Kubernetes Pod Security Policy Concepts
External
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/
- https://kubernetes.io/docs/concepts/security/pod-security-standards/
Internal
Overview
A pod security policy is an example of a Kubernetes policy.
Pod security policy is implemented by a set of specialized Kubernetes resources (PodSecurityPolicy), generic resources (ServiceAccount, higher level pod controllers such as Deployments, ReplicaSets and so on), the PodSecurityPolicy admission controller and other controllers, all working in concert to ensure that the pods are created within strict security assumptions, and the pods access various resources in a controlled, secured manner. The pod security policy controls security sensitive aspects of the pod specification.
To enable pod security policy control, the PodSecurityPolicy admission controller must be explicitly enabled.
PodSecurityPolicy
The PodSecurityPolicy is a cluster-level resource that defines a set of conditions that a pod must run with in order to be accepted in the system, aspects of pod behavior, as well as defaults for the related fields.
PodSecurityPolicy Manifest
PodSecurityPolicy Controlled Aspects and Fields
Capability of Enabling Privileged Mode
privileged
Access to Host Namespaces
hostPID
, hostIPC
, hostNetwork
, hostPorts
.
Specification of Accepted Volume Types and File System Access Control
volumes
, allowedHostPaths
, allowedFlexVolumes
, fsGroup
, readOnlyRootFilesystem
User and Group Control
runAsUser
, runAsGroup
, supplementalGroups
Privilege Escalation Control
allowPrivilegeEscalation
, defaultAllowPrivilegeEscalation
Linux Capabilities
defaultAddCapabilities
, requiredDropCapabilities
, allowedCapabilities
SELinux Configuration
seLinux
Others
allowedProcMountTypes
, forbiddenSysctls
, allowedUnsafeSysctls
PodSecurityPolicy Admission Controller
The PodSecurityPolicy admission controller is a piece of code within the API server that intercepts pod creation and modification requests and determines if the request should be allowed based on the requested security context and the available PodSecurityPolicies.
More about admission controllers and admission controller operations: