Creating Pod Security Policy for Kubernetes Cluster
- In Kubernetes the Pod Security Policy (PSP) control is optional but recommended. Based on your organization's security policy, you may need to decide which pod security policy to apply to your Kubernetes cluster. The IBM Connect Direct for UNIX chart defines a custom Pod Security Policy that grants the minimum set of permissions/capabilities needed to deploy this chart and for the Connect Direct for UNIX container to function properly. This is the recommended PSP for this chart, and a cluster administrator can create it on the cluster. The PSP and cluster role for this chart are defined below. The cluster administrator can either use the snippets given below or the scripts provided in the Helm chart to create the PSP and cluster role and tie them to the namespace where the deployment will be performed. In both cases the same PSP and cluster role are created. Using the scripts in the Helm chart is recommended so that the required PSP and cluster role are created without any issue.
- Below is the custom PodSecurityPolicy definition that the cluster admin can use:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ibm-connect-direct-psp
  labels:
    app: "ibm-connect-direct-psp"
spec:
  privileged: false
  allowPrivilegeEscalation: true
  hostPID: false
  hostIPC: false
  hostNetwork: false
  requiredDropCapabilities:
  allowedCapabilities:
  - FOWNER
  - SETUID
  - SETGID
  - DAC_OVERRIDE
  - CHOWN
  - IPC_OWNER
  - AUDIT_WRITE
  - IPC_LOCK
  - SYS_CHROOT
  allowedHostPaths:
  runAsUser:
    rule: MustRunAsNonRoot
  runAsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
  - nfs
  forbiddenSysctls:
  - '*'
```
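To help decide whether this PSP fits your organization's policy, here is an added example (not part of the IBM chart) that reports what a PSP spec permits beyond the Kubernetes Pod Security Standards "baseline" and "restricted" profiles. The embedded dict mirrors the PSP above; the capability and volume lists are the published Pod Security Standards, not anything from the chart.

```python
# Added example (not part of the IBM chart): list what a PSP spec permits beyond
# the Kubernetes Pod Security Standards "baseline" and "restricted" profiles. The
# dict mirrors the ibm-connect-direct-psp spec above, so this runs offline.

# Capabilities baseline lets a container add; restricted allows only NET_BIND_SERVICE.
BASELINE_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
RESTRICTED_CAPS = {"NET_BIND_SERVICE"}
# Volume types restricted permits (baseline forbids only hostPath).
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}

IBM_CONNECT_DIRECT_PSP = {  # constructed dict mirroring the PSP spec above
    "privileged": False, "allowPrivilegeEscalation": True,
    "hostPID": False, "hostIPC": False, "hostNetwork": False,
    "allowedCapabilities": ["FOWNER", "SETUID", "SETGID", "DAC_OVERRIDE", "CHOWN",
                            "IPC_OWNER", "AUDIT_WRITE", "IPC_LOCK", "SYS_CHROOT"],
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "volumes": ["configMap", "emptyDir", "projected", "secret", "downwardAPI",
                "persistentVolumeClaim", "nfs"],
}


def audit_psp(spec):
    """Return {'baseline': [...], 'restricted': [...]} with findings where the
    PSP is looser than each profile; empty lists mean it is at least as strict."""
    baseline, restricted = [], []
    for flag in ("privileged", "hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            baseline.append(f"{flag} allowed")
    caps = set(spec.get("allowedCapabilities") or [])
    if caps - BASELINE_CAPS:
        baseline.append(f"capabilities beyond baseline: {sorted(caps - BASELINE_CAPS)}")
    if caps - RESTRICTED_CAPS:
        restricted.append(f"capabilities beyond restricted: {sorted(caps - RESTRICTED_CAPS)}")
    vols = set(spec.get("volumes") or [])
    if vols & {"hostPath", "*"}:
        baseline.append("hostPath volumes allowed")
    if vols - RESTRICTED_VOLUMES:
        restricted.append(f"volume types beyond restricted: {sorted(vols - RESTRICTED_VOLUMES)}")
    if spec.get("allowPrivilegeEscalation", True):  # PSP default is true
        restricted.append("allowPrivilegeEscalation not disabled")
    if spec.get("runAsUser", {}).get("rule") != "MustRunAsNonRoot":
        restricted.append("runAsNonRoot not enforced")
    # Every baseline finding is also a restricted finding.
    return {"baseline": baseline, "restricted": baseline + restricted}
```

For the chart's PSP the baseline findings are IPC_LOCK and IPC_OWNER; the restricted profile additionally flags the nfs volume type, the remaining capabilities and allowPrivilegeEscalation.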
- Custom ClusterRole for the custom PodSecurityPolicy:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "ibm-connect-direct-psp"
  labels:
    app: "ibm-connect-direct-psp"
rules:
- apiGroups:
  - policy
  resourceNames:
  - ibm-connect-direct-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
```
- From the command line, you can run the setup scripts included in the Helm chart as cluster admin (untar the downloaded Helm chart archive first):

```sh
ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh <Namespace where deployment will be performed>
```
Note: If the above scripts are not executable, make them executable by running the following commands:

```sh
chmod +x ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh
chmod +x ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
```