Skip to content
This repository has been archived by the owner on Oct 29, 2021. It is now read-only.

Latest commit

 

History

History
69 lines (57 loc) · 3.17 KB

8.Configure-kube-system-pod-security-policy.md

File metadata and controls

69 lines (57 loc) · 3.17 KB
Raw

8. Configure kube-system Pod Security Policy

In some cases, such as creating pods in kube-system we want the ability to use settings such as hostNetwork: kube-system. Let’s set that up now. While restrictive access is adequate for most pod creations, a permissive policy is required for pods that require elevated access. For example, kube-proxy requires hostNetwork enabled.

Create the permissive policy we’ll use for elevated creation rights.

$ kubectl apply -f psp/permissive.yml
podsecuritypolicy.policy/permissive create
$ kubectl get psp
NAME          PRIV    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
permissive    true           RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
restrictive   false   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            configMap,downwardAPI,emptyDir,persistentVolumeClaim,secret,projected

But this does not imply that it can be used. To do this, create a ClusterRole that allows the use of this security policy.

$ kubectl apply -f psp/psp-permissive.yml
clusterrole.rbac.authorization.k8s.io/psp-permissive created
$ kubectl get -o yaml clusterrole.rbac.authorization.k8s.io/psp-permissive
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"psp-permissive"},"rules":[{"apiGroups":["extensions"],"resourceNames":["permissive"],"resources":["podsecuritypolicies"],"verbs":["use"]}]}
  creationTimestamp: "2019-01-25T12:07:36Z"
  name: psp-permissive
  resourceVersion: "91637"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/psp-permissive
  uid: cda04363-2099-11e9-b5a8-9cb6d0e7e121
rules:
- apiGroups:
  - extensions
  resourceNames:
  - permissive
  resources:
  - podsecuritypolicies
  verbs:
  - use

Create a RoleBinding for kube-system that grants the psp-permissive ClusterRole to relevant controller service accounts:

$ kubectl apply -f rbac/role-binding-controllers-sa-at-kube-system-permissive-psp.yaml
rolebinding.rbac.authorization.k8s.io/permissive-psp-at-kube-system created

Now you can create a pod with hostNetwork: true in the kube-system namespace! An example deployment is as follows:

$ kubectl apply -f examples/nginx-host.yaml -n kube-system
deployment.apps/nginx-deployment created
$ kubectl get deploy,rs,pod -n kube-system
NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/kube-dns           1/1     1            1           23h
deployment.extensions/nginx-deployment   1/1     1            1           12s

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.extensions/kube-dns-6ccd496668           1         1         1       23h
replicaset.extensions/nginx-deployment-597c4cff45   1         1         1       12s

NAME                                    READY   STATUS    RESTARTS   AGE
pod/kube-dns-6ccd496668-cnlxb           3/3     Running   6          23h
pod/nginx-deployment-597c4cff45-t4txr   1/1     Running   0          12s