The ACK security policy management feature provides security policy rules suited to Kubernetes container scenarios. A new policy has been added that forces pods to have the ASM sidecar injected, which further enhances the security of clusters connected to ASM. This topic describes how to enable the forced sidecar injection policy in an ACK cluster and demonstrates the effects after the policy is enabled.
Background
Policy governance
PodSecurityPolicy (PSP) is deprecated in Kubernetes 1.21 and later. Therefore, ACK has reworked its PSP-based policy governance feature. ACK uses OPA Gatekeeper as an admission controller and extends it with features such as policy governance status monitoring, log collection, and log retrieval. In addition, a variety of policy libraries are provided so that you can apply more security policies that target Kubernetes scenarios. You can configure security policies directly in the console, which greatly simplifies policy governance configuration.
The following describes the main policies:
Infra: Policies of this type are used to enforce security control on infrastructure resources.
Compliance: Policies of this type are customized based on Kubernetes compliance standards, such as Alibaba Cloud Kubernetes Security Hardening.
PSP: Policies of this type are used to substitute the PSP resource.
K8s-general: Policies of this type are used to enforce security control on Kubernetes resources based on the standards of Alibaba Cloud security best practices.
Sidecar injection
If you install a sidecar proxy in the pod of an application, an independent container is created in the pod to provide the features of the sidecar proxy. To make full use of these features, each service in your application requires a sidecar proxy to run in the pod of the service. The sidecar proxy intercepts all inbound and outbound HTTP traffic of the service and communicates with the Pilot component on the Istio control plane of the corresponding ASM instance.
Prerequisites
The cluster runs Kubernetes 1.16 or later. For more information about how to update an ACK cluster, see Manually update ACK clusters.
When you manage security policies as a Resource Access Management (RAM) user, make sure that the RAM user is granted the following permissions:
cs:DescribePolicies: queries policies.
cs:DescribePolicyDetails: queries information about a policy.
cs:DescribePolicyGovernanceInCluster: queries information about policies in a cluster.
cs:DescribePolicyInstances: queries a policy instance that is deployed in a cluster.
cs:DescribePolicyInstancesStatus: queries information about policy instances in a cluster.
cs:DeployPolicyInstance: deploys a policy instance in a cluster.
cs:DeletePolicyInstance: deletes policy instances in a cluster.
cs:ModifyPolicyInstance: modifies a policy instance in a cluster.
For more information about how to create custom RAM policies, see Create a custom RAM policy.
Configuration methods
After a cluster is added to an ASM instance, namespace-level automatic injection is not enabled by default. Once this policy is enabled in the cluster, creating pods in the related namespaces may fail, or the cluster receives high-risk security alerts after the pods are created and corresponding alert logs are generated. The following figure shows the configuration process:
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
On the Policy Governance page, install or upgrade the component (if needed) as prompted, and then perform the following operations as needed.
Enable the forced injection policy from the security policy list.
Click the My Policies tab to view the names of all deployed policies in the cluster.
Find the ASMSidecarInjectionEnforced policy in the Policy Name column, and click Enable in the Actions column.
Configure the following parameters, and then click Create:
Action: Select one of the following options based on your business requirements.
Block: blocks resource deployments that match the policy.
Alert: generates alerts for resource deployments that match the policy. The resource deployments can still be performed.
Applicable Scope: Select the namespaces to which you want to apply the policy instance. You can also select all namespaces (not recommended).
Parameters: Leave this parameter unspecified.
Create a policy instance.
Click the My Policies tab, and then click Create Policy Instance. In the Create Policy Instance dialog box, configure the following parameters.
Policy Type: Select infra. For more information, see Predefined security policies of ACK.
Policy Name: Based on the selected policy type, select ASMSidecarInjectionEnforced from the Policy Name drop-down list.
Action: Select one of the following options based on your business requirements.
Block: blocks resource deployments that match the policy.
Alert: generates alerts for resource deployments that match the policy. The resource deployments can still be performed.
Applicable Scope: Select the namespaces to which you want to apply the policy instance. You can also select all namespaces (not recommended).
Parameters: Leave this parameter unspecified.
Verify the policy.
In this verification, automatic injection is not enabled for the default namespace, and the forced injection policy is enabled in ACK with Action set to Block.
View the workload.
The following figure shows that the pod has failed to be created.
Click the Overview tab. In the Actions within Last 7 Days section, blocking records are displayed.
Edit the policy and set Action to Alert.
Redeploy the HTTPBin application.
View the workload.
The following figure shows that the application is deployed successfully.
Click the Overview tab. In the Actions within Last 7 Days section, alerting records are displayed.
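The Block and Alert behaviour shown above can be reasoned about locally. The following added example (not ACK's or Gatekeeper's own policy code) simulates the admission decision for a policy instance: a pod in an in-scope namespace that lacks the sidecar container matches the policy; Block denies it, Alert admits it but records a violation. It assumes the injected sidecar container is named istio-proxy, and the pod specs are constructed sample data.

```python
"""Local simulation of the ASMSidecarInjectionEnforced decision (hypothetical logic, added example)."""
from typing import Dict, List

SIDECAR_CONTAINER = "istio-proxy"  # assumption: name of the injected ASM sidecar container


def has_sidecar(pod: Dict) -> bool:
    """True if the pod spec already carries the sidecar proxy container."""
    containers = pod.get("spec", {}).get("containers", [])
    return any(c.get("name") == SIDECAR_CONTAINER for c in containers)


def evaluate_pod(pod: Dict, action: str, scope: List[str]) -> Dict:
    """Mimic a policy instance with Action=Block|Alert and an Applicable Scope of namespaces.

    Returns a verdict with allowed (admission result), matched (policy hit) and message.
    """
    if action not in ("Block", "Alert"):
        raise ValueError("action must be Block or Alert")
    ns = pod.get("metadata", {}).get("namespace", "default")
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    # Pods outside the Applicable Scope, or already injected, never match the policy.
    if ns not in scope or has_sidecar(pod):
        return {"allowed": True, "matched": False, "message": ""}
    msg = f"pod {ns}/{name} has no {SIDECAR_CONTAINER} sidecar; ASMSidecarInjectionEnforced matched"
    # Block denies the request; Alert lets it through but leaves an alert record.
    return {"allowed": action == "Alert", "matched": True, "message": msg}


# Constructed sample specs: an un-injected httpbin pod and one with the sidecar present.
HTTPBIN_NO_SIDECAR = {
    "metadata": {"name": "httpbin", "namespace": "default"},
    "spec": {"containers": [{"name": "httpbin", "image": "httpbin:latest"}]},
}
HTTPBIN_INJECTED = {
    "metadata": {"name": "httpbin", "namespace": "default"},
    "spec": {"containers": [
        {"name": "httpbin", "image": "httpbin:latest"},
        {"name": SIDECAR_CONTAINER, "image": "proxyv2:latest"},
    ]},
}

if __name__ == "__main__":
    for action in ("Block", "Alert"):
        print(action, evaluate_pod(HTTPBIN_NO_SIDECAR, action, ["default"]))
```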