Compared with the native pod security policies of Kubernetes, the pod security policies of Container Service for Kubernetes (ACK) are tailored to Kubernetes application workloads and can be configured in a convenient and flexible manner, which helps the O&M engineers of enterprises make better use of them. This topic describes how to install policy-template-controller and manage the policy instances that are deployed from ACK pod security policies.
Background information
The PodSecurityPolicy (PSP) resource is deprecated as of Kubernetes 1.21 and was removed in Kubernetes 1.25. To address this, ACK upgrades the former policy management feature, which is based on the PSP resource, to the new policy governance feature, which is based on the Open Policy Agent (OPA) policy engine and the gatekeeper admission controller. Because gatekeeper runs as a validating admission webhook, a request that violates a policy is rejected or flagged before the object is persisted, and gatekeeper's audit additionally reports existing objects that violate a policy. The new policy governance feature enables status monitoring, log collection, and log retrieval for policies, and provides a variety of predefined policies that cover more Kubernetes scenarios than PSPs.
Prerequisites
- An ACK standard cluster or ACK dedicated cluster is created. The Kubernetes version is 1.16.9-aliyun.1 or later. For more information, see Create an ACK managed cluster or Create an ACK dedicated cluster.
- If you want to manage pod security policies as a Resource Access Management (RAM) user, make sure that the RAM user is granted the following permissions. Grant only the Describe* actions to users who need to view policies but not change them.
  - cs:DescribePolicies: queries policies.
  - cs:DescribePolicyDetails: queries information about a policy.
  - cs:DescribePolicyGovernanceInCluster: queries information about policies in a cluster.
  - cs:DescribePolicyInstances: queries a specified policy instance that is deployed in a cluster.
  - cs:DescribePolicyInstancesStatus: queries information about policy instances in a cluster.
  - cs:DeployPolicyInstance: deploys a policy instance in a specified cluster.
  - cs:DeletePolicyInstance: deletes policy instances in a specified cluster.
  - cs:ModifyPolicyInstance: modifies a policy instance in a specified cluster.
For more information about how to create custom RAM policies, see Create a custom RAM policy.
Considerations
- The Kubernetes version of your ACK cluster must be 1.16.9-aliyun.1 or later.
- The policy governance feature can be applied only to Linux nodes.
- The policy governance feature does not allow you to configure custom policies. You can use only the predefined policies of the policy governance feature.
- To use the policy governance feature, you must install gatekeeper from the Add-ons page of the ACK console.
If gatekeeper is installed in other ways, you must uninstall gatekeeper and then install gatekeeper from the Add-ons page of the ACK console. For more information about the release notes for gatekeeper, see gatekeeper.
Install policy-template-controller
policy-template-controller is a policy template controller developed by Alibaba Cloud that manages policy instances in a cluster. It works together with the following components:
- gatekeeper: a validating admission webhook for Kubernetes that evaluates policies with the OPA policy engine and rejects or flags requests that violate them. gatekeeper also allows you to manage the labels of namespaces.
- logtail-ds: collects the logs of blocking events and alerting events that are generated when requests violate policies, and allows you to retrieve these logs.
Policies
The following table describes the predefined policies of the policy governance feature. For more information about how to set the parameters of a policy and deploy a policy, see Predefined security policies of ACK.
Category | Policy | Description | Severity
---|---|---|---
CIS-K8s | ACKNoEnvVarSecrets | The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables. | medium
CIS-K8s | ACKPodsRequireSecurityContext | Pods in the specified namespaces must be configured with the securityContext parameter. | low
CIS-K8s | ACKRestrictNamespaces | Resources of the specified types cannot be deployed in the specified namespaces. | low
CIS-K8s | ACKRestrictRoleBindings | RoleBindings in the specified namespaces can be used to bind only the specified Roles or ClusterRoles. | high
Infra | ACKBlockProcessNamespaceSharing | Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter. | high
Infra | ACKEmptyDirHasSizeLimit | The sizeLimit parameter must be configured when you mount emptyDir volumes. | low
Infra | ACKLocalStorageRequireSafeToEvict | Pods in the specified namespaces must be configured with the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. By default, cluster-autoscaler does not evict pods that mount hostPath or emptyDir volumes during automatic scaling activities. To allow cluster-autoscaler to evict these pods, add this annotation to the pod configuration. | low
Infra | ACKOSSStorageLocationConstraint | Specifies whether Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces. | low
K8s-general | ACKAllowedRepos | Pods in the specified namespaces can pull images only from the specified image repositories. | high
K8s-general | ACKBlockAutoinjectServiceEnv | Pods in the specified namespaces must be configured with enableServiceLinks: false, which prevents Service IP addresses from being injected into pod environment variables. | low
K8s-general | ACKBlockAutomountToken | Pods in the specified namespaces must be configured with automountServiceAccountToken: false, so that service account tokens are not automatically mounted. | high
K8s-general | ACKBlockEphemeralContainer | Pods in the specified namespaces cannot launch ephemeral containers. | medium
K8s-general | ACKBlockLoadBalancer | LoadBalancer Services cannot be deployed in the specified namespaces. | high
K8s-general | ACKBlockNodePort | NodePort Services cannot be deployed in the specified namespaces. | high
K8s-general | ACKContainerLimits | Pods in the specified namespaces must be configured with resource limits. | low
K8s-general | ACKExternalIPs | Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content. | high
K8s-general | ACKImageDigests | Pods in the specified namespaces must be deployed from images whose digests comply with the specified format. | low
K8s-general | ACKRequiredLabels | Pods in the specified namespaces must have labels that comply with the policy content. | low
K8s-general | ACKRequiredProbes | Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes. | medium
K8s-general | ACKCheckNginxPath | The spec.rules[].http.paths[].path parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1. | high
K8s-general | ACKCheckNginxAnnotation | The metadata.annotations parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1. | high
PSP | ACKPSPAllowPrivilegeEscalationContainer | Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter. | medium
PSP | ACKPSPAllowedUsers | Pods in the specified namespaces must be configured with the user, group, supplementalGroups, and fsGroup settings. | medium
PSP | ACKPSPAppArmor | Pods in the specified namespaces must be configured with AppArmor settings. | low
PSP | ACKPSPCapabilities | Pods in the specified namespaces must be configured with Linux capabilities settings. | high
PSP | ACKPSPFSGroup | Pods in the specified namespaces must be configured with fsGroup settings that comply with the policy content. | medium
PSP | ACKPSPFlexVolumes | Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content. | medium
PSP | ACKPSPForbiddenSysctls | Pods in the specified namespaces cannot use the specified sysctls. | high
PSP | ACKPSPHostFilesystem | hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions. | high
PSP | ACKPSPHostNamespace | Pods in the specified namespaces cannot share the host PID or IPC namespaces. | high
PSP | ACKPSPHostNetworkingPorts | Specifies whether pods in the specified namespaces can use the host network and the specified ports. | high
PSP | ACKPSPPrivilegedContainer | Pods in the specified namespaces cannot run privileged containers. | high
PSP | ACKPSPProcMount | Pods in the specified namespaces must be configured with the procMount type that is specified in the policy content. | low
PSP | ACKPSPReadOnlyRootFilesystem | Pods in the specified namespaces must run with read-only root file systems. | medium
PSP | ACKPSPSELinuxV2 | Pods in the specified namespaces cannot be configured with SELinux options that are not specified by the allowedSELinuxOptions parameter. | low
PSP | ACKPSPSeccomp | Pods in the specified namespaces must be configured with the specified seccomp profiles. | low
PSP | ACKPSPVolumeTypes | Only volumes of the specified types can be mounted to pods in the specified namespaces. | medium
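The descriptions in the table above are easier to reason about when the checks are written out against a pod manifest. The following Python is an added example for this page, not ACK's policy templates or their Rego, and it implements a subset of the listed policies as a pre-admission linter that can run in CI before gatekeeper rejects the pod. It assumes the same field semantics as the table (for ACKPSPAllowPrivilegeEscalationContainer it treats an unset allowPrivilegeEscalation as a violation, as the upstream Gatekeeper library template does; that reading is an assumption). The two pod manifests are constructed samples, one violating and one hardened.

```python
"""Pre-admission checks mirroring a subset of the predefined ACK policies.
Added, stand-alone illustration for this page, not ACK's own Rego."""
from __future__ import annotations

import json


def _all_containers(spec: dict):
    """Yield (list name, container) for every container list in a pod spec."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key, []):
            yield key, c


def check_pod(pod: dict) -> list[str]:
    """Return 'PolicyName: detail' findings; an empty list means compliant."""
    spec = pod.get("spec", {})
    findings: list[str] = []

    # ACKPSPHostNamespace: host PID/IPC namespaces expose other processes on the node.
    for ns_field in ("hostPID", "hostIPC"):
        if spec.get(ns_field) is True:
            findings.append(f"ACKPSPHostNamespace: spec.{ns_field} is true")

    # ACKBlockProcessNamespaceSharing: containers must not share one PID namespace.
    if spec.get("shareProcessNamespace") is True:
        findings.append("ACKBlockProcessNamespaceSharing: spec.shareProcessNamespace is true")

    # ACKBlockAutomountToken: the default is true, so the field must be explicitly false.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("ACKBlockAutomountToken: spec.automountServiceAccountToken is not false")

    # ACKBlockEphemeralContainer: no debug containers in protected namespaces.
    if spec.get("ephemeralContainers"):
        findings.append("ACKBlockEphemeralContainer: spec.ephemeralContainers is set")

    # ACKEmptyDirHasSizeLimit: an unbounded emptyDir can fill the node's disk.
    for vol in spec.get("volumes", []):
        empty = vol.get("emptyDir")
        if isinstance(empty, dict) and "sizeLimit" not in empty:
            findings.append(f"ACKEmptyDirHasSizeLimit: volume '{vol.get('name')}' has no sizeLimit")

    for kind, c in _all_containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        # ACKPSPPrivilegedContainer
        if sc.get("privileged") is True:
            findings.append(f"ACKPSPPrivilegedContainer: {kind}/{name} is privileged")
        # ACKPSPAllowPrivilegeEscalationContainer (assumption: unset counts as a violation).
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"ACKPSPAllowPrivilegeEscalationContainer: {kind}/{name} "
                            "does not set allowPrivilegeEscalation: false")
        # ACKPSPReadOnlyRootFilesystem
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"ACKPSPReadOnlyRootFilesystem: {kind}/{name} root filesystem is writable")
        # ACKNoEnvVarSecrets: secrets belong in mounted files, not in the environment,
        # which leaks into /proc, crash dumps and child processes.
        for env in c.get("env", []):
            if "secretKeyRef" in (env.get("valueFrom") or {}):
                findings.append(f"ACKNoEnvVarSecrets: {kind}/{name} env '{env.get('name')}' uses secretKeyRef")
    return findings


def policies_violated(pod: dict) -> set[str]:
    """Just the policy names, for a quick pass/fail summary."""
    return {f.split(":", 1)[0] for f in check_pod(pod)}


# Constructed sample: a pod that would be rejected by several of the policies above.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo", "namespace": "prod"},
    "spec": {
        "hostPID": True,
        "automountServiceAccountToken": False,
        "volumes": [{"name": "scratch", "emptyDir": {}},
                    {"name": "cache", "emptyDir": {"sizeLimit": "1Gi"}}],
        "containers": [
            {"name": "app", "image": "registry.example.com/app:1.0",
             "securityContext": {"privileged": True, "readOnlyRootFilesystem": True},
             "env": [{"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pass"}}}]},
            {"name": "sidecar", "image": "registry.example.com/sidecar:1.0",
             "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}},
        ],
    },
}

# Constructed sample: the same workload hardened to pass every check above.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "volumes": [{"name": "scratch", "emptyDir": {"sizeLimit": "256Mi"}},
                    {"name": "db-creds", "secret": {"secretName": "db"}}],
        "containers": [{
            "name": "app", "image": "registry.example.com/app:1.0",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True},
            "volumeMounts": [{"name": "db-creds", "mountPath": "/run/secrets/db", "readOnly": True},
                             {"name": "scratch", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    print(json.dumps({"violating": check_pod(SAMPLE_POD), "hardened": check_pod(HARDENED_POD)}, indent=2))
```

Running the script reports five findings for SAMPLE_POD and none for HARDENED_POD. Only the policies ACK deploys in a namespace are enforced there, so treat this linter as a convenience for developers, not as a substitute for the admission check.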
View information about policies in a cluster
After you install policy-template-controller, you can perform the following steps to view information about policies in your cluster.
View policies and policy instances in a cluster
To view policies and policy instances in your cluster, perform the following steps:
Deploy a policy instance
To deploy a policy instance in your cluster, perform the following steps.
Modify a policy instance
To modify a policy instance in your cluster, perform the following steps:
Delete a policy instance
To delete a policy instance from your cluster, perform the following steps:
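The console procedures above are the supported way to view policy instances and their status. For operators who also work from kubectl, the following Python is an added example written for this page, not ACK's or Gatekeeper's own tooling. It summarizes the Gatekeeper Constraint objects that back the policy instances, reading the JSON that `kubectl get constraints -A -o json` prints and that Gatekeeper's audit controller fills in under `status`. It assumes the Constraint kinds carry the policy names from the table above (an assumption; the code keys on whatever kind the cluster reports) and is exercised on a constructed sample so it runs offline.

```python
"""Summarize Gatekeeper Constraint status behind ACK policy instances.
Added example for this page; input shape is `kubectl get constraints -A -o json`."""
from __future__ import annotations

import json
import sys
from collections import Counter

# Gatekeeper enforcement actions: only "deny" rejects admission requests;
# "dryrun" and "warn" record or warn but still admit the object.
NON_ENFORCING = {"dryrun", "warn"}


def enforcement_action(constraint: dict) -> str:
    """Gatekeeper treats an unset spec.enforcementAction as 'deny'."""
    return (constraint.get("spec") or {}).get("enforcementAction", "deny")


def summarize(constraint_list: dict) -> dict[str, dict]:
    """Per-constraint summary keyed by '<Kind>/<name>'."""
    out = {}
    for c in constraint_list.get("items", []):
        status = c.get("status") or {}
        violations = status.get("violations") or []
        key = f"{c.get('kind')}/{(c.get('metadata') or {}).get('name')}"
        out[key] = {
            "enforcementAction": enforcement_action(c),
            "namespaces": (((c.get("spec") or {}).get("match") or {}).get("namespaces") or []),
            "auditTimestamp": status.get("auditTimestamp"),
            # totalViolations can exceed len(violations): the audit controller keeps
            # at most --constraint-violations-limit entries (default 20) in status.
            "totalViolations": status.get("totalViolations", len(violations)),
            "byNamespace": dict(Counter(v.get("namespace", "") for v in violations)),
        }
    return out


def non_enforcing(constraint_list: dict) -> list[str]:
    """Policy instances that report violations but never reject a request."""
    return [key for key, s in summarize(constraint_list).items()
            if s["enforcementAction"] in NON_ENFORCING and s["totalViolations"] > 0]


def violations_in_namespace(constraint_list: dict, namespace: str) -> list[dict]:
    """Flatten audit findings for one namespace, tagged with the constraint kind."""
    found = []
    for c in constraint_list.get("items", []):
        for v in (c.get("status") or {}).get("violations") or []:
            if v.get("namespace") == namespace:
                found.append({"constraint": c.get("kind"),
                              "resource": f"{v.get('kind')}/{v.get('name')}",
                              "action": v.get("enforcementAction"), "message": v.get("message")})
    return found


# Constructed sample in the shape of `kubectl get constraints -A -o json`.
SAMPLE = {"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "ACKPSPPrivilegedContainer",
     "metadata": {"name": "psp-privileged"},
     "spec": {"enforcementAction": "deny", "match": {"namespaces": ["prod"]}},
     "status": {"auditTimestamp": "2024-01-01T00:00:00Z", "totalViolations": 2, "violations": [
         {"enforcementAction": "deny", "kind": "Pod", "name": "legacy-agent", "namespace": "prod",
          "message": "Privileged container is not allowed: agent"},
         {"enforcementAction": "deny", "kind": "Pod", "name": "node-tool", "namespace": "prod",
          "message": "Privileged container is not allowed: tool"}]}},
    {"apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "ACKBlockAutomountToken",
     "metadata": {"name": "block-automount"},
     "spec": {"enforcementAction": "dryrun", "match": {"namespaces": ["prod", "dev"]}},
     "status": {"auditTimestamp": "2024-01-01T00:00:00Z", "totalViolations": 1, "violations": [
         {"enforcementAction": "dryrun", "kind": "Pod", "name": "web", "namespace": "dev",
          "message": "automountServiceAccountToken must be false"}]}},
    {"apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "ACKAllowedRepos",
     "metadata": {"name": "allowed-repos"},
     "spec": {"match": {"namespaces": ["prod"]}, "parameters": {"repos": ["registry.example.com/"]}},
     "status": {"auditTimestamp": "2024-01-01T00:00:00Z", "totalViolations": 0, "violations": []}},
]}

if __name__ == "__main__":
    # Pipe live data in (kubectl get constraints -A -o json | python3 this.py) or use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps({"summary": summarize(data), "nonEnforcing": non_enforcing(data)}, indent=2))
```

The check worth scheduling is `non_enforcing`: an instance deployed in dryrun or warn mode shows up in audit and in the collected logs, but the violating pod is still admitted, so a policy that looks deployed may not actually be blocking anything.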