Pod Security Policy

Starting from IBM Cloud Private 3.1.1, a set of predefined Pod Security Policies (PSP) is supplied to constrain what the pods and containers in your cluster are allowed to do (for example, whether they can run privileged or as root). For more details about ICP's Pod Security Policies, see the Pod Security page in the IBM Cloud Private documentation.

Each Netcool/OMNIbus Probe chart specifies a PodSecurityPolicy that must be bound to the target namespace before the chart is installed.

You can either choose a predefined PodSecurityPolicy or have your cluster administrator create a custom PodSecurityPolicy for you. Refer to the chart README or chart Overview page on the ICP Console to determine the predefined PodSecurityPolicy required by the chart.

If you already have a namespace bound to the required predefined PodSecurityPolicy, you can proceed with the chart installation. Otherwise, create the prerequisite resources using one of the following methods, described in the sections that follow:
  • Using the ICP Console
  • Using the command line with the scripts provided with the package

Creating prerequisite resources for PodSecurityPolicy using the ICP Console

Each chart lists the resources it requires (PodSecurityPolicy, ClusterRole and RoleBinding), together with their YAML definitions, in its README page. You can use these definitions to create the resources by following the steps below, which use the ibm-netcool-prod chart as an example:

  1. Log in as a Cluster Administrator.
  2. Click the Catalog button on the top menu.
  3. Select a Helm Chart or Cloud Pak to install.
  4. On the Overview page, scroll down to the PodSecurityPolicy Requirements section. This section contains the PodSecurityPolicy, ClusterRole and RoleBinding YAML definitions.
  5. Select and copy the PodSecurityPolicy YAML definition.
  6. Click the Create resource button on the top menu.
  7. In the Create resource window, replace the template contents with the PodSecurityPolicy YAML. (Optionally, update the name of the PodSecurityPolicy, which is specified by the metadata.name attribute.) Then click Create.
  8. Select and copy the ClusterRole YAML definition.
  9. Click the Create resource button on the top menu.
  10. In the Create resource window, replace the template contents with the ClusterRole YAML. (Optionally, update the name of the ClusterRole, which is specified by the metadata.name attribute.) Then click Create.
  11. If you want to create a new namespace bound to the PodSecurityPolicy created above, select Menu > Manage > Namespaces. Enter a name for the namespace, select the PodSecurityPolicy created above, and click Create.
  12. Create a RoleBinding so that the service accounts in the target namespace are allowed to use the PodSecurityPolicy. Select and copy the RoleBinding YAML definition.
  13. Click the Create resource button on the top menu.
  14. In the Create resource window, replace the template contents with the RoleBinding YAML. Replace {{ NAMESPACE }} in the template with the actual namespace. (Optionally, update the name of the RoleBinding, which is specified by the metadata.name attribute.) Then click Create.
  15. You can now install the chart in the namespace bound to the custom PodSecurityPolicy.

Creating prerequisite resources for PodSecurityPolicy using the command line

To create the prerequisite resources for PodSecurityPolicy from the command line, use the following steps:

  1. Extract the pre-installation scripts from the archive; they are located under the ibm_cloud_pak/pak_extensions directory. The following example shows how to extract the scripts from the ibm-noi-probe-3.9.3-x86.tgz archive.
    $ tar -xvf ibm-noi-probe-3.9.3-x86.tgz ibm_cloud_pak
  2. As a cluster administrator, run the createSecurityClusterPrereqs.sh script. This script creates the cluster-scoped PodSecurityPolicy and ClusterRole resources. The following example command runs the script for a namespace called my-probe-namespace:
    $ cd ibm_cloud_pak/pak_extensions
    $ ./pre-install/clusterAdministration/createSecurityClusterPrereqs.sh my-probe-namespace
  3. As an administrator or cluster administrator, run the namespace-scoped createSecurityNamespacePrereqs.sh script, providing the target namespace as an argument. This script creates the RoleBinding that allows the service accounts in the target namespace to use the PodSecurityPolicy. The namespace must exist before you run this script. The following example command runs the script on a namespace called my-probe-namespace.
    $ cd ibm_cloud_pak/pak_extensions
    $ ./pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh my-probe-namespace
  4. You can now install the chart in the namespace with the custom PodSecurityPolicy.
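The chart's own YAML is not reproduced on this page, so the following added example (not the chart's scripts and not IBM's definitions) shows the shape of what both the console steps above and the createSecurityClusterPrereqs.sh / createSecurityNamespacePrereqs.sh scripts create: a restrictive PodSecurityPolicy, a ClusterRole that grants the use verb on that one policy, and a RoleBinding that grants it to every service account in the target namespace, with the namespace substituted for {{ NAMESPACE }}. The script name psp-prereqs.sh, the resource names ibm-noi-probe-psp and ibm-noi-probe-clusterrole, and the policy settings are assumptions for illustration; take the real definitions from the chart README.

```shell
#!/bin/sh
# Added example (not the chart's own scripts): renders the PodSecurityPolicy,
# ClusterRole and RoleBinding prerequisites that the console steps and the
# createSecurity*Prereqs.sh scripts create, substituting the target namespace
# for {{ NAMESPACE }}. Resource names and policy settings are assumptions;
# take the real definitions from the chart README.
set -eu

PSP_NAME="${PSP_NAME:-ibm-noi-probe-psp}"                         # assumed name
CLUSTERROLE_NAME="${CLUSTERROLE_NAME:-ibm-noi-probe-clusterrole}" # assumed name

# Kubernetes object names must be DNS-1123 subdomains; reject bad input
# before it is interpolated into YAML and sent to the API server.
valid_k8s_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# Cluster-scoped resources (the cluster administrator's step): a restrictive
# PSP and a ClusterRole that grants the "use" verb on that PSP only.
render_cluster_prereqs() {
  cat <<EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ${PSP_NAME}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: ["configMap", "emptyDir", "secret", "persistentVolumeClaim"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${CLUSTERROLE_NAME}
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["${PSP_NAME}"]
  verbs: ["use"]
EOF
}

# Namespace-scoped RoleBinding (the namespace administrator's step): binds the
# ClusterRole to every service account in the namespace, so the PSP admission
# controller lets pods created there use the policy.
render_namespace_prereqs() {
  ns="$1"
  if ! valid_k8s_name "$ns"; then
    echo "invalid namespace name: $ns" >&2
    return 1
  fi
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${CLUSTERROLE_NAME}-rolebinding
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${CLUSTERROLE_NAME}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:${ns}
EOF
}

# Usage: sh psp-prereqs.sh <namespace> [apply|delete]
# With no action given, the manifests are only printed for review.
if [ "$#" -gt 0 ]; then
  case "${2:-print}" in
    apply)  render_cluster_prereqs | kubectl apply -f -
            render_namespace_prereqs "$1" | kubectl apply -f - ;;
    delete) render_namespace_prereqs "$1" | kubectl delete -f -
            render_cluster_prereqs | kubectl delete -f - ;;
    *)      render_cluster_prereqs; render_namespace_prereqs "$1" ;;
  esac
fi
```

Two details matter for security here. The ClusterRole restricts the use verb with resourceNames, so the binding grants the namespace exactly this one policy and not every PodSecurityPolicy in the cluster, and the RoleBinding targets the group system:serviceaccounts:<namespace>, so a service account in another namespace gains nothing. Before installing the chart you can confirm the binding took effect with kubectl auth can-i use podsecuritypolicy/ibm-noi-probe-psp --as=system:serviceaccount:my-probe-namespace:default -n my-probe-namespace, which should answer yes. The delete action reverses the steps in the same order as the cleanup scripts below (namespace-scoped resources first, then the shared cluster-scoped ones). Note that the policy/v1beta1 PodSecurityPolicy API was removed in Kubernetes 1.25, so this only applies to the ICP releases this page covers.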

Cleaning up prerequisite resources created using the command line

You can clean up the custom prerequisite resources created for the PodSecurityPolicy by using the cleanup scripts provided in the archive under the ibm_cloud_pak/pak_extensions directory, as described in the following steps:

  1. As a cluster administrator, run the cluster administration cleanup script included under pak_extensions to clean up the cluster-scoped resources (the PodSecurityPolicy and ClusterRole). Because these resources are shared by every namespace bound to them, run this script only when no other release in the cluster still depends on them.
    $ cd ibm_cloud_pak/pak_extensions
    $ ./post-delete/clusterAdministration/deleteSecurityClusterPrereqs.sh
  2. As a Cluster Administrator, run the namespace administration cleanup script included under pak_extensions to clean up namespace scoped resources when appropriate. The namespace must be provided as an argument when running the script as shown in the following example.
    $ cd ibm_cloud_pak/pak_extensions
    $ ./post-delete/namespaceAdministration/deleteSecurityNamespacePrereqs.sh my-probe-namespace
  3. Optionally, as a Cluster Administrator, delete the namespace that was created, provided that no other Helm releases are installed in it.