|
|
||
|---|---|---|
| .. | ||
| bindings.yaml | ||
| pod.yaml | ||
| pod_priv.yaml | ||
| policies.yaml | ||
| README.md | ||
| roles.yaml | ||
PSP RBAC Example
This example demonstrates the usage of PodSecurityPolicy to control access to privileged containers based on role and groups.
Prerequisites
The server must be started to enable the appropriate APIs and flags
- allow privileged containers
- allow security contexts
- enable RBAC and accept any token
- enable PodSecurityPolicies
- use the PodSecurityPolicy admission controller
If you are using the local-up-cluster.sh script you may enable these settings with the following syntax
PSP_ADMISSION=true ALLOW_PRIVILEGED=true ALLOW_SECURITY_CONTEXT=true ALLOW_ANY_TOKEN=true ENABLE_RBAC=true RUNTIME_CONFIG="extensions/v1beta1=true,extensions/v1beta1/podsecuritypolicy=true" hack/local-up-cluster.sh
Using the protected port
It is important to note that this example uses the following syntax to test with RBAC
--server=https://127.0.0.1:6443: when performing requests this ensures that the protected port is used so that RBAC will be enforced--token={user}/{group(s)}: this syntax allows a request to specify the username and groups to use for testing. It relies on theALLOW_ANY_TOKENsetting.
Creating the policies, roles, and bindings
Policies
The first step to enforcing cluster constraints via PSP is to create your policies. In this
example we will use two policies, restricted and privileged. For simplicity, the only difference
between these policies is the ability to run a privileged container.
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: privileged
spec:
fsGroup:
rule: RunAsAny
privileged: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- '*'
---
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
spec:
fsGroup:
rule: RunAsAny
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- '*'
To create these policies run
$ kubectl --server=https://127.0.0.1:6443 --token=foo/system:masters create -f examples/podsecuritypolicy/rbac/policies.yaml
podsecuritypolicy "privileged" created
podsecuritypolicy "restricted" created
Roles and bindings
In order to a PodSecurityPolicy a user must have the ability to perform the use verb on the policy.
The use verb is a special verb that grants access to use the policy while
not allowing any other access. This verb is specific to PodSecurityPolicy.
To enable the use access we will create cluster roles. In this example we will provide the roles:
restricted-psp-user: this role allows theuseverb on therestrictedpolicy onlyprivileged-psp-user: this role allows theuseverb on theprivilegedpolicy only
To associate roles with users we will use groups via a RoleBinding. This example uses
the following groups:
privileged: this group is bound to theprivilegedPSProle andrestrictedPSProle which gives users in this group access to both policies.restricted: this group is bound to therestrictedPSProlesystem:authenticated: this is a system group for any authenticated user. It is bound to theeditrole which is already provided by the cluster.
To create these roles and bindings run
$ kubectl --server=https://127.0.0.1:6443 --token=foo/system:masters create -f examples/podsecuritypolicy/rbac/roles.yaml
clusterrole "restricted-psp-user" created
clusterrole "privileged-psp-user" created
$ kubectl --server=https://127.0.0.1:6443 --token=foo/system:masters create -f examples/podsecuritypolicy/rbac/bindings.yaml
clusterrolebinding "privileged-psp-users" created
clusterrolebinding "restricted-psp-users" created
clusterrolebinding "edit" created
Testing access
Restricted user can create non-privileged pods
Create the pod
$ kubectl --server=https://127.0.0.1:6443 --token=foo/restricted-psp-users create -f examples/podsecuritypolicy/rbac/pod.yaml
pod "nginx" created
Check the PSP that allowed the pod
$ kubectl get pod nginx -o yaml | grep psp
kubernetes.io/psp: restricted
Restricted user cannot create privileged pods
Delete the existing pod
$ kubectl delete pod nginx
pod "nginx" deleted
Create the privileged pod
$ kubectl --server=https://127.0.0.1:6443 --token=foo/restricted-psp-users create -f examples/podsecuritypolicy/rbac/pod_priv.yaml
Error from server (Forbidden): error when creating "examples/podsecuritypolicy/rbac/pod_priv.yaml": pods "nginx" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
Privileged user can create non-privileged pods
$ kubectl --server=https://127.0.0.1:6443 --token=foo/privileged-psp-users create -f examples/podsecuritypolicy/rbac/pod.yaml
pod "nginx" created
Check the PSP that allowed the pod. Note, this could be the restricted or privileged PSP since both allow
for the creation of non-privileged pods.
$ kubectl get pod nginx -o yaml | egrep "psp|privileged"
kubernetes.io/psp: privileged
privileged: false
Privileged user can create privileged pods
Delete the existing pod
$ kubectl delete pod nginx
pod "nginx" deleted
Create the privileged pod
$ kubectl --server=https://127.0.0.1:6443 --token=foo/privileged-psp-users create -f examples/podsecuritypolicy/rbac/pod_priv.yaml
pod "nginx" created
Check the PSP that allowed the pod.
$ kubectl get pod nginx -o yaml | egrep "psp|privileged"
kubernetes.io/psp: privileged
privileged: true