Sunday, September 15, 2019

Kubernetes Pod Security Policies



Start minikube with RBAC and the PodSecurityPolicy admission plugin enabled. Once the plugin is on, a pod is admitted only if some PodSecurityPolicy allows it and that policy is usable by the requesting user or by the pod's service account; with no policies and bindings in place, no pod at all can be created, so have the objects below ready.
$ minikube start --extra-config=apiserver.authorization-mode=Node,RBAC --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
# or, with the older flag name
$ minikube start --extra-config=apiserver.authorization-mode=Node,RBAC --extra-config=apiserver.Admission.PluginNames=PodSecurityPolicy

These commands are not working on my Mac machine; it looks like an API server issue, as it is not accepting any requests (it might not be up).

Create a namespace and a Service Account
$ kubectl create namespace praveend-psp
$ kubectl create sa test-psp-sa -n praveend-psp

Policy definitions. PodSecurityPolicy lives in the policy API group (extensions/v1beta1 was the old location and is no longer served from Kubernetes 1.16), so both the policy's apiVersion and the ClusterRole's apiGroups must name policy; with apiGroups: [""] (the core group) the use rule would match nothing and the binding below would grant no access.
$ cat praveend_psp.yaml
apiVersion: policy/v1beta1        # was extensions/v1beta1, removed in 1.16
kind: PodSecurityPolicy
metadata:
  name: praveend-psp
spec:
  privileged: false               # Don't allow privileged pods!
  # The rest fills in some required fields.
  allowPrivilegeEscalation: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

$ cat clusterR.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp-test-cr
rules:
- apiGroups: ["policy"]           # not "": podsecuritypolicies is in the policy group
  resources: ["podsecuritypolicies"]
  resourceNames:
  - praveend-psp
  verbs:
  - use

$ cat clusterRB.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admin-rb
roleRef:
  kind: ClusterRole
  name: psp-test-cr
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
  name: test-psp-sa
  namespace: praveend-psp


Create the PodSecurityPolicy, ClusterRole and ClusterRoleBinding. A ClusterRoleBinding ties a ClusterRole (or Role) to its subjects: service accounts, users or groups. All three objects are cluster-scoped, so no -n flag is needed.
$ kubectl create -f praveend_psp.yaml
$ kubectl create -f clusterR.yaml
$ kubectl create -f clusterRB.yaml

Check that the service account is authorized to use the PodSecurityPolicy. Without --as, kubectl auth can-i reports on the kubectl user, which on minikube is a cluster admin and can use any policy, so impersonate the service account instead; the answer should be yes.
$ kubectl auth can-i use podsecuritypolicy/praveend-psp --as=system:serviceaccount:praveend-psp:test-psp-sa

Create an unprivileged Pod in the praveend-psp namespace. The admission controller authorizes a policy for either the requesting user or the pod's service account, so set serviceAccountName to test-psp-sa to exercise the binding above (a cluster-admin kubectl user could use any policy on its own). The pod name and image below are assumed; the original manifest did not survive extraction.
$ kubectl -n praveend-psp create -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: unprivileged-pod          # name assumed
spec:
  serviceAccountName: test-psp-sa
  containers:
  - name: app
    image: busybox:1.31           # image assumed
    command: ["sleep", "3600"]
EOF

Create a privileged Pod in the praveend-psp namespace. praveend-psp sets privileged: false and it is the only policy in the cluster, so the admission controller rejects this request with a Forbidden error stating that the pod could not be validated against any pod security policy.
$ kubectl -n praveend-psp create -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod            # name assumed
spec:
  serviceAccountName: test-psp-sa
  containers:
  - name: app
    image: busybox:1.31           # image assumed
    command: ["sleep", "3600"]
    securityContext:
      privileged: true
EOF
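To make concrete what the admission controller does when it rejects the privileged pod, here is an added example (not Kubernetes code and not part of the original post) that models PSP validation for the fields that matter in praveend_psp.yaml: privileged, allowPrivilegeEscalation and volumes. The policy dict mirrors the post's policy; the pod specs, the busybox image and the NO_HOSTPATH_PSP variant are constructed for the example. It goes a little beyond the post by also checking volume types, which shows why volumes: '*' lets a pod mount the node's root filesystem via hostPath.

```python
"""Simplified model of how the PodSecurityPolicy admission controller
validates a pod against a policy: collect every violation and admit the
pod only if there are none.  Added example for this post, not Kubernetes
code; it covers only the privileged, allowPrivilegeEscalation and volumes
fields, and the pod specs below are constructed for the example."""

# The post's praveend_psp.yaml as a dict.  Its RunAsAny rules accept
# anything, so they are left out of the model.
PRAVEEND_PSP = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "volumes": ["*"],
}


def _containers(pod_spec):
    """PSP checks init containers and regular containers alike."""
    return list(pod_spec.get("initContainers", [])) + list(pod_spec.get("containers", []))


def _volume_type(volume):
    """A volume entry is {"name": ..., "<type>": {...}}; the non-name key is its type."""
    return next((k for k in volume if k != "name"), None)


def validate_pod(policy, pod_spec):
    """Return the list of violations; an empty list means the pod is admitted."""
    violations = []

    allowed = set(policy.get("volumes", []))
    for i, vol in enumerate(pod_spec.get("volumes", [])):
        vtype = _volume_type(vol)
        if vtype is not None and "*" not in allowed and vtype not in allowed:
            violations.append(f"spec.volumes[{i}]: {vtype} volumes are not allowed to be used")

    for c in _containers(pod_spec):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        privileged = bool(sc.get("privileged", False))
        if privileged and not policy.get("privileged", False):
            violations.append(f"container {name}: Privileged containers are not allowed")
        # A privileged container can always escalate privileges, so treat it as
        # escalating even when allowPrivilegeEscalation is not set explicitly.
        escalates = bool(sc.get("allowPrivilegeEscalation", privileged))
        if escalates and not policy.get("allowPrivilegeEscalation", True):
            violations.append(
                f"container {name}: Allowing privilege escalation for containers is not allowed")

    return violations


def admitted(policy, pod_spec):
    """True when the policy yields no violations for the pod."""
    return not validate_pod(policy, pod_spec)


# Constructed pod specs: the same image with and without privileged: true.
UNPRIVILEGED_POD = {
    "serviceAccountName": "test-psp-sa",
    "containers": [{"name": "app", "image": "busybox:1.31"}],
}
PRIVILEGED_POD = {
    "serviceAccountName": "test-psp-sa",
    "containers": [{"name": "app", "image": "busybox:1.31",
                    "securityContext": {"privileged": True}}],
}
# A pod mounting the node's root filesystem; only a policy allowing hostPath admits it.
HOSTPATH_POD = {
    "containers": [{"name": "app", "image": "busybox:1.31",
                    "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
}
# Constructed variant of the post's policy that drops the '*' wildcard for volumes.
NO_HOSTPATH_PSP = dict(PRAVEEND_PSP, volumes=["configMap", "secret", "emptyDir"])


if __name__ == "__main__":
    for label, policy, pod in [
        ("unprivileged pod, praveend-psp", PRAVEEND_PSP, UNPRIVILEGED_POD),
        ("privileged pod, praveend-psp", PRAVEEND_PSP, PRIVILEGED_POD),
        ("hostPath pod, praveend-psp (volumes: '*')", PRAVEEND_PSP, HOSTPATH_POD),
        ("hostPath pod, restricted volumes", NO_HOSTPATH_PSP, HOSTPATH_POD),
    ]:
        result = validate_pod(policy, pod)
        print(f"{label}: {'admitted' if not result else 'DENIED'}")
        for v in result:
            print("   ", v)
```

Real PSP validation does more (it also applies defaults to the pod and checks host namespaces, capabilities, users and groups), but the shape is the same: the pod is admitted only when at least one policy the requester or service account may use produces no violations, and a privileged container trips both the privileged and the allowPrivilegeEscalation rules of praveend-psp.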

