Container Service for Kubernetes:Configure container security policies in registered clusters

Last Updated: Nov 21, 2025

Registered clusters provide flexible and easy-to-configure policy rules that are suitable for a wide range of Kubernetes scenarios. These rules help enterprise security and operations management personnel better use policy administration capabilities. This topic describes how to install the policy administration component and manage policy instances in a registered cluster.

Background information

Compared with the original PodSecurityPolicy (PSP) policies, the container security policies for registered clusters provide flexible and easy-to-configure policy rules that are suitable for a wider range of Kubernetes scenarios. These rules help enterprise security and operations management personnel better use policy administration capabilities.

Prerequisites

  • You have created a registered cluster that runs version 1.16.9-aliyun.1 or later and connected a self-managed Kubernetes cluster to it. For more information, see Create a registered cluster and connect a cluster from a data center.

  • You have installed and configured onectl on your on-premises machine. For more information, see Manage registered clusters using onectl.

  • If you use a RAM user to manage policies, the RAM user must have the required RAM authorization. For more information about how to create a custom policy, see Use RAM to grant access permissions to clusters and cloud resources.

    Required RAM actions (parameter and description):

    • cs:DescribePolicies: Lists the policy rules in the policy library.

    • cs:DescribePoliceDetails: Obtains the details of a policy rule template.

    • cs:DescribePolicyGovernanceInCluster: Obtains the details of policy administration in a cluster.

    • cs:DescribePolicyInstances: Obtains a list of policy instances that are deployed in a cluster.

    • cs:DescribePolicyInstancesStatus: Obtains the deployment status of instances that correspond to different policy types in the cluster.

    • cs:DeployPolicyInstance: Deploys a policy rule instance in a specified cluster.

    • cs:DeletePolicyInstance: Deletes a policy rule instance from a specified cluster.

    • cs:ModifyPolicyInstance: Modifies a policy rule instance in a specified cluster.

Usage notes

  • This feature is supported only for registered clusters that run version 1.16.9-aliyun.1 or later.

  • This feature is applicable only to Linux nodes.

  • Custom policy rules are not supported. All rules are from the built-in ACK rule library.

  • You can install the gatekeeper component only using the Add-ons page in the ACK console or onectl.

    If the gatekeeper component is already installed in your cluster by other means, uninstall the component before reinstalling it from the Component Management page. For the gatekeeper release notes, see gatekeeper.

Install the policy administration component

The policy-template-controller component is a Kubernetes controller developed based on Alibaba Cloud policy templates. It helps you manage policy instances that are deployed from different policy templates and the overall administration status of the cluster.

Before you install the policy-template-controller component, you must install the following components.

  • Gatekeeper component: a Kubernetes admission controller based on the Open Policy Agent (OPA) policy engine. It helps you manage and apply OPA policies in your cluster and implement features such as namespace tag management.

  • logtail-ds log component: used to collect and retrieve logs about blocking or alerting events that are generated due to violations of policy constraints.

You can use one of the following methods to install the Gatekeeper, logtail-ds, and policy administration components.

Install using onectl

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. Run the following command to install the required components.

    onectl ram-user grant --addon logtail-ds
    onectl addon install gatekeeper
    onectl addon install logtail-ds
    onectl addon install policy-template-controller

    Expected output:

    Ram policy ack-one-registered-cluster-policy-logtail-ds granted to ram user ack-one-user-ce313528c3 successfully.
    Addon gatekeeper, version **** installed.
    Addon logtail-ds, version **** installed.
    Addon policy-template-controller, version **** installed.

Install from the console

You can install the Gatekeeper and logtail-ds components from the Component Management page. For more information, see Manage components.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the cluster you want and click its name. In the left-side pane, choose Security > Policy Governance.

  3. On the Policy Governance page, click Install and follow the prompts to install the policy administration component.

Policy rule library overview

Container Service for Kubernetes (ACK) provides built-in policy rule libraries. The following table describes the policy categories and provides brief descriptions. For more information about the parameter configuration and template usage of the policy rule library, see Predefined security policies of ACK.

Entries are grouped by category; each line gives the policy name, its severity in parentheses, and a description.

Compliance

  • ACKNoEnvVarSecrets (medium): Prevents Secrets from being mounted into the environment variables of application pods through secretKeyRef.

  • ACKPodsRequireSecurityContext (low): Requires that all containers in a pod are configured with the securityContext field.

  • ACKRestrictNamespaces (low): Restricts resource deployments to specified namespaces in the cluster.

  • ACKRestrictRoleBindings (high): Restricts RoleBindings in specified namespaces to reference only Roles or ClusterRoles within a specified scope.

  • ACKNamespacesDeleteProtection (medium): Prevents specified namespaces from being accidentally deleted.

Infra

  • ACKBlockProcessNamespaceSharing (high): Prevents applications deployed in a specified scope of the cluster from using shareProcessNamespace.

  • ACKEmptyDirHasSizeLimit (low): Requires that volumes of the emptyDir type have sizeLimit specified.

  • ACKLocalStorageRequireSafeToEvict (low): Requires that pods deployed within a specified scope of the cluster carry the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. By default, the autoscaler does not evict pods that use HostPath or EmptyDir volumes during cluster auto scaling. To allow these pods to be evicted, you must add this annotation to them.

  • ACKOSSStorageLocationConstraint (low): Restricts deployments in specified namespaces to use only Alibaba Cloud OSS PVs in a specified region.

K8s-general

  • ACKAllowedRepos (high): Prevents application pods deployed in a specified scope of the cluster from pulling images that are not in the whitelist.

  • ACKBlockAutoinjectServiceEnv (low): Requires that applications are configured with enableServiceLinks: false to prevent Service IP addresses from being exposed in pod environment variables.

  • ACKBlockAutomountToken (high): Requires that applications are configured with automountServiceAccountToken: false to prevent the service account token from being automatically mounted.

  • ACKBlockEphemeralContainer (medium): Prevents ephemeral containers from being started in application pods within a specified scope of the cluster.

  • ACKBlockLoadBalancer (high): Prevents Services of the LoadBalancer type from being deployed in a specified scope of the cluster.

  • ACKBlockNodePort (high): Prevents Services of the NodePort type from being used in a specified scope of the cluster.

  • ACKContainerLimits (low): Requires that application pods in a specified scope of the cluster are configured with resource limits.

  • ACKExternalIPs (high): Prevents Services in a specified scope of the cluster from using externalIPs that are not in the whitelist.

  • ACKImageDigests (low): Prevents images that do not conform to the digest format from being deployed in a specified scope of the cluster.

  • ACKRequiredLabels (low): Prevents applications that do not have the specified labels from being deployed in a specified scope of the cluster.

  • ACKRequiredProbes (medium): Requires that pods deployed in a specified scope of the cluster are configured with the specified types of readinessProbe and livenessProbe.

  • ACKCheckNginxPath (high): Prevents risky configurations in the spec.rules[].http.paths[].path field of Ingress resources. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1.

  • ACKCheckNginxAnnotation (high): Prevents risky configurations in the metadata.annotations field of Ingress resources. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1.

  • ACKBlockInternetLoadBalancer (high): Prevents the creation of Internet-facing LoadBalancer Services.

PSP

  • ACKPSPAllowPrivilegeEscalationContainer (medium): Requires that pods deployed in a specified scope of the cluster are configured with the allowPrivilegeEscalation parameter.

  • ACKPSPAllowedUsers (medium): Restricts the user, group, supplementalGroups, and fsGroup that pods deployed in a specified scope of the cluster can run with.

  • ACKPSPAppArmor (low): Requires that pods deployed in a specified scope of the cluster are configured with AppArmor.

  • ACKPSPCapabilities (high): Requires that pods deployed in a specified scope of the cluster are configured with Linux capabilities.

  • ACKPSPFSGroup (medium): Requires that pods deployed in a specified scope of the cluster are configured with fsGroup.

  • ACKPSPFlexVolumes (medium): Restricts the FlexVolume driver configuration for pods deployed in a specified scope of the cluster.

  • ACKPSPForbiddenSysctls (high): Restricts the forbidden sysctls for pods deployed in a specified scope of the cluster.

  • ACKPSPHostFilesystem (high): Restricts the host directories that can be mounted into pods deployed in a specified scope of the cluster.

  • ACKPSPHostNamespace (high): Restricts whether pods deployed in a specified scope of the cluster may share host namespaces.

  • ACKPSPHostNetworkingPorts (high): Restricts pods deployed in a specified scope of the cluster from using the host network and specified ports.

  • ACKPSPPrivilegedContainer (high): Prevents privileged containers from being started in pods deployed in a specified scope of the cluster.

  • ACKPSPProcMount (low): Restricts the procMount types allowed for pods deployed in a specified scope of the cluster.

  • ACKPSPReadOnlyRootFilesystem (medium): Requires that pods deployed in a specified scope of the cluster use read-only root file systems.

  • ACKPSPSELinuxV2 (low): Requires that pods deployed in a specified scope of the cluster use the SELinux configuration specified in the AllowedSELinuxOptions parameter.

  • ACKPSPSeccomp (low): Requires that pods deployed in a specified scope of the cluster use the specified seccomp profiles.

  • ACKPSPVolumeTypes (medium): Restricts pods deployed in a specified scope of the cluster to the specified volume types.
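The rules above are enforced by Gatekeeper at admission time. To make four of them concrete, the following added example (not ACK's or Gatekeeper's code) evaluates a constructed Pod manifest against a literal reading of the ACKNoEnvVarSecrets, ACKBlockAutomountToken, ACKPSPPrivilegedContainer and ACKContainerLimits descriptions and then applies the Block/Alert decision described under the Action parameter. The "both cpu and memory limits" interpretation of ACKContainerLimits and the sample manifest are assumptions.

```python
"""Offline pre-check of a Pod manifest against four of the built-in rules listed
above. Added example, not ACK's or Gatekeeper's implementation: rule names and
severities come from the table, the logic is a literal reading of each description."""
SEVERITY = {"ACKNoEnvVarSecrets": "medium", "ACKBlockAutomountToken": "high",
            "ACKPSPPrivilegedContainer": "high", "ACKContainerLimits": "low"}


def check_pod(pod: dict) -> list:
    """Return one (policy, severity, detail) tuple per violation found."""
    spec = pod.get("spec", {})
    findings = []
    def hit(policy, detail):
        findings.append((policy, SEVERITY[policy], detail))
    # ACKBlockAutomountToken: the field must be explicitly false; the Kubernetes
    # default (unset) mounts the token, so an unset field is also a violation.
    if spec.get("automountServiceAccountToken") is not False:
        hit("ACKBlockAutomountToken", "automountServiceAccountToken is not false")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        # ACKNoEnvVarSecrets: a Secret injected through env[].valueFrom.secretKeyRef
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                hit("ACKNoEnvVarSecrets", f"{name}: env {env.get('name')} uses secretKeyRef")
        # ACKPSPPrivilegedContainer: securityContext.privileged set to true
        if c.get("securityContext", {}).get("privileged") is True:
            hit("ACKPSPPrivilegedContainer", f"{name}: privileged container")
        # ACKContainerLimits, read here as "both cpu and memory limits set"
        # (assumption; the table only says "configured with resource limits").
        if not {"cpu", "memory"} <= set(c.get("resources", {}).get("limits", {})):
            hit("ACKContainerLimits", f"{name}: cpu/memory limits missing")
    return findings


def decide(findings: list, action: str = "Block") -> str:
    """Mirror the instance Action parameter: Block denies, Alert admits and logs."""
    if not findings:
        return "admitted"
    return "denied" if action == "Block" else "admitted with alert"


# Constructed sample manifest that violates all four rules.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
              "spec": {"containers": [{"name": "app", "image": "registry.example/app:1.0",
                       "env": [{"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}],
                       "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for policy, sev, detail in check_pod(SAMPLE_POD):
        print(f"[{sev}] {policy}: {detail}")
    print(decide(check_pod(SAMPLE_POD)))  # denied
```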

View the current policy administration status of the cluster

For a cluster where policy administration components are installed, you can perform the following steps to view the current policy administration status of the cluster.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the cluster you want and click its name. In the left-side pane, choose Security > Policy Governance.

  3. On the Overview tab, you can view the current policy administration status of the cluster.

    The following information is displayed:

    • An overview of enabled policies. This includes the total number of policies, the number of enabled important and medium mitigation policies, and a list of recommended policies to enable.

    • Statistics about blocking and alerting events that occurred in the last 7 days.

    • By default, the table on this page displays the 100 most recent block or alert logs from the last 7 days. To view more audit logs, click the Information icon next to Actions within Last 7 Days. In the resulting pop-up window, click the Simple Log Service link to open the Simple Log Service console and view all logs in the specified Logstore.

View the policy list and deployed policy instances in the cluster

You can perform the following steps to view the policy list and the total number of policy instances that are deployed in the cluster.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the cluster you want and click its name. In the left-side pane, choose Security > Policy Governance.

  3. On the My Policies tab, you can view the names of all deployable policies in the cluster.

    This list displays the names of all deployable policies. The upper-right corner of the table shows the counts for All, Enabled policies, and Disabled policies. Enabled policies are listed at the top of the table. The Policy Instances column shows the number of instances deployed in the cluster for each policy.

    • To modify the configuration of a policy instance, click Modify in the Actions column or click the link in the Policy Name column.

    • In the Actions column, click Delete to delete all deployed instances of the policy in the cluster.

    • If the list of policy instances is empty, the policy has not been deployed to the cluster. You can click Enable in the Actions column to configure the parameters and then deploy the policy instance.

    For more information about policy descriptions and sample templates, see Predefined security policies of ACK.

Create a policy instance

You can perform the following steps to create a policy instance in a specified cluster.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the cluster you want and click its name. In the left-side pane, choose Security > Policy Governance.

  3. On the My Policies tab, click Create Policy Instance. In the Create Policy Instance dialog box, configure the parameters.

    Policy Type: First, select a policy type. The following major types are available:

    • Infra: Policies of this type are related to resources at the infrastructure layer.

    • Compliance: Policies of this type are customized based on Kubernetes compliance specifications.

    • PSP: Policies of this type are used as an alternative to Pod Security Policy (PSP).

    • K8s-general: General policies of this type are used for security hardening and constraints on Kubernetes resource configurations based on security best practices.

    Policy Name: Based on the selected policy type, select the name of the policy template to be deployed from the Policy Name drop-down list. For more information, see Policy rule library overview.

    Action:

    • Block: The deployment of specified resources that violate the policy rules is blocked.

    • Alert: The specified resources that violate the policy rules can still be deployed. Only alert logs for the corresponding violation audit are generated.

    Applicable Scope: Select the namespaces in the cluster in which the policy instance is enforced.

    Parameters:

    • If the parameter configuration input box is empty by default, the rule does not require parameter configuration.

    • If the input box contains a parameter template that needs to be configured, refer to the policy parameter description to configure the parameters in the specified format. For more information, see Policy rule library overview.

Modify a policy instance

You can perform the following steps to modify a deployed policy instance in a specified cluster.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the cluster you want and click its name. In the left-side pane, choose Security > Policy Governance.

  3. On the My Policies tab, click Modify in the Actions column for the target policy.

    When more than one policy instance is deployed in the cluster, you can click View Instances in the Actions column, select the instance to modify, click Modify for the policy, and then modify its configuration in the Modify Policy Instance dialog box. For more information, see Description of policy parameters.

Delete a policy instance

You can perform the following steps to delete a policy instance from a specified cluster.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the cluster you want and click its name. In the left-side pane, choose Security > Policy Governance.

  3. On the My Policies tab, in the Actions column for the target policy, click Delete.

    • Click Delete to remove all instances of the corresponding policy from the cluster.

    • If more than one policy instance is deployed in the cluster, you can click View Instances in the Actions column, select the target instance, and then click Delete.