Overview
We want to configure strict enforcement of rules to limit unauthorized manipulation of our kubernetes cluster.
Pod Security Standards vs Pod Security Policies
The main drawbacks of the PSP are the lack of support for other resource types and a limited list of controls that don't cover some container runtime-specific parameters. PSP is planned to be deprecated in 2021, and a better alternative exists to address the same need. The actual deprecation date has been recently extended from February 1st, 2021 to May 3rd, 2021 to allow vendors that use PSP, such as Azure, to prepare for the change.
PSP is planned to be officially deprecated in Kubernetes version 1.21 and removed in version 1.25.
According to the Kubernetes deprecation policy, older versions will stop getting support nine months after the deprecation of the feature.
Testing Out Violations Base on Pod Security
...
Standard
Privileged
| Code Block |
|---|
|
kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=privileged |
| Code Block |
|---|
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
namespace/kube-system labeled |
Baseline
| Code Block |
|---|
|
kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline |
| Code Block |
|---|
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "baseline:latest"
Warning: fluent-bit-q9d8n: hostPath volumes
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "baseline:latest"
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, hostPath volumes
Warning: kube-proxy-zggs2: host namespaces, hostPath volumes, privileged
Warning: storage-provisioner (and 1 other pod): hostPath volumes
namespace/kube-system labeled |
Restricted
| Code Block |
|---|
|
kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted |
...
From the previous output, you'll notice that applying the privileged Pod Security Standard shows no warnings for any namespaces. However, baseline and restricted standards both have warnings, specifically in the kube-systemnamespace.
Adding Pod Security Standard to your Namespace
Multiple pod security standards can be enabled on any namespace, using labels. Following command will enforce the baseline Pod Security Standard, but warn and audit for restricted Pod Security Standards as per the latest version (default value)
...
| Code Block |
|---|
namespace/default labeled |
References