Applying Pod Security Standard or Creating Pod Security Policy for Kubernetes Cluster
Pod Security Standards should be applied to the namespace if a Kubernetes cluster at v1.25 or above is used (Pod Security Policy was removed in v1.25). This Helm chart has been certified against the baseline Pod Security Standard with the enforce security level. For more details, refer to the Kubernetes documentation on Pod Security Standards.
- On clusters where it is still available, the Pod Security Policy (PSP) control is optional (but recommended); see the Kubernetes documentation on Pod Security Policy for more information. IBM CCS defines a custom Pod Security Policy which is the minimum set of permissions/capabilities needed to deploy this chart and for the Connect:Direct for Unix container to function properly. This is the recommended PSP for this chart, and it can be created on the cluster by the cluster administrator. The PSP and cluster role for this chart are defined below. The cluster administrator can either use the snippets given below or the scripts provided in the Helm chart to create the PSP and cluster role and tie them to the namespace where the deployment will be performed. In both cases the same PSP and cluster role are created. It is recommended to use the scripts in the Helm chart so that the required PSP and cluster role are created without any issue.
- Below is the custom PodSecurityPolicy definition that the cluster admin can use:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ibm-connect-direct-psp
  labels:
    app: "ibm-connect-direct-psp"
spec:
  privileged: false
  allowPrivilegeEscalation: true
  hostPID: false
  hostIPC: false
  hostNetwork: false
  requiredDropCapabilities:
  allowedCapabilities:
  - FOWNER
  - SETUID
  - SETGID
  - DAC_OVERRIDE
  - CHOWN
  - AUDIT_WRITE
  - SYS_CHROOT
  allowedHostPaths:
  runAsUser:
    rule: MustRunAsNonRoot
  runAsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  seLinux:
    rule: MustRunAs
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 4294967294
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - nfs
  - persistentVolumeClaim
  - projected
  - secret
  forbiddenSysctls:
  - '*'
```
- Custom ClusterRole for the custom PodSecurityPolicy:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "ibm-connect-direct-psp"
  labels:
    app: "ibm-connect-direct-psp"
rules:
- apiGroups:
  - policy
  resourceNames:
  - ibm-connect-direct-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
```
- From the command line, you can run the setup scripts included in the Helm chart as cluster admin (untar the downloaded Helm chart archive first):

```
ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh <Namespace where deployment will be performed>
```
Note: If the above scripts are not executable, make them executable by running the following commands:

```
chmod u+x ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh
chmod u+x ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
```
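The PSP above and the baseline Pod Security Standard mentioned at the top both reduce to a short list of admission checks on a Pod spec: no privileged containers, no host PID/IPC/network namespaces, no sysctls, only the listed volume types (so no hostPath), a non-root user, and no added capabilities beyond the allowed set. The following added example (not code from the Helm chart or from IBM) implements those checks in Python so a pod manifest can be reviewed before it is submitted to a cluster where the PSP or a baseline-enforcing namespace would reject it. The two pod specs are constructed for illustration, the image name is a placeholder, and the capability and volume lists are copied from the PSP definition above; note that all seven allowed capabilities also fall within the baseline standard's permitted additions.

```python
"""Pre-deployment check of a Pod spec against the constraints expressed by the
ibm-connect-direct-psp PodSecurityPolicy (privileged, host namespaces, sysctls,
volume types, non-root user, added capabilities).

Added example, not part of the Helm chart; the pod specs below are constructed.
"""

# Capabilities the PSP allows a container to add (allowedCapabilities above).
PSP_ALLOWED_CAPABILITIES = {
    "FOWNER", "SETUID", "SETGID", "DAC_OVERRIDE", "CHOWN", "AUDIT_WRITE", "SYS_CHROOT",
}

# Volume types the PSP permits (volumes list above); hostPath is absent on purpose.
PSP_ALLOWED_VOLUMES = {
    "configMap", "downwardAPI", "emptyDir", "nfs",
    "persistentVolumeClaim", "projected", "secret",
}


def psp_violations(pod):
    """Return human-readable violations of the PSP constraints for a Pod dict.

    `pod` is shaped like a Pod manifest (metadata/spec). An empty list means the
    pod passes every check implemented here.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []

    # hostPID / hostIPC / hostNetwork are all set to false in the PSP.
    for field in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(field):
            violations.append(f"pod sets {field}: true")

    # forbiddenSysctls: '*' rejects every sysctl, safe or unsafe.
    for sysctl in pod_sc.get("sysctls", []):
        violations.append(f"pod sets sysctl {sysctl.get('name')}")

    # A volume entry is {"name": ..., "<type>": {...}}; only listed types pass.
    for vol in spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):
            if kind not in PSP_ALLOWED_VOLUMES:
                violations.append(f"volume {vol.get('name')} uses disallowed type {kind}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        if sc.get("privileged"):
            violations.append(f"container {name} is privileged")
        # runAsUser rule MustRunAsNonRoot: container-level settings override pod-level.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not run_as_non_root and run_as_user in (None, 0):
            violations.append(f"container {name} may run as root")
        # allowedCapabilities bounds what a container may add.
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in PSP_ALLOWED_CAPABILITIES:
                violations.append(f"container {name} adds capability {cap}")
    return violations


# Constructed pod spec in the shape the PSP admits.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "cdu-ok"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000},
        "containers": [{
            "name": "cdu",
            "image": "example.invalid/connect-direct:placeholder",  # placeholder
            "securityContext": {"capabilities": {
                "drop": ["ALL"],
                "add": ["FOWNER", "SETUID", "SETGID", "DAC_OVERRIDE",
                        "CHOWN", "AUDIT_WRITE", "SYS_CHROOT"]}},
        }],
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "cdu-pvc"}}],
    },
}

# Constructed pod spec that breaks several constraints at once.
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "cdu-bad"},
    "spec": {
        "hostPID": True,
        "securityContext": {"sysctls": [{"name": "net.core.somaxconn", "value": "1024"}]},
        "containers": [{
            "name": "cdu",
            "image": "example.invalid/connect-direct:placeholder",  # placeholder
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        print(pod["metadata"]["name"], psp_violations(pod) or "OK")
```

Run it as a script to see the compliant spec pass and the non-compliant one reported with six findings; to check a real manifest, load it with a YAML parser into a dict and pass it to `psp_violations`. The check deliberately mirrors only the fields the PSP above constrains, so a clean result here is a pre-flight signal, not a substitute for the cluster's own admission decision.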