Creating Pod Security Policy for Kubernetes Cluster
- In Kubernetes, the Pod Security Policy (PSP) control is optional but recommended; see the Kubernetes documentation for more information on Pod Security Policy. Based on your organization's security policy, you may need to decide the pod security policy for your Kubernetes cluster. The IBM Sterling Secure Proxy chart defines a custom Pod Security Policy that is the minimum set of permissions and capabilities needed to deploy this chart and for the SSP container to function properly. This is the recommended PSP for this chart, and it can be created on the cluster by the cluster administrator. The PSP and cluster role for this chart are defined below. The cluster administrator can either use the snippets given below or the scripts provided in the Helm chart to create the PSP and cluster role and tie them to the namespace where the deployment will be performed. In both cases the same PSP and cluster role are created. Using the scripts in the Helm chart is recommended so that the required PSP and cluster role are created without any issue.
- The cluster admin can use the following Custom Configuration Manager PodSecurityPolicy definition:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ibm-ssp-cm-psp
  labels:
    app: "ibm-ssp-cm-psp"
spec:
  privileged: false
  allowPrivilegeEscalation: true
  hostPID: false
  hostIPC: false
  hostNetwork: false
  requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETFCAP
  - FSETID
  - NET_BIND_SERVICE
  - SYS_CHROOT
  - SETPCAP
  - NET_RAW
  allowedCapabilities:
  - CHOWN
  - SETGID
  - SETUID
  - DAC_OVERRIDE
  - FOWNER
  allowedHostPaths:
  runAsUser:
    rule: MustRunAsNonRoot
  runAsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
  - nfs
  forbiddenSysctls:
  - '*'
- The cluster admin can use the following Custom Engine PodSecurityPolicy definition:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ibm-ssp-engine-psp
  labels:
    app: "ibm-ssp-engine-psp"
spec:
  privileged: false
  allowPrivilegeEscalation: true
  hostPID: false
  hostIPC: false
  hostNetwork: false
  requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETFCAP
  - FSETID
  - NET_BIND_SERVICE
  - SYS_CHROOT
  - SETPCAP
  - NET_RAW
  allowedCapabilities:
  - CHOWN
  - SETGID
  - SETUID
  - DAC_OVERRIDE
  - FOWNER
  allowedHostPaths:
  runAsUser:
    rule: MustRunAsNonRoot
  runAsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
  - nfs
  forbiddenSysctls:
  - '*'
- The cluster admin can use the following Custom Perimeter Server PodSecurityPolicy definition:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ibm-ssp-ps-psp
  labels:
    app: "ibm-ssp-ps-psp"
spec:
  privileged: false
  allowPrivilegeEscalation: true
  hostPID: false
  hostIPC: false
  hostNetwork: false
  requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETFCAP
  - FSETID
  - NET_BIND_SERVICE
  - SYS_CHROOT
  - SETPCAP
  - NET_RAW
  allowedCapabilities:
  - CHOWN
  - SETGID
  - SETUID
  - DAC_OVERRIDE
  - FOWNER
  allowedHostPaths:
  runAsUser:
    rule: MustRunAsNonRoot
  runAsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
  - nfs
  forbiddenSysctls:
  - '*'
- Custom Cluster Role for Custom Configuration Manager PodSecurityPolicy:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "ibm-ssp-cm-psp"
  labels:
    app: "ibm-ssp-cm-psp"
rules:
- apiGroups:
  - policy
  resourceNames:
  - ibm-ssp-cm-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
- Custom Cluster Role for Custom Engine PodSecurityPolicy:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "ibm-ssp-engine-psp"
  labels:
    app: "ibm-ssp-engine-psp"
rules:
- apiGroups:
  - policy
  resourceNames:
  - ibm-ssp-engine-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
- Custom Cluster Role for Custom Perimeter Server PodSecurityPolicy:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "ibm-ssp-ps-psp"
  labels:
    app: "ibm-ssp-ps-psp"
rules:
- apiGroups:
  - policy
  resourceNames:
  - ibm-ssp-ps-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
- From the command line, you can run the setup scripts included in the Helm chart as cluster admin (untar the downloaded Helm chart archive first):
<chart-name>/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
<chart-name>/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh <Namespace where deployment will be performed>
Note: If the above scripts are not executable, make them executable by running the following commands:
chmod u+x <chart-name>/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
chmod u+x <chart-name>/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh
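The page shows the PSPs and the ClusterRoles but not the step that ties them to the deployment namespace. As an added example (not the chart's own createSecurityNamespacePrereqs.sh, whose contents are not shown here), the following shell functions generate the RoleBindings that grant the "use" verb on each SSP PSP to the namespace's service accounts, and a kubectl check to confirm the grant after applying; binding to the whole system:serviceaccounts:<ns> group rather than to a specific service account is an assumption made for illustration.

```shell
#!/bin/sh
# Added example, not part of the IBM Sterling Secure Proxy chart.
# Assumption: binding each PSP ClusterRole to the group of all service accounts
# in the namespace is enough for the chart's pods; a tighter binding would name
# the chart's service account instead of the group.

# Print a RoleBinding that lets service accounts in namespace $1 "use"
# the PSP granted by ClusterRole $2 (e.g. ibm-ssp-cm-psp).
ssp_psp_rolebinding() {
  ns="$1"
  role="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-binding
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:${ns}
EOF
}

# Emit one RoleBinding per SSP component (CM, engine, perimeter server),
# as a multi-document YAML stream suitable for: ssp_all_psp_rolebindings ns | kubectl apply -f -
ssp_all_psp_rolebindings() {
  ns="$1"
  for role in ibm-ssp-cm-psp ibm-ssp-engine-psp ibm-ssp-ps-psp; do
    echo "---"
    ssp_psp_rolebinding "$ns" "$role"
  done
}

# Post-apply check: ask the API server whether a service account in the
# namespace is allowed to "use" the PSP. Prints "yes" when the binding is
# effective. (Calls kubectl, so it is not executed by the offline test.)
ssp_check_psp_use() {
  ns="$1"
  role="$2"
  kubectl auth can-i use "podsecuritypolicy/${role}" \
    --as="system:serviceaccount:${ns}:default" -n "$ns"
}
```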