about how to create custom RAM policies, see Create a custom RAM policy.

Usage notes

  • The policy governance feature is applicable only to Linux nodes.

  • Custom policies are not supported. All policies are from the built-in policy libraries of ACK.

Step 1: Install or update the policy governance components

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Security > Policy Governance.

  3. On the Policy Governance page, follow the on-screen instructions to install or update the components.

    To enable policy governance, you must install the following components: The following components are free of charge but consume your pod resources.

    • gatekeeper: an OPA-based Kubernetes admission controller. You can use this component to manage and use security policies executed by OPA in ACK clusters. This allows you to manage namespace labels.

      Note

      You can use only the gatekeeper component provided by ACK. If you use a gatekeeper component that is not provided by ACK, uninstall it and then install the component provided by ACK. For more information about the release notes for the gatekeeper component, see gatekeeper.

    • alibaba-log-controller: This component can be used to collect and retrieve blocking or alerting events that are generated due to security policy compliance issues.

    • policy-template-controller: a Kubernetes controller developed based on Alibaba Cloud security policy templates. You can use this component to manage the status of ACK clusters and policy instances deployed from different policy templates.

Step 2: Work with the policy governance feature

Platform

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Security > Policy Governance.

  3. On the Policy Governance page, follow the on-screen instructions to install or update the components, and then perform the following operations on demand.

View information about security policies in the current cluster

You can click the Overview tab to view information about security policies in the current cluster.

  • An overview of security policies in the cluster, including the numbers of high-risk policies, high-risk policies that are enabled, medium-risk policies, and medium-risk policies that are enabled. Security policies that the system suggests you to enable are also listed.

  • The numbers of blocking events and alerting events that are generated within the previous seven days.

  • The records of the latest 100 events that are generated within the last 7 days. To view more information about the audit log, click the 未知 icon next to Actions within Last 7 Days. In the tooltip that appears, click the hyperlink to go to the Logstore details page in the Log Service console. You can view the log that is stored in the Logstore.策略实施总览

Create and manage policy instances

Click the My Policies tab. Then, click Create Policy Instance and configure parameters in the Create Policy Instance dialog box.

Parameter

Description

Policy Type

Select a policy type. Valid values:

  • Infra: Policies of this type are used to enforce security control on infrastructure resources.

  • Compliance: Policies of this type are customized based on Kubernetes compliance standards, such as Alibaba Cloud Kubernetes Security Hardening.

  • PSP: Policies of this type are used to substitute the PSP resource.

  • K8s-general: Policies of this type are used to enforce security control on Kubernetes resources based on the standards of Alibaba Cloud security best practices.

For more information, see Predefined security policies of ACK.

Policy Name

Select a policy name from the drop-down list.

Action

  • Block: blocks resource deployments that match the policy.

  • Alert: generates alerts for resource deployments that match the policy. The resource deployments can still be performed.

Applicable Scope

Select the namespaces to which you want to apply the policy instance.

Parameters

  • If the editor is empty, it indicates that no parameter is required for the policy.

  • If parameters are displayed in the editor, set the parameters based on the descriptions.

View policies and policy instances in the current cluster

Click the My Policies tab to view all policies in the current cluster.

You can click the filter conditions in the upper-right corner of the list to filter policies. Enabled policies are displayed at the top of the list. The Instances column displays the number of policy instances deployed for each policy.

If the number of policy instances is zero, the corresponding policy is not deployed in the cluster. You can click Enable in the Actions column of the policy to configure and deploy policy instances.

策略规则说明

  • To modify the configuration of policy instances, click Modify in the Actions column.

    If more than one policy instance is deployed for a policy, you can click View Instances in the Actions column and click Modify to modify the configuration.

  • Click Delete in the Actions column to delete all policy instances deployed for a policy.

For more information about security policies and their templates, see Predefined security policies of ACK.

Related operations: Enable deletion protection for a namespace or a Service

After you enable the policy governance feature by performing Step 1: Install or update the policy governance components, you can also enable deletion protection for namespaces or Services that involve businesses-critical and sensitive data to avoid incurring maintenance costs caused by accidental namespace or Service deletion. After you enable deletion protection, the resources can be deleted only after you manually disable deletion protection.

The following content describes how to enable deletion protection for an existing namespace. You can also go to the corresponding page in the console and follow the on-screen instructions to enable deletion protection for other resources.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, click Namespaces and Quotas.

  3. On the Namespace page, find the namespace that you want to manage and click Edit in the Actions column. In the dialog box that appears, enable deletion protection.

References

You can configure cluster inspection to identify potential security risks in workload configurations in your cluster. For more information, see Use the inspection feature to detect security risks in the workloads of an ACK cluster.