@lijiang
Kubernetes Pod Security Admission

Upgrading my k8s production cluster from v1.24.4 to v1.25.0

Today I upgraded my production Kubernetes cluster from v1.24.4 to v1.25.0 and ran into a problem during the upgrade: the PodSecurityPolicy API was removed from the kube-apiserver in v1.25 and replaced by Pod Security Admission (PSA), so I had to migrate my PodSecurityPolicies to PSA. That is why I did some research on PSA.

PSA reached stable (GA) in v1.25.0, and the PodSecurity admission controller is enabled by default. It works at the namespace level: you choose a Pod Security Standards level for a namespace by labelling it, and the admission controller then checks every pod created in that namespace against that level, which limits what the pod may request from the host (host namespaces, privileged mode, hostPath volumes, capabilities, and so on).

Pod security levels:

  1. privileged: unrestricted. Allows the known privilege escalations and is meant for system- and infrastructure-level workloads.
apiVersion: v1
kind: Namespace
metadata:
  name: my-privileged-namespace
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
  2. baseline: minimally restrictive. Blocks the known privilege escalations (privileged containers, host namespaces, hostPath volumes, and so on) while still admitting the default pod configuration that most workloads use.
apiVersion: v1
kind: Namespace
metadata:
  name: my-baseline-namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest
  3. restricted: heavily restricted. Follows current pod hardening best practice: the pod must run as non-root, drop all capabilities, set allowPrivilegeEscalation to false and use a seccomp profile.
apiVersion: v1
kind: Namespace
metadata:
  name: my-restricted-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest

PSA reads the security level for a namespace's pods from the namespace labels, and each label also names the mode in which that level is applied. The modes are enforce, audit, and warn:

  1. Enforce: a pod that violates the level is rejected and is not created.

  2. Audit: the violation is recorded in the audit log (as an audit annotation on the request), but the pod is created and runs as normal.

  3. Warn: the violation is returned to the API client as a warning (kubectl prints it), but the pod is created.

The three modes are independent, so a namespace can enforce baseline while warning and auditing on restricted; this is the usual way to roll out a stricter level without breaking running workloads. Note that enforce only acts on Pod objects: a Deployment or other workload resource whose pod template violates the level is still accepted, and only warn and audit are applied to the template, so the violation shows up as pods that never get created rather than as a rejected apply.

Namespace label definition:

# The per-mode level label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>

# Optional: per-mode version label that can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (for example v1.25).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>
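To make the level list above and the enforce/audit/warn semantics concrete, here is an added toy model of the admission decision, written for this post and not code from Kubernetes itself. It reads the per-mode labels from a namespace, evaluates a pod against a subset of the baseline and restricted checks (privileged, host namespaces, hostPath, runAsNonRoot, allowPrivilegeEscalation, capabilities, seccomp), and reacts per mode the way PSA does. The namespace labels and the three pod manifests are constructed sample input; the real controller implements many more checks, so treat the violation lists as illustrative.

```python
LABEL_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
LEVELS = ("privileged", "baseline", "restricted")

def policy_from_labels(labels):
    """Map namespace labels to {mode: level}; an unlabelled mode defaults to
    'privileged' (no restriction), which is the PSA default."""
    policy = {}
    for mode in MODES:
        level = labels.get(LABEL_PREFIX + mode, "privileged")
        if level not in LEVELS:
            raise ValueError(f"invalid level {level!r} for mode {mode}")
        policy[mode] = level
    return policy

def _containers(pod):
    return pod["spec"].get("initContainers", []) + pod["spec"].get("containers", [])

def baseline_violations(pod):
    """Subset of baseline: no host namespaces, hostPath volumes or privileged containers."""
    spec, found = pod["spec"], []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"{key}=true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"hostPath volume {vol.get('name')!r}")
    for c in _containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"container {c['name']!r}: privileged=true")
    return found

def restricted_violations(pod):
    """Baseline plus a subset of restricted: runAsNonRoot, no privilege escalation,
    drop ALL capabilities, seccomp profile. Container securityContext overrides the pod's."""
    found = baseline_violations(pod)
    pod_sc = pod["spec"].get("securityContext", {})
    for c in _containers(pod):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"container {name!r}: runAsNonRoot != true")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {name!r}: allowPrivilegeEscalation != false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f"container {name!r}: capabilities.drop must include ALL")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"container {name!r}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found

CHECKS = {"privileged": lambda pod: [],
          "baseline": baseline_violations,
          "restricted": restricted_violations}

def admit(pod, namespace_labels):
    """Run every mode. enforce rejects the pod; audit and warn only record the
    violations and the pod is still created."""
    policy = policy_from_labels(namespace_labels)
    result = {"allowed": True, "denied": [], "audit": [], "warnings": []}
    for mode in MODES:
        violations = CHECKS[policy[mode]](pod)
        if not violations:
            continue
        if mode == "enforce":
            result["allowed"] = False
            result["denied"] = violations
        elif mode == "audit":
            result["audit"] = violations
        else:
            result["warnings"] = violations
    return result

# Constructed sample namespace labels: block baseline violations now, surface
# restricted violations as warnings/audit entries before tightening enforce later.
NS_LABELS = {LABEL_PREFIX + "enforce": "baseline",
             LABEL_PREFIX + "audit": "restricted",
             LABEL_PREFIX + "warn": "restricted"}

# Constructed sample pods (not real workloads).
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:1.0", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
LEGACY_POD = {"spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]}}
PRIVILEGED_POD = {"spec": {
    "hostNetwork": True, "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("legacy", LEGACY_POD), ("privileged", PRIVILEGED_POD)):
        print(label, admit(pod, NS_LABELS))
```

Under NS_LABELS the hardened pod passes cleanly, the legacy pod is created but comes back with restricted warnings and audit entries, and the privileged pod is rejected by the baseline enforce check. On a real cluster the equivalent dry run is `kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline`, which reports which existing pods would be rejected by each namespace before the label is actually applied.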
