Configure and enforce ACK pod security policies - Container Service for Kubernetes

Background information

The PodSecurityPolicy (PSP) resource is deprecated as of Kubernetes 1.21. To address this situation, ACK upgrades the former policy management feature that is based on the PSP resource to the new policy governance feature that is based on the Open Policy Agent (OPA) policy engine and the gatekeeper admission controller. The new policy governance feature enables status monitoring, log collection, and log retrieval for policies, and provides a variety of predefined policies that suit more Kubernetes scenarios than PSPs. In addition, the configuration of these policies is easy and flexible, which helps the O&M engineers of enterprises better utilize the capabilities provided by ACK pod security policies.

Prerequisites

An ACK standard cluster or ACK dedicated cluster is created. The Kubernetes version is 1.16.9-aliyun.1 or later. For more information, see Create an ACK managed cluster or Create an ACK dedicated cluster.
If you want to manage pod security policies as a Resource Access Management (RAM) user, make sure that the RAM user is granted the following permissions:
- cs:DescribePolicies: queries policies.
- cs:DescribePoliceDetails: queries information about a policy.
- cs:DescribePolicyGovernanceInCluster: queries information about policies in a cluster.
- cs:DescribePolicyInstances: queries a specified policy instance that is deployed in a cluster.
- cs:DescribePolicyInstancesStatus: queries information about policy instances in a cluster.
- cs:DeployPolicyInstance: deploys a policy instance in a specified cluster.
- cs:DeletePolicyInstance: deletes policy instances in a specified cluster.
- cs:ModifyPolicyInstance: modifies a policy instance in a specified cluster.
For more information about how to create custom RAM policies, see Create a custom RAM policy.

Considerations

The Kubernetes version of your ACK cluster must be 1.16.9-aliyun.1 or later.
The policy governance feature can be applied only to Linux nodes.
The policy governance feature does not allow you to configure custom policies. You can use only the predefined policies of the policy governance feature.
To use the policy governance feature, you must install gatekeeper from the Add-ons page of the ACK console.
If gatekeeper is installed in other ways, you must uninstall gatekeeper and then install gatekeeper from the Add-ons page of the ACK console. For more information about the release notes for gatekeeper, see gatekeeper.

Install policy-template-controller

policy-template-controller is a policy template controller developed by Alibaba Cloud. policy-template-controller helps you manage policy instances in a cluster.

Before you install policy-template-controller in your cluster, you must install the following components:

gatekeeper: an admission controller for Kubernetes that enforces policies executed by the OPA policy engine. gatekeeper helps you manage and enforce policies executed by the OPA policy engine in your cluster, and allows you to manage the labels of namespaces.
logtail-ds: collects the log of blocking events and alerting events that are generated due to violations against policies. logtail-ds also allows you to retrieve the log.

For more information about how to install gatekeeper and logtail-ds, see Manage system components.

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
On the Policy Governance page, the system automatically checks whether the required components are installed or upgradable, and instructs you to install or upgrade the component on the page.

Policies

The following table describes the predefined policies of the policy governance feature. For more information about how to set the parameters of a policy and deploy a policy, see Predefined security policies of ACK.


Category	Policy	Description	Severity
CIS-K8s	`ACKNoEnvVarSecrets`	The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables.	medium
	`ACKPodsRequireSecurityContext`	Pods in the specified namespaces must be configured with the `securityContext` parameter.	low
	`ACKRestrictNamespaces`	Resources of the specified types cannot be deployed in the specified namespaces.	low
	`ACKRestrictRoleBindings`	RoleBindings in the specified namespaces can be used to bind only the specified Roles or ClusterRoles.	high
Infra	`ACKBlockProcessNamespaceSharing`	Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter.	high
	`ACKEmptyDirHasSizeLimit`	The `sizelimit` parameter must be configured when you mount emptyDir volumes.	low
	`ACKLocalStorageRequireSafeToEvict`	Pods in the specified namespaces must be configured with the `"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"` annotation. By default, `autoscaler` does not evict pods that are mounted with hostPath volumes or emptyDir volumes during automatic scaling activities. To enable autoscaler to evict these pods, you must add this annotation to the configurations of the pods.	low
	`ACKOSSStorageLocationConstraint`	Specifies whether Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces.	low
K8s-general	`ACKAllowedRepos`	Pods in the specified namespaces can pull images only from the specified image repositories.	high
	`ACKBlockAutoinjectServiceEnv`	Pods in the specified namespaces must be configured with `enableServiceLinks: false`, which specifies that Service IP addresses are not injected to pod environment variables.	low
	`ACKBlockAutomountToken`	Pods in the specified namespaces must be configured with `automountServiceAccountToken: false`, which specifies that `service accounts` are not automatically mounted.	high
	`ACKBlockEphemeralContainer`	Pods in the specified namespaces cannot launch ephemeral containers.	medium
	`ACKBlockLoadBalancer`	LoadBalancer Services cannot be deployed in the specified namespaces.	high
	`ACKBlockNodePort`	NodePort Services cannot be deployed in the specified namespaces.	high
	`ACKContainerLimits`	Pods in the specified namespaces must be configured with resource `limits`.	low
	`ACKExternalIPs`	Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content.	high
	`ACKImageDigests`	Pods in the specified namespaces must be deployed from images whose digests comply with the specified format.	low
	`ACKRequiredLabels`	Pods in the specified namespaces must have labels that comply with the policy content.	low
	`ACKRequiredProbes`	Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes.	medium
	`ACKCheckNginxPath`	The `spec.rules[].http.paths[].path` parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1.	high
	`ACKCheckNginxAnnotation`	The `metadata.annotations` parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1.	high
PSP	`ACKPSPAllowPrivilegeEscalationContainer`	Pods in the specified namespaces must be configured with the `allowPrivilegeEscalation` parameter.	medium
	`ACKPSPAllowedUsers`	Pods in the specified namespaces must be configured with the `user`, `group`, `supplementalGroups`, and `fsGroup` settings.	medium
	`ACKPSPAppArmor`	Pods in the specified namespaces must be configured with AppArmor settings.	low
	`ACKPSPCapabilities`	Pods in the specified namespaces must be configured with Linux Capabilities settings.	high
	`ACKPSPFSGroup`	Pods in the specified namespaces must be configured with fsGroup settings that comply with the policy content.	medium
	`ACKPSPFlexVolumes`	Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content.	medium
	`ACKPSPForbiddenSysctls`	Pods in the specified namespaces cannot use the specified sysctls.	high
	`ACKPSPHostFilesystem`	hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions.	high
	`ACKPSPHostNamespace`	Pods in the specified namespaces cannot share the host namespaces.	high
	`ACKPSPHostNetworkingPorts`	Specifies whether pods in the specified namespaces can use the host network and specified ports.	high
	`ACKPSPPrivilegedContainer`	Pods in the specified namespaces cannot run privileged containers.	high
	`ACKPSPProcMount`	Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content.	low
	`ACKPSPReadOnlyRootFilesystem`	Pods in the specified namespaces must run with read-only root file systems.	medium
	`ACKPSPSELinuxV2`	Pods in the specified namespaces cannot be configured with SELinux options that are not specified by the allowedSELinuxOptions parameter.	low
	`ACKPSPSeccomp`	Pods in the specified namespaces must be configured with the specified seccomp profiles.	low
	`ACKPSPVolumeTypes`	Only volumes of the specified types can be mounted to pods in the specified namespace.	medium

View information about policies in a cluster

After you install policy-template-controller, you can perform the following steps to view information about policies in your cluster.

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
On the Overview tab, you can view information about policies in the cluster.
The following information is displayed:
- An overview of policies in the cluster, including the numbers of high severity level policies, high severity level policies that are enabled, medium severity level policies, and medium severity level policies that are enabled. Policies that the system recommends you to enable are also listed.
- The numbers of blocking events and alerting events that are generated within the last seven days.
- The records of the latest 100 events that are generated within the last 7 days. To view more information about the audit log, click the icon next to Actions within Last 7 Days. In the tooltip that appears, click the hyperlink to go to the Logstore details page in the Log Service console. You can view the log that is stored in the Logstore.

View policies and policy instances in a cluster

To view policies and policy instances in your cluster, perform the following steps:

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
On the My Policies tab, you can view the names of policies in your cluster.
You can view the names of policies in your cluster, and the total number of policies, the number of enabled policies, and the number of disabled policies in the upper-right corner of the tab. Enabled policies are displayed above disabled policies in the list. You can view the number of policy instances that are deployed from each policy.
- To modify a policy instance, select the policy from which the policy instance is deployed and click the policy name or Modify in the Actions column, and then modify the policy instance configuration.
- To delete all policy instances that are deployed from a policy, click Delete in the Actions column.
- If the number of policy instances that are deployed from a policy is 0, the policy is disabled. To deploy a policy instance from a disabled policy, click Enable in the Actions column.
For more information about policies and their templates, see Predefined security policies of ACK.

Deploy a policy instance

To deploy a policy instance in your cluster, perform the following steps.

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.

On the My Policies tab, click Create Policy Instance.

In the Create Policy Instance dialog box, set the parameters. The following table describes the parameters.


Parameter	Description
Policy Type	Select a policy type. Valid values: Infra: Policies of this type are used to enforce security control on infrastructure resources. CIS-K8s: Policies of this type are used to enforce security control based on the Center for Internet Security (CIS) Kubernetes Benchmark. PSP: Policies of this type are used as an alternative to the PSP resource. K8s-general: Policies of this type are used to enforce security control on Kubernetes resources based on the Alibaba Cloud standards of best security practices.
Action	Block: blocks resource deployments that match the policy. Alert: generates alerts for resource deployments that match the policy. The resource deployments can still be performed.
Policy Name	Select the name of the policy that you want to use. For more information, see Policies.
Applicable Scope	Select the namespaces to which you want to apply the policy instance.
Parameters	If the code editor is empty, it indicates that no parameter is required for the policy. If parameters are displayed in the code editor, set the parameters based on the description. For more information, see Policies.

Modify a policy instance

To modify a policy instance in your cluster, perform the following steps:

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
On the My Policies tab, select the policy that you want to manage and click the policy name or Modify in the Actions column.
If more than one policy instance is deployed from the policy, click View Instances in the Actions column, select the policy instance that you want to modify, and then click Modify. In the Modify Policy Instance dialog box, modify the parameter settings. For more information about the parameters, see the description of policy parameters.

Delete a policy instance

To delete a policy instance from your cluster, perform the following steps:

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
On the My Policies tab, select the policy from which the policy instance you want to delete is deployed and click Delete in the Actions column.
- To delete all policy instances that are deployed from the policy, click Delete in the Actions column.
- To delete a specific policy instance if more than one policy instance is deployed from the policy, click View Instances in the Actions column, find the policy instance that you want to delete, and then click Delete.