pod_security_admission

Latest commit 5ce7018 · May 6, 2024
Demo steps

1. Create a namespace that enforces the baseline Pod Security Standards (PSS) profile:

   ```sh
   kubectl create ns baseline
   kubectl label ns baseline pod-security.kubernetes.io/enforce-version=v1.23 pod-security.kubernetes.io/enforce=baseline
   ```

2. Verify that a privileged pod is blocked by the baseline Pod Security Admission (PSA) check:

   ```sh
   kubectl run privileged-pod --image=busybox --privileged --dry-run=server -n baseline
   ```

   Expected output:

   ```
   Error from server (Forbidden): pods "privileged-pod" is forbidden: violates PodSecurity "baseline:v1.23": privileged (container "privileged-pod" must not set securityContext.privileged=true)
   ```

3. Create the Kyverno policy that exempts the runAsNonRoot control for a specific container image:

   ```sh
   kubectl apply -f exempt-run-as-non-root.yaml
   ```

4. Create pods and verify the exemption.

   The pod root-pod-exempted is admitted, because the policy exempts its image from the runAsNonRoot control:

   ```sh
   kubectl apply -f root-pod-exempted.yaml -n baseline --dry-run=server
   ```

   The pod root-pod-forbidden is rejected, because the policy does not exempt the nginx container image. Note that this rejection comes from the Kyverno policy, not from the namespace label: runAsNonRoot is a restricted-profile control that the baseline profile never checks, so PSA alone would admit this pod.

   ```sh
   kubectl apply -f root-pod-forbidden.yaml -n baseline --dry-run=server
   ```

   Beyond that, Kyverno applies the PSS checks to workload resources such as Deployments. PSA only warns or audits on the pod template of a workload resource and never rejects it, whereas the Kyverno policy rejects a Deployment carrying the same pod spec:

   ```sh
   kubectl apply -f root-deployment-forbidden.yaml -n baseline --dry-run=server
   ```
5. (optional) Verify the restricted PSA check.

   Create a namespace that enforces the restricted PSS profile:

   ```sh
   kubectl create ns restricted
   kubectl label ns restricted pod-security.kubernetes.io/enforce-version=v1.23 pod-security.kubernetes.io/enforce=restricted
   ```

   Create the same pod root-pod-exempted that was admitted in step 4. Here it fails the restricted PSA check, because the namespace label is evaluated by the built-in admission controller, which knows nothing about the Kyverno exemption:

   ```sh
   kubectl apply -f root-pod-exempted.yaml -n restricted --dry-run=server
   ```

   Expected output:

   ```
   Error from server (Forbidden): error when creating "root-pod-exempted.yaml": pods "root-pod-exempted" is forbidden: violates PodSecurity "restricted:v1.23": runAsNonRoot != true (container "nginx" must not set securityContext.runAsNonRoot=false)
   ```
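
The demo above refers to exempt-run-as-non-root.yaml, root-pod-exempted.yaml and root-pod-forbidden.yaml without showing them. The following is an added example of what such a policy and the two test pods can look like; it is not the repository's own files. The policy name, the rule name and the image prefix registry.example.com/legacy/ are assumptions chosen for illustration. The policy enforces the restricted profile through Kyverno's podSecurity validation and excludes only the "Running as Non-root" control, and only for containers whose image matches the listed prefix:

```yaml
# Added example, not the repository's own exempt-run-as-non-root.yaml:
# a Kyverno ClusterPolicy that enforces the restricted PSS profile on Pods
# (and, through Kyverno's autogen, on pod controllers such as Deployments)
# but exempts the "Running as Non-root" control for one assumed image prefix.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psa-restricted-exempt-runasnonroot   # assumed name
spec:
  validationFailureAction: Enforce   # reject violating resources instead of only reporting them
  background: true                   # also report already-running Pods that violate the rule
  rules:
    - name: restricted-with-runasnonroot-exemption   # assumed name
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: restricted
          version: v1.23
          exclude:
            # Exempt only this control, and only for containers whose image
            # matches; every other restricted control still applies to them.
            - controlName: Running as Non-root
              images:
                - registry.example.com/legacy/*   # assumed image prefix
---
# Assumed stand-in for root-pod-exempted.yaml: it satisfies every other
# restricted control, so its only violation is the exempted one and it is admitted.
apiVersion: v1
kind: Pod
metadata:
  name: root-pod-exempted
spec:
  containers:
    - name: app
      image: registry.example.com/legacy/app:1.0   # matches the exclude entry (assumed image)
      securityContext:
        runAsNonRoot: false            # the exempted violation
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
---
# Assumed stand-in for root-pod-forbidden.yaml: identical securityContext, but the
# nginx image is not in the exclude list, so the policy rejects the pod.
apiVersion: v1
kind: Pod
metadata:
  name: root-pod-forbidden
spec:
  containers:
    - name: nginx
      image: nginx
      securityContext:
        runAsNonRoot: false            # no exemption for this image: rejected
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
```

Two points are worth checking when adapting this. First, the exemption is scoped by image, so a pod that sets runAsNonRoot: false but also drops a second restricted control (for example, omits the seccompProfile) is still rejected; the exclusion does not turn the rule into a baseline-level check. Second, the exemption lives entirely in Kyverno: the namespace label is enforced by the built-in Pod Security Admission controller, which has no exclusion mechanism beyond the cluster-wide exemptions in its admission configuration, so the exempted pod is only admitted in namespaces labelled baseline or lower, exactly as step 5 shows.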

Cleanup

```sh
kubectl delete ns baseline restricted
kubectl delete -f exempt-run-as-non-root.yaml
```