Pod security policies

Pod security policy is an attempt to improve the security defaults that Kubernetes applies to applications, by letting operators define presets for them.

About two years ago we started investigating their use in Cloud Foundry Container Runtime. We took it seriously because we didn't want to break existing users and wanted to make the transition painless. At that time, Kubernetes documentation was not as good as it is now, so we had to learn some things the hard way.

We started with Pod Security Policies because of the CIS benchmark for Kubernetes. It is worth a look, since it covers a lot of ground, but before you start implementing it you have to understand the reasons behind each point and how the features interact with each other. This leads to my first point.

  1. Enabling pod security policies requires you to allow users to modify some security aspects of their applications. You will have to remove the SecurityContextDeny admission controller. This contradicted the benchmark before and has been fixed recently.
  2. The pod security policies can mutate the pod definition by setting the user ID or the seccomp annotation if those are not specified.
  3. The policies are chosen alphabetically, and if your pod does not specify some of the properties, a stricter policy might be chosen. For example, a policy that requires running as non-root might be chosen if your pod does not specify which user it runs as. As a result, you can create a very restrictive policy whose name starts with lots of letters "a" and assign it to all service accounts, to catch applications that have not specified a proper pod security policy and properties.
  4. You can check which security context the pod ended up with by looking at the pod annotations, and that is the only way to find out. It is not possible to assign a specific pod to a specific policy.
  5. The only way to validate that a policy satisfies an application is to deploy it.
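As an added example (not from the original post), here is what the catch-all policy from point 3 looks like in practice, together with the RBAC that lets every service account use it; the policy name, the ID ranges and the volume list are assumptions chosen for illustration.

```yaml
# Restrictive catch-all policy named so it sorts first alphabetically.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: aaa-restricted-catch-all
  annotations:
    # Pods that set no seccomp annotation get this one (point 2 above).
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot   # pods that omit runAsUser are mutated to non-root
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: [configMap, emptyDir, projected, secret, downwardAPI, persistentVolumeClaim]
---
# Grant "use" on that policy ...
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:aaa-restricted-catch-all
rules:
- apiGroups: [policy]
  resources: [podsecuritypolicies]
  resourceNames: [aaa-restricted-catch-all]
  verbs: [use]
---
# ... to every service account in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:aaa-restricted-catch-all:all-serviceaccounts
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:aaa-restricted-catch-all
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
# Which policy admitted a pod (point 4 above) is only visible in its annotation:
#   kubectl get pod <pod> -o jsonpath='{.metadata.annotations.kubernetes\.io/psp}'
```

PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on newer clusters the same intent is expressed with Pod Security Admission instead.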

Reading code for a long time, writing code for even longer.

Oleksandr Slynko
