Apply Pod Security Standards at the Namespace Level
Note
This tutorial applies only to new clusters.

Pod Security Admission is an admission controller that applies Pod Security Standards when pods are created. It became generally available (GA) in v1.25.
In this tutorial, you will enforce the baseline Pod Security Standard,
one namespace at a time.
You can also apply Pod Security Standards to multiple namespaces at once at the cluster level. For instructions, refer to Apply Pod Security Standards at the cluster level.
Before you begin
Install the following on your workstation (both are used in the steps below):
- kind
- kubectl
Create cluster
- Create a kind cluster as follows:

      kind create cluster --name psa-ns-level

  The output is similar to this:

      Creating cluster "psa-ns-level" ...
       ✓ Ensuring node image (kindest/node:v1.29.0)
       ✓ Preparing nodes
       ✓ Writing configuration
       ✓ Starting control-plane
       ✓ Installing CNI
       ✓ Installing StorageClass
      Set kubectl context to "kind-psa-ns-level"
      You can now use your cluster with:

      kubectl cluster-info --context kind-psa-ns-level

      Not sure what to do next? Check out https://kind.sigs.k8s.io/docs/user/quick-start/

- Set the kubectl context to the new cluster:

      kubectl cluster-info --context kind-psa-ns-level

  The output is similar to this:

      Kubernetes control plane is running at https://127.0.0.1:50996
      CoreDNS is running at https://127.0.0.1:50996/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

      To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
Create a namespace
Create a new namespace called example:
kubectl create ns example
The output is similar to this:
namespace/example created
Enable Pod Security Standards checking for that namespace
- Enable Pod Security Standards on this namespace using the labels supported by the built-in Pod Security Admission controller. In this step you will configure a check that warns on Pods that don't meet the latest version of the baseline Pod Security Standard:

      kubectl label --overwrite ns example \
        pod-security.kubernetes.io/warn=baseline \
        pod-security.kubernetes.io/warn-version=latest

- You can configure multiple Pod Security Standard checks on any namespace using labels. The following command will enforce the baseline Pod Security Standard, but warn and audit for the restricted Pod Security Standard, as per the latest version (the default value):

      kubectl label --overwrite ns example \
        pod-security.kubernetes.io/enforce=baseline \
        pod-security.kubernetes.io/enforce-version=latest \
        pod-security.kubernetes.io/warn=restricted \
        pod-security.kubernetes.io/warn-version=latest \
        pod-security.kubernetes.io/audit=restricted \
        pod-security.kubernetes.io/audit-version=latest
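The three modes are independent labels, so it is easy to set a combination that looks safe but never produces a signal: a warn or audit level that is looser than the enforce level can never fire, because any Pod that clears the stricter enforce check also clears the looser one. The following script is an added example, not code from the Kubernetes tutorial or project: it builds the label set from an (enforce, warn, audit) triple, ranks the levels to flag that misconfiguration, and applies the labels with `kubectl label --overwrite` exactly as the tutorial does. The function names `psa_rank`, `psa_labels` and `psa_apply` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Kubernetes tutorial): build the
# pod-security.kubernetes.io labels for a namespace from an
# (enforce, warn, audit) triple, flag a warn or audit level that is looser
# than the enforce level, and apply the result with kubectl.
# psa_rank, psa_labels and psa_apply are names chosen for this example.

# Strictness rank of a Pod Security Standard level
# (privileged < baseline < restricted); prints nothing and returns 1
# for an unknown level.
psa_rank() {
  case "$1" in
    privileged) echo 0 ;;
    baseline)   echo 1 ;;
    restricted) echo 2 ;;
    *) echo "unknown Pod Security Standard level: $1" >&2; return 1 ;;
  esac
}

# Print one label per line, e.g. pod-security.kubernetes.io/enforce=baseline.
# usage: psa_labels ENFORCE WARN AUDIT [VERSION]   (VERSION defaults to latest)
psa_labels() {
  enforce=$1 warn=$2 audit=$3 version=${4:-latest}
  e=$(psa_rank "$enforce") || return 1
  w=$(psa_rank "$warn")    || return 1
  a=$(psa_rank "$audit")   || return 1
  # A warn or audit level looser than enforce can never fire: any Pod that
  # passes the stricter enforce check also passes the looser one.
  if [ "$w" -lt "$e" ] || [ "$a" -lt "$e" ]; then
    echo "note: warn=$warn/audit=$audit are looser than enforce=$enforce and will never trigger" >&2
  fi
  for mode in enforce warn audit; do
    eval "level=\$$mode"
    echo "pod-security.kubernetes.io/$mode=$level"
    echo "pod-security.kubernetes.io/$mode-version=$version"
  done
}

# Apply the labels to a namespace (requires kubectl and a reachable cluster).
# usage: psa_apply NAMESPACE ENFORCE WARN AUDIT [VERSION]
psa_apply() {
  ns=$1; shift
  labels=$(psa_labels "$@") || return 1
  # shellcheck disable=SC2086  # intentional word splitting, one label per word
  kubectl label --overwrite ns "$ns" $labels
}

# Equivalent of the tutorial's second label command:
#   psa_apply example baseline restricted restricted
```

`psa_labels` needs no cluster, so it can be run in CI to review the intended policy before `psa_apply` touches a live namespace. Pinning the `VERSION` argument to a specific release (for example `v1.29`) instead of `latest` keeps a cluster upgrade from silently tightening the checks.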
Verify the Pod Security Standard enforcement
- Create a baseline Pod in the example namespace:

      kubectl apply -n example -f https://k8s.io/examples/security/example-baseline-pod.yaml

  The Pod does start OK; the output includes a warning. For example:

      Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      pod/nginx created

- Create a baseline Pod in the default namespace:

      kubectl apply -n default -f https://k8s.io/examples/security/example-baseline-pod.yaml

  The output is similar to this:

      pod/nginx created
The Pod Security Standards enforcement and warning settings were applied only
to the example namespace. You could create the same Pod in the default
namespace with no warnings.
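The warning above lists exactly what the restricted level adds on top of baseline: no privilege escalation, all capabilities dropped, a non-root user, and a seccomp profile. The script below is an added example, not the tutorial's `example-baseline-pod.yaml` or any Kubernetes project code: it emits a constructed baseline-only nginx Pod next to a version with those four settings applied, and a small pre-flight check that reports which of the four a manifest still lacks. The check only mirrors the four messages quoted in the tutorial; the authoritative decision is still made by Pod Security Admission on the API server. The function names are this example's own, and the `nginxinc/nginx-unprivileged` image is used in the hardened Pod because the stock `nginx` image expects to run as root and would fail to start under `runAsNonRoot: true`.

```shell
#!/bin/sh
# Added example (not from the Kubernetes tutorial): a baseline-only Pod, the
# same Pod with the four settings the restricted level requires, and a local
# pre-flight that reports which settings a manifest is missing. The real
# check is done by Pod Security Admission; this only mirrors the four
# messages quoted in the tutorial's warning.

# Constructed to resemble the tutorial's example-baseline-pod.yaml; it is
# not that file.
baseline_pod() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
EOF
}

# The same Pod with the restricted-level settings. The stock nginx image
# needs root, so a variant that runs as an unprivileged user is used.
restricted_pod() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: nginx
    image: nginxinc/nginx-unprivileged
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
EOF
}

# Read a manifest on stdin and print one "missing: ..." line per restricted
# requirement that is absent; exit 0 only when all four are present.
# Newlines are joined so both flow-style and block-style YAML lists match.
check_restricted() {
  m=$(cat | tr '\n' ' ')
  missing=0
  for rule in \
    'allowPrivilegeEscalation: *false@securityContext.allowPrivilegeEscalation=false' \
    'drop: *(\[ *"?ALL"? *\]|- *"?ALL"?)@securityContext.capabilities.drop=["ALL"]' \
    'runAsNonRoot: *true@securityContext.runAsNonRoot=true' \
    'seccompProfile: +type: *(RuntimeDefault|Localhost)@securityContext.seccompProfile.type=RuntimeDefault|Localhost'
  do
    pattern=${rule%%@*}
    label=${rule#*@}
    if ! printf '%s\n' "$m" | grep -Eq "$pattern"; then
      echo "missing: $label"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Typical use:  restricted_pod | check_restricted && restricted_pod | kubectl apply -n example -f -
```

Run `baseline_pod | check_restricted` to see the same four items the API server warns about, and `restricted_pod | check_restricted` to confirm the hardened manifest is clean before applying it. Because the example namespace only enforces baseline, both Pods are admitted there; the difference is that the hardened one is also accepted without warnings in a namespace that enforces restricted.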
Clean up
Now delete the cluster which you created above by running the following command:
kind delete cluster --name psa-ns-level
What's next
- Run a shell script to perform all the preceding steps at once:
  - Create a kind cluster
  - Create a new namespace
  - Apply the baseline Pod Security Standard in enforce mode while also applying the restricted Pod Security Standard in warn and audit mode.
  - Create a new pod with the following pod security standards applied