Pod security

Learn how to secure pods and containers that are running in your cluster.

Kubernetes is a container orchestration platform. Container images can come from various sources and have different operating system requirements. Some containers are written to be self-contained such that they do not require any host operating system features. Other containers require access to the host operating system, such as the host network or file system.

It is important to identify what features are required so that running containers can be efficiently colocated or isolated from one another.

Pod security policies can be used to enforce container image security for the pods in your cluster. A pod security policy is a cluster level resource that controls the security sensitive aspects of pod specification and the set of conditions that must be met for a pod to be admitted into the cluster. The pod security policy is applied to the namespace by creating a ClusterRoleBinding or RoleBinding with the respective pod security policy ClusterRole for all ServiceAccounts in the namespace. Pod security policies allow cluster administrators to create pod isolation policies, and assign them to namespaces and worker nodes. For more information about Pod Security Policy, see Pod Security Policy Opens in a new tab.

Important: Multiple Pod Security Policies can be associated with a namespace or ServiceAccount. Pods can resolve to any of the compatible defined policies. For more information about policy order, see Policy Order on the Kubernetes Concepts page Opens in a new tab.

A Kubernetes Pod Opens in a new tab is a set of 1 or more colocated containers. The Pod Admission Controller prevents the creation of a pod if the pod security policy does not allow the privileged feature. The Pod Admission Controller can also set default values in the pod and container, preventing or allowing runtime access to privileged features.

All IBM Cloud Private Cloud Paks provide detailed container security requirements. For more information, see IBM Cloud Private Cloud Pak Security Policy definitions Opens in a new tab.

See Isolation on IBM Cloud Private to learn more about pod isolation.

Predefined pod security policies

IBM Cloud Private provides predefined policies that you can apply to your pod by associating them to a namespace during namespace creation. These predefined pod security policies apply to most of the IBM content charts. The following list shows the types and descriptions that range from the most restrictive to the least restrictive:

For more details about the policy definitions, see the IBM Cloud Pak Pod Security Policy Definitions Opens in a new tab.

If you install {{site.data.keyword.icpp_notm}} version 3.1.2 or later as a new installation, the default pod security policy setting is the ibm-restricted-psp policy, which is applied to all of the existing and newly created namespaces. If you upgrade to version 3.1.2 or later from an earlier version, the default pod security is the ibm-anyuid-hostpath-psp policy, which is unrestricted and is applied by default to all of the existing and newly created namespaces. The upgraded settings are unrestricted to prevent any disruptions with access issues on the applications and pods that are already running in your cluster.

You can also use the IBM Cloud Private CLI commands to view the current settings of the cluster, and to toggle the pod security policy between restricted and unrestricted modes. See IBM Cloud Private CLI cm commands (cm) for more information about using these commands.

You can view the pod security policy CLI command settings information in the IBM Cloud Private management console by selecting the settings icon on the Pod Security page.

The namespace overview page shows the pod security policies for every namespace. See Namespaces for more information about namespaces.

When you create a namespace, you can now associate the pod security policy to the namespace, which can be used to deploy content or a chart. See Creating a namespace for more details about associating a pod security policy to a namespace.

The pod security policy requirements are displayed on the chart configuration page to help facilitate namespace selection and deployment. See Deploying Helm charts in the Catalog

Customized pod security policies

You can also create your own pod security policies.

See the following topics to manage your pod security policy: