prepare for cks exam with me 10: Pod security policy in Kubernetes
In this post, I would continue to write about preparing for the CKS (Certified Kubernetes Security Specialist) exam. I would write my own notes about the exam, and you can refer to these articles to prepare your own.
List of the series of posts:
- prepare for cks exam with me 1: Linux user and group management
- prepare for cks exam with me 2: Linux ssh hardening
- prepare for cks exam with me 3: Linux remove obsolete packages and services
- prepare for cks exam with me 4: Linux kernel hardening
- prepare for cks exam with me 5: Linux UFW (Uncomplicated firewall)
- prepare for cks exam with me 6: Seccomp in Linux, Docker and Kubernetes
- prepare for cks exam with me 7: Apparmor in Linux, Docker and Kubernetes
- prepare for cks exam with me 8: Security context in Kubernetes
- prepare for cks exam with me 9: Admission controllers in Kubernetes
- prepare for cks exam with me 10: Pod security policy in Kubernetes
- prepare for cks exam with me 11: Open policy agent in Kubernetes
- prepare for cks exam with me 12: Secrets in Kubernetes
- prepare for cks exam with me 13: Container runtimes (gvisor/kata containers) in Kubernetes
- prepare for cks exam with me 14: Container Image security in Docker and Kubernetes
- prepare for cks exam with me 15: How to print docker images of all pods in kubernetes
- Ubuntu System
3. Pod security policy in Kubernetes
3.1 What is pod security policy?
A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. A PodSecurityPolicy object defines a set of conditions that a pod must satisfy in order to be accepted into the system, as well as defaults for the related fields.
For example, the PodSecurityPolicy below does not allow pods to be privileged in Kubernetes:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-psp
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
3.2 How to check if the pod security policy is enabled in kubernetes?
PodSecurityPolicy is one of the admission controllers. We can check the PodSecurityPolicy status by running this command:
$ kubectl exec kube-apiserver-controlplane -n kube-system -- kube-apiserver -h | grep enable-admission-plugins
By default, PodSecurityPolicy is not enabled in Kubernetes; we can enable it by adding these options to kube-apiserver:
3.3 Authorize the service account to access pod security policy
After the admission controller is enabled, all requests to create pods are rejected unless we authorize the pod's service account to use a pod security policy.
We can use RBAC to grant the pod's service account access to the policy.
Suppose our pod uses the default service account in the default namespace; we can grant access as follows:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp-role
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['example-psp']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-rolebinding
roleRef:
  kind: Role
  name: psp-role
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
In the above YAML, we grant the default service account in the default namespace permission to use the PodSecurityPolicy named
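To see how the two gates from 3.1 and 3.3 fit together (the PSP conditions a pod must satisfy, and the RBAC "use" grant the service account needs), here is an added Python model of that decision; it is not code from this post or from kube-apiserver, and it reduces the post's manifests to dicts holding only the fields the check needs. It assumes namespaced Roles and ServiceAccount subjects only (ClusterRoles and group subjects are ignored).

```python
# Added example (not from the post): a simplified Python model of the two gates
# the post describes, the PSP admission check (privileged, volume types) and the
# RBAC "use" grant. Not kube-apiserver code; manifests reduced to key fields.

EXAMPLE_PSP = {"metadata": {"name": "example-psp"},
               "spec": {"privileged": False, "volumes": ["*"]}}
PSP_ROLE = {"namespace": "default", "name": "psp-role", "rules": [
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "verbs": ["use"], "resourceNames": ["example-psp"]}]}
PSP_ROLEBINDING = {"namespace": "default", "roleRef": "psp-role", "subjects": [
    {"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}

def can_use_psp(sa_name, sa_ns, psp_name, roles, bindings):
    """RBAC step: a RoleBinding naming this SA must point at a Role whose rule
    grants verb 'use' on podsecuritypolicies for this resourceName.
    (Simplified: ClusterRoles and group subjects are ignored.)"""
    roles_by_key = {(r["namespace"], r["name"]): r for r in roles}
    for b in bindings:
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s["namespace"] == sa_ns for s in b["subjects"]):
            continue
        role = roles_by_key.get((b["namespace"], b["roleRef"]), {"rules": []})
        for rule in role["rules"]:
            if ("policy" in rule["apiGroups"] and "use" in rule["verbs"]
                    and "podsecuritypolicies" in rule["resources"]
                    and psp_name in (rule.get("resourceNames") or [psp_name])):
                return True
    return False

def psp_violations(psp, pod):
    """Admission step for the fields example-psp sets: privileged containers
    and volume types. Returns the list of violations (empty means allowed)."""
    spec, found = psp["spec"], []
    for c in pod["spec"].get("containers", []):
        if c.get("securityContext", {}).get("privileged") and not spec["privileged"]:
            found.append(f"container {c['name']}: privileged not allowed")
    for v in pod["spec"].get("volumes", []):
        vol_type = next(k for k in v if k != "name")  # e.g. hostPath, emptyDir
        if "*" not in spec["volumes"] and vol_type not in spec["volumes"]:
            found.append(f"volume {v['name']}: type {vol_type} not allowed")
    return found

def admit(pod, sa_name, sa_ns, psps, roles, bindings):
    """Admitted only if the SA may 'use' some PSP the pod satisfies; with no
    usable PSP at all every pod is rejected, the failure described in 3.3."""
    for psp in psps:
        name = psp["metadata"]["name"]
        if can_use_psp(sa_name, sa_ns, name, roles, bindings) and not psp_violations(psp, pod):
            return True, name
    return False, None
```

Calling admit() with an empty bindings list reproduces the situation in 3.3 where every pod is rejected; passing a PSP whose volumes list omits hostPath shows the volume-type check as well.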
In this post, I have written some examples of pod security policy in Kubernetes.