Chapter 10. Pod and Container Security
When it comes to pod security via the Kubernetes API, you have two main options at your disposal: PodSecurityPolicy and RuntimeClass. In this chapter, we review the purpose and use of each API and provide best practices for their use.
PodSecurityPolicy API
Note
The PodSecurityPolicy API is under active development. As of Kubernetes 1.15, this API was in beta. Please visit the upstream documentation for the latest updates on the feature state.
This cluster-wide resource creates a single place to define and manage
all of the security-sensitive fields found in pod specifications. Prior to
the creation of the PodSecurityPolicy resource, cluster administrators and/or
users would need to independently define individual SecurityContext
settings for their workloads or enable bespoke admission controllers on
the cluster to enforce some aspects of pod security.
Does all of this sound too easy? PodSecurityPolicy is surprisingly difficult to implement effectively and will more often than not get turned off or evaded in other ways. We do, however, strongly suggest taking the time to fully understand PodSecurityPolicy because it’s one of the single most effective means to reduce your attack surface area by limiting what can run on your cluster and with what level of privilege.
Enabling PodSecurityPolicy
Along with the resource API, a corresponding admission controller must be enabled to enforce the conditions defined in the PodSecurityPolicy resource. ...
Get Kubernetes Best Practices now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
