In this post, I will continue writing about preparing for the CKS (Certified Kubernetes Security Specialist) exam. These are my own notes for the exam, and you can refer to these articles to prepare your own.
List of the series of posts:
- Ubuntu System
3. Pod security policy in Kubernetes
3.1 What is pod security policy?
A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. A PodSecurityPolicy object defines a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
For example, the PodSecurityPolicy below does not allow pods to run as privileged in Kubernetes:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-psp
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
```
3.2 How to check if the pod security policy is enabled in kubernetes?
Pod security policy is implemented as an admission controller. We can check whether the PodSecurityPolicy admission plugin is enabled on the API server by running this command:

```shell
$ kubectl exec kube-apiserver-controlplane -n kube-system -- kube-apiserver -h | grep enable-admission-plugins
```
By default, the PodSecurityPolicy admission plugin is not enabled in Kubernetes; we can enable it by adding these options to kube-apiserver:
3.3 Authorize the service account to access pod security policy
After the admission controller is enabled, all requests to create pods are rejected unless the pod's service account is authorized to use a pod security policy.
We can use RBAC to grant the pod's service account access to the policy.
Suppose our pod is using the default service account in the default namespace; we can grant it access as follows:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp-role
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['example-psp']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-rolebinding
roleRef:
  kind: Role
  name: psp-role
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
```
In the above YAML, we grant the default service account in the default namespace permission to use the PodSecurityPolicy named
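To make the two halves of this concrete (the policy from 3.1 and the RBAC `use` grant from 3.3), here is an added example that is not from the original post or the Kubernetes code base: a small, simplified emulation of what the PodSecurityPolicy admission plugin checks for the `privileged`, `runAsUser` and `volumes` fields, plus the service-account authorization step. The policy, grants and pod specs are constructed to mirror the YAML above.

```python
"""Simplified emulation of PodSecurityPolicy admission (added example, not the
real Kubernetes implementation). Only the privileged, runAsUser and volumes
fields are evaluated; the other PSP fields are ignored here."""

# Constructed policy mirroring example-psp from the post.
EXAMPLE_PSP = {
    "name": "example-psp",
    "spec": {"privileged": False, "volumes": ["*"],
             "runAsUser": {"rule": "RunAsAny"}},
}

# Constructed view of the Role/RoleBinding from the post:
# (namespace, serviceAccountName) -> PSP names the SA may 'use'.
PSP_GRANTS = {("default", "default"): ["example-psp"]}


def sa_may_use(namespace, service_account, psp_name, grants=PSP_GRANTS):
    """True if the service account holds the 'use' verb on the named PSP."""
    return psp_name in grants.get((namespace, service_account), [])


def violations(pod, psp):
    """Reasons the pod spec violates the PSP spec (empty list = pod satisfies it)."""
    spec = psp["spec"]
    reasons = []
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not spec["privileged"]:
            reasons.append(f"container {c['name']}: privileged containers are not allowed")
        rule = spec["runAsUser"]["rule"]
        run_as = sc.get("runAsUser")
        if rule == "MustRunAsNonRoot" and (run_as is None or run_as == 0):
            reasons.append(f"container {c['name']}: must run as non-root")
    allowed = spec["volumes"]
    for v in pod.get("volumes", []):
        kind = next((k for k in v if k != "name"), "unknown")  # e.g. hostPath, configMap
        if "*" not in allowed and kind not in allowed:
            reasons.append(f"volume {v['name']}: type {kind} is not allowed")
    return reasons


def admit(pod, namespace="default", psp=EXAMPLE_PSP, grants=PSP_GRANTS):
    """Admission order: first the SA must be able to 'use' the PSP, then the pod must satisfy it."""
    sa = pod.get("serviceAccountName", "default")
    if not sa_may_use(namespace, sa, psp["name"], grants):
        return False, [f"serviceaccount {namespace}:{sa} cannot use podsecuritypolicy {psp['name']}"]
    reasons = violations(pod, psp)
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed pod that example-psp rejects because it asks for privileged mode.
    print(admit({"containers": [{"name": "app", "securityContext": {"privileged": True}}]}))
```

The `admit` call in the `__main__` block returns `(False, [...])`, which is the same outcome the real admission controller produces for a privileged pod under `example-psp`; a plain pod with no security context is admitted.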
In this post, I have written up some examples of using pod security policy in Kubernetes.