A pod security policy (PSP) is a Kubernetes resource that is used to validate pod creation requests against a set of rules. This feature can limit container runtime behavior to enhance security. This topic describes how to create and manage a PSP and how to associate it with service accounts.
Prerequisites
- A managed or dedicated Kubernetes cluster is created. The cluster version is 1.14.8-aliyun.1 or later. For more information, see Create a cluster of ACK Managed Edition.
- An Alibaba Cloud account or a RAM user that has administrator permissions is used to log on to the Container Service for Kubernetes (ACK) console. For information about how to grant a RAM user administrator permissions, see Assign RBAC roles to a RAM user.
Background information
- A PSP is a cluster-level Kubernetes resource model that is used to validate pod creation requests against a set of rules. To use a policy, you must install and enable the PSP admission controller for kube-apiserver. If a pod fails to meet the conditions defined in a specified policy, kube-apiserver rejects the pod creation request.
- To use a policy, enable the PSP admission controller. For more information, see Enable an admission controller. You must also use RBAC to create a role that has the permission to use the policy and then bind the role to service accounts.
- By default, ACK enables the PSP feature for new managed or dedicated clusters. In this case, you do not have to configure related parameters for kube-apiserver, which reduces the O&M workload.
- Assume that you have enabled the PSP feature for a cluster. To ensure the smooth running of the cluster, ACK creates a default policy named ack.privileged. This policy does not limit pod creation and is applied to all authenticated users of the cluster. However, we recommend that you create custom policies that grant users the minimum permissions. For example, you can create custom policies to prevent some users from creating privileged pods. You can also set the root file system to read-only or specify a list of host paths that can be used by hostPath volumes.
Create a custom policy
Associate a custom policy with service accounts
If a pod creation request is not authorized by any policy, kube-apiserver rejects it with the following error:
Error from server (Forbidden): error when creating xxx: pods "xxx" is forbidden: unable to validate against any pod security policy: []
You can associate a custom policy with specified service accounts, or with all service accounts, in a specified namespace.
- Log on to the ACK console.
- In the left-side navigation pane, click Clusters.
- On the Clusters page, click the name of a cluster or click Details in the Actions column. The details page of the cluster appears.
- On the page that appears, choose .
- Click the Association Rules tab, and click Add Association Rule.
- In the Add Association Rule dialog box, specify Namespace, Account, and PSP.
- Click OK.
Disassociate the default policy from service accounts
- After you disassociate the default policy, all service accounts in the kube-system namespace and the system:nodes user group remain authorized to use the default policy. This ensures the smooth running of system components and containers.
- All service accounts in a namespace remain authorized to use the default policy if no custom policy is associated with the service accounts. This ensures that the containers in the namespace run smoothly.
- For a namespace in which service accounts are associated with a custom policy:
To ensure that the custom policy takes effect, the service accounts in such a namespace are no longer authorized to use the default policy after you disassociate it. Therefore, before you disassociate the default policy, make sure that the service accounts in the namespace are associated with the desired custom policy.
- For a namespace that is newly created:
The system does not automatically associate the default policy with service accounts in a new namespace. After you create a namespace, we recommend that you create a custom policy and associate it with service accounts in the namespace at the earliest opportunity.
- Log on to the ACK console.
- In the left-side navigation pane, click Clusters.
- On the Clusters page, click the name of a cluster or click Details in the Actions column. The details page of the cluster appears.
- On the page that appears, choose .
- In the PSP Management Guide section, click Disassociate Default PSP.
- In the Disassociate dialog box, click OK.
Enable the PSP admission controller
By default, ACK enables the PSP admission controller for new clusters. To ensure that PSPs take effect in an existing cluster, enable the admission controller for kube-apiserver.
Examples
The following examples show how to create custom policies and associate them with service accounts.
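The following manifest is an added example and is not part of the ACK documentation or of ACK itself; it shows a custom policy of the kind described above (no privileged pods, read-only root file system, restricted hostPath paths) and the RBAC objects that authorize one service account to use it. The policy name restricted-psp, the namespace demo-ns and the service account demo-sa are assumed placeholders.

```yaml
# Added example, not from the ACK page. Names restricted-psp, demo-ns, demo-sa are assumed.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  privileged: false                 # reject pods that request privileged containers
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true      # containers must mount their root file system read-only
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser: {rule: MustRunAsNonRoot}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
  volumes: [configMap, secret, emptyDir, persistentVolumeClaim, hostPath]
  allowedHostPaths:                 # hostPath volumes may only mount under /var/log, read-only
    - pathPrefix: /var/log
      readOnly: true
---
# ClusterRole that grants the "use" verb on exactly this policy
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-restricted-psp
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    resourceNames: [restricted-psp]
    verbs: [use]
---
# RoleBinding scoped to demo-ns: only demo-sa in that namespace may use the policy
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-restricted-psp
  namespace: demo-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-restricted-psp
subjects:
  - kind: ServiceAccount
    name: demo-sa
    namespace: demo-ns
```

With this in place, a pod created by demo-sa that requests a privileged container or a writable root file system is rejected by the admission controller, while pods from other service accounts in demo-ns fall back to whatever policy they are still authorized to use (the default policy, unless it has been disassociated).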