
PodSecurityPolicy

**Set up the API server to enable the PodSecurityPolicy admission controller**

# Static pod manifest of the control-plane API server (presumably kubeadm-generated;
# the kubelet re-reads it on change — confirm on the target cluster).
cat /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.156.0.2:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.156.0.2
    # Privileged containers are allowed cluster-wide by the API server; the PSP
    # below is what denies them per pod (privileged: false).
    - --allow-privileged=true
    # Secrets/etc. are encrypted at rest in etcd per the referenced provider config.
    - --encryption-provider-config=/etc/kubernetes/etcd/ec.yaml
    # NOTE(review): unauthenticated requests are accepted and mapped to the anonymous
    # identity; with RBAC they only get what is explicitly bound to system:anonymous.
    # Set to false if nothing on the cluster relies on anonymous access — confirm.
    - --anonymous-auth=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    # This is the line that switches PodSecurityPolicy enforcement on. Pods created
    # after this point are rejected unless a PSP exists and the creating identity
    # is allowed to `use` it — create the policy and bindings before relying on it.
    - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
    - --enable-bootstrap-token-auth=true
...

**Create a PodSecurityPolicy in the cluster**

# The PodSecurityPolicy object applied to the cluster (contents shown below).
cat psp.yaml 
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was deprecated upstream and has
# since been removed; on newer clusters the equivalent is Pod Security Admission.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default
spec:
  # Pods may request NET_ADMIN (the proxy pod later in this post adds it);
  # no other added capability is permitted by this policy.
  allowedCapabilities:
  - NET_ADMIN
  allowPrivilegeEscalation: false
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  # RunAsAny here means containers may still run as root (UID 0);
  # use MustRunAsNonRoot if that is not intended.
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # '*' permits every volume type, hostPath included; prefer an explicit
  # allow-list (e.g. configMap, secret, emptyDir, ...) in anything but a lab.
  volumes:
  - '*'

**Create the corresponding Role/RoleBinding so the default ServiceAccount is allowed to use the PodSecurityPolicy**

# `k` is presumably an alias for kubectl — confirm.
# The Role grants the `use` verb on *all* PodSecurityPolicies in the namespace;
# add --resource-name=default to scope it to the single policy created above.
k create  role psp-access --verb=use --resource=podsecuritypolicies
# Binding to default:default covers every pod in the namespace that does not
# set its own serviceAccountName (deployments created without one use it).
k create  rolebinding  psp-access --role psp-access --serviceaccount default:default
# Sanity check: with the admission plugin on, this deployment's pods are only
# admitted once the bound ServiceAccount can `use` a matching PSP.
k create  deployment  nginx --image=nginx

**Create a proxy pod for mTLS**

# Pod manifest with a sidecar that needs NET_ADMIN (contents shown below).
cat proxy.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: proxy
  name: proxy
spec:
  containers:
  # Workload container: just generates outbound traffic (ping) for the proxy to see.
  - command:
    - ping
    - google.com
    image: bash
    name: base
    resources: {}
  # Sidecar: installs iptables at start-up and then idles. Nothing in this manifest
  # configures TLS itself; the iptables setup is presumably the traffic-redirection
  # half of the mTLS proxy — confirm against the rest of the setup.
  - name: proxy
    image: ubuntu
    command:
    - sh
    - -c
    # NOTE(review): apt-get at pod start pulls packages from the network on every
    # restart; baking iptables into the image makes the pod reproducible and
    # removes the runtime dependency on package mirrors.
    - 'apt-get update  && apt-get install iptables -y && iptables -L && sleep 1d'
    securityContext:
      capabilities:
        # Allowed only because the PSP lists NET_ADMIN in allowedCapabilities;
        # without that entry admission rejects this pod.
        add: ["NET_ADMIN"]
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}



Jan Toth

I have been in DevOps related jobs for past 6 years dealing mainly with Kubernetes in AWS and on-premise as well. I spent quite a lot …
