sigs.k8s.io/cluster-api@v1.7.1/docs/book/src/security/pod-security-standards.md

# Pod Security Standards

Pod Security Admission allows applying [Pod Security Standards] during creation of pods at the cluster level.

The flavor `development-topology` for the Docker provider used in [Quick Start](../user/quick-start.md) already includes a basic Pod Security Standard configuration.
It uses ClusterClass variables and patches to inject the configuration.

## Adding a basic Pod Security Standards configuration to a ClusterClass

By adding the following variables and patches, Pod Security Standards can be added to every ClusterClass which references a [Kubeadm based control plane](../tasks/control-plane/kubeadm-control-plane.md).

### Adding the variables to a ClusterClass

```yaml
apiVersion: cluster.x-k8s.io/v1beta1
kind: ClusterClass
spec:
  variables:
  - name: podSecurityStandard
    required: false
    schema:
      openAPIV3Schema:
        type: object
        properties:
          enabled:
            type: boolean
            default: true
            description: "enabled enables the patches to enable Pod Security Standard via AdmissionConfiguration."
          enforce:
            type: string
            default: "baseline"
            description: "enforce sets the level for the enforce PodSecurityConfiguration mode. One of privileged, baseline, restricted."
            pattern: "^(privileged|baseline|restricted)$"
          audit:
            type: string
            default: "restricted"
            description: "audit sets the level for the audit PodSecurityConfiguration mode. One of privileged, baseline, restricted."
            pattern: "^(privileged|baseline|restricted)$"
          warn:
            type: string
            default: "restricted"
            description: "warn sets the level for the warn PodSecurityConfiguration mode. One of privileged, baseline, restricted."
            pattern: "^(privileged|baseline|restricted)$"
  ...
```

* The `pattern` on the three level fields is anchored with `^...$` on purpose: OpenAPI `pattern` matching is unanchored, so a bare `privileged|baseline|restricted` would also accept a value such as `restricted-ish`, which the PodSecurity plugin then rejects when the kube-apiserver starts.
* The version field in Pod Security Admission Config defaults to `latest`.
* The `kube-system` namespace is exempt from Pod Security Standards enforcement, because it runs control-plane pods that need higher privileges. Requests matching an exemption are ignored by Pod Security Admission entirely (no enforcement, audit annotation or warning), so keep the exemption list to what the control plane actually needs.

### Adding the patches to a ClusterClass

The following snippet contains the patch to be added to the ClusterClass.

Due to [limitations of ClusterClass with patches](../tasks/experimental-features/cluster-class/write-clusterclass.md#json-patches-tips--tricks) there are two versions for this patch.

{{#tabs name:"tab-configuration-patches" tabs:"Add to existing slice,Create slice"}}
{{#tab Append}}

Use this patch if the following keys **already exist** inside the `KubeadmControlPlaneTemplate` referred to by the ClusterClass:

- `.spec.template.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraVolumes`
- `.spec.template.spec.kubeadmConfigSpec.files`

```yaml
apiVersion: cluster.x-k8s.io/v1beta1
kind: ClusterClass
spec:
  ...
  patches:
  - name: podSecurityStandard
    description: "Adds an admission configuration for PodSecurity to the kube-apiserver."
    definitions:
    - selector:
        apiVersion: controlplane.cluster.x-k8s.io/v1beta1
        kind: KubeadmControlPlaneTemplate
        matchResources:
          controlPlane: true
      jsonPatches:
      - op: add
        path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs"
        value:
          admission-control-config-file: "/etc/kubernetes/kube-apiserver-admission-pss.yaml"
      - op: add
        path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-"
        value:
          name: admission-pss
          hostPath: /etc/kubernetes/kube-apiserver-admission-pss.yaml
          mountPath: /etc/kubernetes/kube-apiserver-admission-pss.yaml
          readOnly: true
          pathType: "File"
      - op: add
        path: "/spec/template/spec/kubeadmConfigSpec/files/-"
        valueFrom:
          template: |
            content: |
              apiVersion: apiserver.config.k8s.io/v1
              kind: AdmissionConfiguration
              plugins:
              - name: PodSecurity
                configuration:
                  apiVersion: pod-security.admission.config.k8s.io/v1{{ if semverCompare "< v1.25" .builtin.controlPlane.version }}beta1{{ end }}
                  kind: PodSecurityConfiguration
                  defaults:
                    enforce: "{{ .podSecurityStandard.enforce }}"
                    enforce-version: "latest"
                    audit: "{{ .podSecurityStandard.audit }}"
                    audit-version: "latest"
                    warn: "{{ .podSecurityStandard.warn }}"
                    warn-version: "latest"
                  exemptions:
                    usernames: []
                    runtimeClasses: []
                    namespaces: [kube-system]
            path: /etc/kubernetes/kube-apiserver-admission-pss.yaml
    enabledIf: "{{ .podSecurityStandard.enabled }}"
  ...
```

The template references (`.podSecurityStandard.enforce`, `.podSecurityStandard.audit`, `.podSecurityStandard.warn`) must use the variable name declared above; a reference to a variable that does not exist fails when the patch is rendered.
Note also that the `extraArgs` patch uses `op: add` on the whole map and therefore replaces any apiServer `extraArgs` already set in the template; merge existing arguments into its `value` if there are any.

{{#/tab }}
{{#tab Create}}

Use this patch if the following keys **do not** exist inside the `KubeadmControlPlaneTemplate` referred to by the ClusterClass:

- `.spec.template.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraVolumes`
- `.spec.template.spec.kubeadmConfigSpec.files`

> **Attention:** Existing values inside the `KubeadmControlPlaneTemplate` at the mentioned keys will be replaced by this patch.

```yaml
apiVersion: cluster.x-k8s.io/v1beta1
kind: ClusterClass
spec:
  ...
  patches:
  - name: podSecurityStandard
    description: "Adds an admission configuration for PodSecurity to the kube-apiserver."
    definitions:
    - selector:
        apiVersion: controlplane.cluster.x-k8s.io/v1beta1
        kind: KubeadmControlPlaneTemplate
        matchResources:
          controlPlane: true
      jsonPatches:
      - op: add
        path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs"
        value:
          admission-control-config-file: "/etc/kubernetes/kube-apiserver-admission-pss.yaml"
      - op: add
        path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes"
        value:
        - name: admission-pss
          hostPath: /etc/kubernetes/kube-apiserver-admission-pss.yaml
          mountPath: /etc/kubernetes/kube-apiserver-admission-pss.yaml
          readOnly: true
          pathType: "File"
      - op: add
        path: "/spec/template/spec/kubeadmConfigSpec/files"
        valueFrom:
          template: |
            - content: |
                apiVersion: apiserver.config.k8s.io/v1
                kind: AdmissionConfiguration
                plugins:
                - name: PodSecurity
                  configuration:
                    apiVersion: pod-security.admission.config.k8s.io/v1{{ if semverCompare "< v1.25" .builtin.controlPlane.version }}beta1{{ end }}
                    kind: PodSecurityConfiguration
                    defaults:
                      enforce: "{{ .podSecurityStandard.enforce }}"
                      enforce-version: "latest"
                      audit: "{{ .podSecurityStandard.audit }}"
                      audit-version: "latest"
                      warn: "{{ .podSecurityStandard.warn }}"
                      warn-version: "latest"
                    exemptions:
                      usernames: []
                      runtimeClasses: []
                      namespaces: [kube-system]
              path: /etc/kubernetes/kube-apiserver-admission-pss.yaml
    enabledIf: "{{ .podSecurityStandard.enabled }}"
  ...
```

{{#/tab }}
{{#/tabs }}

[Pod Security Standards]: https://kubernetes.io/docs/concepts/security/pod-security-standards

### Create a secure Cluster using the ClusterClass

After adding the variables and patches, the Pod Security Standards are applied by default, because the `enabled` variable defaults to `true`.
The patch can also be disabled, or the levels changed, per Cluster through the `podSecurityStandard` variable:

```yaml
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: "my-cluster"
spec:
  ...
  topology:
    ...
    class: my-secure-cluster-class
    variables:
    - name: podSecurityStandard
      value:
        enabled: true
        enforce: "restricted"
```
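To see exactly what the `files` patch above writes onto a control plane node for a given Kubernetes version, and why the variable `pattern` in the schema section is anchored, the following Go program (an example added here; it is not part of the Cluster API code base) renders the same admission-configuration template with Go's `text/template`, the engine Cluster API uses for inline patches, after checking the three levels against the anchored pattern. The `semverCompare` function below is a minimal stand-in written for this example and is an assumption, not the sprig implementation Cluster API provides: it handles only a single `< vX.Y[.Z]` or `>= vX.Y[.Z]` constraint and ignores pre-release suffixes. `RenderAdmissionConfig`, `parseVersion` and `levelRE` are names chosen for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"text/template"
)

// levelRE is anchored on purpose: OpenAPI "pattern" matching is unanchored, so a bare
// "privileged|baseline|restricted" would also accept "restricted-ish".
var levelRE = regexp.MustCompile(`^(privileged|baseline|restricted)$`)

// admissionTmpl is the file content template carried by the ClusterClass patch
// (Go text/template, the engine Cluster API uses for inline patches).
const admissionTmpl = `apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1{{ if semverCompare "< v1.25" .builtin.controlPlane.version }}beta1{{ end }}
    kind: PodSecurityConfiguration
    defaults:
      enforce: "{{ .podSecurityStandard.enforce }}"
      enforce-version: "latest"
      audit: "{{ .podSecurityStandard.audit }}"
      audit-version: "latest"
      warn: "{{ .podSecurityStandard.warn }}"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system]
`

// parseVersion turns "vMAJOR.MINOR[.PATCH]" into integers; a pre-release suffix is ignored.
func parseVersion(s string) [3]int {
	var out [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(s, "v"), ".", 3) {
		out[i], _ = strconv.Atoi(strings.SplitN(p, "-", 2)[0])
	}
	return out
}

// semverCompare is a minimal stand-in (an assumption made for this example) for the sprig
// function of the same name that Cluster API exposes to patch templates. It only handles
// a single "< vX.Y[.Z]" or ">= vX.Y[.Z]" constraint.
func semverCompare(constraint, version string) (bool, error) {
	f := strings.Fields(constraint)
	if len(f) != 2 || (f[0] != "<" && f[0] != ">=") {
		return false, fmt.Errorf("unsupported constraint %q", constraint)
	}
	c, v := parseVersion(f[1]), parseVersion(version)
	less := v[0] < c[0] || v[0] == c[0] && (v[1] < c[1] || v[1] == c[1] && v[2] < c[2])
	return less == (f[0] == "<"), nil
}

// RenderAdmissionConfig validates the three levels and renders the content the patch
// writes to /etc/kubernetes/kube-apiserver-admission-pss.yaml for a control plane version.
func RenderAdmissionConfig(controlPlaneVersion, enforce, audit, warn string) (string, error) {
	for _, l := range []string{enforce, audit, warn} {
		if !levelRE.MatchString(l) {
			return "", fmt.Errorf("invalid Pod Security level %q", l)
		}
	}
	t, err := template.New("pss").Funcs(template.FuncMap{"semverCompare": semverCompare}).Parse(admissionTmpl)
	if err != nil {
		return "", err
	}
	// Same names the patch template uses: the builtin .builtin.controlPlane.version
	// and the user-defined .podSecurityStandard variable.
	data := map[string]interface{}{
		"builtin":             map[string]interface{}{"controlPlane": map[string]interface{}{"version": controlPlaneVersion}},
		"podSecurityStandard": map[string]interface{}{"enforce": enforce, "audit": audit, "warn": warn},
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Before v1.25 the PodSecurity config API is v1beta1; from v1.25 on it is v1.
	for _, version := range []string{"v1.24.17", "v1.28.3"} {
		out, err := RenderAdmissionConfig(version, "baseline", "restricted", "restricted")
		if err != nil {
			panic(err)
		}
		fmt.Printf("--- control plane %s ---\n%s", version, out)
	}
	// A value that an unanchored pattern would have let through to the kube-apiserver.
	_, err := RenderAdmissionConfig("v1.28.3", "restricted-ish", "restricted", "restricted")
	fmt.Println("restricted-ish:", err)
}
```

Running it prints the two rendered files, one with `pod-security.admission.config.k8s.io/v1beta1` for the v1.24 control plane and one with `.../v1` for v1.28, and then the validation error for `restricted-ish`. The rendered text is what to compare against `/etc/kubernetes/kube-apiserver-admission-pss.yaml` on a control plane node.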
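Once the Cluster is up, the setting is only as good as what reached the kube-apiserver. The following Go program (an example added here, not Cluster API code) takes the JSON that `kubectl -n kube-system get pod kube-apiserver-<node> -o json` prints and reports whether the container is started with `--admission-control-config-file` pointing at the file from the patch and has that file mounted read-only. `APIServerLoadsConfig` and `ConfigPath` are names chosen for this example, and both pod documents are constructed samples, not captures from a real cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// ConfigPath is where the ClusterClass patch places the admission configuration.
const ConfigPath = "/etc/kubernetes/kube-apiserver-admission-pss.yaml"

// APIServerLoadsConfig parses the kube-apiserver static pod (kubectl -o json output)
// and reports whether the kube-apiserver container is started with
// --admission-control-config-file=<configPath> and mounts that path read-only.
func APIServerLoadsConfig(podJSON []byte, configPath string) (bool, error) {
	var pod struct {
		Spec struct {
			Containers []struct {
				Name         string   `json:"name"`
				Command      []string `json:"command"`
				VolumeMounts []struct {
					MountPath string `json:"mountPath"`
					ReadOnly  bool   `json:"readOnly"`
				} `json:"volumeMounts"`
			} `json:"containers"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(podJSON, &pod); err != nil {
		return false, err
	}
	for _, c := range pod.Spec.Containers {
		if c.Name != "kube-apiserver" {
			continue
		}
		hasFlag, hasMount := false, false
		for _, arg := range c.Command {
			hasFlag = hasFlag || arg == "--admission-control-config-file="+configPath
		}
		for _, m := range c.VolumeMounts {
			hasMount = hasMount || (m.MountPath == configPath && m.ReadOnly)
		}
		return hasFlag && hasMount, nil
	}
	return false, fmt.Errorf("no kube-apiserver container in pod")
}

// Constructed samples (not captured from a real cluster): the relevant part of the
// static pod with the patch applied, and a control plane where the patch was disabled.
const patchedPod = `{"spec":{"containers":[{"name":"kube-apiserver","command":["kube-apiserver","--admission-control-config-file=/etc/kubernetes/kube-apiserver-admission-pss.yaml","--enable-admission-plugins=NodeRestriction"],"volumeMounts":[{"mountPath":"/etc/kubernetes/kube-apiserver-admission-pss.yaml","name":"admission-pss","readOnly":true}]}]}}`

const unpatchedPod = `{"spec":{"containers":[{"name":"kube-apiserver","command":["kube-apiserver","--enable-admission-plugins=NodeRestriction"],"volumeMounts":[]}]}}`

func main() {
	pods := map[string]string{"patched sample": patchedPod, "unpatched sample": unpatchedPod}
	// With "-" as the only argument, read real kubectl output instead:
	//   kubectl -n kube-system get pod kube-apiserver-<node> -o json | go run . -
	if len(os.Args) > 1 && os.Args[1] == "-" {
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			panic(err)
		}
		pods = map[string]string{"stdin": string(b)}
	}
	for name, pod := range pods {
		ok, err := APIServerLoadsConfig([]byte(pod), ConfigPath)
		fmt.Printf("%s: kube-apiserver loads PodSecurity admission config = %v (err=%v)\n", name, ok, err)
	}
}
```

This confirms the flag, not the behaviour. For an end-to-end probe with the defaults above (`enforce: baseline`), `kubectl run pss-probe --image=registry.k8s.io/pause:3.9 --privileged --dry-run=server` in an ordinary namespace must be refused with a `violates PodSecurity` error, while the same command with `-n kube-system` is admitted because of the namespace exemption.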