Kubernetes Cluster Wide Security Policy Configuration
Uploaded by bpradipt
Transcript of Kubernetes Cluster Wide Security Policy Configuration
Slide 2: Kubernetes Components
Slide 3: Kubernetes Authentication and Authorization
Slide 4: Container Security Policies
• What?
  • Can the container process run as the ‘root’ user?
  • Can the user run a ‘privileged’ container?
  • What ‘capabilities’ should be allowed for the container?
  • …
• How?
  • How can the cluster admin enforce container security?
  • Kubernetes provides Pod Security Policy for enforcing cluster-wide security policies.
Slide 5: Example Policy: don’t allow process(es) inside the container to run as the ‘root’ user
The pod should meet the following criteria:
• The pod container image(s) should have the USER attribute defined, OR
• The pod YAML file should explicitly specify the non-root user ID as part of securityContext
Files shown on the slide: noroot.yaml, pod.yaml
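The following is an added example, not the deck's own noroot.yaml or pod.yaml: a PodSecurityPolicy that answers the three questions raised on slide 4 (root user, privileged mode, capabilities) and enforces the slide 5 rule, followed by a pod that satisfies it by setting the user ID explicitly in securityContext. The policy and pod names and the image reference are assumptions. PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25; on current clusters the same intent is expressed with Pod Security Admission or a policy admission controller.

```yaml
# Added example (not the deck's noroot.yaml / pod.yaml). PodSecurityPolicy was
# removed in Kubernetes 1.25; this is the API the slides describe.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-noroot          # assumed policy name
spec:
  privileged: false                # slide 4: "Can the user run a privileged container?" -> no
  allowPrivilegeEscalation: false  # also blocks setuid binaries from regaining root
  requiredDropCapabilities:        # slide 4: "What capabilities should be allowed?" -> drop all
    - ALL
  runAsUser:
    rule: MustRunAsNonRoot         # slide 5: containers may not run as UID 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:                         # no hostPath: a host mount would undo the rest
    - configMap
    - emptyDir
    - secret
    - projected
---
# Pod that meets the second slide 5 criterion: the non-root UID is stated in
# securityContext, so admission passes regardless of the image's USER line.
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-demo               # assumed pod name
spec:
  securityContext:
    runAsUser: 1000                # any non-zero UID satisfies MustRunAsNonRoot
    runAsNonRoot: true             # kubelet additionally refuses to start UID 0
  containers:
    - name: app
      image: example.invalid/app:1.0   # placeholder image reference
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Two checks a practitioner should make before relying on this. First, a PodSecurityPolicy only takes effect when the PodSecurityPolicy admission plugin is enabled on the API server and the creating user or the pod's service account is granted the `use` verb on the policy through RBAC; without that grant every pod creation is rejected. Second, for the first slide 5 criterion (relying on the image's USER instead of runAsUser), the USER in the image must be numeric: with MustRunAsNonRoot and no runAsUser, the kubelet cannot resolve a named user such as `nobody` and refuses to start the container.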
Slide 6: References
• https://kubernetes.io/docs/user-guide/pod-security-policy/
• cloudgeekz.com/1204/docker-cluster-kubernetes-policies.html
• https://www.katacoda.com/bpradipt/scenarios/kubernetes-podsecuritypolicy