
Container Service for Kubernetes: Configure ACK pod security policies in registered clusters

Last Updated: Apr 22, 2024

Container Service for Kubernetes (ACK) provides pod security policies that are suitable for registered clusters. You can configure pod security policies for registered clusters in a convenient and flexible manner. This helps the O&M engineers of enterprises better utilize the capabilities provided by ACK pod security policies. This topic describes how to install policy-template-controller and manage policy instances in registered clusters.


Background information

Compared with the pod security policies of Kubernetes, the pod security policies of ACK are suitable for registered clusters. You can configure pod security policies for registered clusters in a convenient and flexible manner. This helps the O&M engineers of enterprises better utilize the capabilities provided by ACK pod security policies.

Prerequisites

  • A registered cluster that runs 1.16.9-aliyun.1 or later is created and a self-managed cluster is connected to the cluster registration proxy. For more information, see Create a registered cluster and register an external cluster with ACK.

  • onectl is installed and configured on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  • If you want to manage pod security policies as a Resource Access Management (RAM) user, make sure that the RAM user has the following permissions. For more information about how to create custom RAM policies, see Create a custom RAM policy.

    • cs:DescribePolicies: Queries a list of policies.

    • cs:DescribePolicyDetails: Queries information about a policy.

    • cs:DescribePolicyGovernanceInCluster: Queries information about policies in a cluster.

    • cs:DescribePolicyInstances: Queries a specified policy instance that is deployed in a cluster.

    • cs:DescribePolicyInstancesStatus: Queries information about policy instances in a cluster.

    • cs:DeployPolicyInstance: Deploys a policy instance in a cluster.

    • cs:DeletePolicyInstance: Deletes a policy instance from a cluster.

    • cs:ModifyPolicyInstance: Modifies a policy instance in a cluster.

Usage notes

  • Only registered clusters that run 1.16.9-aliyun.1 or later support policy governance.

  • The policy governance feature can be applied only to Linux nodes.

  • Custom policies are not supported. All policies in the security policy module are predefined security policies provided by ACK.

  • You can install the gatekeeper component only from the Add-ons page in the ACK console or by using onectl.

    If the gatekeeper component is already installed in your cluster by using other methods, uninstall the component and then reinstall it from the Add-ons page. For more information about the release notes for gatekeeper, see gatekeeper.

Install policy-template-controller

policy-template-controller is a Kubernetes controller that is developed based on the predefined policies of ACK. It helps you better manage policy instances created from different predefined policies and view the status of policy instances in your cluster.

Before you install policy-template-controller, you must install the following components:

  • gatekeeper: a Kubernetes admission controller that enforces the policies executed by the OPA policy engine in your cluster, and allows you to manage the labels of namespaces.

  • logtail-ds: collects the logs of blocking events and alerting events that are generated by policy violations, and allows you to retrieve those logs.

You can use one of the following methods to install gatekeeper, logtail-ds, and policy-template-controller:

Use onectl

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. Run the following command to install gatekeeper, logtail-ds, and policy-template-controller:

    onectl ram-user grant --addon logtail-ds
    onectl addon install gatekeeper
    onectl addon install logtail-ds
    onectl addon install policy-template-controller

    Expected output:

    Ram policy ack-one-registered-cluster-policy-logtail-ds granted to ram user ack-one-user-ce313528c3 successfully.
    Addon gatekeeper, version **** installed.
    Addon logtail-ds, version **** installed.
    Addon policy-template-controller, version **** installed.

Use the console

Install gatekeeper and logtail-ds from the Add-ons page in the ACK console. For more information, see Manage components.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Security > Policy Governance in the left-side navigation pane.

  3. On the Policy Governance page, click Install. Follow the instructions on the page to install policy-template-controller.

Policies

The following table describes the predefined policies of the policy governance feature. For more information about how to configure the policy parameters and deploy a policy, see Predefined security policies of ACK.

Each policy is listed below under its category, with its severity in parentheses.

Compliance

  • ACKNoEnvVarSecrets (medium): The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables.

  • ACKPodsRequireSecurityContext (low): Pods in the specified namespaces must be configured with the securityContext parameter.

  • ACKRestrictNamespaces (low): Resources of the specified types cannot be deployed in the specified namespaces.

  • ACKRestrictRoleBindings (high): RoleBindings in the specified namespaces can be used to bind only the specified Roles or ClusterRoles.

  • ACKNamespacesDeleteProtection (medium): Specified namespaces cannot be deleted.

Infra

  • ACKBlockProcessNamespaceSharing (high): Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter.

  • ACKEmptyDirHasSizeLimit (low): The sizeLimit parameter must be configured when you mount emptyDir volumes.

  • ACKLocalStorageRequireSafeToEvict (low): Pods in the specified namespaces must be configured with the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. By default, autoscaler does not evict pods that are mounted with hostPath volumes or emptyDir volumes during automatic scaling activities. To enable autoscaler to evict these pods, you must add this annotation to the configurations of the pods.

  • ACKOSSStorageLocationConstraint (low): Specifies whether Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces.

K8s-general

  • ACKAllowedRepos (high): Pods in the specified namespaces can pull images only from the specified image repositories.

  • ACKBlockAutoinjectServiceEnv (low): Pods in the specified namespaces must be configured with enableServiceLinks: false, which specifies that Service IP addresses are not injected into pod environment variables.

  • ACKBlockAutomountToken (high): Pods in the specified namespaces must be configured with automountServiceAccountToken: false, which specifies that service account tokens are not automatically mounted.

  • ACKBlockEphemeralContainer (medium): Pods in the specified namespaces cannot launch ephemeral containers.

  • ACKBlockLoadBalancer (high): LoadBalancer Services cannot be deployed in the specified namespaces.

  • ACKBlockNodePort (high): NodePort Services cannot be deployed in the specified namespaces.

  • ACKContainerLimits (low): Pods in the specified namespaces must be configured with resource limits.

  • ACKExternalIPs (high): Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content.

  • ACKImageDigests (low): Pods in the specified namespaces must be deployed from images whose digests comply with the specified format.

  • ACKRequiredLabels (low): Pods in the specified namespaces must have labels that comply with the policy content.

  • ACKRequiredProbes (medium): Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes.

  • ACKCheckNginxPath (high): The spec.rules[].http.paths[].path parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1.

  • ACKCheckNginxAnnotation (high): The metadata.annotations parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1.

  • ACKBlockInternetLoadBalancer (high): Internet-facing LoadBalancer Services cannot be created.

PSP

  • ACKPSPAllowPrivilegeEscalationContainer (medium): Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter.

  • ACKPSPAllowedUsers (medium): Pods in the specified namespaces must be configured with the user, group, supplementalGroups, and fsGroup settings.

  • ACKPSPAppArmor (low): Pods in the specified namespaces must be configured with AppArmor settings.

  • ACKPSPCapabilities (high): Pods in the specified namespaces must be configured with Linux Capabilities settings.

  • ACKPSPFSGroup (medium): Pods in the specified namespaces must be configured with fsGroup settings that comply with the policy content.

  • ACKPSPFlexVolumes (medium): Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content.

  • ACKPSPForbiddenSysctls (high): Pods in the specified namespaces cannot use the specified sysctls.

  • ACKPSPHostFilesystem (high): hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions.

  • ACKPSPHostNamespace (high): Pods in the specified namespaces cannot share the host namespaces.

  • ACKPSPHostNetworkingPorts (high): Specifies whether pods in the specified namespaces can use the host network and the specified ports.

  • ACKPSPPrivilegedContainer (high): Pods in the specified namespaces cannot run privileged containers.

  • ACKPSPProcMount (low): Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content.

  • ACKPSPReadOnlyRootFilesystem (medium): Pods in the specified namespaces must run with read-only root file systems.

  • ACKPSPSELinuxV2 (low): Pods in the specified namespaces cannot be configured with SELinux options that are not specified in the policy content.

  • ACKPSPSeccomp (low): Pods in the specified namespaces must be configured with the specified seccomp profiles.

  • ACKPSPVolumeTypes (medium): Only volumes of the specified types can be mounted to pods in the specified namespaces.

View information about policies in a cluster

After you install policy-template-controller, you can perform the following steps to view information about the policies in your cluster.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Security > Policy Governance in the left-side navigation pane.

  3. On the Overview tab, you can view information about policies in the cluster.

    The following information is displayed:

    • An overview of policies in the cluster: the number of high-severity policies and the number of them that are enabled, and the number of medium-severity policies and the number of them that are enabled. Policies that the system recommends you enable are also listed.

    • The numbers of blocking events and alerting events that are generated within the last seven days.

    • The records of the latest 100 events that are generated within the last 7 days. To view more information about the audit log, click the icon next to Actions within Last 7 Days. In the tooltip that appears, click the hyperlink to go to the Logstore details page in the Log Service console, where you can view the log that is stored in the Logstore.

View policies and policy instances in a cluster

To view policies and policy instances in your cluster, perform the following steps:

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Security > Policy Governance in the left-side navigation pane.

  3. On the My Policies tab, you can view the names of policies in your cluster.

    You can view the names of policies in your cluster and the total number of policies, the number of enabled policies, and the number of disabled policies in the upper-right corner of the tab. Enabled policies are displayed above disabled policies in the list. You can view the number of policy instances that are deployed from each policy.

    • To modify a policy instance, select the policy from which the policy instance is deployed and click the policy name or Modify in the Actions column, and then modify the policy instance configuration.

    • To delete all policy instances that are deployed from a policy, click Delete in the Actions column.

    • If no value is displayed in the Instances column, the policy is disabled. To deploy a policy instance from a disabled policy, click Enable in the Actions column.

    For more information about policies and their templates, see Predefined security policies of ACK.

Deploy a policy instance

To deploy a policy instance in your cluster, perform the following steps:

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Security > Policy Governance in the left-side navigation pane.

  3. Click the My Policies tab and then click Create Policy Instance. In the Create Policy Instance dialog box, set the following parameters.

    • Policy Type: Select a policy type. Valid values:

      • Infra: Policies of this type are used to enforce security control on infrastructure resources.

      • Compliance: Policies of this type are used to enforce security control based on the Kubernetes Benchmark.

      • PSP: Policies of this type are used as an alternative to the PSP resource.

      • K8s-general: Policies of this type are used to enforce security control on Kubernetes resources based on the Alibaba Cloud standards of security best practices.

    • Policy Name: Select the name of the policy that you want to use. For more information, see Policies.

    • Action: Valid values:

      • Block: blocks resource deployments that match the policy.

      • Alert: generates alerts for resource deployments that match the policy. The resource deployments can still be performed.

    • Applicable Scope: Select the namespaces to which you want to apply the policy instance.

    • Parameters:

      • If the code editor is empty, no parameter is required for the policy.

      • If parameters are displayed in the code editor, set the parameters based on the description. For more information, see Policies.
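    The following is an added example, not code from the ACK documentation or from policy-template-controller. It shows, for a subset of the predefined policies in the Policies section, what a pod manifest must look like to comply, and how the Block and Alert actions chosen when you deploy a policy instance differ in effect. The predicates are a simplified reimplementation of the policy intent, the manifest is constructed for illustration, and the real enforcement is done by gatekeeper in the cluster.

```python
# Added example (not from the ACK docs or policy-template-controller): checks a pod manifest
# against a subset of the predefined ACK policies above and applies Block/Alert actions.

def _containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])

def _no_secret_env(spec):
    return not any("secretKeyRef" in env.get("valueFrom", {})
                   for c in _containers(spec) for env in c.get("env", []))

def _emptydir_has_limit(spec):
    return all("sizeLimit" in v["emptyDir"]
               for v in spec.get("volumes", []) if "emptyDir" in v)

def _no_privileged(spec):
    return not any(c.get("securityContext", {}).get("privileged") for c in _containers(spec))

# policy name -> (severity, predicate that is True when the pod spec complies)
POLICIES = {
    "ACKBlockAutomountToken": ("high", lambda s: s.get("automountServiceAccountToken") is False),
    "ACKBlockAutoinjectServiceEnv": ("low", lambda s: s.get("enableServiceLinks") is False),
    "ACKBlockProcessNamespaceSharing": ("high", lambda s: not s.get("shareProcessNamespace")),
    "ACKNoEnvVarSecrets": ("medium", _no_secret_env),
    "ACKEmptyDirHasSizeLimit": ("low", _emptydir_has_limit),
    "ACKPSPPrivilegedContainer": ("high", _no_privileged),
}

def evaluate(pod):
    """Return [(policy, severity)] for every policy in POLICIES that the pod violates."""
    spec = pod.get("spec", {})
    return [(name, sev) for name, (sev, ok) in POLICIES.items() if not ok(spec)]

def admit(pod, instances):
    """instances maps policy name -> 'Block' or 'Alert' (the Action of a deployed policy
    instance). Block denies the pod; Alert records the violation but lets it through."""
    violated = [name for name, _ in evaluate(pod)]
    blocked = [n for n in violated if instances.get(n) == "Block"]
    alerted = [n for n in violated if instances.get(n) == "Alert"]
    return (not blocked, blocked, alerted)

# Constructed sample manifest (not a real workload), non-compliant with four policies.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "automountServiceAccountToken": True,   # violates ACKBlockAutomountToken
        "enableServiceLinks": False,            # complies with ACKBlockAutoinjectServiceEnv
        "shareProcessNamespace": True,          # violates ACKBlockProcessNamespaceSharing
        "containers": [{"name": "app", "image": "registry.example/app:1.0",
            "env": [{"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}],
            "securityContext": {"privileged": False}}],
        "volumes": [{"name": "scratch", "emptyDir": {}}]}}   # violates ACKEmptyDirHasSizeLimit
```

    Running evaluate(SAMPLE_POD) lists the four violated policies with their severities; admit(SAMPLE_POD, {...}) returns whether the pod would be admitted under the given per-policy actions.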

Modify a policy instance

To modify a policy instance in your cluster, perform the following steps:

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Security > Policy Governance in the left-side navigation pane.

  3. On the My Policies tab, select the policy that you want to manage and click the policy name or Modify in the Actions column.

    If more than one policy instance is deployed from the policy, click View Instances in the Actions column, select the policy instance that you want to modify, and then click Modify. In the Modify Policy Instance dialog box, modify the parameter settings. For more information about the parameters, see the description of policy parameters.

Delete a policy instance

To delete a policy instance from your cluster, perform the following steps:

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Security > Policy Governance in the left-side navigation pane.

  3. On the My Policies tab, select the policy from which the policy instance that you want to delete is deployed and click Delete in the Actions column.

    • To delete all policy instances that are deployed from the policy, click Delete in the Actions column.

    • To delete a specific policy instance if more than one policy instance is deployed from the policy, click View Instances in the Actions column, find the policy instance that you want to delete, and then click Delete.