If you’re looking to take your Kubernetes security to the next level, you’ll want to start working with pod security policies. Here’s a quick introduction to this feature.
Kubernetes is an incredibly powerful container management tool. If you’ve worked with containers long enough, you know that security has to take a central role in the deployment of your apps and services. Without locking down those containers, havoc could be wreaked on your network.
You certainly don’t want that.
So, what can you do? With Kubernetes you should consider establishing pod security policies.
If you’re new to Kubernetes, you might not know what a pod is. Simply stated, a Kubernetes pod is a collection of processes that make up a container, such as:
In other words, a pod is a unit of deployment–either a single container or a number of containers working together.
Now that you understand what a pod is, let’s see what we can do about crafting a security policy.
What is a pod security policy?
The Kubernetes pod security policy is a resource that controls the security of a pod specification. Using the PodSecurityPolicy object definition, you can control things like:
The ability to run privileged containers
Access to volume types
Access to host file systems
Usage of host networking
But how to define the policy? As with almost everything in Kubernetes, this is defined within a YAML file.
How to create a Kubernetes pod security policy
Let’s create a Kubernetes pod security policy that prevents the creation of privileged pods and controls access to volumes. First, we must create the YAML file. From a terminal window, issue the command:
The above file will create a cluster-wide role named psp that can use our new policy we named psp. This will also create a cluster-wide role binding which gives access to the psp:psp role to every authenticated user.
Save and close the file. Create this policy with the command:
kubectl apply -f rbac-psp.yaml
We’ve now created a policy and an RBAC control. Let’s find out if we’re now able to use this new policy. Issue the command:
kubectl auth can-i use psp/psp
The output should say “yes.”
Of course, it should say “yes,” as I am an admin user. But what if we test it with any user? Do that with the command:
kubectl auth can-i use psp/psp --as-group=system:authenticated --as=any-user
You should now see “no” in the response.
You’ve just created a Kubernetes pod security policy, assigned it with RBAC, and tested it to make sure the policy actually works. You’re one step closer to gaining more security with your Kubernetes container deployments.
Cybersecurity Insider Newsletter
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays