Pod Security Admission (PSA) is enabled by default in v1.23 and later, as it graduated to beta. Pod Security Admission is an admission controller that applies Pod Security Standards when pods are created. In this tutorial, you will enforce the baseline Pod Security Standard, one namespace at a time.
You can also apply Pod Security Standards to multiple namespaces at once at the cluster level. For instructions, refer to Apply Pod Security Standards at the cluster level.
Install the following on your workstation: KinD and kubectl (both are used in the commands below).
Create a KinD cluster as follows:
kind create cluster --name psa-ns-level --image kindest/node:v1.23.0
The output is similar to this:
Creating cluster "psa-ns-level" ...
 ✓ Ensuring node image (kindest/node:v1.23.0) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-psa-ns-level"
You can now use your cluster with:

kubectl cluster-info --context kind-psa-ns-level

Not sure what to do next? 😅  Check out https://kind.sigs.k8s.io/docs/user/quick-start/
Set the kubectl context to the new cluster:
kubectl cluster-info --context kind-psa-ns-level
The output is similar to this:
Kubernetes control plane is running at https://127.0.0.1:50996
CoreDNS is running at https://127.0.0.1:50996/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
Create a new namespace called example:
kubectl create ns example
The output is similar to this:
namespace/example created
Enable Pod Security Standards on this namespace using the labels supported by the built-in Pod Security Admission controller. In this step we will warn on the baseline Pod Security Standard as per the latest version (the default value):
kubectl label --overwrite ns example \
pod-security.kubernetes.io/warn=baseline \
pod-security.kubernetes.io/warn-version=latest
Multiple Pod Security Standards can be enabled on any namespace using labels. The following command will enforce the baseline Pod Security Standard, but warn and audit for the restricted Pod Security Standard, as per the latest version (the default value):
kubectl label --overwrite ns example \
pod-security.kubernetes.io/enforce=baseline \
pod-security.kubernetes.io/enforce-version=latest \
pod-security.kubernetes.io/warn=restricted \
pod-security.kubernetes.io/warn-version=latest \
pod-security.kubernetes.io/audit=restricted \
pod-security.kubernetes.io/audit-version=latest
Create a minimal pod in the example namespace (the target directory is created first so the redirect does not fail):
mkdir -p /tmp/pss
cat <<EOF > /tmp/pss/nginx-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
EOF
Apply the pod spec to the cluster in the example namespace:
kubectl apply -n example -f /tmp/pss/nginx-pod.yaml
The output is similar to this:
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
pod/nginx created
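The four findings in that warning are checks a defender can reproduce locally before running kubectl apply. As an added example (not part of the Kubernetes tutorial), this Python script applies those same four restricted-profile checks to the nginx pod above and to a hardened copy of it; restricted_violations and harden are hypothetical helper names, and the check set is only the subset that PSA reported on this page, not the full restricted standard.

```python
import copy
from typing import Any

# Added example, not the Kubernetes project's code: mirrors the four restricted:latest
# findings PSA reported for the tutorial's nginx pod. Subset of the standard only.

def restricted_violations(pod: dict[str, Any]) -> list[str]:
    """Return the restricted-profile findings from the page's warning, per container."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        # runAsNonRoot and seccompProfile may be set at pod level; a container value overrides it
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f'pod or container "{name}" must set securityContext.seccompProfile.type '
                            'to "RuntimeDefault" or "Localhost"')
    return findings

# The tutorial's minimal nginx pod, constructed here as a dict from the YAML above.
MINIMAL_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
               "spec": {"containers": [{"image": "nginx", "name": "nginx",
                                        "ports": [{"containerPort": 80}]}]}}

def harden(pod: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of pod with exactly the fields the four findings ask for."""
    p = copy.deepcopy(pod)
    p["spec"].setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}})
    for c in p["spec"]["containers"]:
        c.setdefault("securityContext", {}).update(
            {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}})
    return p

HARDENED_POD = harden(MINIMAL_POD)

if __name__ == "__main__":
    for f in restricted_violations(MINIMAL_POD):
        print("would violate restricted:", f)
    print("hardened pod findings:", restricted_violations(HARDENED_POD))
```

Satisfying the admission check is not the same as running: the stock nginx image starts as root, so with runAsNonRoot=true the kubelet refuses to start the container unless a non-root runAsUser or a non-root image is used.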
Apply the pod spec to the cluster in the default namespace:
kubectl apply -n default -f /tmp/pss/nginx-pod.yaml
Output is similar to this:
pod/nginx created
The Pod Security Standards were applied only to the example namespace. You could create the same Pod in the default namespace with no warnings.
Run kind delete cluster --name psa-ns-level to delete the cluster you created.
In this tutorial you applied the baseline Pod Security Standard in enforce mode while also applying the restricted Pod Security Standard in warn and audit mode.
© 2022 The Kubernetes Authors
Documentation Distributed under CC BY 4.0.
https://kubernetes.io/docs/tutorials/security/ns-level-pss/