starlingx/docs
Code Issues Proposed changes
docs/doc/source/security/kubernetes/pod-security-policies.rst
Elisamara Aoki Goncalves 35152799b9 Support for Pod Security Admission Controller - Tech Preview 
Added new sections referring to Pod security admission controller

Depends-On: https://review.opendev.org/c/starlingx/docs/+/847094

Story: 2009833
Task: 45631

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: Icbd36b28501edf767a96007d066303da2d0609f4
2022-06-27 23:16:41 -03:00

2.9 KiB
Raw Blame History

Pod Security Policies

enable fine-grained authorization of pod creation and updates.

control access to security sensitive aspects of Pod specifications such as running of privileged containers, use of host filesystem, running as root, etc. define a set of conditions that a pod must run with, in order to be accepted into the system, as well as defaults for the related fields. are assigned to users through Kubernetes RoleBindings. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/ for details.

When enabled, Pod security policy checking will authorize all Kubernetes API commands against the which the issuer of the command has access to. If there are no defined in the system or the issuer does not have access to any , the Pod security policy checking will fail to authorize the command.

provides a system service-parameter to enable Pod security policy checking. Setting this parameter also creates:

  • Two (privileged and restricted) such that users with cluster-admin role (which has access to all resources) has to authorize against.
  • Two corresponding roles for specifying access to these (privileged-psp-user and restricted-psp-user), for binding to other non-admin type subjects.
  • A RoleBinding for the kube-system namespace of the privileged-psp-user Role to serviceAccounts in kubesystem, such that privileged Deployments/ReplicaSets/etc. can be created by any user with access to Deployments/ReplicaSets/etc. in the kube-system namespace (e.g. user with cluster-admin role).
  • A ClusterRoleBinding of the restricted-psp-user Role to any authenticated user, such that at least restricted Pods can be created by any authenticated user in any namespaces that user has access to based on other [Cluster]RoleBindings.
  • A ClusterRoleBinding of the restricted-psp-user Role to serviceAccounts in kube-system, such that at least restricted Deployments/ReplicaSets/etc. can be created by any authenticated user in any namespaces that user has access to based on other [Cluster]RoleBindings.

PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and will be removed in v1.25. PSP will continue to be fully functional until being removed in v1.25.

Since first introduced PSP has shown some serious usability problems.

The way PSPs are applied to Pods has proven confusing especially when trying to use them. It is easy to accidentally grant broader permissions than intended, and difficult to inspect which PSPs apply in a certain situation.

As a beta feature, Kubernetes offers a built-in Pod Security Admission (PSA) controller, the successor to PSP. See Technology Preview - Pod Security Admission Controller <pod-security-admission-controller-8e9e6994100f>.