Objects of type
podsecuritypolicy govern the ability
to make requests on a pod that affect the
SecurityContext that will be
applied to a pod and container.
See PodSecurityPolicy proposal for more information.
A Pod Security Policy is a cluster-level resource that controls the
actions that a pod can perform and what it has the ability to access. The
PodSecurityPolicy objects define a set of conditions that a pod must
run with in order to be accepted into the system. They allow an
administrator to control the following:
Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to. These settings fall into three categories:
*range*to be configured. Uses the first value of the range as the default. Validates against the configured range.
*runAsUser*or have the
USERdirective defined in the image. No default provided.
*runAsUser*to be specified.
*seLinuxOptions*to be configured if not using pre-allocated values. Uses
*seLinuxOptions*as the default. Validates against
*seLinuxOptions*to be specified.
*supplementalGroups*to be specified.
*fsGroup*ID to be specified.
The usage of specific volume types can be controlled by setting the volumes field of the PSP. The allowable values of this field correspond to the volume sources that are defined when creating a volume:
The recommended minimum set of allowed volumes for new PSPs are configMap, downwardAPI, emptyDir, persistentVolumeClaim, and secret.
Admission control with
PodSecurityPolicy allows for control over the creation of resources
based on the capabilities allowed in the cluster.
Admission uses the following approach to create the final security context for the pod:
If a matching policy is found, then the pod is accepted. If the request cannot be matched to a PSP, the pod is rejected.
A pod must validate every field against the PSP.
Here is an example Pod Security Policy. It has permissive settings for all fields
Create the policy by downloading the example file and then running this command:
$ kubectl create -f ./psp.yaml podsecuritypolicy "permissive" created
Once you don’t need a policy anymore, simply delete it with
$ kubectl delete psp permissive podsecuritypolicy "permissive" deleted
In order to use Pod Security Policies in your cluster you must ensure the following
Use PodSecurityPolicy to control access to privileged containers based on role and groups. (see more details).