GK2 - Apply Pod Security Standards to the Kubernetes Cluster
In this post, we will explore how to apply Pod Security Standards to a Kubernetes cluster. Pod Security is an admission controller that checks new pods against the Kubernetes Pod Security Standards. Pod Security admission (PSA) is enabled by default in Kubernetes v1.23 and later, and has graduated to beta status. Follow the step by step process below.
1. Choose Pod Security Standard:
Pod Security Admission (PSA) allows you to apply the built-in Pod Security Standards using three different modes: "enforce", "audit", and "warn".
- To create a cluster with no Pod Security Standards applied using the kind command line tool, run the following command:
kind create cluster --name psa-wo-cluster-pss --image kindest/node:v1.24.0
- You can then use the kubectl command line tool to access the cluster by running the following command:
kubectl cluster-info --context kind-psa-wo-cluster-pss
- To get a list of namespaces in the cluster, use the kubectl command line tool with the get command and the ns (namespace) resource:
kubectl get ns
This will list all the namespaces in the cluster, along with their status and age.
2. Pre-Checks Prior To Applying the Security Standards:
To understand what will happen when the different Pod Security Standards are applied, use the kubectl label command with the --dry-run=server option and the pod-security.kubernetes.io/enforce label.
- To preview the effect of the "privileged" Pod Security Standard on all namespaces in the cluster, use the following command. It shows what would happen if the "privileged" standard were applied to every namespace, without actually making any changes. The output lists which namespaces would be labeled and whether any existing pods in those namespaces would violate the new standard.
kubectl label --dry-run=server --overwrite ns --all \
  pod-security.kubernetes.io/enforce=privileged
- To preview the "baseline" Pod Security Standard, run the same dry-run command with the baseline level:
kubectl label --dry-run=server --overwrite ns --all \
  pod-security.kubernetes.io/enforce=baseline
- To preview the "restricted" Pod Security Standard, run it with the restricted level:
kubectl label --dry-run=server --overwrite ns --all \
  pod-security.kubernetes.io/enforce=restricted
3. Apply the Security Standards:
- We will see how to apply Pod Security Standards at the cluster level, meaning that the standards will apply to all namespaces in the cluster.
- The process involves creating a configuration file that specifies the Pod Security Standards to be applied and the mode in which they should be applied (i.e., "enforce", "warn", or "audit").
- This configuration file is then passed to the API server when the cluster is created, using the --config flag of the kind create cluster command.
- The configuration file specifies the "baseline" standard to be applied in "enforce" mode and the "restricted" standard to be applied in both "warn" and "audit" mode.
- Additionally, the kube-system namespace is exempt from having these standards applied.
- Once the cluster is created, the Pod Security Admission controller will use the configuration file to enforce the specified Pod Security Standards on all pods that are created in the cluster.
- If a pod violates one of the standards, it will either be rejected (if the standard is applied in "enforce" mode), logged as a warning (if the standard is applied in "warn" mode), or logged as an audit event (if the standard is applied in "audit" mode).
- To apply the "baseline" standard in "enforce" mode to all namespaces, use the following command:
kubectl label --overwrite ns --all \
  pod-security.kubernetes.io/enforce=baseline:latest
- To apply the "restricted" standard in "warn" mode to all namespaces, use the following command:
kubectl label --overwrite ns --all \
  pod-security.kubernetes.io/warn=restricted:latest
- To apply the "restricted" standard in "audit" mode to all namespaces, use the following command:
kubectl label --overwrite ns --all \
  pod-security.kubernetes.io/audit=restricted:latest
- To exempt the kube-system namespace from these Pod Security Standards, simply remove the three labels you just applied to it (a trailing "-" on a label key removes that label):
kubectl label ns kube-system pod-security.kubernetes.io/enforce- \
  pod-security.kubernetes.io/warn- pod-security.kubernetes.io/audit-
- You can create a config file that can be used by the Pod Security Admission Controller to implement these Pod Security Standards. This config file defines the Pod Security Standards that should be applied to your cluster. It specifies that the baseline standard should be applied in enforce mode, and the restricted standard should be applied in both warn and audit mode. It also exempts the kube-system namespace from having Pod Security Standards applied.
mkdir -p /tmp/pss
cat <<EOF > /tmp/pss/cluster-level-pss.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    # The v1 PodSecurityConfiguration API requires a v1.25+ API server;
    # on a v1.24 node image (as used below) use pod-security.admission.config.k8s.io/v1beta1.
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "baseline"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system]
EOF
- Next, write a KinD cluster config that uses the above file. It mounts /tmp/pss into the control-plane node and tells the API server to consume cluster-level-pss.yaml for Pod Security Admission. The kubeadmConfigPatches field adds the admission-control-config-file argument to the API server's command line; this argument is the path to the Pod Security Admission configuration file inside the node.
cat <<EOF > /tmp/pss/cluster-config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        admission-control-config-file: /etc/config/cluster-level-pss.yaml
      extraVolumes:
      - name: accf
        hostPath: /etc/config
        mountPath: /etc/config
        readOnly: false
        pathType: "DirectoryOrCreate"
  extraMounts:
  - hostPath: /tmp/pss
    containerPath: /etc/config
    # optional: if set, the mount is read-only.
    # default false
    readOnly: false
    # optional: if set, the mount needs SELinux relabeling.
    # default false
    selinuxRelabel: false
    # optional: set propagation mode (None, HostToContainer or Bidirectional)
    # see https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
    # default None
    propagation: None
EOF
- Create the Kubernetes cluster, which will use Pod Security Admission to apply the Pod Security Standards:
kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.24.0 --config /tmp/pss/cluster-config.yaml
- Set the kubectl context to the new cluster:
kubectl cluster-info --context kind-psa-with-cluster-pss
- Create the Pod specification:
cat <<EOF > /tmp/pss/nginx-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
EOF
- Create the Pod with kubectl from the above specification file:
kubectl apply -f /tmp/pss/nginx-pod.yaml
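With the configuration above, the nginx pod is admitted (it satisfies "baseline") but the "restricted" warn and audit levels flag it. The following is an added, offline illustration (not code from the original post or from Kubernetes itself) that re-implements a small subset of the baseline and restricted checks in Python and runs them against the post's nginx pod and a hardened variant; the image name in the hardened pod is an assumed choice.

```python
# Added example (not from the original post): a simplified, offline check of a Pod
# manifest against a SUBSET of the Pod Security Standards "baseline" and "restricted"
# profiles. The real PodSecurity admission plugin evaluates more controls than this;
# the point is to show why the post's nginx pod passes enforce=baseline but is
# flagged under warn/audit=restricted, and what a compliant pod needs.

def _containers(spec: dict) -> list:
    return spec.get("containers", []) + spec.get("initContainers", [])

def baseline_violations(pod: dict) -> list:
    """Subset of baseline checks: host namespaces and privileged containers."""
    spec = pod.get("spec", {})
    problems = [f"{k}=true is not allowed" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    for c in _containers(spec):
        if c.get("securityContext", {}).get("privileged"):
            problems.append(f"container {c['name']!r}: privileged=true is not allowed")
    return problems

def restricted_violations(pod: dict) -> list:
    """Subset of restricted checks, layered on top of baseline."""
    problems = baseline_violations(pod)
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name!r}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f"container {name!r}: capabilities.drop must include ALL")
        # runAsNonRoot may be set at pod or container level; the container level wins.
        if not (sc["runAsNonRoot"] if "runAsNonRoot" in sc else pod_sc.get("runAsNonRoot")):
            problems.append(f"container {name!r}: runAsNonRoot must be true")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {name!r}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems

# Constructed samples: the post's nginx pod, and a hardened variant that satisfies the checks.
NGINX_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
             "spec": {"containers": [{"name": "nginx", "image": "nginx", "ports": [{"containerPort": 80}]}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx-hardened"},
    "spec": {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "nginx",
                             "image": "nginxinc/nginx-unprivileged",  # assumed: an image that runs as non-root
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (NGINX_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "baseline:", baseline_violations(pod),
              "restricted:", restricted_violations(pod))
```

Admission only checks the manifest, so runAsNonRoot also requires an image that actually starts as a non-root user, otherwise the pod is admitted but fails at container start.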
4. Delete the Cluster:
If you need to delete the clusters you just created, run the following:
kind delete cluster --name psa-with-cluster-pss
kind delete cluster --name psa-wo-cluster-pss
Hope this helps.