Creating a custom pod security policy

You can either use a predefined policy from IBM Cloud Paks or create a custom pod security policy in YAML. You can also create a custom pod security policy by using the IBM® Cloud Private console.

Create a pod security policy in YAML

You can create a pod security policy by creating a YAML file from the management console. Complete the following steps to create a pod security policy in YAML:

  1. Review the IBM Cloud Pak Security Policy Definitions README file.
  2. From the IBM Cloud Pak README, select a predefined pod security policy to view the contents that are required for the pod security policy.
  3. Copy the contents of the pod security policy that you selected. The YAML contents might resemble the following output:

    cat <<EOF | kubectl create -f -
    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: appsales-anyuid-psp
    spec:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: false
      allowedCapabilities:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      runAsUser:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      volumes:
      - configMap
      - secret
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: appsales-anyuid-psp-clusterrole
    rules:
    - apiGroups:
      - extensions
      resourceNames:
      - appsales-anyuid-psp
      resources:
      - podsecuritypolicies
      verbs:
      - use
    EOF
    
  4. In the ClusterRole section of the YAML file, you must reference the pod security policy name in the following parameters; a role that names the wrong policy or the wrong API group grants nothing:

    • Enter the name of the pod security policy with the suffix -clusterrole for the metadata.name parameter.
    • Enter the name of the pod security policy for the rules[].resourceNames[] parameter. The same rule must list podsecuritypolicies under resources, use under verbs, and the API group that the policy is served under (extensions in this example) under apiGroups.
  5. In the management console, click Create resource and paste the YAML contents (the resource definitions only; the cat and kubectl wrapper shown above is for applying the same file from the command line).

  6. To create the policy, click Create.
  7. Create a namespace and assign the policy that you created to the new namespace. For more information, see Creating a namespace for the required steps.

The pod security policy is now created from YAML and bound to the namespace.

Create a custom pod security policy from the management console

If you do not use a predefined pod security policy, you can create a custom pod security policy from the management console. Complete the following steps to create a custom pod security policy that can be bound to a namespace:

  1. Log in to your IBM Cloud Private cluster.
  2. From the navigation menu, click Manage > Resource Security > Pod Security.
  3. From the Pod Security page, click Create Pod Security Policy.
  4. In the Create Pod Security dialog box, provide the following policy details:

    • General tab
      • Name - The name of the policy that you want to create.
      • Type - The type of policy that you are creating, from the following options:
        • Privileged - Grants pod containers almost the same level of access as a process that runs on the host.
      • Host network - Allows pods to share the node network namespace.
      • Host PID - Allows pod containers to share the host process ID namespace.
      • Host IPC - Allows pod containers to share the host IPC namespace.
      • Read only root filesystem - Requires containers to run with a read-only root filesystem.
    • Host ports tab
      • Range of host ports - Add the ranges of host ports that containers are allowed to bind in the host network namespace. No host ports are allowed when nothing is added.
    • Volumes and file systems tab
      • Volume - Enter each volume type that pods are allowed to mount (for example, configMap or secret), or enter * to allow all volume types.
      • Allocating an FSGroup that owns the pod's volumes - Selects whether the fsGroup that owns the pod's volumes must come from the ID ranges that you specify (MustRunAs) or can be any group (RunAsAny).
    • Users and groups tab
      • Run container as user - Controls the user ID that containers run as: any user (RunAsAny), a user from the ranges that you specify (MustRunAs), or any non-root user (MustRunAsNonRoot).
      • Configuring allowable supplemental groups - Specifies whether the supplemental group IDs that are added to the container's first process are limited to the ranges that you specify or can be any group.
    • SELinux tab
      • SELinux context of the container - Specify whether containers must run with the SELinux options that you provide (MustRunAs), or can run with any options (RunAsAny).
    • Capabilities tab
      • Specify any Linux capability that you want to require (added to every container by default), allow (a pod may add it), or drop (every container must drop it).
  5. When you finish customizing your pod security policy, you can click the JSON mode slider to view the JSON mode of your pod security policy. Range and SELinux option fields that you did not set are shown as placeholders in the console; with those omitted, your pod security policy might resemble the following output:

    {
      "kind": "PodSecurityPolicy",
      "apiVersion": "extensions/v1beta1",
      "metadata": {
        "name": "appsales-anyuid-psp"
      },
      "spec": {
        "privileged": false,
        "readOnlyRootFilesystem": false,
        "fsGroup": {
          "rule": "RunAsAny"
        },
        "runAsUser": {
          "rule": "RunAsAny"
        },
        "seLinux": {
          "rule": "RunAsAny"
        },
        "supplementalGroups": {
          "rule": "RunAsAny"
        },
        "allowedCapabilities": [
          "CHOWN",
          "DAC_OVERRIDE",
          "SETGID",
          "SETUID",
          "NET_BIND_SERVICE"
        ]
      }
    }
    
  6. Click Create.

  7. Click the Options icon to edit the JSON of your pod security policy.

After you create the pod security policy, you can bind the policy to a namespace. For more information, see Creating namespaces with pod security binding. If you use the management console to create a new namespace, the pod security policy is automatically bound to the namespace. The ClusterRole that grants use of the policy can be bound to a user, a service account, or a namespace.
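The two places where a policy silently fails to do what you expect are the ClusterRole from step 4 of the YAML procedure (a wrong resourceName or apiGroup grants nothing, so the namespace falls back to whatever other policy it can use) and the field semantics in the console dialog (which pod specs a given policy actually rejects). The following added example, not IBM Cloud Private's or Kubernetes' own code, checks both offline: grants_use confirms that a ClusterRole really grants the use verb on the named policy, and violations is a simplified model of the PodSecurityPolicy admission plugin that lists why a pod spec would be rejected under a policy spec. The policy spec is a constructed copy of the page's appsales-anyuid-psp; the ClusterRole, the sample pod specs, the image names and the function names are assumptions for illustration. The model does not apply the plugin's mutating defaults or inspect the image's USER, and note that PodSecurityPolicy was removed from Kubernetes in 1.25, so this applies to the older releases that IBM Cloud Private ran.

```python
"""Offline checks for a pod security policy and the ClusterRole that grants use of it.

Added example, not IBM Cloud Private's or Kubernetes' own code. PSP_SPEC is a constructed
copy of the page's appsales-anyuid-psp; the ClusterRole and pod specs are assumptions.
"""

PSP_NAME = "appsales-anyuid-psp"
PSP_SPEC = {  # constructed: the same settings as the page's appsales-anyuid-psp
    "privileged": False, "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": False,
    "allowedCapabilities": ["CHOWN", "DAC_OVERRIDE", "SETGID", "SETUID", "NET_BIND_SERVICE"],
    "seLinux": {"rule": "RunAsAny"}, "supplementalGroups": {"rule": "RunAsAny"},
    "runAsUser": {"rule": "RunAsAny"}, "fsGroup": {"rule": "RunAsAny"},
    "volumes": ["configMap", "secret"],
}
CLUSTERROLE = {  # constructed: the ClusterRole from step 4 of the YAML procedure
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": PSP_NAME + "-clusterrole"},
    "rules": [{"apiGroups": ["extensions"], "resources": ["podsecuritypolicies"],
               "resourceNames": [PSP_NAME], "verbs": ["use"]}],
}


def grants_use(clusterrole, psp_name):
    """True if some rule grants `use` on the named PSP in the API group it is served under
    (extensions or policy). A wrong apiGroup or resourceName grants nothing, silently."""
    for rule in clusterrole.get("rules", []):
        resources, verbs = rule.get("resources", []), rule.get("verbs", [])
        names = rule.get("resourceNames", [])  # empty resourceNames means every name
        if (("podsecuritypolicies" in resources or "*" in resources)
                and ("use" in verbs or "*" in verbs)
                and (not names or psp_name in names)
                and set(rule.get("apiGroups", [])) & {"extensions", "policy", "*"}):
            return True
    return False


def _in_ranges(value, ranges):
    return any(r["min"] <= value <= r["max"] for r in ranges)


def violations(psp_spec, pod_spec):
    """Reasons the PSP admission plugin would reject this pod spec (empty list = admitted).
    Simplified model covering the fields the console exposes; it does not apply the
    plugin's mutating defaults (e.g. runAsUser) or read the image's USER."""
    out = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):  # host namespaces off unless allowed
        if pod_spec.get(flag) and not psp_spec.get(flag, False):
            out.append(f"{flag} is not allowed")
    allowed_vols = psp_spec.get("volumes", [])
    for vol in pod_spec.get("volumes", []):
        vtype = next(k for k in vol if k != "name")  # configMap, secret, hostPath, ...
        if "*" not in allowed_vols and vtype not in allowed_vols:
            out.append(f"volume type {vtype} is not allowed")
    caps_allowed = set(psp_spec.get("allowedCapabilities", []))
    must_drop = set(psp_spec.get("requiredDropCapabilities", []))
    run_as = psp_spec.get("runAsUser", {"rule": "RunAsAny"})
    pod_uid = pod_spec.get("securityContext", {}).get("runAsUser")
    for c in pod_spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged") and not psp_spec.get("privileged", False):
            out.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") and psp_spec.get("allowPrivilegeEscalation", True) is False:
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        if psp_spec.get("readOnlyRootFilesystem") and not sc.get("readOnlyRootFilesystem"):
            out.append(f"{name}: readOnlyRootFilesystem must be true")
        for p in c.get("ports", []):  # no hostPorts ranges in the PSP means no host ports
            if "hostPort" in p and not _in_ranges(p["hostPort"], psp_spec.get("hostPorts", [])):
                out.append(f"{name}: hostPort {p['hostPort']} is outside the allowed ranges")
        caps = sc.get("capabilities", {})
        for cap in caps.get("add", []):
            if "*" not in caps_allowed and cap not in caps_allowed:
                out.append(f"{name}: capability {cap} is not allowed")
        for cap in sorted(must_drop - set(caps.get("drop", []))):
            out.append(f"{name}: capability {cap} must be dropped")
        uid = sc.get("runAsUser", pod_uid)  # container setting overrides the pod setting
        if run_as["rule"] == "MustRunAsNonRoot" and (uid is None or uid == 0):
            out.append(f"{name}: must run as a non-root user (runAsUser unset or 0)")
        if run_as["rule"] == "MustRunAs" and (uid is None or not _in_ranges(uid, run_as.get("ranges", []))):
            out.append(f"{name}: runAsUser {uid} is outside the allowed ranges")
    return out


# Constructed sample pod specs (assumed, for illustration).
COMPLIANT_POD = {
    "containers": [{"name": "web", "image": "appsales/web:1.0",
                    "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}],
    "volumes": [{"name": "cfg", "configMap": {"name": "web-config"}}],
}
ESCAPING_POD = {  # asks for the usual container-escape primitives
    "hostPID": True,
    "containers": [{"name": "dbg", "image": "appsales/debug:1.0",
                    "ports": [{"containerPort": 22, "hostPort": 2222}],
                    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
}

if __name__ == "__main__":
    print("ClusterRole grants use of", PSP_NAME, ":", grants_use(CLUSTERROLE, PSP_NAME))
    for label, pod in (("compliant", COMPLIANT_POD), ("escaping", ESCAPING_POD)):
        print(label, "->", violations(PSP_SPEC, pod) or "admitted")
```

Running the script shows the ClusterRole granting use of the policy, the compliant pod admitted, and the escaping pod rejected on five counts (hostPID, the hostPath volume, the privileged flag, the host port and SYS_ADMIN). Switching the runAsUser rule to MustRunAsNonRoot makes even the compliant pod fail until it sets a non-zero runAsUser, which is the check to run before choosing that option in the Users and groups tab.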