Install aks-preview CLI extension
To use pod security policies, you need the aks-preview CLI extension version 0.4.1 or higher. Install the aks-preview Azure CLI extension using the az extension add command, then check for any available updates using the az extension update command:
```
$ az extension add --name aks-preview
The installed extension 'aks-preview' is in preview.
$ az extension update --name aks-preview
No updates available for 'aks-preview'. Use --debug for more information.
```

Register pod security policy feature provider
To create or update an AKS cluster to use pod security policies, first enable a feature flag on your subscription. To register the PodSecurityPolicyPreview feature flag, use the az feature register command as shown in the following example:
```
$ az feature register --name PodSecurityPolicyPreview --namespace Microsoft.ContainerService
Once the feature 'PodSecurityPolicyPreview' is registered, invoking 'az provider register -n Microsoft.ContainerService' is required to get the change propagated
{
  "id": "/subscriptions/b63b61a0-605d-47e8-b8a6-598e188a00ed/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/PodSecurityPolicyPreview",
  "name": "Microsoft.ContainerService/PodSecurityPolicyPreview",
  "properties": {
    "state": "Registering"
  },
  "type": "Microsoft.Features/providers/features"
}
```
It takes a few minutes for the status to show Registered. You can check on the registration status using the az feature list command:
```
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/PodSecurityPolicyPreview')].{Name:name,State:properties.state}"
```
```
Name                                                 State
---------------------------------------------------  ----------
Microsoft.ContainerService/PodSecurityPolicyPreview  Registered
```
When ready, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command:
```
az provider register --namespace Microsoft.ContainerService
```
Enable pod security policy on an AKS cluster
```
$ az aks update \
    --resource-group <RESOURCE_GROUP> \
    --name <K8S_CLUSTER> \
    --enable-pod-security-policy
```
Example:
```
$ az aks update \
    --resource-group ncyd-perftest7-rg-onprem \
    --name ncyd-perftest7-aks-cluster-onprem \
    --enable-pod-security-policy
The behavior of this command has been altered by the following extension: aks-preview
 | Running ..
```
Install Restrictive Pod Security Policies
```
kubectl apply -f psp-restrictive.yaml
```
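The page does not show the contents of psp-restrictive.yaml. The manifest below is an added example, not the author's file: a restrictive PodSecurityPolicy plus the ClusterRole and ClusterRoleBinding that let every authenticated subject "use" it. The policy, role and binding names are assumptions.

```yaml
# Constructed example; names are assumptions, not the page author's file.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp-restrictive
spec:
  privileged: false                  # no privileged containers
  allowPrivilegeEscalation: false    # setuid binaries cannot gain capabilities
  requiredDropCapabilities: ["ALL"]  # start every container from an empty capability set
  hostNetwork: false                 # no sharing of the node's network namespace
  hostIPC: false
  hostPID: false
  volumes:                           # no hostPath and no raw block devices
    - configMap
    - emptyDir
    - projected                      # needed for projected service account tokens
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot           # image must declare a non-zero UID or the pod must set runAsUser
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]   # GID 0 is not allowed
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: "psp:restrictive"}
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["psp-restrictive"]   # grant "use" only on this one policy
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: "psp:restrictive:authenticated"}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: "psp:restrictive"}
subjects:
  # system:authenticated includes every user and every service account
  - {apiGroup: rbac.authorization.k8s.io, kind: Group, name: "system:authenticated"}
```

Because the binding targets system:authenticated, pods created by controllers are checked too, so charts whose images run as root will be rejected unless a more permissive policy is bound to their service account.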
Next
Install some Helm releases and see how the policy affects them!
References
| Reference | URL |
|---|---|
| Preview - Secure your cluster using pod security policies in Azure Kubernetes Service (AKS) | https://learn.microsoft.com/en-us/azure/aks/use-pod-security-policies |