Creating Pod Security Policy for Kubernetes Cluster

  • In Kubernetes the Pod Security Policy (PSP) admission control is optional but recommended. Based on your organization's security policy, you may need to decide the pod security policy for your Kubernetes cluster. The IBM Connect Direct for UNIX chart defines a custom Pod Security Policy that grants the minimum set of permissions and capabilities needed to deploy this chart and for the Connect Direct for Unix container to function properly. This is the recommended PSP for this chart, and a cluster administrator can create it on the cluster. The PSP and the cluster role for this chart are defined below. The cluster administrator can either use the snippets given below or the scripts provided in the Helm chart to create the PSP and cluster role and tie them to the namespace where the deployment will be performed. In both cases the same PSP and cluster role are created. It is recommended to use the scripts in the Helm chart so that the required PSP and cluster role are created without any issue.
  • Below is the Custom PodSecurityPolicy definition that the cluster admin can use:
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: ibm-connect-direct-psp
      labels:
        app: "ibm-connect-direct-psp"
    spec:
      privileged: false
      allowPrivilegeEscalation: true
      hostPID: false
      hostIPC: false
      hostNetwork: false
      requiredDropCapabilities:
      allowedCapabilities:
      - FOWNER
      - SETUID
      - SETGID
      - DAC_OVERRIDE
      - CHOWN
      - IPC_OWNER
      - AUDIT_WRITE
      - IPC_LOCK
      - SYS_CHROOT
      allowedHostPaths:
      runAsUser:
        rule: MustRunAsNonRoot
      runAsGroup:
        rule: MustRunAs
        ranges:
        - min: 1
          max: 4294967294
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: MustRunAs
        ranges:
        - min: 1
          max: 4294967294
      fsGroup:
        rule: MustRunAs
        ranges:
        - min: 1
          max: 4294967294
      volumes:
      - configMap
      - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim
      - nfs
      forbiddenSysctls:
      - '*'
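  • As an added example (not code from the chart or its documentation), the following Python script checks a pod spec against the constraints of the PSP above in the way the PSP admission controller evaluates them: host namespaces, the MustRunAsNonRoot rule, the MustRunAs GID ranges, the allowed capabilities and the allowed volume types. It only validates (no defaulting or mutation of the pod), and the two pod specs at the bottom are constructed samples.

```python
# Constraints taken from the ibm-connect-direct-psp definition on this page.
PSP = {
    "allowedCapabilities": {"FOWNER", "SETUID", "SETGID", "DAC_OVERRIDE", "CHOWN",
                            "IPC_OWNER", "AUDIT_WRITE", "IPC_LOCK", "SYS_CHROOT"},
    "gidRange": (1, 4294967294),  # MustRunAs range for runAsGroup/supplementalGroups/fsGroup
    "volumes": {"configMap", "emptyDir", "projected", "secret", "downwardAPI",
                "persistentVolumeClaim", "nfs"},
}
def check_pod(pod):
    """Return the list of PSP violations for a pod spec dict (empty list = admitted)."""
    out = []
    psc = pod.get("securityContext", {})
    for f in ("hostPID", "hostIPC", "hostNetwork"):
        if pod.get(f):
            out.append(f"{f} is not allowed")
    lo, hi = PSP["gidRange"]
    gids = [psc[k] for k in ("runAsGroup", "fsGroup") if k in psc]
    for g in gids + list(psc.get("supplementalGroups", [])):
        if not lo <= g <= hi:
            out.append(f"gid {g} outside MustRunAs range {lo}-{hi}")
    for vol in pod.get("volumes", []):
        for kind in (k for k in vol if k != "name"):
            if kind not in PSP["volumes"]:
                out.append(f"volume {vol['name']}: type {kind} is not allowed")
    for c in pod.get("containers", []):
        sc = {**psc, **c.get("securityContext", {})}  # container settings override pod
        if sc.get("privileged"):
            out.append(f"{c['name']}: privileged is not allowed")
        # MustRunAsNonRoot: uid 0 is rejected; with no uid set, runAsNonRoot must be true
        if sc.get("runAsUser") == 0 or ("runAsUser" not in sc and not sc.get("runAsNonRoot")):
            out.append(f"{c['name']}: must run as non-root")
        extra = set(sc.get("capabilities", {}).get("add", [])) - PSP["allowedCapabilities"]
        if extra:
            out.append(f"{c['name']}: capabilities not allowed: {sorted(extra)}")
    return out
# Constructed sample: a pod that stays within what the chart's PSP permits.
GOOD_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsGroup": 45678, "fsGroup": 45678},
    "volumes": [{"name": "cd-data", "persistentVolumeClaim": {"claimName": "cd-pvc"}}],
    "containers": [{"name": "cdu", "securityContext": {
        "capabilities": {"add": ["SETUID", "SETGID", "CHOWN"]}}}],
}
# Constructed sample: root, hostNetwork, a hostPath volume, privileged and SYS_ADMIN.
BAD_POD = {
    "hostNetwork": True,
    "securityContext": {"runAsUser": 0, "fsGroup": 0},
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "cdu", "securityContext": {"privileged": True,
        "capabilities": {"add": ["SYS_ADMIN", "CHOWN"]}}}],
}
```

    Running `check_pod(GOOD_POD)` returns an empty list, while `check_pod(BAD_POD)` lists each setting the PSP would reject.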
  • Custom ClusterRole for the custom PodSecurityPolicy:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: "ibm-connect-direct-psp"
      labels:
        app: "ibm-connect-direct-psp"
    rules:
    - apiGroups:
      - policy
      resourceNames:
      - ibm-connect-direct-psp
      resources:
      - podsecuritypolicies
      verbs:
      - use
  • From the command line, you can run the setup scripts included in the Helm chart as cluster admin (after untarring the downloaded Helm chart archive):
    ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
    ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh <Namespace where deployment will be performed>
    Note: If the above scripts are not executable, make them executable by running the following commands:
    chmod +x ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh
    chmod +x ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh