This story is about one of the many ways to secure kubernetes cluster. By default users and service accounts are authorized to create pods, which is good in the testing environment but in a production environment, it can cause huge problems. To restrict users and service accounts access, pod security will be used.
Overview
This section provides basic guidelines before hands-on with pod security policy on minikube cluster.
Pre-Requisites
Readers must understand these concepts to better understand Pod Security Policy. List of pre-requisites are given below:
Pod Security Policy
Pod Security Policies (admission controller) enables authorization policies for pod creation and update, for users and service accounts. It is a cluster-level resource that controls security sensitive aspects of the pod specification.
Admission Controller
An admission controller intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. It validates the requests for appropriateness like whether a controller is authorized to create pods in privileged mode to access to resources like hostNetwork etc.
Policy
It is a YAML file containing authorization rules for resources.
Policy Definition Guidelines
Policies are of two types restrictive(to restrict resources access) and permissive(to enable resources access).
Pod Security Policy should be implemented in this pattern:
- Create a
restrictivepolicy for references/resources whose access should be restricted in the cluster. - Create a
permissivepolicy for reference(s)/resource(s) whose access needs to be enabled for the users or service accounts based on the requirements.
Example
This section will provide guidelines on how to enable and implement pod security policy.
1. Enabling Pod Security Policy
PSP is not enabled by default. PSP can be enabled by appending PodSecurityPolicy keyword in the --enable-admission-plugins element of spec.containers.command list, provided in /etc/kubernetes/manifests/kube-apiserver.yaml file.
Example
— enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodSecurityPolicy
Keypoint
Although Pod Security Policy is enabled in the cluster but without any
policiesit will cause pod creation(including re-creating pods from a scheduling event) tofail.
Testing
Use the deployment manifest given below to check whether a pod can be created with the absence of PSP policy.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: default
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.15.4Use this command to create the deployment:
$ sudo kubectl deploy -f <file-name>.yamlUse this command to check whether the pod is created or not
kubectl get pods,replicasets,deploymentsOutput
$ sudo kubectl get po,rs,deploy
It can be seen that deployment and replica sets controller is running but the pod is not created due to the absence of PSP policy.
2. Defining Policies
We will define two policies.
- Restrictive policy
It is the default restrictive policy to restrict resources access:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restrictive
spec:
privileged: false
hostNetwork: false
allowPrivilegeEscalation: false
defaultAllowPrivilegeEscalation: false
hostPID: false
hostIPC: false
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'downwardAPI'
- 'emptyDir'
- 'persistentVolumeClaim'
- 'secret'
- 'projected'
allowedCapabilities:
- '*'2. Permissive Policy
It is a permissive policy that enables access to resources. Multiple permissive policies can be defined to enable access to multiple resources and later use that policy with service accounts based on the use case.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: permissive
spec:
privileged: true
hostNetwork: true
hostIPC: true
hostPID: true
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
hostPorts:
- min: 0
max: 65535
volumes:
- '*'Above two policies can be applied using the commands given below:
$ sudo kubectl apply -f <default-restrictive-policy>.yaml$ sudo kubectl apply -f <permissive-policy>.yaml
To check whether policies are created or not.
$ sudo kubectl get psp
To apply policies in our cluster we will create cluster role and cluster role binding.
Cluster Roles
Restrictive cluster role for the restrictive policy.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp-restrictive
rules:
- apiGroups:
- extensions
resources:
- podsecuritypolicies
resourceNames:
- restrictive
verbs:
- usePermissive cluster role for the permissive policy.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp-permissive
rules:
- apiGroups:
- extensions
resources:
- podsecuritypolicies
resourceNames:
- permissive
verbs:
- useCreate the above cluster roles using the command given below:
$ sudo kubectl apply -f <cluster-role-for-restrictive-access>.yaml$ sudo kubectl apply -f <cluster-role-for-permissive-access>.yaml
Cluster Role Bindings
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp-default
subjects:
- kind: Group
name: system:serviceaccounts
namespace: kube-system
roleRef:
kind: ClusterRole
name: psp-restrictive
apiGroup: rbac.authorization.k8s.ioThe above role binding will bind the restrictive cluster role with all system service accounts.
To apply this binding use the command given below:
$ sudo kubectl apply -f <restrictive-cluster-role-binding>.yamlTesting
As the policies have been defined and attached with service accounts, we will try to recreate the previous deployment to check whether pods will be created or not.
First of all, delete the previous deployment:
$ sudo kubectl delete deploy nginx-deployment$ sudo kubectl get po,rs,deploy
Recreate the deployment:
$ sudo kubectl apply -f nginx-deployment.yaml$ sudo kubectl get po,rs,deploy
Keypoint
It can be seen that pod has been created because policies have been defined.
3. Breaking Policy Rules
In this section, we will create a deployment that will use a privileged resource “hostNetwork” that has been restricted by restrictive policy.
First of all, delete the previous deployment:
$ sudo kubectl delete deploy nginx-deployment$ sudo kubectl get po,rs,deploy
Create a new deployment using the manifest and command given below:
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-hostnetwork-deployment
namespace: kube-system
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.15.4
hostNetwork: true$ sudo kubectl apply -f nginx-host-network-deployment.yaml$ sudo kubectl get po,rs,deploy
It can be seen that the replica set controller wasn’t able to create a new pod because:
Error creating: pods “nginx-hostnetwork-deployment-fd75d78b-” is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used]
Keypoint
It means that when we tried to create a new deployment that tried to access the restricted resource, it wasn’t allowed to be created because of the restrictive policy.
4. Creating a deployment with privileged access
In this section, we will provide privileged rights to some controllers (daemon-set-controller, replicaset-controller, job-controller) by assigning permissive policy to controller’s service account.
First, we will create role binding
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: psp-permissive
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp-permissive
subjects:
- kind: ServiceAccount
name: daemon-set-controller
namespace: kube-system
- kind: ServiceAccount
name: replicaset-controller
namespace: kube-system
- kind: ServiceAccount
name: job-controller
namespace: kube-systemTo apply the above role binding use the command given below:
$ sudo kubectl apply -f <permissive-role-binding>.yamlWe will recreate the deployment that will try to use the resource that is restricted by restrictive policy. The only difference between current and previous deployment is that it is being deployed in kube-system namespace instead of default namespace because we have applied permissive policy on the kube-system namespace.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-hostnetwork-deployment
namespace: kube-system
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.15.4
hostNetwork: trueTo create the above deployment we will use the command given below:
$ sudo kubectl apply -f <nignx-deployment>.yamlTo check whether pods are created or not use the command given below:
$ sudo kubectl get po,rs,deploy -n kube-system
Keypoint
It can been seen that nginx-hostnetwork-deployment pod has been deployed in the kube-system namespace becuase of the privilaged access given to controllers in the kube-system namespace.
Summary
Above tutorial depicts that Pod Security Policy is a way to secure the pod creation process in k8s cluster by using the PSP authorization policies.
