Get Started

Ready to get your hands dirty? Build a simple Kubernetes cluster that runs "Hello World" for Node.js.

Documentation

Learn how to use Kubernetes with the use of walkthroughs, samples, and reference documentation. You can even help contribute to the docs!

Community

If you need help, you can connect with other Kubernetes users and the Kubernetes authors, attend community events, and watch video presentations from around the web.

Blog

Read the latest news for Kubernetes and the containers space in general, and get technical how-tos hot off the presses.

Interested in hacking on the core Kubernetes code base?

View On Github

Explore the community

Reference Documentation

Design docs, concept definitions, and references for APIs and CLIs.

Documentation for Kubernetes v1.5 is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Kubernetes Resource Types (New Docs Style)

Version 1.5

Kubernetes API (New Docs Style)

Version 1.5

Kubectl Commands (New Docs Style)

Version 1.5

Kubernetes API

Kubernetes API Overview

Accessing the API

Overview

Authenticating

Using Authorization Plugins

Using Admission Controllers

Managing Service Accounts

Kubernetes API Operations

Kubernetes API Definitions

Well-Known Labels, Annotations and Taints

Kubernetes API Swagger Spec

Autoscaling API

Autoscaling API Operations

Autoscaling API Definitions

Batch API

Batch API Operations

Batch API Definitions

Apps API

Apps API Operations

Apps API Definitions

Extensions API

Extensions API Operations

Extensions API Definitions

kubectl CLI

kubectl Overview

kubectl for Docker Users

kubectl Usage Conventions

kubectl Commands

kubectl certificate approve

kubectl certificate deny

kubectl cluster-info

kubectl cluster-info dump

kubectl completion

kubectl config

kubectl config current-context

kubectl config delete-cluster

kubectl config delete-context

kubectl config get-clusters

kubectl config get-contexts

kubectl config set-cluster

kubectl config set-context

kubectl config set-credentials

kubectl config set

kubectl config unset

kubectl config use-context

kubectl create configmap

kubectl create deployment

kubectl create namespace

kubectl create quota

kubectl create secret docker-registry

kubectl create secret

kubectl create secret generic

kubectl create secret tls

kubectl create serviceaccount

kubectl create service clusterip

kubectl create service loadbalancer

kubectl create service nodeport

kubectl rolling-update

kubectl rollout

kubectl rollout history

kubectl rollout pause

kubectl rollout resume

kubectl rollout status

kubectl set resources

Superseded and Deprecated Commands

kubectl stop

Kubernetes Components

kube-apiserver

kube-controller-manager

kube-proxy

kube-scheduler

kubelet

Overview

Master-Node communication

TLS bootstrapping

Kubelet authentication/authorization

Glossary

Annotations

Daemon Sets

Deployments

Horizontal Pod Autoscaling

Pod Security Policies

Replica Sets

Replication Controller

Third Party Resources

Volumes

Kubernetes Design Docs

Kubernetes Architecture

Kubernetes Design Overview

Kubernetes Identity and Access Management

Kubernetes OpenVSwitch GRE/VxLAN networking

Security Contexts

Security in Kubernetes

Edit This Page

Pod Security Policies

Objects of type PodSecurityPolicy govern the ability to make requests on a pod that affect the SecurityContext that will be applied to a pod and container.

See PodSecurityPolicy proposal for more information.

What is a Pod Security Policy?
Strategies
Admission
Creating a Pod Security Policy
Getting a list of Pod Security Policies
Editing a Pod Security Policy
Deleting a Pod Security Policy
Enabling Pod Security Policies
Working With RBAC

What is a Pod Security Policy?

A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. They allow an administrator to control the following:

Running of privileged containers.
Capabilities a container can request to be added.
The SELinux context of the container.
The user ID.
The use of host namespaces and networking.
Allocating an FSGroup that owns the pod’s volumes
Configuring allowable supplemental groups
Requiring the use of a read only root file system
Controlling the usage of volume types

Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to. These settings fall into three categories:

Controlled by a boolean: Fields of this type default to the most restrictive value.
Controlled by an allowable set: Fields of this type are checked against the set to ensure their value is allowed.
Controlled by a strategy: Items that have a strategy to provide a mechanism to generate the value and a mechanism to ensure that a specified value falls into the set of allowable values.

Strategies

RunAsUser

MustRunAs - Requires a *range* to be configured. Uses the first value of the range as the default. Validates against the configured range.
MustRunAsNonRoot - Requires that the pod be submitted with a non-zero *runAsUser* or have the USER directive defined in the image. No default provided.
RunAsAny - No default provided. Allows any *runAsUser* to be specified.

SELinuxContext

MustRunAs - Requires *seLinuxOptions* to be configured if not using pre-allocated values. Uses *seLinuxOptions* as the default. Validates against *seLinuxOptions*.
RunAsAny - No default provided. Allows any *seLinuxOptions* to be specified.

SupplementalGroups

MustRunAs - Requires at least one range to be specified. Uses the minimum value of the first range as the default. Validates against all ranges.
RunAsAny - No default provided. Allows any *supplementalGroups* to be specified.

FSGroup

MustRunAs - Requires at least one range to be specified. Uses the minimum value of the first range as the default. Validates against the first ID in the first range.
RunAsAny - No default provided. Allows any *fsGroup* ID to be specified.

Controlling Volumes

The usage of specific volume types can be controlled by setting the volumes field of the PSP. The allowable values of this field correspond to the volume sources that are defined when creating a volume:

azureFile
azureDisk
flocker
flexVolume
hostPath
emptyDir
gcePersistentDisk
awsElasticBlockStore
gitRepo
secret
nfs
iscsi
glusterfs
persistentVolumeClaim
rbd
cinder
cephFS
downwardAPI
fc
configMap
vsphereVolume
quobyte
photonPersistentDisk
projected
portworxVolume
scaleIO
* (allow all volumes)

The recommended minimum set of allowed volumes for new PSPs are configMap, downwardAPI, emptyDir, persistentVolumeClaim, and secret.

Host Network

HostPorts, default empty. List of HostPortRange, defined by min(inclusive) and max(inclusive), which define the allowed host ports.

Admission

Admission control with PodSecurityPolicy allows for control over the creation and modification of resources based on the capabilities allowed in the cluster.

Admission uses the following approach to create the final security context for the pod:

Retrieve all PSPs available for use.
Generate field values for security context settings that were not specified on the request.
Validate the final settings against the available policies.

If a matching policy is found, then the pod is accepted. If the request cannot be matched to a PSP, the pod is rejected.

A pod must validate every field against the PSP.

Creating a Pod Security Policy

Here is an example Pod Security Policy. It has permissive settings for all fields

`psp.yaml`
`apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: permissive spec: seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny hostPorts: - min: 8000 max: 8080 volumes: - '*'`

psp.yaml Copy psp.yaml to clipboard

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  hostPorts:
  - min: 8000
    max: 8080
  volumes:
  - '*'

Create the policy by downloading the example file and then running this command:

$ kubectl create -f ./psp.yaml
podsecuritypolicy "permissive" created

Getting a list of Pod Security Policies

To get a list of existing policies, use kubectl get:

$ kubectl get psp
NAME        PRIV   CAPS  SELINUX   RUNASUSER         FSGROUP   SUPGROUP  READONLYROOTFS  VOLUMES
permissive  false  []    RunAsAny  RunAsAny          RunAsAny  RunAsAny  false           [*]
privileged  true   []    RunAsAny  RunAsAny          RunAsAny  RunAsAny  false           [*]
restricted  false  []    RunAsAny  MustRunAsNonRoot  RunAsAny  RunAsAny  false           [emptyDir secret downwardAPI configMap persistentVolumeClaim]

Editing a Pod Security Policy

To modify policy interactively, use kubectl edit:

$ kubectl edit psp permissive

This command will open a default text editor where you will be ably to modify policy.

Deleting a Pod Security Policy

Once you don’t need a policy anymore, simply delete it with kubectl:

$ kubectl delete psp permissive
podsecuritypolicy "permissive" deleted

Enabling Pod Security Policies

In order to use Pod Security Policies in your cluster you must ensure the following

You have enabled the api type extensions/v1beta1/podsecuritypolicy
You have enabled the admission controller PodSecurityPolicy
You have defined your policies

Working With RBAC

In Kubernetes 1.5 and newer, you can use PodSecurityPolicy to control access to privileged containers based on user role and groups. Access to different PodSecurityPolicy objects can be controlled via authorization. To limit access to PodSecurityPolicy objects for pods created via a Deployment, ReplicaSet, etc, the Controller Manager must be run against the secured API port, and must not have superuser permissions.

PodSecurityPolicy authorization uses the union of all policies available to the user creating the pod and the service account specified on the pod. When pods are created via a Deployment, ReplicaSet, etc, it is Controller Manager that creates the pod, so if it is running against the unsecured API port, all PodSecurityPolicy objects would be allowed, and you could not effectively subdivide access. Access to given PSP policies for a user will be effective only when deploying Pods directly. For more details, see the PodSecurityPolicy RBAC example of applying PodSecurityPolicy to control access to privileged containers based on role and groups when deploying Pods directly.

Create an Issue Edit this Page