Pod Security Policy can be used to control the security aspects of pod deployments. This document walks you through an example deployment using an unprivileged nginx container.

- Kubernetes v1.14 or above. On Kubernetes versions lower than v1.14, `runAsGroup` does not work.
- Quobyte CSI driver deployment with PSP policies.
- The `PodSecurityPolicy` admission plugin must be enabled. Edit `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master nodes and append `PodSecurityPolicy` to `--enable-admission-plugins`. After that, restart the nodes or the kube-apiserver pods.
- The user and group specified in the PSP must exist on the host nodes.
- The nginx PSP demo pod requires:
  - Hosts with an nginx user (UID: 5050) and group (GID: 5050). This UID and GID are used in the example PSP. Create the nginx user and group:

    ```bash
    sudo groupadd -g 5050 nginx; sudo useradd -u 5050 -g 5050 nginx
    ```

  - A volume with at least read and execute permissions for the `nginx` user. Volume permissions can be configured in the StorageClass as `accessMode` for dynamically provisioned volumes.
All the example commands should be executed from the root directory of Quobyte CSI. Get the Quobyte CSI example files and change to the root directory:

```bash
git clone https://github.com/quobyte/quobyte-csi.git
cd quobyte-csi
```
Let us dive in and create an example PSP with restricted access. Using the example PSP, we can deploy an unprivileged nginx pod.

- Create the `quobyte` namespace:

  ```bash
  kubectl create ns quobyte
  ```

- Create the Quobyte admin secret (credentials are required for dynamic volume provisioning):

  ```bash
  kubectl create -f example/quobyte-admin-credentials.yaml
  ```

- Review and create the storage class:

  ```bash
  kubectl create -f example/psp/StorageClass-PSP.yaml
  ```

- Create a namespace `psp-example` to run the nginx pod as the nginx user:

  ```bash
  kubectl create namespace psp-example
  ```

- Create a service account `psp-user` in the `psp-example` namespace:

  ```bash
  kubectl create serviceaccount -n psp-example psp-user
  ```

- Create aliases for the kubectl commands. `kubectl-admin` is the admin user and `kubectl-user` is the service account `psp-user` in the namespace `psp-example`:

  ```bash
  # Admin user in the namespace "psp-example"
  alias kubectl-admin='kubectl -n psp-example'
  # psp-user in the namespace "psp-example"
  alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:psp-user -n psp-example'
  ```

- Update the UID and GID in the example PSP definition and create the PSP:

  ```bash
  kubectl create -f example/psp/psp-example-definition.yaml
  ```

- Create the Role and RoleBinding for `psp-user` in the `psp-example` namespace:

  ```bash
  kubectl-admin create -f example/psp/psp-example-roles.yaml
  ```

- Verify that `psp-user` can use the pod security policy `example-psp`:

  ```bash
  kubectl-user auth can-i use psp/example-psp
  ```

  The above command should output `yes` for the user to be able to deploy pods.

- Create the PVC:

  ```bash
  kubectl-user create -f example/psp/pvc-dynamic-provision-psp.yaml
  ```

- Create the pod with the created PVC:

  ```bash
  kubectl-user create -f example/psp/nginx-demo-pod-with-psp.yaml
  ```

- Wait for the pod to be in the running state (the pod lives in the `psp-example` namespace, so use the namespaced alias):

  ```bash
  kubectl-admin get po -w | grep 'nginx-psp-demo'
  ```

- Verify the user UID/GID inside the created pod:

  ```bash
  kubectl-admin exec -it nginx-psp-demo -- id
  ```

- Copy the index file into the pod. Unfortunately, `kubectl cp` does not work with non-root users, so this must be done manually. Connect to the pod:

  ```bash
  kubectl-admin exec -it nginx-psp-demo -- bash
  ```

  Create `index.html`:

  ```bash
  cat > /usr/share/nginx/html/index.html <<EOF
  <!DOCTYPE html>
  <html>
  <head>
  <title>Welcome to Quobyte CSI!</title>
  </head>
  <body>
  <h1>Welcome to Quobyte CSI!</h1>
  <p>This file is retrieved from the mounted Quobyte volume.</p>
  <p><em>Thank you for using Quobyte.</em></p>
  </body>
  </html>
  EOF
  ```

  Verify the file permissions on the created index.html and exit from the pod:

  ```bash
  ls -l /usr/share/nginx/html/index.html
  exit
  ```

- Access the index page from the command line:

  ```bash
  curl http://$(kubectl-user get pods nginx-psp-demo -o yaml | grep 'podIP:' | awk '{print $2}'):8080
  ```

  The above command should retrieve the Quobyte CSI welcome page (in raw HTML format).
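The walkthrough above applies `psp-example-definition.yaml` and `psp-example-roles.yaml` without showing their contents. The following is an added illustrative set of manifests (not the repository's own example/psp files) that matches the constraints described in this guide: a PSP pinned to the nginx UID/GID 5050 with privilege escalation disabled, plus a Role and RoleBinding that grant `psp-user` the `use` verb on `example-psp` only, which is what the `auth can-i use psp/example-psp` check tests. The Role name and every field value other than the names and IDs quoted in the guide are assumptions.

```yaml
# Added illustrative manifests (not the repository's example/psp files); everything
# except the names and UID/GID 5050 quoted in the guide is an assumption.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false      # no setuid binaries needed by nginx
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAs
    ranges: [{min: 5050, max: 5050}]   # the nginx user created on the hosts
  runAsGroup:                          # honoured only on Kubernetes >= v1.14
    rule: MustRunAs
    ranges: [{min: 5050, max: 5050}]
  fsGroup:                             # also constrained to the nginx GID
    rule: MustRunAs
    ranges: [{min: 5050, max: 5050}]
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 5050, max: 5050}]
  seLinux:
    rule: RunAsAny
  volumes: ["persistentVolumeClaim", "configMap", "secret", "emptyDir"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp-example-user            # assumed name
  namespace: psp-example
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["example-psp"]    # only this PSP, not every PSP in the cluster
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-example-user            # assumed name
  namespace: psp-example
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: psp-example-user
subjects:
- kind: ServiceAccount
  name: psp-user
  namespace: psp-example
```

The PSP is cluster-scoped while the Role and RoleBinding are namespaced, which is why the guide creates the former with plain `kubectl` and the latter with the namespaced `kubectl-admin` alias.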