DevOps | Cloud | Analytics | Open Source | Programming





How To Apply Pod Security Standards to the Kubernetes Cluster ?



In this post, we will explore - How To Apply Pod Security Standards to the Kubernetes Cluster. Pod Security is an admission controller that checks new pods against the Kubernetes Pod Security Standards. Pod Security admission (PSA) is enabled by default in Kubernetes v1.23 and later, and has graduated to beta status. Follow the below step by step process to do this.  

1. Choose Pod Security Standard :

Pod Security Admission (PSA) allows you to apply built-in Pod Security Standards using three different modes: "enforce", "audit", and "warn"

  • To create a cluster with no Pod Security Standards applied using the kind command line tool, you can run the following command:
This will create a new cluster named "psa-wo-cluster-pss" using the specified node image. The output of the command will show the progress of the cluster creation process and will inform you when the cluster is ready to use.



kind create cluster --name psa-wo-cluster-pss --image kindest/node:v1.24.0


  • You can then use the kubectl command line tool to access the cluster by running the following command:


kubectl cluster-info --context kind-psa-wo-cluster-pss


  • To get a list of namespaces in a Kubernetes cluster, you can use the kubectl command line tool with the get command and the ns (namespace) resource.


kubectl get ns


This will list all the namespaces in the cluster, along with their status and age.    

2. Pre-Checks Prior To Applying the Security Standards :

To understand what will happen when different Pod Security Standards are applied, you can use the kubectl label command with the --dry-run=server option and the pod-security.kubernetes.io/enforce label.

  • To apply the "privileged" Pod Security Standard to all namespaces in the cluster, you can use the following command. This will show you what would happen if the "privileged" Pod Security Standard were applied to all namespaces in the cluster, without actually making any changes. The output of the command will show which namespaces would be labeled, and whether any existing pods in those namespaces would violate the new Pod Security Standard.


kubectl label --dry-run=server --overwrite ns --all \\
pod-security.kubernetes.io/enforce=privileged


  • To apply the "baseline" Pod Security Standards using the following commands.
The output of these commands will show you what would happen if these Pod Security Standards were applied, and whether any existing pods in the cluster would violate the new standards.



kubectl label --dry-run=server --overwrite ns --all \\
pod-security.kubernetes.io/enforce=baseline


  • To apply the "restricted" Pod Security Standards using the following commands.
The pod-security.kubernetes.io/enforce=restricted label shows what would happen if the "restricted" Pod Security Standard were applied to all namespaces in the cluster. The output will show how the "restricted" standard would be applied to the default, kube-node-lease, and kube-public namespaces, but would generate warnings for the kube-system and local-path-storage namespaces.



kubectl label --dry-run=server --overwrite ns --all \\
pod-security.kubernetes.io/enforce=restricted


3. Apply the Security Standards :

  • We will see how to apply Pod Security Standards at the cluster level, meaning that the standards will apply to all namespaces in the cluster.
  • The process involves creating a configuration file that specifies the Pod Security Standards to be applied and the mode in which they should be applied (i.e., "enforce", "warn", or "audit").
  • This configuration file is then passed to the API server when the cluster is created, using the --config flag of the kind create cluster command.
  • The configuration file specifies the "baseline" standard to be applied in "enforce" mode and the "restricted" standard to be applied in both "warn" and "audit" mode.
  • Additionally, the kube-system namespace is exempt from having these standards applied.
  • Once the cluster is created, the Pod Security Admission controller will use the configuration file to enforce the specified Pod Security Standards on all pods that are created in the cluster.
  • If a pod violates one of the standards, it will either be rejected (if the standard is applied in "enforce" mode), logged as a warning (if the standard is applied in "warn" mode), or logged as an audit event (if the standard is applied in "audit" mode).
To apply the "baseline" Pod Security Standard in "enforce" mode and the "restricted" standard in "warn" and "audit" mode to the latest version, you can use the kubectl label command to set the appropriate labels on the namespaces you want to apply these standards to.  

  • To apply the "baseline" standard in "enforce" mode to all namespaces, you can use the following command:


kubectl label --overwrite ns --all \\
pod-security.kubernetes.io/enforce=baseline:latest


  • To apply the "restricted" standard in "warn" mode to all namespaces, you can use the following command:


kubectl label --overwrite ns --all \\
pod-security.kubernetes.io/warn=restricted:latest


  • To apply the "restricted" standard in "audit" mode to all namespaces, you can use the following command:


kubectl label --overwrite ns --all \\
pod-security.kubernetes.io/audit=restricted:latest


  • To exempt the kube-system namespace from having Pod Security Standards applied, you can simply remove the labels that you applied to this namespace.
e.g. To remove the "enforce" label from the kube-system namespace  use below. This will remove the "enforce" label from the kube-system namespace, exempting it from the Pod Security Standard you applied. You can use similar commands to remove the "warn" and "audit" labels as well.



kubectl label ns kube-system pod-security.kubernetes.io/enforce-


  • You can create a config file that can be used by the Pod Security Admission Controller to implement these Pod Security Standards. This config file defines the Pod Security Standards that should be applied to your cluster. It specifies that the baseline standard should be applied in enforce mode, and the restricted standard should be applied in both warn and audit mode. It also exempts the kube-system namespace from having Pod Security Standards applied. 


mkdir -p /tmp/pss
cat <<EOF > /tmp/pss/cluster-level-pss.yaml 
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "baseline"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system]
EOF


  • Use the above config file to create a new Kubernetes cluster using KinD. It specifies that the API server should consume the cluster-level-pss.yaml file for Pod Security Admission. The kubeadmConfigPatches field is used to add the admission-control-config-file argument to the API server's command line arguments. This argument specifies the path to the Pod Security Admission configuration file that the API server should use.


cat <<EOF > /tmp/pss/cluster-config.yaml 
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
        extraArgs:
          admission-control-config-file: /etc/config/cluster-level-pss.yaml
        extraVolumes:
          - name: accf
            hostPath: /etc/config
            mountPath: /etc/config
            readOnly: false
            pathType: "DirectoryOrCreate"
  extraMounts:
  - hostPath: /tmp/pss
    containerPath: /etc/config
    # optional: if set, the mount is read-only.
    # default false
    readOnly: false
    # optional: if set, the mount needs SELinux relabeling.
    # default false
    selinuxRelabel: false
    # optional: set propagation mode (None, HostToContainer or Bidirectional)
    # see https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
    # default None
    propagation: None
EOF


  • Create Kubernetes cluster which will use the Pod Security Admission to apply the Pod Security Standards.


 kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.24.0 --config /tmp/pss/cluster-config.yaml


  • Set the kubectl context to the new cluster:


 kubectl cluster-info --context kind-psa-with-cluster-pss


  • Create the  Pod specification


cat <<EOF > /tmp/pss/nginx-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
      ports:
        - containerPort: 80
EOF


  • Create the Pod using kubectl using the above pod specification file.


 kubectl apply -f /tmp/pss/nginx-pod.yaml


4. Delete the Cluster :

If you require to delete the cluster, you just created, do the following -



kind delete cluster --name psa-with-cluster-pss




kind delete cluster --name psa-wo-cluster-pss


Hope this helps.  

Additional Posts you might want to read from this Blog -



kubectl get pod security policy ,readonlyrootfilesystem kubernetes ,kubernetes pod security policy ,kubernetes pod security policy best practices ,kubernetes allowprivilegeescalation ,pod security policy deprecated ,pod security kubernetes io enforce privileged ,kubernetes pod security context ,kubernetes pod security best practices ,pod security policy in kubernetes ,pod security kubernetes ,kubernetes pod security standards ,kubectl get pod security policy ,pod security policy deprecated ,pod security kubernetes io enforce privileged ,kubernetes pod security policy best practices ,pod security standards example ,pod security admission controller ,kubernetes security ,How do I apply for a pod security policy ,How do you secure pods in Kubernetes ,How do I check my pod security standards ,How do you manage security in Kubernetes cluster ,apply pod security standards kubernetes cluster ,pod security admission controller ,pod security configuration ,kubernetes pod security standards ,kubernetes cluster pod security ,enforce pod security standards kubernetes ,audit pod security standards kubernetes ,warn pod security standards kubernetes ,pod security exemptions kubernetes ,kubernetes pod security admission control