RKE2 Pod Security Policy

In this post I will show you how you can use Pod Security Policys in RKE2.

Parts of the K8S Security Lab series

Container Runetime Security

• Part1: How to deploy CRI-O with Firecracker?
• Part2: How to deploy CRI-O with gVisor?
• Part3: How to deploy containerd with Firecracker?
• Part4: How to deploy containerd with gVisor?
• Part5: How to deploy containerd with kata containers?

Advanced Kernel Security

• Part1: Hardening Kubernetes with seccomp
• Part2: Linux user namespace management wit CRI-O in Kubernetes
• Part3: Hardening Kubernetes with seccomp

Network Security

• Part1: RKE2 Install With Calico
• Part2: RKE2 Install With Cilium
• Part3: CNI-Genie: network separation with multiple CNI
• Part3: Configurre network wit nmstate operator
• Part3: Kubernetes Network Policy
• Part4: Kubernetes with external Ingress Controller with vxlan
• Part4: Kubernetes with external Ingress Controller with bgp
• Part4: Central authentication with oauth2-proxy
• Part5: Secure your applications with Pomerium Ingress Controller
• Part6: CrowdSec Intrusion Detection System (IDS) for Kubernetes
• Part7: Kubernetes audit logs and Falco

Secure Kubernetes Install

• Part1: Best Practices to keeping Kubernetes Clusters Secure
• Part2: Kubernetes Secure Install
• Part3: Kubernetes Hardening Guide with CIS 1.6 Benchmark
• Part4: Kubernetes Certificate Rotation

User Security

• Part1: How to create kubeconfig?
• Part2: How to create Users in Kubernetes the right way?
• Part3: Kubernetes Single Sign-on with Pinniped OpenID Connect
• Part4: Kubectl authentication with Kuberos Depricated !!
• Part5: Kubernetes authentication with Keycloak and gangway Depricated !!
• Part6: kube-openid-connect 1.0 Depricated !!

Image Security

Part1: Image security Admission Controller

Part2: Image security Admission Controller V2

Part3: Image security Admission Controller V3

Part4: Continuous Image security

Part5: trivy-operator 1.0

Part6: trivy-operator 2.1: Trivy-operator is now an Admisssion controller too!!!

Part7: trivy-operator 2.2: Patch release for Admisssion controller

Part8: trivy-operator 2.3: Patch release for Admisssion controller

Part8: trivy-operator 2.4: Patch release for Admisssion controller

Part8: trivy-operator 2.5: Patch release for Admisssion controller

Part9_ Image Signature Verification with Connaisseur

Part10: Image Signature Verification with Connaisseur 2.0

Part11: Image Signature Verification with Kyverno

Part12: How to use imagePullSecrets cluster-wide??

Part13: Automatically change registry in pod definition

Part14: ArgoCD auto image updater

Pod Security

• Part1: Using Admission Controllers
• Part2: RKE2 Pod Security Policy
• Part3: Kubernetes Pod Security Admission
• Part4: Kubernetes: How to migrate Pod Security Policy to Pod Security Admission?
• Part5: Pod Security Standards using Kyverno
• Part6: Kubernetes Cluster Policy with Kyverno

Secret Security

• Part1: Kubernetes and Vault integration
• Part2: Kubernetes External Vault integration
• Part3: ArgoCD and kubeseal to encript secrets
• Part4: Flux2 and kubeseal to encrypt secrets
• Part5: Flux2 and Mozilla SOPS to encrypt secrets

Monitoring and Observability

• Part6: K8S Logging And Monitoring
• Part7: Install Grafana Loki with Helm3

Backup

• Part1: Backup your Kubernetes Cluster
• Part2: How to Backup Kubernetes to git?

What is a Pod Security Policy?

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. RBAC Controlls the usable Kubernetes objects for a user but nt the conditions of a specific ofject like allow run as root or not in a container. PSP objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for their related fields. PodSecurityPolicy is an optional admission controller that is enabled by default through the API, thus policies can be deployed without the PSP admission plugin enabled.

PSP examples using RKE2

RKE2 can be ran with or without the profile: cis-1.5 configuration parameter. This will cause it to apply different PodSecurityPolicies (PSPs) at start-up. If running with the cis-1.5 profile, RKE2 will apply a restrictive policy called global-restricted-psp to all namespaces except kube-system. The kube-system namespace needs a less restrictive policy named system-unrestricted-psp in order to launch critical components.

The policies are outlined below.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: global-restricted-psp
spec:
  privileged: false                # CIS - 5.2.1
  allowPrivilegeEscalation: false  # CIS - 5.2.5
  requiredDropCapabilities:        # CIS - 5.2.7/8/9
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false               # CIS - 5.2.4
  hostIPC: false                   # CIS - 5.2.3
  hostPID: false                   # CIS - 5.2.2
  runAsUser:
    rule: 'MustRunAsNonRoot'       # CIS - 5.2.6
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false

This PSP disables privileged and allowPrivilegeEscalation and force tu run conatiners with UserID and GroupID betwean 1-65535 threat means you cannot run containers wit UserID/GroupID 0 what is root.

The “system unrestricted policy” is applied. See below.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: system-unrestricted-psp
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

Test PSP

Is I try to deploy a Deployment with a container running as root it will fail.

kubectl get deploy,rs,pod
# output
NAME                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/alpine-test   0/1     0            0           67s

NAME                                          DESIRED   CURRENT   READY   AGE
replicaset.extensions/alpine-test-85c976cdd   1         0         0       67s

What happened?

kubectl describe replicaset.extensions/alpine-test-85c976cdd | tail -n3
# output
 Type     Reason        Age                    From                   Message
  ----     ------        ----                   ----                   -------
  Warning  FailedCreate  114s (x16 over 4m38s)  replicaset-controller  Error creating: pods "alpine-test-85c976cdd-" is forbidden: unable to validate against any pod security policy: []

Custom PSP

I usually create a restricted rule with allowing the root user in the cobtainer because some operator’s container still use it.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allow-root-psp
spec:
  privileged: false                # CIS - 5.2.1
  allowPrivilegeEscalation: false  # CIS - 5.2.5
  requiredDropCapabilities:        # CIS - 5.2.7/8/9
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false               # CIS - 5.2.4
  hostIPC: false                   # CIS - 5.2.3
  hostPID: false                   # CIS - 5.2.2
  runAsUser:
    rule: 'MustRunAsNonRoot'       # CIS - 5.2.6
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false

To use this PSP we need to create a ClusterRole.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: allow-root-psp-role
rules:
- apiGroups:
  - policy
  resourceNames:
  - allow-root-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use