Enabling pod isolation

Pod isolation is enabled automatically for IBM® Cloud Private.

If you are upgrading from version 3.1.1 to 3.1.2, additional steps must be performed to enable a globally default, restricted pod security policy for all users and service accounts.

To enable the restricted pod security policy setting with the IBM Cloud Private command line, complete the following steps:

  1. Log in to IBM Cloud Private with cloudctl as a cluster administrator.

  2. Verify that the value for the pod security policy default is set to unrestricted. Run the following command:

     cloudctl cm psp-default-get
    Your output might resemble the following content:

     Default PSP:        unrestricted
  3. Enable the restricted default pod security policy. Run the following command:

     cloudctl cm psp-default-set restricted
     OK
    The following changes are made to your cluster:

    1. All PodSecurityPolicy and ClusterRoleBinding resources are created or repaired.
    2. The unrestricted ClusterRoleBinding ibm-anyuid-hostpath-psp-users is removed.
    3. The restricted ClusterRoleBinding ibm-restricted-psp-users is created. It maps the ibm-restricted-psp PodSecurityPolicy to all users in the cluster, including all service accounts.
    4. Any namespace that does not have an explicit RoleBinding or ClusterRoleBinding to a PodSecurityPolicy is bound to the ibm-anyuid-hostpath-clusterrole using a RoleBinding. This preserves compatibility for the workloads already running in those namespaces.
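As an added check that is not part of the IBM documentation, the following Python audits the parsed output of `kubectl get clusterrolebindings -o json` and `kubectl get rolebindings --all-namespaces -o json` against the four changes listed above: the restricted binding must exist and cover everyone, the unrestricted one must be gone, and it lists the namespaces that received the ibm-anyuid-hostpath compatibility RoleBinding. The Group subjects it expects on ibm-restricted-psp-users (system:authenticated and system:serviceaccounts) and the namespace and ClusterRole names in the constructed sample data are assumptions.

```python
RESTRICTED_CRB = "ibm-restricted-psp-users"            # must exist, bound to everyone
UNRESTRICTED_CRB = "ibm-anyuid-hostpath-psp-users"     # must be removed
COMPAT_CLUSTERROLE = "ibm-anyuid-hostpath-clusterrole"  # per-namespace compat binding
ALL_USER_GROUPS = {"system:authenticated", "system:serviceaccounts"}  # assumption

def binds_all_users(crb):
    """True when the binding's Group subjects cover every user and service account."""
    groups = {s.get("name") for s in crb.get("subjects", []) if s.get("kind") == "Group"}
    return ALL_USER_GROUPS <= groups

def audit_psp_bindings(cluster_role_bindings, role_bindings):
    """Report whether the restricted default is in force, why not if it is not,
    and which namespaces still carry the ibm-anyuid-hostpath compatibility RoleBinding."""
    by_name = {c["metadata"]["name"]: c for c in cluster_role_bindings}
    findings = []
    restricted = by_name.get(RESTRICTED_CRB)
    if restricted is None:
        findings.append(f"ClusterRoleBinding {RESTRICTED_CRB} is missing")
    elif not binds_all_users(restricted):
        findings.append(f"{RESTRICTED_CRB} does not bind {sorted(ALL_USER_GROUPS)}")
    if UNRESTRICTED_CRB in by_name:
        findings.append(f"unrestricted ClusterRoleBinding {UNRESTRICTED_CRB} still present")
    anyuid_namespaces = sorted(
        rb["metadata"]["namespace"] for rb in role_bindings
        if rb["roleRef"].get("kind") == "ClusterRole"
        and rb["roleRef"]["name"] == COMPAT_CLUSTERROLE)
    return {"restricted_default": not findings,
            "findings": findings,
            "anyuid_namespaces": anyuid_namespaces}

# Constructed sample objects, trimmed to the fields the audit reads.
def _crb(name, groups):
    return {"metadata": {"name": name},
            "subjects": [{"kind": "Group", "name": g} for g in groups]}

def _rb(namespace, cluster_role):
    return {"metadata": {"name": cluster_role + "-binding", "namespace": namespace},
            "roleRef": {"kind": "ClusterRole", "name": cluster_role}}

BEFORE_CRBS = [_crb(UNRESTRICTED_CRB, ALL_USER_GROUPS)]   # state seen at step 2
AFTER_CRBS = [_crb(RESTRICTED_CRB, ALL_USER_GROUPS)]      # state expected after step 3
AFTER_RBS = [_rb("legacy-apps", COMPAT_CLUSTERROLE),      # namespace with no explicit PSP binding
             _rb("kube-system", "example-explicit-psp-clusterrole")]  # hypothetical explicit binding

if __name__ == "__main__":
    print(audit_psp_bindings(BEFORE_CRBS, []))          # restricted_default False, two findings
    print(audit_psp_bindings(AFTER_CRBS, AFTER_RBS))    # True, anyuid_namespaces ['legacy-apps']
```

Namespaces listed under anyuid_namespaces are the ones still running under the permissive policy and are the place to add an explicit, tighter RoleBinding once their workloads are confirmed to tolerate it.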