prepare for cks exam with me 10: Pod security policy in Kubernetes

1. Purpose

In this post, I continue my notes on preparing for the CKS (Certified Kubernetes Security Specialist) exam. These are my own study notes for the exam; you can refer to them when preparing your own.

List of the series of posts:

- prepare for cks exam with me 1: Linux user and group management
- prepare for cks exam with me 2: Linux ssh hardening
- prepare for cks exam with me 3: Linux remove obsolete packages and services
- prepare for cks exam with me 4: Linux kernel hardening
- prepare for cks exam with me 5: Linux UFW (Uncomplicated Firewall)
- prepare for cks exam with me 6: Seccomp in Linux, Docker and Kubernetes
- prepare for cks exam with me 7: Apparmor in Linux, Docker and Kubernetes
- prepare for cks exam with me 8: Security context in Kubernetes
- prepare for cks exam with me 9: Admission controllers in Kubernetes
- prepare for cks exam with me 10: Pod security policy in Kubernetes
- prepare for cks exam with me 11: Open policy agent in Kubernetes
- prepare for cks exam with me 12: Secrets in Kubernetes
- prepare for cks exam with me 13: Container runtimes (gvisor/kata containers) in Kubernetes
- prepare for cks exam with me 14: Container Image security in Docker and Kubernetes
- prepare for cks exam with me 15: How to print docker images of all pods in kubernetes

2. Environment

  • CKS
  • Ubuntu System

3. Pod security policy in Kubernetes

3.1 What is pod security policy?

A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. A PodSecurityPolicy object defines a set of conditions that a pod must satisfy in order to be accepted into the system, as well as defaults for the related fields.

For example, the PodSecurityPolicy below does not allow privileged pods in Kubernetes:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-psp
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
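To see what these policy fields actually enforce, here is an added example (not code from the post or from Kubernetes): a small Python model of the admission check for the privileged, volumes and runAsUser fields, applied to the example-psp above and to a stricter policy constructed for comparison.

```python
# Added example (not code from the post): an offline model of the checks a PodSecurityPolicy
# admission controller makes for three fields: privileged, volumes and runAsUser. Policy and
# pod are plain dicts in the shape of the YAML; only those fields are modelled.

EXAMPLE_PSP = {"privileged": False, "runAsUser": {"rule": "RunAsAny"}, "volumes": ["*"]}
# A stricter policy, constructed here for comparison (not from the post).
STRICT_PSP = {"privileged": False, "runAsUser": {"rule": "MustRunAsNonRoot"},
              "volumes": ["configMap", "secret", "emptyDir"]}


def psp_violations(psp, pod):
    """Return the reasons the pod would be rejected (an empty list means it is admitted)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    # Each volume entry has "name" plus exactly one type key (hostPath, emptyDir, configMap, ...).
    allowed = set(psp.get("volumes", []))
    for vol in spec.get("volumes", []):
        vtype = next(k for k in vol if k != "name")
        if "*" not in allowed and vtype not in allowed:
            violations.append(f"volume {vol['name']}: type {vtype} is not allowed")
    user_rule = psp.get("runAsUser", {"rule": "RunAsAny"})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}  # container-level settings win
        if sc.get("privileged") and not psp.get("privileged", False):
            violations.append(f"container {c['name']}: privileged containers are not allowed")
        uid = sc.get("runAsUser")
        if user_rule["rule"] == "MustRunAsNonRoot":
            # UID 0, or no UID without runAsNonRoot=true, cannot be shown non-root at admission.
            if uid == 0 or (uid is None and not sc.get("runAsNonRoot")):
                violations.append(f"container {c['name']}: must run as a non-root user")
        elif user_rule["rule"] == "MustRunAs":
            # The real controller defaults a missing UID to the first range's min (the "defaults"
            # the post mentions), so only an explicit UID outside every range is rejected.
            if uid is not None and not any(r["min"] <= uid <= r["max"] for r in user_rule["ranges"]):
                violations.append(f"container {c['name']}: runAsUser {uid} is outside the allowed ranges")
    return violations


# Constructed sample pods: one privileged, one mounting a hostPath, one that satisfies both policies.
PRIVILEGED_POD = {"spec": {"containers": [{"name": "app", "securityContext": {"privileged": True}}]}}
HOSTPATH_POD = {"spec": {"volumes": [{"name": "host", "hostPath": {"path": "/etc"}}],
                         "containers": [{"name": "app", "securityContext": {"runAsUser": 1000}}]}}
SAFE_POD = {"spec": {"securityContext": {"runAsNonRoot": True},
                     "volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}],
                     "containers": [{"name": "app"}]}}
```

Running `psp_violations(EXAMPLE_PSP, PRIVILEGED_POD)` returns the single privileged violation, while the same pod against STRICT_PSP is rejected for both the privileged flag and the unproven non-root user.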

3.2 How to check if the pod security policy is enabled in kubernetes?

Pod Security Policy is implemented as an admission controller. We can check whether the PodSecurityPolicy admission plugin is enabled by running this command against the API server pod:

$ kubectl exec kube-apiserver-controlplane -n kube-system -- kube-apiserver -h | grep enable-admission-plugins

By default, PodSecurityPolicy is not enabled in Kubernetes. We can enable it by adding this option to the kube-apiserver arguments:

- --enable-admission-plugins=NodeRestriction,PodSecurityPolicy

3.3 Authorize the service account to access pod security policy

After the admission controller is enabled, all requests to create pods are rejected unless the pod's service account is authorized to use a pod security policy.

We can use RBAC to grant the pod's service account access to the policy.

Suppose our pod uses the default service account in the default namespace; we can grant access as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp-role
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames: ['example-psp']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-rolebinding
roleRef:
  kind: Role
  name: psp-role
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

In the YAML above, we grant the default service account in the default namespace permission to use the PodSecurityPolicy named example-psp.

4. Summary

In this post, I wrote some examples about pod security policy in Kubernetes.