Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 16. Understanding and managing pod security admission
Pod security admission is an implementation of the Kubernetes pod security standards. Use pod security admission to restrict the behavior of pods.
16.1. Pod security admission and security context constraints
Pod security admission standards and security context constraints are reconciled and enforced by two independent controllers. The two controllers work independently using the following processes to enforce security policies:
-
The security context constraint controller may mutate some security context fields per the pod’s assigned SCC. For example, if the seccomp profile is empty or not set and if the pod’s assigned SCC enforces field to be
seccompProfiles, the controller sets the default type toruntime/default.RuntimeDefault - The security context constraint controller validates the pod’s security context against the matching SCC.
- The pod security admission controller validates the pod’s security context against the pod security standard assigned to the namespace.
16.2. Security context constraint synchronization with pod security standards
OpenShift Container Platform includes Kubernetes pod security admission. Globally, the
privilegedrestrictedIn addition to the global pod security admission control configuration, a controller exists that applies pod security admission control
warnauditNamespaces that are defined as part of the cluster payload have pod security admission synchronization disabled permanently. You can enable pod security admission synchronization on other namespaces as necessary. If an Operator is installed in a user-created
openshift-*The controller examines
ServiceAccountwarnauditNamespace labeling is based on consideration of namespace-local service account privileges.
Applying pods directly might use the SCC privileges of the user who runs the pod. However, user privileges are not considered during automatic labeling.
16.3. Controlling pod security admission synchronization
You can enable or disable automatic pod security admission synchronization for most namespaces.
Namespaces that are defined as part of the cluster payload have pod security admission synchronization disabled permanently. These namespaces include:
-
default -
kube-node-lease -
kube-system -
kube-public -
openshift -
All system-created namespaces that are prefixed with , except for
openshift-openshift-operators
By default, all namespaces that have an
openshift-openshift-*openshift-*openshift-operatorsIf an Operator is installed in a user-created
openshift-*Procedure
For each namespace that you want to configure, set a value for the
label:security.openshift.io/scc.podSecurityLabelSyncTo disable pod security admission label synchronization in a namespace, set the value of the
label tosecurity.openshift.io/scc.podSecurityLabelSync.falseRun the following command:
$ oc label namespace <namespace> security.openshift.io/scc.podSecurityLabelSync=falseTo enable pod security admission label synchronization in a namespace, set the value of the
label tosecurity.openshift.io/scc.podSecurityLabelSync.trueRun the following command:
$ oc label namespace <namespace> security.openshift.io/scc.podSecurityLabelSync=true
NoteUse the
flag to overwrite the value if this label is already set on the namespace.--overwrite
16.4. About pod security admission alerts
A
PodSecurityViolationView the Kubernetes API server audit logs to investigate alerts that were triggered. As an example, a workload is likely to fail admission if global enforcement is set to the
restrictedFor assistance in identifying pod security admission violation audit events, see Audit annotations in the Kubernetes documentation.
16.4.1. Identifying pod security violations
The
PodSecurityViolationmust-gatherpod-security.kubernetes.io/audit-violationsPrerequisites
-
You have installed .
jq -
You have access to the cluster as a user with the role.
cluster-admin
Procedure
To gather the audit logs, enter the following command:
$ oc adm must-gather -- /usr/bin/gather_audit_logsTo output the affected workload details, enter the following command:
$ zgrep -h pod-security.kubernetes.io/audit-violations must-gather.local.<archive_id>/<image_digest_id>/audit_logs/kube-apiserver/*log.gz \ | jq -r 'select((.annotations["pod-security.kubernetes.io/audit-violations"] != null) and (.objectRef.resource=="pods")) | .objectRef.namespace + " " + .objectRef.name' \ | sort | uniq -cReplace
and<archive_id>with the actual path names.<image_digest_id>Example output
1 test-namespace my-pod
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}