starlingx/docs
Code Issues Proposed changes
df365480a3
docs/doc/source/security/kubernetes/pod-security-policies.rst
Ron Stone 398041b403 pod security policies updates 
New content: Minor Usability Enhancement to Default Pod Security Policies
Implemented patchset 2 comment
Implemented patchset 3 comments

Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: I82d31f412c47bfecf4601169400bf090ceda636c
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2021-04-15 08:35:55 -04:00

2.3 KiB
Raw Blame History

Pod Security Policies

enable fine-grained authorization of pod creation and updates.

control access to security sensitive aspects of Pod specifications such as running of privileged containers, use of host filesystem, running as root, etc. define a set of conditions that a pod must run with, in order to be accepted into the system, as well as defaults for the related fields. are assigned to users through Kubernetes RoleBindings. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/ for details.

When enabled, Pod security policy checking will authorize all Kubernetes API commands against the which the issuer of the command has access to. If there are no defined in the system or the issuer does not have access to any , the Pod security policy checking will fail to authorize the command.

provides a system service-parameter to enable Pod security policy checking. Setting this parameter also creates:

  • Two (privileged and restricted) such that users with cluster-admin role (which has access to all resources) has to authorize against.
  • Two corresponding roles for specifying access to these (privileged-psp-user and restricted-psp-user), for binding to other non-admin type subjects.
  • A RoleBinding for the kube-system namespace of the privileged-psp-user Role to serviceAccounts in kubesystem, such that privileged Deployments/ReplicaSets/etc. can be created by any user with access to Deployments/ReplicaSets/etc. in the kube-system namespace (e.g. user with cluster-admin role).
  • A ClusterRoleBinding of the restricted-psp-user Role to any authenticated user, such that at least restricted Pods can be created by any authenticated user in any namespaces that user has access to based on other [Cluster]RoleBindings.
  • A ClusterRoleBinding of the restricted-psp-user Role to serviceAccounts in kube-system, such that at least restricted Deployments/ReplicaSets/etc. can be created by any authenticated user in any namespaces that user has access to based on other [Cluster]RoleBindings.