Swiftorial Logo
Home
Swift Lessons
Matchups
CodeSnaps
Tutorials
Career
Resources

Kubernetes - Enforcing Pod Security Policies

Introduction

Pod Security Policies (PSPs) in Kubernetes provide a mechanism to control the security specifications of pods running in a cluster. By defining and enforcing PSPs, you can ensure that pods adhere to security best practices and compliance requirements. This guide provides an advanced overview of enforcing pod security policies in Kubernetes.

Key Points:

  • PSPs control the security context of pods, including privilege levels, file system permissions, and allowed capabilities.
  • PSPs are defined using YAML manifests and enforced through Kubernetes admission controllers.
  • Properly configured PSPs enhance the security posture of your Kubernetes cluster.

What are Pod Security Policies?

Pod Security Policies (PSPs) are Kubernetes resources that define a set of conditions that a pod must meet to be accepted into the system. PSPs are used to control various aspects of pod security, such as:

  • Privilege levels and capabilities
  • Volume types
  • File system permissions
  • Network policies
  • AppArmor and SELinux profiles

Creating a Pod Security Policy

To create a PSP, define the policy in a YAML manifest. Here is an example of a PSP that restricts pods from running as root:

# Example of a Pod Security Policy (psp.yaml)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'

# Apply the Pod Security Policy
kubectl apply -f psp.yaml

# Verify the Pod Security Policy
kubectl get psp

Enforcing Pod Security Policies

To enforce PSPs, you need to configure the Kubernetes admission controller. Here is how to enable and enforce PSPs:

# Edit the Kubernetes API server configuration (apiserver.yaml)
--enable-admission-plugins=...,PodSecurityPolicy,...

# Restart the API server to apply the changes
kubectl get pods -n kube-system -l component=kube-apiserver
kubectl delete pod  -n kube-system

# Create a Role and RoleBinding to grant access to the PSP (psp-role.yaml)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-psp
  namespace: default
rules:
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - restricted-psp
  verbs:
  - use

# Create a RoleBinding to bind the role to a service account
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-psp
  namespace: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: Role
  name: use-psp
  apiGroup: rbac.authorization.k8s.io

# Apply the Role and RoleBinding
kubectl apply -f psp-role.yaml

# Verify the RoleBinding
kubectl get rolebinding -n default

Advanced PSP Configurations

PSPs can be configured to enforce more advanced security policies. Here are a few examples:

  • AppArmor Profiles: Specify AppArmor profiles to restrict the system calls that pods can use.
  • SELinux Options: Define SELinux contexts to enforce security policies at the kernel level.
  • Allowed Capabilities: Specify which Linux capabilities are allowed for containers running in the pod.
  • Host Network and Ports: Control whether pods can use the host network, IPC, and PID namespaces, and specify allowed host ports.
# Example of an advanced PSP (advanced-psp.yaml)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: advanced-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities:
  - 'NET_ADMIN'
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'secret'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535

# Apply the advanced PSP
kubectl apply -f advanced-psp.yaml

# Verify the advanced PSP
kubectl get psp

Best Practices

Follow these best practices when implementing and enforcing PSPs in Kubernetes:

  • Start with Restricted Policies: Begin with restrictive policies and gradually relax them as needed based on application requirements.
  • Use Role-Based Access Control (RBAC): Use RBAC to control which users and service accounts can use specific PSPs.
  • Regularly Review Policies: Periodically review and update your PSPs to ensure they meet the latest security requirements and compliance standards.
  • Monitor Compliance: Continuously monitor your clusters for compliance with defined PSPs and address any deviations promptly.
  • Document Policies: Document your PSPs and their configurations to ensure clarity and consistency across your team.

Conclusion

This guide provided an advanced overview of enforcing pod security policies in Kubernetes, including creating PSPs, configuring the admission controller, and using advanced configurations. By leveraging PSPs, you can enhance the security of your Kubernetes clusters and ensure compliance with best practices and regulatory requirements.