Kubernetesdevops~7 mins

Pod security admission controller in Kubernetes - Commands & Configuration

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Introduction

Sometimes pods in Kubernetes can run with unsafe settings that might cause security risks. The Pod Security Admission Controller helps by checking pods when they are created and making sure they follow security rules to keep the cluster safe.

When you want to prevent pods from running as root user to avoid privilege escalation.

When you need to enforce that pods do not use host network or host PID to limit access to the node.

When you want to make sure pods have proper security context settings like read-only root filesystem.

When you want to apply different security policies to different namespaces automatically.

When you want to block pods that do not meet your organization's security standards before they start.

Config File - pod-security.yaml

pod-security.yaml

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535

This file defines a PodSecurityPolicy named 'restricted' that enforces strict security rules:

privileged: false - Pods cannot run in privileged mode.
allowPrivilegeEscalation: false - Prevents privilege escalation.
requiredDropCapabilities: ALL - Drops all Linux capabilities.
volumes - Only allows safe volume types.
hostNetwork, hostIPC, hostPID: false - Disallows access to host networking and IPC.
runAsUser: MustRunAsNonRoot - Pods must run as non-root user.
supplementalGroups and fsGroup - Enforces group IDs for file permissions.

Commands

This command applies the PodSecurityPolicy configuration to the Kubernetes cluster to enforce the security rules defined.

Terminal

kubectl apply -f pod-security.yaml

Expected OutputExpected

podsecuritypolicy.policy/restricted created

This command lists all PodSecurityPolicies currently configured in the cluster to verify that the 'restricted' policy is active.

Terminal

kubectl get podsecuritypolicy

Expected OutputExpected

NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES restricted false ALL RunAsAny MustRunAsNonRoot MustRunAs MustRunAs false configMap,emptyDir,projected,secret,downwardAPI

Creates a new namespace called 'secure-app' where we can enforce the Pod Security Admission Controller policies.

Terminal

kubectl create namespace secure-app

Expected OutputExpected

namespace/secure-app created

Labels the 'secure-app' namespace to enforce the 'restricted' Pod Security Admission Controller policy on all pods created in this namespace.

Terminal

kubectl label namespace secure-app pod-security.kubernetes.io/enforce=restricted

Expected OutputExpected

namespace/secure-app labeled

Attempts to create a pod named 'test-pod' in the 'secure-app' namespace running as root user, which should be blocked by the Pod Security Admission Controller.

Terminal

kubectl run test-pod --image=nginx --namespace=secure-app --restart=Never --overrides='{ "apiVersion": "v1", "spec": { "securityContext": { "runAsUser": 0 } } }'

Expected OutputExpected

Error from server (Forbidden): error when creating "STDIN": pods "test-pod" is forbidden: violates PodSecurity "restricted": running as root is not allowed

Key Concept

If you remember nothing else from this pattern, remember: Pod Security Admission Controller automatically blocks pods that do not meet your security rules before they run.

Common Mistakes

Not labeling the namespace with the correct pod-security.kubernetes.io/enforce label.

Without the label, the Pod Security Admission Controller does not enforce any policy on pods in that namespace.

Always add the correct label to the namespace to activate the desired security policy.

Trying to create pods that run as root when the policy requires non-root users.

Pods running as root violate the security policy and will be rejected by the admission controller.

Set the pod's securityContext to run as a non-root user or omit runAsUser to use defaults.

Applying PodSecurityPolicy without enabling the admission controller in the cluster.

The policies won't be enforced if the admission controller is not enabled in the Kubernetes API server.

Ensure the Pod Security Admission Controller is enabled in your cluster configuration.

Summary

Apply a PodSecurityPolicy YAML file to define security rules for pods.

Label namespaces to enforce these policies automatically on pods created inside them.

Try creating pods that violate the policy to see the admission controller block them.

Use kubectl commands to verify policies and namespace labels.