
Container Service for Kubernetes:Configure and enforce ACK pod security policies

Last Updated: Sep 08, 2023

Compared with the pod security policies of Kubernetes, the pod security policies of Container Service for Kubernetes (ACK) are specialized for Kubernetes applications. You can configure pod security policies of ACK in a convenient and flexible manner. This helps the O&M engineers of enterprises better utilize the capabilities provided by ACK pod security policies. This topic describes how to install policy-template-controller and manage policy instances that are deployed from ACK pod security policies.

Background information

The PodSecurityPolicy (PSP) resource is deprecated as of Kubernetes 1.21. To address this situation, ACK upgrades the former policy management feature that is based on the PSP resource to the new policy governance feature that is based on the Open Policy Agent (OPA) policy engine and the gatekeeper admission controller. The new policy governance feature enables status monitoring, log collection, and log retrieval for policies, and provides a variety of predefined policies that suit more Kubernetes scenarios than PSPs. In addition, the configuration of these policies is easy and flexible, which helps the O&M engineers of enterprises better utilize the capabilities provided by ACK pod security policies.

Prerequisites

  • An ACK standard cluster or ACK dedicated cluster is created. The Kubernetes version is 1.16.9-aliyun.1 or later. For more information, see Create an ACK managed cluster or Create an ACK dedicated cluster.

  • If you want to manage pod security policies as a Resource Access Management (RAM) user, make sure that the RAM user is granted the following permissions:

    • cs:DescribePolicies: queries policies.

    • cs:DescribePoliceDetails: queries information about a policy.

    • cs:DescribePolicyGovernanceInCluster: queries information about policies in a cluster.

    • cs:DescribePolicyInstances: queries a specified policy instance that is deployed in a cluster.

    • cs:DescribePolicyInstancesStatus: queries information about policy instances in a cluster.

    • cs:DeployPolicyInstance: deploys a policy instance in a specified cluster.

    • cs:DeletePolicyInstance: deletes policy instances in a specified cluster.

    • cs:ModifyPolicyInstance: modifies a policy instance in a specified cluster.

    For more information about how to create custom RAM policies, see Create a custom RAM policy.

Considerations

  • The Kubernetes version of your ACK cluster must be 1.16.9-aliyun.1 or later.

  • The policy governance feature can be applied only to Linux nodes.

  • The policy governance feature does not allow you to configure custom policies. You can use only the predefined policies of the policy governance feature.

  • To use the policy governance feature, you must install gatekeeper from the Add-ons page of the ACK console.

    If gatekeeper is installed in other ways, you must uninstall gatekeeper and then install gatekeeper from the Add-ons page of the ACK console. For more information about the release notes for gatekeeper, see gatekeeper.

Install policy-template-controller

policy-template-controller is a policy template controller developed by Alibaba Cloud that helps you manage policy instances in a cluster.

Before you install policy-template-controller in your cluster, you must install the following components:

  • gatekeeper: an admission controller for Kubernetes that enforces policies executed by the OPA policy engine. gatekeeper helps you manage and enforce policies executed by the OPA policy engine in your cluster, and allows you to manage the labels of namespaces.

  • logtail-ds: collects the logs of blocking events and alerting events that are generated by policy violations, and allows you to retrieve those logs.

For more information about how to install gatekeeper and logtail-ds, see Manage components.

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.

    On the Policy Governance page, the system automatically checks whether the required components are installed or updatable, and instructs you to install or update the component on the page.

Policies

The following table describes the predefined policies of the policy governance feature. For more information about how to configure the policy parameters and deploy a policy, see Predefined security policies of ACK.

Category | Policy | Description | Severity
--- | --- | --- | ---
CIS-K8s | ACKNoEnvVarSecrets | The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables. | medium
CIS-K8s | ACKPodsRequireSecurityContext | Pods in the specified namespaces must be configured with the securityContext parameter. | low
CIS-K8s | ACKRestrictNamespaces | Resources of the specified types cannot be deployed in the specified namespaces. | low
CIS-K8s | ACKRestrictRoleBindings | RoleBindings in the specified namespaces can be used to bind only the specified Roles or ClusterRoles. | high
CIS-K8s | ACKNamespacesDeleteProtection | Specified namespaces cannot be deleted. | medium
Infra | ACKBlockProcessNamespaceSharing | Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter. | high
Infra | ACKEmptyDirHasSizeLimit | The sizeLimit parameter must be configured when you mount emptyDir volumes. | low
Infra | ACKLocalStorageRequireSafeToEvict | Pods in the specified namespaces must be configured with the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. By default, autoscaler does not evict pods that are mounted with hostPath volumes or emptyDir volumes during automatic scaling activities. To enable autoscaler to evict these pods, you must add this annotation to the configurations of the pods. | low
Infra | ACKOSSStorageLocationConstraint | Specifies whether Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces. | low
K8s-general | ACKAllowedRepos | Pods in the specified namespaces can pull images only from the specified image repositories. | high
K8s-general | ACKBlockAutoinjectServiceEnv | Pods in the specified namespaces must be configured with enableServiceLinks: false, which specifies that Service IP addresses are not injected into pod environment variables. | low
K8s-general | ACKBlockAutomountToken | Pods in the specified namespaces must be configured with automountServiceAccountToken: false, which specifies that service account tokens are not automatically mounted. | high
K8s-general | ACKBlockEphemeralContainer | Pods in the specified namespaces cannot launch ephemeral containers. | medium
K8s-general | ACKBlockLoadBalancer | LoadBalancer Services cannot be deployed in the specified namespaces. | high
K8s-general | ACKBlockNodePort | NodePort Services cannot be deployed in the specified namespaces. | high
K8s-general | ACKContainerLimits | Pods in the specified namespaces must be configured with resource limits. | low
K8s-general | ACKExternalIPs | Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content. | high
K8s-general | ACKImageDigests | Pods in the specified namespaces must be deployed from images whose digests comply with the specified format. | low
K8s-general | ACKRequiredLabels | Pods in the specified namespaces must have labels that comply with the policy content. | low
K8s-general | ACKRequiredProbes | Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes. | medium
K8s-general | ACKCheckNginxPath | The spec.rules[].http.paths[].path parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1. | high
K8s-general | ACKCheckNginxAnnotation | The metadata.annotations parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1. | high
K8s-general | ACKBlockInternetLoadBalancer | Internet-facing LoadBalancer Services cannot be created. | high
PSP | ACKPSPAllowPrivilegeEscalationContainer | Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter. | medium
PSP | ACKPSPAllowedUsers | Pods in the specified namespaces must be configured with the user, group, supplementalGroups, and fsGroup settings. | medium
PSP | ACKPSPAppArmor | Pods in the specified namespaces must be configured with AppArmor settings. | low
PSP | ACKPSPCapabilities | Pods in the specified namespaces must be configured with Linux capabilities settings. | high
PSP | ACKPSPFSGroup | Pods in the specified namespaces must be configured with fsGroup settings that comply with the policy content. | medium
PSP | ACKPSPFlexVolumes | Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content. | medium
PSP | ACKPSPForbiddenSysctls | Pods in the specified namespaces cannot use the specified sysctls. | high
PSP | ACKPSPHostFilesystem | hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions. | high
PSP | ACKPSPHostNamespace | Pods in the specified namespaces cannot share the host namespaces. | high
PSP | ACKPSPHostNetworkingPorts | Specifies whether pods in the specified namespaces can use the host network and the specified ports. | high
PSP | ACKPSPPrivilegedContainer | Pods in the specified namespaces cannot run privileged containers. | high
PSP | ACKPSPProcMount | Pods in the specified namespaces must be configured with the proc mount type that is specified in the policy content. | low
PSP | ACKPSPReadOnlyRootFilesystem | Pods in the specified namespaces must run with read-only root file systems. | medium
PSP | ACKPSPSELinuxV2 | Pods in the specified namespaces cannot be configured with SELinux options that are not specified by the allowedSELinuxOptions parameter. | low
PSP | ACKPSPSeccomp | Pods in the specified namespaces must be configured with the specified seccomp profiles. | low
PSP | ACKPSPVolumeTypes | Only volumes of the specified types can be mounted to pods in the specified namespaces. | medium
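Several of the predefined policies above check fields of a pod spec, so a workload team can catch violations before the gatekeeper admission controller blocks the deployment. The following added example (not ACK or gatekeeper code) applies the stated intent of seven of those policies to a pod manifest loaded as a plain dict; the two sample manifests are constructed for illustration.

```python
def check_pod(pod: dict) -> list:
    """Return the predefined ACK policy names (from the table above) that this
    pod spec would violate; added example, not ACK or gatekeeper code."""
    spec = pod.get("spec", {})
    hits = []
    # ACKBlockAutomountToken: the service account token must not be auto-mounted
    if spec.get("automountServiceAccountToken", True):
        hits.append("ACKBlockAutomountToken")
    # ACKBlockAutoinjectServiceEnv: Service IPs must not be injected as env vars
    if spec.get("enableServiceLinks", True):
        hits.append("ACKBlockAutoinjectServiceEnv")
    # ACKPSPHostNamespace: no sharing of the host PID, IPC or network namespace
    if any(spec.get(k) for k in ("hostPID", "hostIPC", "hostNetwork")):
        hits.append("ACKPSPHostNamespace")
    # ACKEmptyDirHasSizeLimit: every emptyDir volume needs a sizeLimit
    for vol in spec.get("volumes", []):
        if "emptyDir" in vol and not (vol["emptyDir"] or {}).get("sizeLimit"):
            hits.append("ACKEmptyDirHasSizeLimit")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # ACKPSPPrivilegedContainer: no privileged containers
        if sc.get("privileged"):
            hits.append("ACKPSPPrivilegedContainer")
        # ACKPSPReadOnlyRootFilesystem: the root file system must be read-only
        if not sc.get("readOnlyRootFilesystem"):
            hits.append("ACKPSPReadOnlyRootFilesystem")
        # ACKContainerLimits: every container must declare resource limits
        if not (c.get("resources") or {}).get("limits"):
            hits.append("ACKContainerLimits")
    return list(dict.fromkeys(hits))  # each policy reported once, in order

# Constructed sample manifests (not taken from any real cluster)
RISKY_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "risky"},
    "spec": {"hostNetwork": True,
             "volumes": [{"name": "scratch", "emptyDir": {}}],
             "containers": [{"name": "app", "image": "nginx",
                             "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {"automountServiceAccountToken": False, "enableServiceLinks": False,
             "volumes": [{"name": "scratch", "emptyDir": {"sizeLimit": "100Mi"}}],
             "containers": [{"name": "app", "image": "nginx",
                             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                             "securityContext": {"readOnlyRootFilesystem": True}}]}}
```

The check only reproduces the field semantics stated in the table; the actual namespace scope and parameters come from the policy instance you deploy in the console.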

View information about policies in a cluster

After you install policy-template-controller, you can perform the following steps to view information about policies in your cluster.

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.

  5. On the Overview tab, you can view information about policies in the cluster.

    The following information is displayed:

    • An overview of policies in the cluster, including the number of high-severity policies, the number of high-severity policies that are enabled, the number of medium-severity policies, and the number of medium-severity policies that are enabled. Policies that the system recommends you enable are also listed.

    • The numbers of blocking events and alerting events that are generated within the last seven days.

    • The records of the latest 100 events that are generated within the last 7 days. To view more information about the audit log, click the icon next to Actions within Last 7 Days. In the tooltip that appears, click the hyperlink to go to the Logstore details page in the Log Service console, where you can view the log that is stored in the Logstore.

View policies and policy instances in a cluster

To view policies and policy instances in your cluster, perform the following steps:

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.

  5. On the My Policies tab, you can view the names of policies in your cluster.

    You can view the names of policies in your cluster, and the total number of policies, the number of enabled policies, and the number of disabled policies in the upper-right corner of the tab. Enabled policies are displayed above disabled policies in the list. You can view the number of policy instances that are deployed from each policy.

    • To modify a policy instance, select the policy from which the policy instance is deployed and click the policy name or Modify in the Actions column, and then modify the policy instance configuration.

    • To delete all policy instances that are deployed from a policy, click Delete in the Actions column.

    • If the number of policy instances that are deployed from a policy is 0, the policy is disabled. To deploy a policy instance from a disabled policy, click Enable in the Actions column.

    For more information about policies and their templates, see Predefined security policies of ACK.

Deploy a policy instance

To deploy a policy instance in your cluster, perform the following steps:

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.

  5. On the My Policies tab, click Create Policy Instance.

    In the Create Policy Instance dialog box, set the following parameters:

    • Policy Type: Select a policy type. Valid values:

      • Infra: Policies of this type are used to enforce security control on infrastructure resources.

      • CIS-K8s: Policies of this type are used to enforce security control based on the Center for Internet Security (CIS) Kubernetes Benchmark.

      • PSP: Policies of this type are used as an alternative to the PSP resource.

      • K8s-general: Policies of this type are used to enforce security control on Kubernetes resources based on the Alibaba Cloud standards of security best practices.

    • Action: Valid values:

      • Block: blocks resource deployments that match the policy.

      • Alert: generates alerts for resource deployments that match the policy. The resource deployments can still be performed.

    • Policy Name: Select the name of the policy that you want to use. For more information, see Policies.

    • Applicable Scope: Select the namespaces to which you want to apply the policy instance.

    • Parameters:

      • If the code editor is empty, no parameter is required for the policy.

      • If parameters are displayed in the code editor, set the parameters based on the description. For more information, see Policies.

Modify a policy instance

To modify a policy instance in your cluster, perform the following steps:

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.

  5. On the My Policies tab, select the policy that you want to manage and click the policy name or Modify in the Actions column.

    If more than one policy instance is deployed from the policy, click View Instances in the Actions column, select the policy instance that you want to modify, and then click Modify. In the Modify Policy Instance dialog box, modify the parameter settings. For more information about the parameters, see the description of policy parameters.

Delete a policy instance

To delete a policy instance from your cluster, perform the following steps:

  1. Log on to the ACK console.

  2. In the left-side navigation pane of the ACK console, click Clusters.

  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.

  5. On the My Policies tab, select the policy from which the policy instance you want to delete is deployed and click Delete in the Actions column.

    • To delete all policy instances that are deployed from the policy, click Delete in the Actions column.

    • To delete a specific policy instance if more than one policy instance is deployed from the policy, click View Instances in the Actions column, find the policy instance that you want to delete, and then click Delete.