Compared with the native pod security policies of Kubernetes, the pod security policies of Container Service for Kubernetes (ACK) are tailored to Kubernetes applications and can be configured in a convenient and flexible manner, which helps enterprise O&M engineers make better use of them. This topic describes how to install policy-template-controller and manage policy instances that are deployed from ACK pod security policies.

Background information

The PodSecurityPolicy (PSP) resource is deprecated as of Kubernetes 1.21. In response, ACK has upgraded its former policy management feature, which was based on the PSP resource, to a policy governance feature that is based on the Open Policy Agent (OPA) policy engine and the gatekeeper admission controller. The policy governance feature provides status monitoring, log collection, and log retrieval for policies, and offers a variety of predefined policies that cover more Kubernetes scenarios than PSPs. These policies are easy and flexible to configure, which helps enterprise O&M engineers make better use of ACK pod security policies.

Prerequisites

  • An ACK standard cluster or ACK dedicated cluster is created. The Kubernetes version is 1.16.9-aliyun.1 or later. For more information, see Create an ACK managed cluster or Create an ACK dedicated cluster.
  • If you want to manage pod security policies as a Resource Access Management (RAM) user, make sure that the RAM user is granted the following permissions:
    • cs:DescribePolicies: queries policies.
    • cs:DescribePolicyDetails: queries information about a policy.
    • cs:DescribePolicyGovernanceInCluster: queries information about policies in a cluster.
    • cs:DescribePolicyInstances: queries a specified policy instance that is deployed in a cluster.
    • cs:DescribePolicyInstancesStatus: queries information about policy instances in a cluster.
    • cs:DeployPolicyInstance: deploys a policy instance in a specified cluster.
    • cs:DeletePolicyInstance: deletes policy instances in a specified cluster.
    • cs:ModifyPolicyInstance: modifies a policy instance in a specified cluster.

    For more information about how to create custom RAM policies, see Create a custom RAM policy.

Considerations

  • The Kubernetes version of your ACK cluster must be 1.16.9-aliyun.1 or later.
  • The policy governance feature can be applied only to Linux nodes.
  • The policy governance feature does not allow you to configure custom policies. You can use only the predefined policies of the policy governance feature.
  • To use the policy governance feature, you must install gatekeeper from the Add-ons page of the ACK console.

    If gatekeeper is installed in other ways, you must uninstall it and then reinstall it from the Add-ons page of the ACK console. For the release notes of gatekeeper, see gatekeeper.

Install policy-template-controller

policy-template-controller is a policy template controller developed by Alibaba Cloud that helps you manage policy instances in a cluster.

Before you install policy-template-controller in your cluster, you must install the following components:
  • gatekeeper: an admission controller for Kubernetes that enforces the policies evaluated by the OPA policy engine in your cluster. gatekeeper also allows you to manage the labels of namespaces.
  • logtail-ds: collects the logs of the blocking events and alerting events that are generated by policy violations, and allows you to query these logs.
For more information about how to install gatekeeper and logtail-ds, see Manage system components.
  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
    On the Policy Governance page, the system automatically checks whether the required components are installed or upgradable, and instructs you to install or upgrade the component on the page.

Policies

The following table describes the predefined policies of the policy governance feature. For more information about how to set the parameters of a policy and deploy a policy, see Predefined security policies of ACK.

Category | Policy | Description | Severity
CIS-K8s | ACKNoEnvVarSecrets | The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables. | medium
CIS-K8s | ACKPodsRequireSecurityContext | Pods in the specified namespaces must be configured with the securityContext parameter. | low
CIS-K8s | ACKRestrictNamespaces | Resources of the specified types cannot be deployed in the specified namespaces. | low
CIS-K8s | ACKRestrictRoleBindings | RoleBindings in the specified namespaces can be used to bind only the specified Roles or ClusterRoles. | high
Infra | ACKBlockProcessNamespaceSharing | Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter. | high
Infra | ACKEmptyDirHasSizeLimit | The sizeLimit parameter must be configured when you mount emptyDir volumes. | low
Infra | ACKLocalStorageRequireSafeToEvict | Pods in the specified namespaces must be configured with the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. By default, autoscaler does not evict pods that are mounted with hostPath volumes or emptyDir volumes during automatic scaling activities. To enable autoscaler to evict these pods, you must add this annotation to the configurations of the pods. | low
Infra | ACKOSSStorageLocationConstraint | Specifies whether Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces. | low
K8s-general | ACKAllowedRepos | Pods in the specified namespaces can pull images only from the specified image repositories. | high
K8s-general | ACKBlockAutoinjectServiceEnv | Pods in the specified namespaces must be configured with enableServiceLinks: false, which specifies that Service IP addresses are not injected into pod environment variables. | low
K8s-general | ACKBlockAutomountToken | Pods in the specified namespaces must be configured with automountServiceAccountToken: false, which specifies that service account tokens are not automatically mounted. | high
K8s-general | ACKBlockEphemeralContainer | Pods in the specified namespaces cannot launch ephemeral containers. | medium
K8s-general | ACKBlockLoadBalancer | LoadBalancer Services cannot be deployed in the specified namespaces. | high
K8s-general | ACKBlockNodePort | NodePort Services cannot be deployed in the specified namespaces. | high
K8s-general | ACKContainerLimits | Pods in the specified namespaces must be configured with resource limits. | low
K8s-general | ACKExternalIPs | Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content. | high
K8s-general | ACKImageDigests | Pods in the specified namespaces must be deployed from images whose digests comply with the specified format. | low
K8s-general | ACKRequiredLabels | Pods in the specified namespaces must have labels that comply with the policy content. | low
K8s-general | ACKRequiredProbes | Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes. | medium
K8s-general | ACKCheckNginxPath | The spec.rules[].http.paths[].path parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1. | high
K8s-general | ACKCheckNginxAnnotation | The metadata.annotations parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1. | high
PSP | ACKPSPAllowPrivilegeEscalationContainer | Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter. | medium
PSP | ACKPSPAllowedUsers | Pods in the specified namespaces must be configured with the user, group, supplementalGroups, and fsGroup settings. | medium
PSP | ACKPSPAppArmor | Pods in the specified namespaces must be configured with AppArmor settings. | low
PSP | ACKPSPCapabilities | Pods in the specified namespaces must be configured with Linux Capabilities settings. | high
PSP | ACKPSPFSGroup | Pods in the specified namespaces must be configured with fsGroup settings that comply with the policy content. | medium
PSP | ACKPSPFlexVolumes | Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content. | medium
PSP | ACKPSPForbiddenSysctls | Pods in the specified namespaces cannot use the specified sysctls. | high
PSP | ACKPSPHostFilesystem | hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions. | high
PSP | ACKPSPHostNamespace | Pods in the specified namespaces cannot share the host namespaces. | high
PSP | ACKPSPHostNetworkingPorts | Specifies whether pods in the specified namespaces can use the host network and the specified ports. | high
PSP | ACKPSPPrivilegedContainer | Pods in the specified namespaces cannot run privileged containers. | high
PSP | ACKPSPProcMount | Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content. | low
PSP | ACKPSPReadOnlyRootFilesystem | Pods in the specified namespaces must run with read-only root file systems. | medium
PSP | ACKPSPSELinuxV2 | Pods in the specified namespaces cannot be configured with SELinux options that are not specified by the allowedSELinuxOptions parameter. | low
PSP | ACKPSPSeccomp | Pods in the specified namespaces must be configured with the specified seccomp profiles. | low
PSP | ACKPSPVolumeTypes | Only volumes of the specified types can be mounted to pods in the specified namespaces. | medium
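As an added example that is not ACK's or gatekeeper's own code, the following Python script mirrors four of the policies above as a local pre-admission check on a Pod manifest and applies the Block or Alert action that a policy instance is created with. The rule logic is paraphrased from the table, and the sample manifest, instance mapping, and all function names are constructed for the illustration.

```python
# Added illustration, not ACK's or gatekeeper's code: a local pre-check that
# mirrors four predefined policies from the table above and the Block/Alert
# Action of a policy instance. The sample manifest and all names are constructed.

def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])

def block_automount_token(spec):
    # ACKBlockAutomountToken: automountServiceAccountToken must be false.
    ok = spec.get("automountServiceAccountToken") is False
    return [] if ok else ["automountServiceAccountToken is not false"]

def psp_privileged_container(spec):
    # ACKPSPPrivilegedContainer: no container may run privileged.
    return [f"container {c['name']} runs privileged" for c in _containers(spec)
            if (c.get("securityContext") or {}).get("privileged")]

def container_limits(spec):
    # ACKContainerLimits: every container must declare resource limits.
    return [f"container {c['name']} has no resource limits" for c in _containers(spec)
            if not (c.get("resources") or {}).get("limits")]

def no_env_var_secrets(spec):
    # ACKNoEnvVarSecrets: env vars must not be filled from secretKeyRef.
    return [f"env {e['name']} in {c['name']} uses secretKeyRef" for c in _containers(spec)
            for e in c.get("env", []) if "secretKeyRef" in (e.get("valueFrom") or {})]

POLICIES = {  # policy name -> (severity from the table, check function)
    "ACKBlockAutomountToken": ("high", block_automount_token),
    "ACKPSPPrivilegedContainer": ("high", psp_privileged_container),
    "ACKContainerLimits": ("low", container_limits), "ACKNoEnvVarSecrets": ("medium", no_env_var_secrets)}

def evaluate(pod, instances):
    """instances: policy name -> Action ("Block" denies admission, "Alert" only reports)."""
    result = {"blocked": [], "alerted": []}
    for name, action in instances.items():
        severity, check = POLICIES[name]
        for msg in check(pod.get("spec", {})):
            result["blocked" if action == "Block" else "alerted"].append(
                f"{name} ({severity}): {msg}")
    result["admitted"] = not result["blocked"]
    return result

SAMPLE_POD = {"kind": "Pod", "metadata": {"name": "demo"}, "spec": {"containers": [  # constructed
    {"name": "app", "image": "example.invalid/app:1.0", "securityContext": {"privileged": True},
     "env": [{"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}]}]}}
INSTANCES = {"ACKBlockAutomountToken": "Block", "ACKPSPPrivilegedContainer": "Block",
             "ACKContainerLimits": "Alert", "ACKNoEnvVarSecrets": "Alert"}

print(evaluate(SAMPLE_POD, INSTANCES))  # two blocked, two alerted, admitted False
```

Running the pre-check before applying a manifest shows which Block instances would reject it and which Alert instances would only log a violation.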

View information about policies in a cluster

After you install policy-template-controller, you can perform the following steps to view information about policies in your cluster.

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
  5. On the Overview tab, you can view information about policies in the cluster.
    The following information is displayed:
    • An overview of policies in the cluster: the numbers of high-severity policies and of high-severity policies that are enabled, and the numbers of medium-severity policies and of medium-severity policies that are enabled. Policies that the system recommends you enable are also listed.
    • The numbers of blocking events and alerting events that were generated within the last 7 days.
    • The records of the latest 100 events that were generated within the last 7 days. To view more of the audit log, click the icon next to Actions within Last 7 Days. In the tooltip that appears, click the hyperlink to go to the Logstore details page in the Log Service console, where you can view the log that is stored in the Logstore.

View policies and policy instances in a cluster

To view policies and policy instances in your cluster, perform the following steps:

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
  5. On the My Policies tab, you can view the names of policies in your cluster.
    The upper-right corner of the tab shows the total number of policies and the numbers of enabled and disabled policies. Enabled policies are listed above disabled policies, and the number of policy instances that are deployed from each policy is displayed.
    • To modify a policy instance, select the policy from which the policy instance is deployed and click the policy name or Modify in the Actions column, and then modify the policy instance configuration.
    • To delete all policy instances that are deployed from a policy, click Delete in the Actions column.
    • If the number of policy instances that are deployed from a policy is 0, the policy is disabled. To deploy a policy instance from a disabled policy, click Enable in the Actions column.
    For more information about policies and their templates, see Predefined security policies of ACK.

Deploy a policy instance

To deploy a policy instance in your cluster, perform the following steps:

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
  5. On the My Policies tab, click Create Policy Instance.
    In the Create Policy Instance dialog box, set the following parameters:
    • Policy Type: Select a policy type. Valid values:
      • Infra: Policies of this type enforce security control on infrastructure resources.
      • CIS-K8s: Policies of this type enforce security control based on the Center for Internet Security (CIS) Kubernetes Benchmark.
      • PSP: Policies of this type serve as an alternative to the PSP resource.
      • K8s-general: Policies of this type enforce security control on Kubernetes resources based on the Alibaba Cloud standards of best security practices.
    • Action: Select what the policy instance does when a resource deployment matches the policy. Valid values:
      • Block: blocks resource deployments that match the policy.
      • Alert: generates alerts for resource deployments that match the policy. The resource deployments can still be performed.
    • Policy Name: Select the name of the policy that you want to use. For more information, see Policies.
    • Applicable Scope: Select the namespaces to which you want to apply the policy instance.
    • Parameters:
      • If the code editor is empty, no parameter is required for the policy.
      • If parameters are displayed in the code editor, set them based on the description. For more information, see Policies.

Modify a policy instance

To modify a policy instance in your cluster, perform the following steps:

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
  5. On the My Policies tab, select the policy that you want to manage and click the policy name or Modify in the Actions column.
    If more than one policy instance is deployed from the policy, click View Instances in the Actions column, select the policy instance that you want to modify, and then click Modify. In the Modify Policy Instance dialog box, modify the parameter settings. For more information about the parameters, see the description of policy parameters.

Delete a policy instance

To delete a policy instance from your cluster, perform the following steps:

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the cluster details page, choose Security > Policy Governance.
  5. On the My Policies tab, find the policy from which the policy instance that you want to delete is deployed.
    • To delete all policy instances that are deployed from the policy, click Delete in the Actions column.
    • To delete a specific policy instance if more than one policy instance is deployed from the policy, click View Instances in the Actions column, find the policy instance that you want to delete, and then click Delete.