Merge pull request #30351 from liggitt/podsecurity-beta
Podsecurity beta updates
k8s-ci-robot authored Nov 11, 2021
2 parents 14a003c + 4b77847 commit 9dbee0d
Showing 6 changed files with 82 additions and 12 deletions.
37 changes: 31 additions & 6 deletions content/en/docs/concepts/security/pod-security-admission.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,13 @@ min-kubernetes-server-version: v1.22

<!-- overview -->

{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
{{< feature-state for_k8s_version="v1.23" state="beta" >}}

The Kubernetes [Pod Security Standards](/docs/concepts/security/pod-security-standards/) define
different isolation levels for Pods. These standards let you define how you want to restrict the
behavior of pods in a clear, consistent fashion.

As an Alpha feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip
As an Beta feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip
text="admission controller" term_id="admission-controller" >}}, the successor
to [PodSecurityPolicies](/docs/concepts/policy/pod-security-policy/). Pod security restrictions
are applied at the {{< glossary_tooltip text="namespace" term_id="namespace" >}} level when pods
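Review bot: "As an Beta feature" on the added line is a grammar slip; the article was carried over from "As an Alpha feature" when the word changed. Suggested: `As a Beta feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip`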
Expand All @@ -32,15 +32,40 @@ The PodSecurityPolicy API is deprecated and will be

<!-- body -->

## Enabling the Alpha feature
## Enabling the `PodSecurity` admission plugin

Setting pod security controls by namespace is an alpha feature. You must enable the `PodSecurity`
[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) in order to use it.
In v1.23, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
is a Beta feature and is enabled by default.

In v1.22, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
is an Alpha feature and must be enabled in `kube-apiserver` in order to use the built-in admission plugin.

```shell
--feature-gates="...,PodSecurity=true"
```

## Alternative: installing the `PodSecurity` admission webhook

For environments where the built-in `PodSecurity` admission plugin cannot be used,
either because the cluster is older than v1.22, or the `PodSecurity` feature cannot be enabled,
the `PodSecurity` admission logic is also available as a Beta [validating admission webhook](https://git.k8s.io/pod-security-admission/webhook).

A pre-built container image, certificate generation scripts, and example manifests
are available at [https://git.k8s.io/pod-security-admission/webhook](https://git.k8s.io/pod-security-admission/webhook).

To install:
```shell
git clone git@github.com:kubernetes/pod-security-admission.git
cd pod-security-admission/webhook
make certs
kubectl apply -k .
```

{{< note >}}
The generated certificate is valid for 2 years. Before it expires,
regenerate the certificate or remove the webhook in favor of the built-in admission plugin.
{{< /note >}}

## Pod Security levels

Pod Security admission places requirements on a Pod's [Security
Expand All @@ -52,7 +77,7 @@ page for an in-depth look at those requirements.

## Pod Security Admission labels for namespaces

Provided that you have enabled this feature, you can configure namespaces to define the admission
Once the feature is enabled or the webhook is installed, you can configure namespaces to define the admission
control mode you want to use for pod security in each namespace. Kubernetes defines a set of
{{< glossary_tooltip term_id="label" text="labels" >}} that you can set to define which of the
predefined Pod Security Standard levels you want to use for a namespace. The label you select
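Review bot: the install snippet clones over SSH (`git clone git@github.com:kubernetes/pod-security-admission.git`), which fails for any reader without a GitHub SSH key configured; the HTTPS form `git clone https://github.com/kubernetes/pod-security-admission.git` works for everyone and is what the rest of the docs use. Since the note already tells readers to "remove the webhook in favor of the built-in admission plugin", it would also help to say explicitly that the webhook is a stop-gap for clusters that cannot run the built-in plugin and should not be left installed alongside it.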
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -698,7 +698,7 @@ admission plugin, which allows preventing pods from running on specifically tain

### PodSecurity {#podsecurity}

{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
{{< feature-state for_k8s_version="v1.23" state="beta" >}}

This is the replacement for the deprecated [PodSecurityPolicy](#podsecuritypolicy) admission controller
defined in the next section. This admission controller acts on creation and modification of the pod and
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,8 @@ different Kubernetes components.
| `PodAffinityNamespaceSelector` | `true` | Beta | 1.22 | |
| `PodOverhead` | `false` | Alpha | 1.16 | 1.17 |
| `PodOverhead` | `true` | Beta | 1.18 | |
| `PodSecurity` | `false` | Alpha | 1.22 | |
| `PodSecurity` | `false` | Alpha | 1.22 | 1.22 |
| `PodSecurity` | `true` | Beta | 1.23 | |
| `PreferNominatedNode` | `false` | Alpha | 1.21 | 1.21 |
| `PreferNominatedNode` | `true` | Beta | 1.22 | |
| `ProbeTerminationGracePeriod` | `false` | Alpha | 1.21 | 1.21 |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,52 @@ You can configure this admission controller to set cluster-wide defaults and [ex

{{% version-check %}}

- Enable the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features).
- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.

## Configure the Admission Controller

{{< tabs name="PodSecurityConfiguration_example_1" >}}
{{% tab name="pod-security.admission.config.k8s.io/v1beta1" %}}
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
# Defaults applied when a mode label is not set.
#
# Level label values must be one of:
# - "privileged" (default)
# - "baseline"
# - "restricted"
#
# Version label values must be one of:
# - "latest" (default)
# - specific version like "v{{< skew latestVersion >}}"
defaults:
enforce: "privileged"
enforce-version: "latest"
audit: "privileged"
audit-version: "latest"
warn: "privileged"
warn-version: "latest"
exemptions:
# Array of authenticated usernames to exempt.
usernames: []
# Array of runtime class names to exempt.
runtimeClassNames: []
# Array of namespaces to exempt.
namespaces: []
```
{{< note >}}
v1beta1 configuration requires v1.23+. For v1.22, use v1alpha1.
{{< /note >}}
{{% /tab %}}
{{% tab name="pod-security.admission.config.k8s.io/v1alpha1" %}}
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
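Review bot: the v1beta1 example ships with `enforce`, `audit` and `warn` all set to `"privileged"`, so a reader who copies it verbatim gets an admission controller that rejects nothing until namespaces are labeled or these defaults are tightened; a one-line comment next to `defaults:` saying so (e.g. `# "privileged" applies no restrictions; set "baseline" or "restricted" to enforce a standard cluster-wide`) would prevent a false sense of coverage. Likewise, `exemptions` skip all three modes for the listed usernames, runtime classes and namespaces, so the comment on `usernames:` should note that only trusted controller identities belong there. The tab ordering (v1beta1 first, with the note that v1.22 needs v1alpha1) is fine.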
Expand Down Expand Up @@ -51,4 +93,6 @@ plugins:
runtimeClassNames: []
# Array of namespaces to exempt.
namespaces: []
```
```
{{% /tab %}}
{{< /tabs >}}
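Review bot: the `-`/`+` pair on the closing ``` fence shows no visible difference, so this is presumably a whitespace-only change (trailing whitespace or indentation); if indentation was added, it should match the opening fence of the v1alpha1 block so the fence still closes correctly inside the `{{% tab %}}` shortcode.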
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ Namespaces can be labeled to enforce the [Pod Security Standards](/docs/concepts

{{% version-check %}}

- Enable the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features).
- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.

## Requiring the `baseline` Pod Security Standard with namespace labels

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ admission controller. This can be done effectively using a combination of dry-ru

{{% version-check %}}

- Enable the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features).
- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.

<!-- body -->

Expand Down
