Pod Security Admission Controller¶
Pod Security Admission (PSA) Controller is the PSP replacement, and this document describes the PSA functionality, which is ‘beta’ quality in Kubernetes v1.24 .
The PSA admission controller acts on creation and modification of the pod and determines if it should be admitted based on the requested security context and the policies defined by Pod Security Standards.
Pod Security levels¶
Pod Security Admission levels refer to the 3 policies defined by the Pod Security Standards: privileged, baseline, and restricted.
- Privileged
Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations. It aims at system- and infrastructure-level workloads managed by privileged, trusted users.
- Baseline
Minimally restrictive policy which prevents known privilege escalations. It aims at ease of adoption for common containerized workloads for non-critical applications.
- Restricted
Heavily restricted policy, following current Pod hardening best practices. It is targeted at operators and developers of security-critical applications, as well as lower-trust users.
Pod Security Admission labels for namespaces¶
Pod security restrictions are applied at the namespace level.
With PSA feature enabled, namespaces can be configured to define the admission control mode to be used for pod security in each namespace. Kubernetes defines a set of labels to set predefined Pod Security levels for a namespace. The label will define what action the controller control plane takes if a potential violation is detected.
A namespace can configure any or all modes, or set different levels for different modes. The modes are:
- enforce
Policy violations will cause the pod to be rejected.
- audit
Policy violations will trigger the addition of an audit annotation to the event recorded in the Kubernetes audit log but are otherwise allowed.
- warn
Policy violations will trigger a user-facing warning but are otherwise allowed.
For each mode, there are two labels that determine the policy used.
This is a generic namespace configuration using labels.
# label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>
# Optional: per-mode version label can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (e.g. v1.24).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>
For more information refer to https://kubernetes.io/docs/concepts/security/pod-security-admission/.
Enable Pod Security Admission¶
To enable PSA, Pod Security feature gate must be enabled.
Starting with Kubernetes 1.24 version, Pod Security feature gate is enabled by default.
For Kubernetes version 1.22, Pod Security feature gate can be enabled using
option feature-gates
in bootstrap overrides file, localhost.yml
. As the
example shown below:
apiserver_extra_args:
feature-gates: "TTLAfterFinished=true,HugePageStorageMediumSize=true,RemoveSelfLink=false,MemoryManager=true,PodSecurity=true"
See Kubernetes Custom Configuration for more details on kubernetes
configuration, apiserver_extra_args
and apiserver_extra_volumes
.
Configure defaults for the Pod Security Admission Controller¶
The PSA controller can be configured with default security polices and exemptions at bootstrap time.
The Default PSA controller configuration will apply to namespaces that are
not configured with the pod-security.kubernetes.io
labels to specify a
security level and mode. For example if you display the namespace description
using kubectl describe namespace <namespace>
and the
pod-security.kubernetes.io
labels are not displayed, then the behavior of
the namespace will follow the default PSA labels’ level, mode and version
configuration set with Pod Security plugin of the AdmissionConfiguration
resource.
To configure cluster-wide
default policies and/or exemptions, the
Pod Security plugin of the AdmissionConfiguration resource can be used. The
AdmissionConfiguration resource is configurable at bootstrap time with the
api-server_extra_args
and apiserver_extra_volumes
overrides in the
localhost.yml
file.
Any policy that is applied via namespace labels will take precedence.
Example of configuration added to localhost.yml
:
apiserver_extra_args:
admission-control-config-file: "/etc/kubernetes/admission-control-config-file.yaml"
apiserver_extra_volumes:
- name: admission-control-config-file
mountPath: "/etc/kubernetes/admission-control-config-file.yaml"
pathType: "File"
readOnly: true
content: |
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
defaults:
enforce: "privileged"
enforce-version: "latest"
audit: "privileged"
audit-version: "latest"
warn: "privileged"
warn-version: "latest"
See Kubernetes Custom Configuration for more details on kubernetes
configuration, apiserver_extra_args
and apiserver_extra_volumes
.
The generic definition of the AdmissionConfiguration
resource can be found
at
https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/.
Platform namespaces configuration¶
In preparation for PSA controller full support, namespace labels have been
added to all the namespaces used by the platform. System namespaces, such as
kube-system
, deployment
, as well as application namespaces such as,
cert-manager
have been created by default with privileged label levels.
The following labels configuration is applied by default to Platform namespaces:
controller-0:~$ kubectl describe namespace kube-system
Name: kube-system
Labels: kubernetes.io/metadata.name=kube-system
pod-security.kubernetes.io/audit=privileged
pod-security.kubernetes.io/audit-version=latest
pod-security.kubernetes.io/enforce=privileged
pod-security.kubernetes.io/enforce-version=latest
pod-security.kubernetes.io/warn=privileged
pod-security.kubernetes.io/warn-version=latest
Annotations: <none>
Status: Active
No resource quota.
No LimitRange resource
Pod Security Admission Controller - Usage Example¶
This page walks through a usage example of PSA where you will:
Create a namespace for each of the 3 security policies levels: privileged, baseline and restricted.
Create a yaml file with a privileged pod configuration.
Create a privileged pod in all 3 namespaces.
The pod creation will only be successful in the privileged namespace.
controller-0:~$ vi baseline-ns.yaml
apiVersion: v1
kind: Namespace
metadata:
name: baseline-ns
labels:
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/enforce-version: v1.24
pod-security.kubernetes.io/warn: baseline
pod-security.kubernetes.io/warn-version: v1.24
pod-security.kubernetes.io/audit: baseline
pod-security.kubernetes.io/audit-version: v1.24
controller-0:~$ kubectl apply -f baseline-ns.yaml
controller-0:~$ vi privileged-ns.yaml
apiVersion: v1
kind: Namespace
metadata:
name: privileged-ns
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: v1.24
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/warn-version: v1.24
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/audit-version: v1.24
controller-0:~$ kubectl apply -f privileged-ns.yaml
controller-0:~$ vi restricted-ns.yaml
apiVersion: v1
kind: Namespace
metadata:
name: restricted-ns
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: v1.24
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/warn-version: v1.24
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: v1.24
controller-0:~$ kubectl apply -f restricted-ns.yaml
controller-0:~$ vi privileged-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: privileged
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
securityContext:
privileged: true
controller-0:~$ kubectl -n privileged-ns apply -f privileged-pod.yaml
pod/privileged created
controller-0:~$ kubectl -n baseline-ns apply -f privileged-pod.yaml
Error from server (Failure): error when creating "privileged-pod.yaml": privileged (container "pause" must not set securityContext.privileged=true)
controller-0:~$ kubectl -n restricted-ns apply -f privileged-pod.yaml
Error from server (Failure): error when creating "privileged-pod.yaml": privileged (container "pause" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "pause" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "pause" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "pause" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "pause" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
controller-0:~$
For more information refer to https://kubernetes.io/docs/concepts/security/pod-security-admission/.