Kubernetes Pod security policy (PSP) configuration

By default, Kubernetes allows the creation of Pods with privileged containers, which may endanger the system security, while the POD Security Policy (PSP) protects the cluster from privileged PODs by ensuring that requesters have the right to create PODs according to the configuration.

Other plug-ins come from the list of recommended plug-ins in the Kubernetes document.

Then directly create the above deployment:

Deployment.apps/nginx-deploy created.

We can see that the deployment has been successfully created. Now, check the pod, replication set and deployment under the default namespace:

The name-ready state starts aging again.

The expected current ready age of the name.

replicaset.extensions/nginx-deploy-77f7d4c6b4 1 0 0 40

The name is ready with the latest available age.

deployment.extensions/nginx-deploy 0/ 1 0 0 40

As you can see, both replicaset and deployment were created successfully, but the replicaset controller did not create a Pod, so a ServiceAccount is needed at this time.

Connection separation controller

Printed fabric controller

Certificate controller

Cluster role aggregation controller

Cronjob controller

Daemon setting controller

Deployment controller

Interrupt controller

Endpoint controller

Extended controller

Job controller

Namespace controller

Node controller

Photovoltaic protection controller

Pvc protection controller

Replica set controller

Replication controller

Resource Quota-Controller

Service account controller

Service controller

State set controller

Ttl controller

These ServiceAccount specify which controller can resolve the configuration of which policies.

Podsecuritypolicy.policy/restrictive is configured.

Although limited access is enough for most Pod creation, some rights policies are needed for PODs that need to improve access rights. For example, kube-proxy needs to enable the hostNetwork:

The name-ready state starts aging again.

Kube-proxy-4Z4VF11run018d.

$ kubectl get pods-n kube-system kube-proxy-4z4vf-o YAML | grep host network

Host network: correct

Therefore, it is necessary to create a permission policy to enhance the creation permission: (PSP-Permission. Yaml)

Podsecuritypolicy.policy/permissive is configured.

$ TERM kubectl gets psp

Name privcaps selinux runas userfs group supgroup readonly rootfs volume

Allow true RunAsAny RunAsAny RunAsAny leave.

Restricted false * runas any runas any runas any false config map, downwardAPI, emptyDir, persistentVolumeClaim, secret, projected.

Now the configuration is ready, but we need to introduce Kubernetes authorization to determine whether the user requesting Pod creation or ServiceAccount has solved the restrictive or permissive policy, which requires RBAC.

Clusterrole.rbac.authorization.k8s.io/psp-restrictive created.

Clusterrolebinding.rbac.authorization.k8s.io/psp-default created.

Now, let's recreate the deployment defined above:

Deployment.apps "nginx-deploy "has been deleted.

$ kubectl apply -f nginx.yaml

Deployment.apps/nginx-deploy created.

After the creation, we should also look at some resource objects we created in the default namespace:

The name-ready state starts aging again.

Pod/Nginx-deploy-77F7D4C6b4-NJFDL11run013s

The expected current ready age of the name.

replicaset.extensions/nginx-deploy-77f7d4c6b4 1 1 1 13s

The name is ready with the latest available age.

deployment.extensions/nginx-deploy 1/ 1 1 1 13s

We can see that Pods was successfully created, but if we try to do something that is not allowed by the policy, we should be rejected normally. Delete the above deployment first:

Deployment.apps "nginx-deploy "has been deleted.

Now we add hostNetwork: true to nginx-deploy to use this privilege: (nginx-hostnetwork.yaml).

Deployment.apps/nginx-hostnetwork-deploy created.

After creation, you should also look at some resource objects under namespace defaults:

The name-ready state starts aging again.

The expected current ready age of the name.

replicaset.extensions/nginx-hostnetwork-deploy-74c8fbd687 1 0 0 44s

The name is ready with the latest available age.

deployment.extensions/nginx-hostnetwork-deploy 0/ 1 0 0 44

Now we find that ReplicaSet didn't create Pod. You can use the kubectl describe command to view the ReplicaSet resource object we created here to learn more:

Name: nginx-host network-deploy-74c8fbd687

......

Event:

Type the reason age from the email.

Warning Failed to create 80s (x 15 over 2m42s) replication set-controller error creation: pod "nginx-host network-deploy-74c8fbd687-"forbidden: unable to verify any pod security policy: [spec. securitycontext. host network: invalid value: true: host network is not allowed]

We can see that obviously the Hostnetwork is not allowed to be used, but in some cases, we do create a Pod using the hostNetwork in a certain namespace (such as kube-system), so we need to create a ClusterRole that allows execution, and then create a RoleBinding for a specific namespace. Bind the ClusterRole here with the related controller ServiceAccount: (PSP-permission-rbac.yaml)

Clusterrole.rbac.authorization.k8s.io/psp-permissive created.

Rolebinding.rbac.authorization.k8s.io/psp-permissive created.

Now, we can use hostNetwork to create Pod under the namespace of kube-system, and change the nginx resource list above to the namespace of kube-system:

Recreate this deployment:

Deployment.apps/nginx-hostnetwork-deploy created.

After creation, check the creation of the corresponding resource object:

The name-ready state starts aging again.

Pod/nginx-host network-deploy-74c8fbd687-7x8px11run02m1

The expected current ready age of the name.

replicaset.extensions/nginx-hostnetwork-deploy-74c8fbd687 1 1 1 2m 1s

The name is ready with the latest available age.

deployment.extensions/nginx-hostnetwork-deploy 1/ 1 1 1 2m 1s

Now we can see that Pod has been successfully created under the namespace kube-system.

Service account/special a has been created.

Then create a RoleBinding to bind the specialsa to the psp-permissive thread above: (specialsa-psp.yaml).