proposalbot
a70a2c8b2e
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com> Co-authored-by: proposalbot <proposalbot@otc-service.com> Co-committed-by: proposalbot <proposalbot@otc-service.com>
171 lines
5.1 KiB
ReStructuredText
171 lines
5.1 KiB
ReStructuredText
:original_name: cce_01_0275.html
|
|
|
|
.. _cce_01_0275:
|
|
|
|
Pod Security Policies
|
|
=====================
|
|
|
|
A pod security policy (PSP) is a cluster-level resource that controls sensitive security aspects of the pod specification. The `PodSecurityPolicy <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podsecuritypolicy-v1beta1-policy>`__ object in Kubernetes defines a group of conditions that a pod must comply with to be accepted by the system, as well as the default values of related fields.
|
|
|
|
By default, the PSP access control component is enabled for clusters of v1.17.17 and a global default PSP named **psp-global** is created. You can modify the default policy (but not delete it). You can also create a PSP and bind it to the RBAC configuration.
|
|
|
|
.. note::
|
|
|
|
In addition to the global default PSP, the system configures independent PSPs for system components in namespace kube-system. Modifying the psp-global configuration does not affect pod creation in namespace kube-system.
|
|
|
|
Modifying the Global Default PSP
|
|
--------------------------------
|
|
|
|
Before modifying the global default PSP, ensure that a CCE cluster has been created and connected by using kubectl.
|
|
|
|
#. Run the following command:
|
|
|
|
**kubectl edit psp psp-global**
|
|
|
|
#. Modify the parameters as required. For details, see `PodSecurityPolicy <https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/>`__.
|
|
|
|
.. _cce_01_0275__section155111941177:
|
|
|
|
Example of Enabling Unsafe Sysctls in Pod Security Policy
|
|
---------------------------------------------------------
|
|
|
|
You can configure allowed-unsafe-sysctls for a node pool. For CCE **v1.17.17** and later versions, add configurations in **allowedUnsafeSysctls** of the pod security policy to make the configuration take effect. For details, see `PodSecurityPolicy <https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/>`__.
|
|
|
|
In addition to modifying the global pod security policy, you can add new pod security policies. For example, enable the **net.core.somaxconn** unsafe sysctls. The following is an example of adding a pod security policy:
|
|
|
|
.. code-block::
|
|
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
annotations:
|
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
|
|
name: sysctl-psp
|
|
spec:
|
|
allowedUnsafeSysctls:
|
|
- net.core.somaxconn
|
|
allowPrivilegeEscalation: true
|
|
allowedCapabilities:
|
|
- '*'
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
hostIPC: true
|
|
hostNetwork: true
|
|
hostPID: true
|
|
hostPorts:
|
|
- max: 65535
|
|
min: 0
|
|
privileged: true
|
|
runAsGroup:
|
|
rule: RunAsAny
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- '*'
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: sysctl-psp
|
|
rules:
|
|
- apiGroups:
|
|
- "*"
|
|
resources:
|
|
- podsecuritypolicies
|
|
resourceNames:
|
|
- sysctl-psp
|
|
verbs:
|
|
- use
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: sysctl-psp
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: sysctl-psp
|
|
apiGroup: rbac.authorization.k8s.io
|
|
subjects:
|
|
- kind: Group
|
|
name: system:authenticated
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
Restoring the Original PSP
|
|
--------------------------
|
|
|
|
If you have modified the default pod security policy and want to restore the original pod security policy, perform the following operations.
|
|
|
|
#. Create a policy description file named **policy.yaml**. **policy.yaml** is an example file name. You can rename it as required.
|
|
|
|
**vi policy.yaml**
|
|
|
|
The content of the description file is as follows:
|
|
|
|
.. code-block::
|
|
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: psp-global
|
|
annotations:
|
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
|
|
spec:
|
|
privileged: true
|
|
allowPrivilegeEscalation: true
|
|
allowedCapabilities:
|
|
- '*'
|
|
volumes:
|
|
- '*'
|
|
hostNetwork: true
|
|
hostPorts:
|
|
- min: 0
|
|
max: 65535
|
|
hostIPC: true
|
|
hostPID: true
|
|
runAsUser:
|
|
rule: 'RunAsAny'
|
|
seLinux:
|
|
rule: 'RunAsAny'
|
|
supplementalGroups:
|
|
rule: 'RunAsAny'
|
|
fsGroup:
|
|
rule: 'RunAsAny'
|
|
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: psp-global
|
|
rules:
|
|
- apiGroups:
|
|
- "*"
|
|
resources:
|
|
- podsecuritypolicies
|
|
resourceNames:
|
|
- psp-global
|
|
verbs:
|
|
- use
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: psp-global
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: psp-global
|
|
apiGroup: rbac.authorization.k8s.io
|
|
subjects:
|
|
- kind: Group
|
|
name: system:authenticated
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#. Run the following commands:
|
|
|
|
**kubectl apply -f policy.yaml**
|