
...

Code Block
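# Register the AKS resource provider in the current subscription.
# Registration is asynchronous: az returns immediately, so poll the state and
# wait for "Registered" before creating or updating the cluster.
az provider register --namespace Microsoft.ContainerService
az provider show --namespace Microsoft.ContainerService --query registrationState -o tsv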
Code Block


Enable pod security policy on an AKS cluster (preview feature). Note that PodSecurityPolicy is deprecated upstream and removed from Kubernetes 1.25, so treat this as a stop-gap and plan the migration to Pod Security Admission or Azure Policy for AKS.

...

Code Block
The behavior of this command has been altered by the following extension: aks-preview
 | Running ..: aks-preview
 | Running ..
Code Block
...
Code Block
{
  "aadProfile": {
    "adminGroupObjectIDs": [
      "485f87b2-3798-4021-a719-260f5b147f93",
      "a3b0f3b2-9d9d-42bd-90e0-f9a02388450d"
    ],
    "adminUsers": null,
    "clientAppId": null,
    "enableAzureRbac": false,
    "managed": true,
    "serverAppId": null,
    "serverAppSecret": null,
    "tenantId": "5d471751-9675-428d-917b-70f44f9630b0"
  },
  "addonProfiles": {
    "omsagent": {
      "config": null,
      "enabled": false,
      "identity": null
    }
  },
  "agentPoolProfiles": [
    {
      "availabilityZones": [
        "2",
        "3",
        "1"
      ],
      "capacityReservationGroupId": null,
      "count": 5,
      "creationData": null,
      "currentOrchestratorVersion": "1.22.6",
      "enableAutoScaling": true,
      "enableCustomCaTrust": false,
      "enableEncryptionAtHost": false,
      "enableFips": false,
      "enableNodePublicIp": false,
      "enableUltraSsd": false,
      "gpuInstanceProfile": null,
      "hostGroupId": null,
      "kubeletConfig": null,
      "kubeletDiskType": "OS",
      "linuxOsConfig": null,
      "maxCount": 10,
      "maxPods": 30,
      "messageOfTheDay": null,
      "minCount": 5,
      "mode": "System",
      "name": "agentpool",
      "networkProfile": null,
      "nodeImageVersion": "AKSUbuntu-1804gen2containerd-2022.08.29",
      "nodeLabels": {
        "app": "system-apps",
        "environment": "dev",
        "nodepool-type": "system",
        "nodepoolos": "linux"
      },
      "nodePublicIpPrefixId": null,
      "nodeTaints": null,
      "orchestratorVersion": "1.22.6",
      "osDiskSizeGb": 128,
      "osDiskType": "Managed",
      "osSku": "Ubuntu",
      "osType": "Linux",
      "podSubnetId": null,
      "powerState": {
        "code": "Running"
      },
      "provisioningState": "Succeeded",
      "proximityPlacementGroupId": null,
      "scaleDownMode": null,
      "scaleSetEvictionPolicy": null,
      "scaleSetPriority": null,
      "spotMaxPrice": null,
      "tags": {
        "customer_id": "2001",
        "customer_name": "ncyd_ott_team1_performance_test",
        "env": "Test"
      },
      "type": "VirtualMachineScaleSets",
      "upgradeSettings": {
        "maxSurge": null
      },
      "vmSize": "Standard_B4ms",
      "vnetSubnetId": "/subscriptions/b63b61a0-605d-47e8-b8a6-598e188a00ed/resourceGroups/ncyd-perftest7-rg-onprem/providers/Microsoft.Network/virtualNetworks/ncyd-perftest7-vnet-aks-onprem/subnets/ncyd-snet-aks-onprem",
      "windowsProfile": null,
      "workloadRuntime": null
    }
  ],
  "apiServerAccessProfile": {
    "authorizedIpRanges": [
      "131.228.66.0/27",
      "62.67.214.96/27",
      "131.228.2.0/27",
      "131.228.48.0/24",
      "131.228.32.160/27",
      "131.228.56.0/24"
    ],
    "disableRunCommand": null,
    "enablePrivateCluster": null,
    "enablePrivateClusterPublicFqdn": null,
    "enableVnetIntegration": null,
    "privateDnsZone": null,
    "subnetId": null
  },
  "autoScalerProfile": {
    "balanceSimilarNodeGroups": "false",
    "expander": "random",
    "maxEmptyBulkDelete": "10",
    "maxGracefulTerminationSec": "600",
    "maxNodeProvisionTime": "15m",
    "maxTotalUnreadyPercentage": "45",
    "newPodScaleUpDelay": "0s",
    "okTotalUnreadyCount": "3",
    "scaleDownDelayAfterAdd": "10m",
    "scaleDownDelayAfterDelete": "10s",
    "scaleDownDelayAfterFailure": "3m",
    "scaleDownUnneededTime": "10m",
    "scaleDownUnreadyTime": "20m",
    "scaleDownUtilizationThreshold": "0.5",
    "scanInterval": "10s",
    "skipNodesWithLocalStorage": "false",
    "skipNodesWithSystemPods": "true"
  },
  "autoUpgradeProfile": {
    "upgradeChannel": "none"
  },
  "azureMonitorProfile": null,
  "azurePortalFqdn": "ncyd-perftest7-rg-onprem-cluster-b1336f8d.portal.hcp.eastus.azmk8s.io",
  "creationData": null,
  "currentKubernetesVersion": "1.22.6",
  "disableLocalAccounts": false,
  "diskEncryptionSetId": null,
  "dnsPrefix": "ncyd-perftest7-rg-onprem-cluster",
  "enableNamespaceResources": null,
  "enablePodSecurityPolicy": true,
  "enableRbac": true,
  "extendedLocation": null,
  "fqdn": "ncyd-perftest7-rg-onprem-cluster-b1336f8d.hcp.eastus.azmk8s.io",
  "fqdnSubdomain": null,
  "guardrailsProfile": {
    "excludedNamespaces": null,
    "level": "Off",
    "systemExcludedNamespaces": null,
    "version": null
  },
  "httpProxyConfig": null,
  "id": "/subscriptions/b63b61a0-605d-47e8-b8a6-598e188a00ed/resourcegroups/ncyd-perftest7-rg-onprem/providers/Microsoft.ContainerService/managedClusters/ncyd-perftest7-aks-cluster-onprem",
  "identity": {
    "principalId": "932c5f94-0e21-46b6-b928-e21baaca4129",
    "tenantId": "1dfd8600-97de-4250-8886-f30a219194cf",
    "type": "SystemAssigned",
    "userAssignedIdentities": null
  },
  "identityProfile": {
    "kubeletidentity": {
      "clientId": "c5d81b39-0e63-4332-94d7-a56dc029f3c6",
      "objectId": "0e100f94-d28e-44f0-a83a-62fb8ea8bdd4",
      "resourceId": "/subscriptions/b63b61a0-605d-47e8-b8a6-598e188a00ed/resourcegroups/ncyd-perftest7-rg-onprem-nrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ncyd-perftest7-aks-cluster-onprem-agentpool"
    }
  },
  "ingressProfile": null,
  "kubernetesVersion": "1.22.6",
  "linuxProfile": {
    "adminUsername": "ubuntu",
    "ssh": {
      "publicKeys": [
        {
          "keyData": "ssh-rsa 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 sairxa@C001424.local"
        }
      ]
    }
  },
  "location": "eastus",
  "maxAgentPools": 100,
  "name": "ncyd-perftest7-aks-cluster-onprem",
  "networkProfile": {
    "dnsServiceIp": "10.255.0.10",
    "dockerBridgeCidr": "172.17.0.1/16",
    "ebpfDataplane": null,
    "ipFamilies": [
      "IPv4"
    ],
    "kubeProxyConfig": null,
    "loadBalancerProfile": {
      "allocatedOutboundPorts": null,
      "backendPoolType": "nodeIPConfiguration",
      "effectiveOutboundIPs": [
        {
          "id": "/subscriptions/b63b61a0-605d-47e8-b8a6-598e188a00ed/resourceGroups/ncyd-perftest7-rg-onprem-nrg/providers/Microsoft.Network/publicIPAddresses/2407dcc0-83f9-45f1-8522-5c8f4141e656",
          "resourceGroup": "ncyd-perftest7-rg-onprem-nrg"
        }
      ],
      "enableMultipleStandardLoadBalancers": null,
      "idleTimeoutInMinutes": null,
      "managedOutboundIPs": {
        "count": 1,
        "countIpv6": null
      },
      "outboundIPs": null,
      "outboundIpPrefixes": null
    },
    "loadBalancerSku": "Standard",
    "natGatewayProfile": null,
    "networkMode": null,
    "networkPlugin": "azure",
    "networkPluginMode": null,
    "networkPolicy": "azure",
    "outboundType": "loadBalancer",
    "podCidr": null,
    "podCidrs": null,
    "serviceCidr": "10.255.0.0/16",
    "serviceCidrs": [
      "10.255.0.0/16"
    ]
  },
  "nodeResourceGroup": "ncyd-perftest7-rg-onprem-nrg",
  "oidcIssuerProfile": {
    "enabled": false,
    "issuerUrl": null
  },
  "podIdentityProfile": null,
  "powerState": {
    "code": "Running"
  },
  "privateFqdn": null,
  "privateLinkResources": null,
  "provisioningState": "Succeeded",
  "publicNetworkAccess": "Enabled",
  "resourceGroup": "ncyd-perftest7-rg-onprem",
  "securityProfile": {
    "azureKeyVaultKms": null,
    "customCaTrustCertificates": null,
    "defender": null,
    "imageCleaner": null,
    "nodeRestriction": null,
    "workloadIdentity": null
  },
  "servicePrincipalProfile": {
    "clientId": "msi",
    "secret": null
  },
  "sku": {
    "name": "Basic",
    "tier": "Free"
  },
  "storageProfile": {
    "blobCsiDriver": null,
    "diskCsiDriver": {
      "enabled": true,
      "version": "v1"
    },
    "fileCsiDriver": {
      "enabled": true
    },
    "snapshotController": {
      "enabled": true
    }
  },
  "systemData": null,
  "tags": {
    "customer_id": "2001",
    "customer_name": "ncyd_ott_team1_performance_test",
    "env": "Test"
  },
  "type": "Microsoft.ContainerService/ManagedClusters",
  "windowsProfile": {
    "adminPassword": null,
    "adminUsername": "azureuser",
    "enableCsiProxy": true,
    "gmsaProfile": null,
    "licenseType": null
  },
  "workloadAutoScalerProfile": {
    "keda": null,
    "verticalPodAutoscaler": null
  }
}

...

Install the restrictive pod security policy (the manifest also carries the wide-open `privileged` policy that kube-system components need, bound only inside kube-system)

Code Block
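# Create the manifest shown below; it is applied with the kubectl command that
# follows the listing (do not combine the editor invocation with `kubectl apply -f`).
vi psp-restrictive.yaml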
Code Block
File: psp-restrictive.yaml
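# psp-restrictive.yaml
#
# Two PodSecurityPolicies plus the RBAC that decides which one a pod gets:
#   * `privileged` -- everything allowed; usable only by kube-system identities
#     through the namespaced RoleBinding at the end of the file.
#   * `restricted`  -- the cluster-wide default; every authenticated identity
#     (users and service accounts alike) may `use` it via `default:restricted`.
#
# NOTE(review): PodSecurityPolicy (policy/v1beta1) is deprecated upstream and
# removed in Kubernetes 1.25; this manifest only applies on clusters that still
# serve the API. Plan the migration to Pod Security Admission / Azure Policy.
# NOTE(review): AKS may already create objects with these exact names when the
# PSP preview is enabled; `kubectl apply` will take them over. Diff first with
# `kubectl get psp,clusterrole,clusterrolebinding -o yaml`.
# The addonmanager `EnsureExists` label means the addon manager creates the
# object when missing but does not reconcile later edits back to this file.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    # Any seccomp profile, including unconfined, is acceptable for system pods.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
spec:
  # Nothing is constrained here. This policy must never be bound to
  # non-system identities -- see the kube-system RoleBinding below.
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  volumes:
    - '*'
  hostNetwork: true
  hostPorts:
    - min: 0
      max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
spec:
  privileged: false
  # Stops setuid binaries and file capabilities from gaining privilege.
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # Only non-host-backed volume types; hostPath is deliberately absent.
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # hostPorts is intentionally unset, so no host port can be requested.
  runAsUser:
    # Rejects UID 0. Pods that set no runAsUser are checked against the
    # image's USER when the container starts.
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      # Forbid adding the root group (GID 0).
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      # Forbid adding the root group (GID 0).
      - min: 1
        max: 65535
  # NOTE(review): `runAsGroup` is not constrained, so a pod may still request
  # primary GID 0, and no seccomp annotations are set, so an explicit
  # `unconfined` profile is accepted. Tightening either (runAsGroup MustRunAs
  # 1-65535; seccomp defaultProfileName/allowedProfileNames = runtime/default)
  # mutates pod defaults -- validate existing workloads before adding.
  readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:privileged
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
rules:
  # The `use` verb on a named PSP is what the admission controller authorizes.
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - privileged
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - restricted
---
# Cluster-wide default. `system:authenticated` includes every service account,
# so pods created by controllers (Deployments, Jobs, ...) are admitted under
# `restricted` through their namespace's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default:restricted
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
---
# Namespaced on purpose: only pods created *in kube-system* by these subjects
# are eligible for `privileged`. Keep this a RoleBinding; promoting it to a
# ClusterRoleBinding would hand the privileged policy to every namespace.
# `system:masters` is listed for completeness -- it bypasses RBAC anyway.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default:privileged
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
  - kind: Group
    name: system:masters
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: system:nodes
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: system:serviceaccounts:kube-system
    apiGroup: rbac.authorization.k8s.io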
Code Block
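kubectl apply -f psp-restrictive.yaml
# Confirm both policies and the cluster-wide binding exist before onboarding
# workloads; a missing `default:restricted` would leave non-system pods with
# no usable policy and they would be rejected at admission.
kubectl get psp privileged restricted
kubectl get clusterrolebinding default:restricted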


Next

Install a few Helm releases outside kube-system and confirm their pods are admitted under the `restricted` policy: the admission controller records the policy it used in the `kubernetes.io/psp` annotation on each pod, and a chart that needs root or hostPath should now be rejected rather than scheduled.

...