Container Service for Kubernetes (ACK) provides pod security policies that are suitable for registered clusters. You can configure pod security policies for registered clusters in a convenient and flexible manner. This helps the O&M engineers of enterprises better utilize the capabilities provided by ACK pod security policies. This topic describes how to install policy-template-controller and manage policy instances in registered clusters.
Background information
Compared with the pod security policies of Kubernetes, the pod security policies of ACK are suitable for registered clusters. You can configure pod security policies for registered clusters in a convenient and flexible manner. This helps the O&M engineers of enterprises better utilize the capabilities provided by ACK pod security policies.
Prerequisites
A registered cluster that runs 1.16.9-aliyun.1 or later is created and a self-managed cluster is connected to the cluster registration proxy. For more information, see Create a registered cluster and register an external cluster with ACK.
onectl is installed and configured on your on-premises machine. For more information, see Use onectl to manage registered clusters.
If you want to manage pod security policies as a Resource Access Management (RAM) user, make sure that the RAM user has the permissions listed in the following table. For more information about how to create custom RAM policies, see Create a custom RAM policy.
| Permission | Description |
| --- | --- |
| cs:DescribePolicies | Queries a list of policies. |
| cs:DescribePolicyDetails | Queries information about a policy. |
| cs:DescribePolicyGovernanceInCluster | Queries information about policies in a cluster. |
| cs:DescribePolicyInstances | Queries a specified policy instance that is deployed in a cluster. |
| cs:DescribePolicyInstancesStatus | Queries information about policy instances in a cluster. |
| cs:DeployPolicyInstance | Deploys a policy instance in a cluster. |
| cs:DeletePolicyInstance | Deletes a policy instance from a cluster. |
| cs:ModifyPolicyInstance | Modifies a policy instance in a cluster. |
Usage notes
Only registered clusters that run 1.16.9-aliyun.1 or later support policy governance.
The policy governance feature can be applied only to Linux nodes.
Custom policies are not supported. All policies in the security policy module are predefined security policies provided by ACK.
You can install the gatekeeper component only from the Add-ons page in the ACK console or by using onectl.
If the gatekeeper component is already installed in your cluster by using other methods, uninstall the component and then reinstall it from the Add-ons page. For more information about the release notes for gatekeeper, see gatekeeper.
Install policy-template-controller
policy-template-controller is a Kubernetes controller that is developed based on the predefined policies of ACK. It helps you better manage policy instances created from different predefined policies and view the status of policy instances in your cluster.
Before you install policy-template-controller, you must install the following components:
gatekeeper: a Kubernetes admission controller that enforces the policies evaluated by the Open Policy Agent (OPA) policy engine in your cluster, and allows you to manage the labels of namespaces.
logtail-ds: collects the logs of blocking events and alerting events that are generated by policy violations. logtail-ds also allows you to retrieve these logs.
You can use one of the following methods to install gatekeeper, logtail-ds, and policy-template-controller:
Use onectl
Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.
Run the following command to install gatekeeper, logtail-ds, and policy-template-controller:
onectl ram-user grant --addon logtail-ds
onectl addon install gatekeeper
onectl addon install logtail-ds
onectl addon install policy-template-controller
Expected output:
Ram policy ack-one-registered-cluster-policy-logtail-ds granted to ram user ack-one-user-ce313528c3 successfully.
Addon gatekeeper, version **** installed.
Addon logtail-ds, version **** installed.
Addon policy-template-controller, version **** installed.
Use the console
Install gatekeeper and logtail-ds from the Add-ons page in the ACK console. For more information, see Manage components.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the Policy Governance page, click Install. Follow the instructions on the page to install policy-template-controller.
Policies
The following table describes the predefined policies of the policy governance feature. For more information about how to configure the policy parameters and deploy a policy, see Predefined security policies of ACK.
| Category | Policy | Description | Severity |
| --- | --- | --- | --- |
| Compliance | | The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables. | medium |
| Compliance | | Pods in the specified namespaces must be configured with the | low |
| Compliance | | Resources of the specified types cannot be deployed in the specified namespaces. | low |
| Compliance | | RoleBindings in the specified namespaces can be used to bind only the specified Roles or ClusterRoles. | high |
| Compliance | | Specified namespaces cannot be deleted. | medium |
| Infra | | Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter. | high |
| Infra | | The | low |
| Infra | | Pods in the specified namespaces must be configured with the | low |
| Infra | | Specifies whether Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces. | low |
| K8s-general | | Pods in the specified namespaces can pull images only from the specified image repositories. | high |
| K8s-general | | Pods in the specified namespaces must be configured with | low |
| K8s-general | | Pods in the specified namespaces must be configured with | high |
| K8s-general | | Pods in the specified namespaces cannot launch ephemeral containers. | medium |
| K8s-general | | LoadBalancer Services cannot be deployed in the specified namespaces. | high |
| K8s-general | | NodePort Services cannot be deployed in the specified namespaces. | high |
| K8s-general | | Pods in the specified namespaces must be configured with resource | low |
| K8s-general | | Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content. | high |
| K8s-general | | Pods in the specified namespaces must be deployed from images whose digests comply with the specified format. | low |
| K8s-general | | Pods in the specified namespaces must have labels that comply with the policy content. | low |
| K8s-general | | Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes. | medium |
| K8s-general | | The | high |
| K8s-general | | The | high |
| K8s-general | | Internet-facing LoadBalancer Services cannot be created. | high |
| PSP | | Pods in the specified namespaces must be configured with the | medium |
| PSP | | Pods in the specified namespaces must be configured with the | medium |
| PSP | | Pods in the specified namespaces must be configured with AppArmor settings. | low |
| PSP | | Pods in the specified namespaces must be configured with Linux Capabilities settings. | high |
| PSP | | Pods in the specified namespaces must be configured with fsGroup settings that comply with the policy content. | medium |
| PSP | | Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content. | medium |
| PSP | | Pods in the specified namespaces cannot use the specified sysctls. | high |
| PSP | | hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions. | high |
| PSP | | Pods in the specified namespaces cannot share the host namespaces. | high |
| PSP | | Specifies whether pods in the specified namespaces can use the host network and specified ports. | high |
| PSP | | Pods in the specified namespaces cannot run privileged containers. | high |
| PSP | | Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content. | low |
| PSP | | Pods in the specified namespaces must run with read-only root file systems. | medium |
| PSP | | Pods in the specified namespaces cannot be configured with SELinux options that are not specified in the policy content. | low |
| PSP | | Pods in the specified namespaces must be configured with the specified seccomp profiles. | low |
| PSP | | Only volumes of the specified types can be mounted to pods in the specified namespaces. | medium |
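The following added example is not ACK's or gatekeeper's own evaluation logic. It is a local pre-deployment check that mirrors several of the predefined policies in the table above (host namespaces, shareProcessNamespace, ephemeral containers, privileged containers, read-only root file systems, image repositories, resource limits, and secretKeyRef environment references) so that you can predict which policy instances in Block mode would reject a manifest before you apply it. The image repository allowlist and the sample manifest are constructed for this example.

```python
from typing import Dict, List

# Assumed allowlist of image repositories (constructed for this example).
ALLOWED_REPOS = ("registry.example.com/",)


def check_pod(pod: Dict) -> List[str]:
    """Return findings named after the predefined policies the pod would violate."""
    spec = pod.get("spec", {})
    findings: List[str] = []
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        findings.append("host-namespaces")          # PSP: cannot share host namespaces
    if spec.get("shareProcessNamespace"):
        findings.append("share-process-namespace")  # Infra
    if spec.get("ephemeralContainers"):
        findings.append("ephemeral-containers")     # K8s-general
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"privileged:{c['name']}")          # PSP
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"writable-rootfs:{c['name']}")     # PSP
        if not c.get("image", "").startswith(ALLOWED_REPOS):
            findings.append(f"untrusted-repo:{c['name']}")      # K8s-general
        if not c.get("resources", {}).get("limits"):
            findings.append(f"no-resource-limits:{c['name']}")  # K8s-general
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                findings.append(f"secret-env-ref:{c['name']}")  # Compliance
    return findings


# Constructed sample manifest (the parsed form of a Pod YAML) for a quick run.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo", "namespace": "prod"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app",
            "image": "docker.io/library/nginx:1.25",
            "securityContext": {"privileged": True},
            "env": [{"name": "DB_PASS",
                     "valueFrom": {"secretKeyRef": {"name": "db", "key": "pass"}}}],
        }],
    },
}

if __name__ == "__main__":
    for finding in check_pod(SAMPLE_POD):
        print("would be blocked:", finding)
```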
View information about policies in a cluster
After you install policy-template-controller, you can perform the following steps to view information about the policies in your cluster.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the Overview tab, you can view information about policies in the cluster.
The following information is displayed:
An overview of policies in the cluster, including the numbers of high severity level policies, high severity level policies that are enabled, medium severity level policies, and medium severity level policies that are enabled. Policies that the system recommends you to enable are also listed.
The numbers of blocking events and alerting events that are generated within the last seven days.
The records of the latest 100 events that are generated within the last 7 days. To view more information about the audit log, click the icon next to Actions within Last 7 Days. In the tooltip that appears, click the hyperlink to go to the Logstore details page in the Log Service console. You can view the log that is stored in the Logstore.
View policies and policy instances in a cluster
To view policies and policy instances in your cluster, perform the following steps:
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the My Policies tab, you can view the names of policies in your cluster.
You can view the names of policies in your cluster and the total number of policies, the number of enabled policies, and the number of disabled policies in the upper-right corner of the tab. Enabled policies are displayed above disabled policies in the list. You can view the number of policy instances that are deployed from each policy.
To modify a policy instance, select the policy from which the policy instance is deployed and click the policy name or Modify in the Actions column, and then modify the policy instance configuration.
To delete all policy instances that are deployed from a policy, click Delete in the Actions column.
If no value is displayed in the Instances column, the policy is disabled. To deploy a policy instance from a disabled policy, click Enable in the Actions column.
For more information about policies and their templates, see Predefined security policies of ACK.
Deploy a policy instance
To deploy a policy instance in your cluster, perform the following steps.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
Click the My Policies tab and then click Create Policy Instance. In the Create Policy Instance dialog box, set the following parameters.
Parameter
Description
Policy Type
Select a policy type. Valid values:
Infra: Policies of this type are used to enforce security control on infrastructure resources.
Compliance: Policies of this type are used to enforce security control based on Kubernetes Benchmark.
PSP: Policies of this type are used as an alternative to the PSP resource.
K8s-general: Policies of this type are used to enforce security control on Kubernetes resources based on the Alibaba Cloud standards of security best practices.
Policy Name
Select the name of the policy that you want to use. For more information, see Policies.
Action
Block: blocks resource deployments that match the policy.
Alert: generates alerts for resource deployments that match the policy. The resource deployments can still be performed.
Applicable Scope
Select the namespaces to which you want to apply the policy instance.
Parameters
If the code editor is empty, it indicates that no parameter is required for the policy.
If parameters are displayed in the code editor, set the parameters based on the description. For more information, see Policies.
Modify a policy instance
To modify a policy instance in your cluster, perform the following steps:
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the My Policies tab, select the policy that you want to manage and click the policy name or Modify in the Actions column.
If more than one policy instance is deployed from the policy, click View Instances in the Actions column, select the policy instance that you want to modify, and then click Modify. In the Modify Policy Instance dialog box, modify the parameter settings. For more information about the parameters, see the description of policy parameters.
Delete a policy instance
To delete a policy instance from your cluster, perform the following steps:
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the My Policies tab, select the policy from which the policy instance that you want to delete is deployed and click Delete in the Actions column.
To delete all policy instances that are deployed from the policy, click Delete in the Actions column.
To delete a specific policy instance if more than one policy instance is deployed from the policy, click View Instances in the Actions column, find the policy instance that you want to delete, and then click Delete.