A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
Source: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Expectation: Failure
Copy the contents of the Privileged Deployment and then run the following command in the cluster:
kubectl apply -f ./deploy-privileged.yaml
This will create your deployment in the example
namespace but the pod will not start up.
The Pod hasn't started - Check either the Deployment or Replica Set for output:
kubectl get deploy -o yaml
kubectl get rs -o yaml
Error will look something like the following:
Error creating: pods "<podID>" is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
Expectation: Success
Copy the contents of the non-Privileged Deployment and then run the following command in the cluster:
kubectl apply -f ./deploy-non-privileged.yaml
This will create your deployment in the example
namespace but this time the pod will start up with no errors.
Expectation : Success
To enable the privileged deployment to successfully run within the cluster we'll need to do the following:
- Create PodSecurityPolicy Resource
- Create ServiceAccount
- Create ClusterRole
- Create RoleBinding
To do this simply kubectl apply -f <file>
for each of these items.
Validate the Service Account we've created indeed has been granted correct access to use the Pod Security Policy allowing privileged pods:
k auth can-i use podsecuritypolicy/psp.example --as=system:serviceaccount:example:example-psp-sa
The expected response is yes
, however, if the response is no
then there is an issue with potentially any of the following:
- ServiceAccount Name Doesn't Match
- PodSecurityPolicy Is Missing Specified Access
- Namespace Name in the command Doesn't Match the Actual Namespace
- RoleBinding Must Be Deployed In Same Namespace As Service Account
Assuming your result was yes
we can apply the privileged deployment with the requested permissions:
Apply Privileged Deployment:
kubectl apply -f ./deploy-privileged.yaml
Congratulations!! Your Pod should be starting with the request permissions whilst using PodSecurityPolicies within the cluster.