From 4b7784728a24bc5c8dcb71c89fcc11e432b3e163 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Wed, 3 Nov 2021 17:43:43 -0400 Subject: [PATCH] PodSecurity beta updates --- .../security/pod-security-admission.md | 37 +++++++++++--- .../admission-controllers.md | 2 +- .../feature-gates.md | 3 +- .../enforce-standards-admission-controller.md | 48 ++++++++++++++++++- .../enforce-standards-namespace-labels.md | 2 +- .../migrate-from-psp.md | 2 +- 6 files changed, 82 insertions(+), 12 deletions(-) diff --git a/content/en/docs/concepts/security/pod-security-admission.md b/content/en/docs/concepts/security/pod-security-admission.md index a1c87767c9be9..933dc62940876 100644 --- a/content/en/docs/concepts/security/pod-security-admission.md +++ b/content/en/docs/concepts/security/pod-security-admission.md @@ -13,13 +13,13 @@ min-kubernetes-server-version: v1.22 -{{< feature-state for_k8s_version="v1.22" state="alpha" >}} +{{< feature-state for_k8s_version="v1.23" state="beta" >}} The Kubernetes [Pod Security Standards](/docs/concepts/security/pod-security-standards/) define different isolation levels for Pods. These standards let you define how you want to restrict the behavior of pods in a clear, consistent fashion. -As an Alpha feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip +As an Beta feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip text="admission controller" term_id="admission-controller" >}}, the successor to [PodSecurityPolicies](/docs/concepts/policy/pod-security-policy/). Pod security restrictions are applied at the {{< glossary_tooltip text="namespace" term_id="namespace" >}} level when pods @@ -32,15 +32,40 @@ The PodSecurityPolicy API is deprecated and will be -## Enabling the Alpha feature +## Enabling the `PodSecurity` admission plugin -Setting pod security controls by namespace is an alpha feature. You must enable the `PodSecurity` -[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) in order to use it. +In v1.23, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) +is a Beta feature and is enabled by default. + +In v1.22, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) +is an Alpha feature and must be enabled in `kube-apiserver` in order to use the built-in admission plugin. ```shell --feature-gates="...,PodSecurity=true" ``` +## Alternative: installing the `PodSecurity` admission webhook + +For environments where the built-in `PodSecurity` admission plugin cannot be used, +either because the cluster is older than v1.22, or the `PodSecurity` feature cannot be enabled, +the `PodSecurity` admission logic is also available as a Beta [validating admission webhook](https://git.k8s.io/pod-security-admission/webhook). + +A pre-built container image, certificate generation scripts, and example manifests +are available at [https://git.k8s.io/pod-security-admission/webhook](https://git.k8s.io/pod-security-admission/webhook). + +To install: +```shell +git clone git@github.com:kubernetes/pod-security-admission.git +cd pod-security-admission/webhook +make certs +kubectl apply -k . +``` + +{{< note >}} +The generated certificate is valid for 2 years. Before it expires, +regenerate the certificate or remove the webhook in favor of the built-in admission plugin. +{{< /note >}} + ## Pod Security levels Pod Security admission places requirements on a Pod's [Security @@ -52,7 +77,7 @@ page for an in-depth look at those requirements. ## Pod Security Admission labels for namespaces -Provided that you have enabled this feature, you can configure namespaces to define the admission +Once the feature is enabled or the webhook is installed, you can configure namespaces to define the admission control mode you want to use for pod security in each namespace. Kubernetes defines a set of {{< glossary_tooltip term_id="label" text="labels" >}} that you can set to define which of the predefined Pod Security Standard levels you want to use for a namespace. The label you select diff --git a/content/en/docs/reference/access-authn-authz/admission-controllers.md b/content/en/docs/reference/access-authn-authz/admission-controllers.md index 0461c09f53229..7957ff7a4fcfa 100644 --- a/content/en/docs/reference/access-authn-authz/admission-controllers.md +++ b/content/en/docs/reference/access-authn-authz/admission-controllers.md @@ -698,7 +698,7 @@ admission plugin, which allows preventing pods from running on specifically tain ### PodSecurity {#podsecurity} -{{< feature-state for_k8s_version="v1.22" state="alpha" >}} +{{< feature-state for_k8s_version="v1.23" state="beta" >}} This is the replacement for the deprecated [PodSecurityPolicy](#podsecuritypolicy) admission controller defined in the next section. This admission controller acts on creation and modification of the pod and diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 91aa118fa293d..dc369aee3d037 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -159,7 +159,8 @@ different Kubernetes components. | `PodAffinityNamespaceSelector` | `true` | Beta | 1.22 | | | `PodOverhead` | `false` | Alpha | 1.16 | 1.17 | | `PodOverhead` | `true` | Beta | 1.18 | | -| `PodSecurity` | `false` | Alpha | 1.22 | | +| `PodSecurity` | `false` | Alpha | 1.22 | 1.22 | +| `PodSecurity` | `true` | Beta | 1.23 | | | `PreferNominatedNode` | `false` | Alpha | 1.21 | 1.21 | | `PreferNominatedNode` | `true` | Beta | 1.22 | | | `ProbeTerminationGracePeriod` | `false` | Alpha | 1.21 | 1.21 | diff --git a/content/en/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md b/content/en/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md index ef8206b1b6a9b..c2f9fae3f7c1e 100644 --- a/content/en/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md +++ b/content/en/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md @@ -15,10 +15,52 @@ You can configure this admission controller to set cluster-wide defaults and [ex {{% version-check %}} -- Enable the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features). +- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled. ## Configure the Admission Controller +{{< tabs name="PodSecurityConfiguration_example_1" >}} +{{% tab name="pod-security.admission.config.k8s.io/v1beta1" %}} +```yaml +apiVersion: apiserver.config.k8s.io/v1 +kind: AdmissionConfiguration +plugins: +- name: PodSecurity + configuration: + apiVersion: pod-security.admission.config.k8s.io/v1beta1 + kind: PodSecurityConfiguration + # Defaults applied when a mode label is not set. + # + # Level label values must be one of: + # - "privileged" (default) + # - "baseline" + # - "restricted" + # + # Version label values must be one of: + # - "latest" (default) + # - specific version like "v{{< skew latestVersion >}}" + defaults: + enforce: "privileged" + enforce-version: "latest" + audit: "privileged" + audit-version: "latest" + warn: "privileged" + warn-version: "latest" + exemptions: + # Array of authenticated usernames to exempt. + usernames: [] + # Array of runtime class names to exempt. + runtimeClassNames: [] + # Array of namespaces to exempt. + namespaces: [] +``` + +{{< note >}} +v1beta1 configuration requires v1.23+. For v1.22, use v1alpha1. +{{< /note >}} + +{{% /tab %}} +{{% tab name="pod-security.admission.config.k8s.io/v1alpha1" %}} ```yaml apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration @@ -51,4 +93,6 @@ plugins: runtimeClassNames: [] # Array of namespaces to exempt. namespaces: [] -``` \ No newline at end of file +``` +{{% /tab %}} +{{< /tabs >}} diff --git a/content/en/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md b/content/en/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md index 9a4c3a44ed4c9..121f9b15e7c54 100644 --- a/content/en/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md +++ b/content/en/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md @@ -13,7 +13,7 @@ Namespaces can be labeled to enforce the [Pod Security Standards](/docs/concepts {{% version-check %}} -- Enable the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features). +- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled. ## Requiring the `baseline` Pod Security Standard with namespace labels diff --git a/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md b/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md index f0ea2d02dfb02..adc8225e23894 100644 --- a/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md +++ b/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md @@ -17,7 +17,7 @@ admission controller. This can be done effectively using a combination of dry-ru {{% version-check %}} -- Enable the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features). +- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.