-
Notifications
You must be signed in to change notification settings - Fork 35
/
Copy path_understand_pod_security_policies.md.erb
60 lines (49 loc) · 2.84 KB
/
_understand_pod_security_policies.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
<%
=begin
apps: none
platforms: kubernetes
id: understand_pod_security_policies
title: Understand pod security policies
category: configuration
weight: 20
highlight: 20
=end %>
In Kubernetes, a pod security policy is represented by a PodSecurityPolicy resource. This resource lists the conditions a pod must meet in order to run in the cluster. Here's an example of a pod security policy, expressed in YAML:
~~~
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: example
spec:
privileged: false
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
fsGroup:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'nfs'
hostPorts:
- min: 100
max: 100
~~~
Briefly, this pod security policy implements the following security rules:
* [Disallow containers running in privileged mode](/<%= platform_path %>/faq/configuration/use-non-root)
* Disallow containers that require root privileges
* Disallow containers that access volumes apart from NFS volumes
* Disallow containers that access host ports apart from port 100
Let's look at the broad structure of a pod security policy.
* The *metadata* section of the policy specifies its name.
* The *spec* section of the policy outlines the key criteria a pod must fulfil in order to be allowed to run.
Here is a brief description of the main options available (you can find more details in the official Kubernetes documentation):
* The *privileged* field indicates whether to allow containers that use privileged mode. [Learn more about privileged mode](https://kubernetes.io/docs/concepts/workloads/pods/pod/#privileged-mode-for-pod-containers).
* The *runAsUser* field defines which users a container can run as. Most commonly, it is used to prevent pods from running as the root user.
* The *seLinux* field defines the Security-Enhanced Linux (SELinux) security context for containers and only allows containers that match that context. [Learn more about SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux).
* The *supplementalGroups* and *fsGroup* fields define the user groups or fsGroup-owned volumes that a container may access. [Learn more about fsGroups and supplemental groups](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).
* The *volumes* field defines the type(s) of volumes a container may access. [Learn more about volumes](https://kubernetes.io/docs/concepts/storage/volumes/).
* The *hostPorts* field, together with related fields like *hostNetwork*, *hostPID* and *hostIPC*, restrict the ports (and other networking capabilities) that a container may access on the host system.
### Next steps: Create pod security policies for your cluster
Learn more about how to create pod security policies by applying any of the [use cases shown in the following guide](https://docs.bitnami.com/tutorials/secure-kubernetes-cluster-psp/).