Kubernetes Pod Security Admission
Upgrading my k8s production cluster from v1.24.4 to v1.25.0
Today I upgraded my production Kubernetes cluster from v1.24.4 to v1.25.0 and ran into a problem during the upgrade. The PodSecurityPolicy API was removed from the kube-apiserver and replaced by Pod Security Admission (PSA), so I needed to migrate my PodSecurityPolicy settings to PSA. That is when I did some research on PSA.
PSA graduated to stable in v1.25.0, and the PodSecurity admission plugin is enabled by default in the kube-apiserver. Instead of per-pod policy objects, the PodSecurity admission controller applies a Pod Security Standard level per namespace: you label the namespace with the level you want, and every pod created or updated in that namespace is checked at admission time against that level's restrictions on host access and privileges (host namespaces, privileged containers, hostPath volumes, added capabilities, seccomp, running as root, and so on). Because this happens at admission, pods that are already running are neither re-evaluated nor evicted when you change the labels; they are only checked the next time they are created. Two checks are worth knowing before enforcing a level on an existing namespace: changing the enforce label on a namespace makes the API server return a warning listing the existing pods that would violate the new level, and `kubectl label --dry-run=server --overwrite ns <name> pod-security.kubernetes.io/enforce=<level>` produces those warnings without changing anything.
Pod security levels (the Pod Security Standards):
- privileged: unrestricted. Pods may use every known privilege escalation; this is effectively what pods got in a cluster without PodSecurityPolicy.
  apiVersion: v1
  kind: Namespace
  metadata:
    name: my-privileged-namespace
    labels:
      pod-security.kubernetes.io/enforce: privileged
      pod-security.kubernetes.io/enforce-version: latest
- baseline: minimally restrictive. Blocks known privilege escalations (privileged containers, host namespaces, hostPath volumes, non-default capabilities, unconfined seccomp) but accepts the default pod configuration, so most workloads run unchanged.
  apiVersion: v1
  kind: Namespace
  metadata:
    name: my-baseline-namespace
    labels:
      pod-security.kubernetes.io/enforce: baseline
      pod-security.kubernetes.io/enforce-version: latest
      pod-security.kubernetes.io/warn: baseline
      pod-security.kubernetes.io/warn-version: latest
- restricted: heavily restricted, following current pod hardening best practices. Pods must run as non-root, set allowPrivilegeEscalation to false, drop ALL capabilities (NET_BIND_SERVICE may be added back), use a RuntimeDefault or Localhost seccomp profile, and use only the allowed volume types. Expect to change pod specs to meet this level.
  apiVersion: v1
  kind: Namespace
  metadata:
    name: my-restricted-namespace
    labels:
      pod-security.kubernetes.io/enforce: restricted
      pod-security.kubernetes.io/enforce-version: latest
      pod-security.kubernetes.io/warn: restricted
      pod-security.kubernetes.io/warn-version: latest
The admission controller reads the level to apply from labels on the namespace. Each label also names a mode, and the three modes are enforce, audit, and warn. The modes are independent, so a namespace can enforce baseline while auditing and warning against restricted to preview the stricter level before switching to it.
- Enforce: pods that violate the level are rejected at admission. Enforce applies only to Pod objects; a Deployment whose pod template violates the level is accepted, and its pods then fail to be created.
- Audit: violations are recorded as an annotation on the audit event for the request (visible only if API server audit logging is enabled), and the pod is admitted as normal.
- Warn: violations are returned to the client as warnings (kubectl prints them), and the pod is admitted as normal. Audit and warn are also evaluated against the pod template of workload resources such as Deployments, so the warning appears when you apply the Deployment rather than when its pods are created.
Namespace label definition:
# The per-mode level label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>
# Optional: per-mode version label that can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (for example v1.25).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>
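The level and mode semantics above, as an added example that is not code from the original post and not the Kubernetes implementation (k8s.io/pod-security-admission): a small Python model that takes a namespace's pod-security.kubernetes.io/* labels and a Pod manifest and reports what each mode would do. It implements only a subset of the Pod Security Standards checks (host namespaces, privileged containers, added capabilities, seccomp, hostPath and other volume types, allowPrivilegeEscalation, dropping ALL, runAsNonRoot), treats an unlabeled mode as privileged instead of applying a cluster's AdmissionConfiguration defaults, and evaluates Pod objects only, not workload templates. The namespace labels and the three pods are constructed for the example.

```python
"""Simplified model of a Pod Security Admission decision for one Pod.
Added example, not code from the post or from Kubernetes (k8s.io/pod-security-admission):
it implements a subset of the Pod Security Standards checks plus the enforce/audit/warn modes."""
from dataclasses import dataclass, field

PREFIX = "pod-security.kubernetes.io/"
# Capabilities a container may still add under baseline; restricted allows only NET_BIND_SERVICE.
BASELINE_ADD_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                     "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
# Volume types the restricted level permits.
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}


def _containers(pod):
    s = pod["spec"]
    return s.get("initContainers", []) + s.get("containers", []) + s.get("ephemeralContainers", [])


def baseline_violations(pod):
    """Subset of the baseline checks: host namespaces, privileged, added capabilities, hostPath, seccomp."""
    spec, v = pod["spec"], []
    for f in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(f):
            v.append(f"host namespace {f}=true")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"privileged container {c['name']!r}")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ADD_CAPS
        if extra:
            v.append(f"container {c['name']!r} adds capabilities {sorted(extra)}")
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            v.append(f"container {c['name']!r} sets seccompProfile.type=Unconfined")
    v += [f"hostPath volume {vol['name']!r}" for vol in spec.get("volumes", []) if "hostPath" in vol]
    return v


def restricted_violations(pod):
    """Restricted = baseline plus hardening checks; container fields fall back to the pod-level ones."""
    spec, v = pod["spec"], baseline_violations(pod)
    pod_sc = spec.get("securityContext", {})
    v += [f"volume {vol['name']!r} uses a volume type restricted does not allow"
          for vol in spec.get("volumes", []) if not ((set(vol) - {"name"}) <= RESTRICTED_VOLUMES)]
    for c in _containers(pod):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"container {name!r} must set allowPrivilegeEscalation=false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            v.append(f"container {name!r} must drop capability ALL")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"container {name!r} must set runAsNonRoot=true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"container {name!r} must set seccompProfile.type=RuntimeDefault or Localhost")
    return v


CHECKS = {"privileged": lambda pod: [], "baseline": baseline_violations, "restricted": restricted_violations}


@dataclass
class Decision:
    allowed: bool = True
    denied_by: list = field(default_factory=list)          # enforce violations: the pod is rejected
    warnings: list = field(default_factory=list)           # warn violations: returned to the client
    audit_annotations: dict = field(default_factory=dict)  # audit violations: written to the audit event


def admit(ns_labels, pod):
    """Evaluate one Pod against the enforce, audit and warn levels labeled on its namespace."""
    d = Decision()
    for mode in ("enforce", "audit", "warn"):
        # An unlabeled mode means "privileged" (no checks) here; a real cluster applies the
        # defaults from its PodSecurity AdmissionConfiguration instead.
        level = ns_labels.get(PREFIX + mode, "privileged")
        version = ns_labels.get(f"{PREFIX}{mode}-version", "latest")
        violations = CHECKS[level](pod)
        if not violations:
            continue
        if mode == "enforce":
            d.allowed, d.denied_by = False, violations
        elif mode == "audit":
            d.audit_annotations[PREFIX + "audit-violations"] = f"{level}:{version}: " + "; ".join(violations)
        else:
            d.warnings = [f"would violate PodSecurity {level}:{version}: {m}" for m in violations]
    return d


# Constructed sample inputs (not from the post): enforce baseline now, preview restricted via warn and audit.
NS_LABELS = {PREFIX + "enforce": "baseline", PREFIX + "enforce-version": "v1.25",
             PREFIX + "warn": "restricted", PREFIX + "audit": "restricted"}
PLAIN_POD = {"metadata": {"name": "web"}, "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}}
PRIVILEGED_POD = {"metadata": {"name": "dbg"}, "spec": {
    "hostNetwork": True,
    "containers": [{"name": "dbg", "image": "busybox", "securityContext": {"privileged": True}}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}
HARDENED_POD = {"metadata": {"name": "web-hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "nginx:1.25", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]}}
```

Against the constructed inputs, `admit(NS_LABELS, PLAIN_POD)` admits the plain nginx pod under the enforced baseline level but returns four warnings and an audit annotation against restricted, which is exactly the signal to look at when deciding whether a namespace can move from baseline to restricted; the privileged debug pod is rejected with three enforce violations; the hardened pod is clean at every level. On a real cluster the same preview comes from labeling the namespace with warn and audit set to the stricter level, or from `kubectl label --dry-run=server`.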