Skip to content
This repository has been archived by the owner on Oct 29, 2021. It is now read-only.

Latest commit

 

History

History
167 lines (141 loc) · 5.83 KB

7.Configure-default-pod-security-policy.md

File metadata and controls

167 lines (141 loc) · 5.83 KB
Raw

7. Configure default Pod Security Policy

Once this feature is activated, proceed to configure the default behavior. In this case, set some very restrictive and secure policies.

First, use the kube config with cluster-admin privileges:

$ export KUBECONFIG=$(pwd)/.kube-default-kube-system-conf
$ kubectl get nodes
NAME     STATUS   ROLES    AGE   VERSION
pc1282   Ready    <none>   27h   v1.13.2

Then, you are ready to create the Pod Security Policy:

$ kubectl apply -f psp/restrictive.yml
podsecuritypolicy.policy/restrictive created
$ kubectl get psp
NAME          PRIV    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
restrictive   false   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            configMap,downwardAPI,emptyDir,persistentVolumeClaim,secret,projected

But this does not imply that it can be used. To do this, create a ClusterRole that allows the use of this security policy.

$ kubectl apply -f psp/psp-restrictive.yml
podsecuritypolicy.policy/restrictive created
$ kubectl get -o yaml clusterrole.rbac.authorization.k8s.io/psp-restrictive
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"psp-restrictive"},"rules":[{"apiGroups":["extensions"],"resourceNames":["restrictive"],"resources":["podsecuritypolicies"],"verbs":["use"]}]}
  creationTimestamp: "2019-01-24T14:27:33Z"
  name: psp-restrictive
  resourceVersion: "61720"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/psp-restrictive
  uid: 30544352-1fe4-11e9-b5a8-9cb6d0e7e121
rules:
- apiGroups:
  - extensions
  resourceNames:
  - restrictive
  resources:
  - podsecuritypolicies
  verbs:
  - use

This way, it is not yet configured to be used. We will assign this ClusterRole to the serviceaccount that are in charge of deploying containers in the cluster.

$ kubectl apply -f psp/psp-default.yml
clusterrolebinding.rbac.authorization.k8s.io/psp-default created
$ kubectl get clusterrolebinding | grep psp
psp-default                                            91s

Try the default policy

Re-deploys the nginx from the previous step:

$ export KUBECONFIG=$(pwd)/.kube-default-kube-system-conf
$ kubectl apply -f examples/nginx.yaml -n default
$ kubectl get deploy,rs,pod -n default
NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/nginx-deployment   1/1     1            1           59s

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.extensions/nginx-deployment-7c74c7d654   1         1         1       59s

NAME                                    READY   STATUS    RESTARTS   AGE
pod/nginx-deployment-7c74c7d654-m6hlw   1/1     Running   0          59s
$ kubectl describe pod/nginx-deployment-7c74c7d654-m6hlw -n default | grep psp
Annotations:        kubernetes.io/psp: restrictive

As the above command indicates, the pod has started with the restrictive policy (cluster default).

Remove the deploy and redeploy a new one (with host access):

$ kubectl apply -f examples/nginx-host.yaml -n default
$ kubectl get deploy,rs,pod -n default
NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/nginx-deployment   0/1     0            0           5s

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.extensions/nginx-deployment-597c4cff45   1         0         0       5s
$ kubectl describe  replicaset.extensions/nginx-deployment-597c4cff45 -n default
Name:           nginx-deployment-597c4cff45
Namespace:      default
Selector:       app=nginx,pod-template-hash=597c4cff45
Labels:         app=nginx
                pod-template-hash=597c4cff45
Annotations:    deployment.kubernetes.io/desired-replicas: 1
                deployment.kubernetes.io/max-replicas: 2
                deployment.kubernetes.io/revision: 1
Controlled By:  Deployment/nginx-deployment
Replicas:       0 current / 1 desired
Pods Status:    0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:  app=nginx
           pod-template-hash=597c4cff45
  Containers:
   nginx:
    Image:        nginx:1.15.4
    Port:         <none>
    Host Port:    <none>
    Environment:  <none>
    Mounts:       <none>
  Volumes:        <none>
Conditions:
  Type             Status  Reason
  ----             ------  ------
  ReplicaFailure   True    FailedCreate
Events:
  Type     Reason        Age                 From                   Message
  ----     ------        ----                ----                   -------
  Warning  FailedCreate  20s (x14 over 61s)  replicaset-controller  Error creating: pods "nginx-deployment-597c4cff45-" is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used]

As seen in the above command, the deployment cannot be carried out because it does not comply with the security policy.

What happended

If we look at the deployment, we see how it asks for access to the host's network:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.15.4
      hostNetwork: true

And the security policy we've set up doesn't allow this behavior:

$ kubectl describe psp restrictive | grep "Allow Host Network"
  Allow Host Network:                     false

Clean up

$ kubectl delete -f examples/nginx-host.yaml -n default
deployment.apps "nginx-deployment" deleted