Kubernetes Pod Security Policy Concepts

From NovaOrdis Knowledge Base
Revision as of 02:20, 3 September 2020 by Ovidiu (talk | contribs) (→‎Overview)
Jump to navigation Jump to search

External

Internal

Overview

A pod security policy is an example of a Kubernetes policy.

Pod security policy is implemented by a set of specialized Kubernetes resources (PodSecurityPolicy), generic resources (ServiceAccount, higher level pod controllers such as Deployments, ReplicaSets and so on), the PodSecurityPolicy admission controller and other controllers, all working in concert to ensure that the pods are created within strict security assumptions, and the pods access various resources in a controlled, secured manner. The pod security policy controls security sensitive aspects of the pod specification.

To enable pod security policy control, the PodSecurityPolicy admission controller must be explicitly enabled. At the same time, corresponding PodSecurityPolicy instances must be created and enabled, otherwise the admission controller will prevent any pods from being created in the cluster. The PodSecurityPolicies can be deployed before enabling the admission controller, and this is the recommended sequence.

To be used, a specific PodSecurityPolicy must be associated with either users or the target pods' service accounts, via a role and a binding. More details on how a PodSecurityPolicy can be associated with users and security accounts are available in PodSecurityPolicy Operations. Apparently, and alternative method to associate pods with a specific policy is to grant its higher-level controller access to the policy, but that would meant that all pods created by the controller are associated with the policy. The more selective method of using a service account is preferred.

PodSecurityPolicy

The PodSecurityPolicy is a cluster-level resource that defines a set of conditions that a pod must run with in order to be accepted in the system, aspects of pod behavior, as well as defaults for the related fields.

PodSecurityPolicy Manifest

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podsecuritypolicy-v1beta1-policy

PodSecurityPolicy Controlled Aspects and Fields

Capability of Enabling Privileged Mode

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged

privileged

Access to Host Namespaces

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

hostPID, hostIPC, hostNetwork, hostPorts.

Specification of Accepted Volume Types and File System Access Control

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

volumes, allowedHostPaths, allowedFlexVolumes, fsGroup, readOnlyRootFilesystem

User and Group Control

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups

runAsUser, runAsGroup, supplementalGroups

Privilege Escalation Control

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

allowPrivilegeEscalation, defaultAllowPrivilegeEscalation

Linux Capabilities

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities

defaultAddCapabilities, requiredDropCapabilities, allowedCapabilities

SELinux Configuration

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux

seLinux

Others

allowedProcMountTypes, forbiddenSysctls, allowedUnsafeSysctls

PodSecurityPolicy Operations

PodSecurityPolicy Operations

PodSecurityPolicy Admission Controller

The PodSecurityPolicy admission controller is a piece of code within the API server that intercepts pod creation and modification requests and determines if the request should be allowed based on the requested security context and the available PodSecurityPolicies.

More about admission controllers and admission controller operations:

Kubernetes Admission Controller Concepts
Admission Controller Operations
Retrieved from "https://kb.novaordis.com/index.php?title=Kubernetes_Pod_Security_Policy_Concepts&oldid=68394"