Pod Security Policies

Contents

    Pod Security Policies documentation
    PSP RBAC example (GitHub)

    The use of PSPs (Pod Security Policies) may be replaced by Open Policy Agent (often pronounced as "oh-pa") in the future.

    In order to apply security settings to multiple Pods and Containers cluster-wide, we can define Pod Security Policies. These policies are cluster-level rules that govern what a pod can do, what it can access, which user it runs as, and so on.

    For instance, if you do not want any of the containers in your cluster to run as the root user, you can define a PSP to that effect. You can also prevent containers from being privileged, or from using the host network namespace or the host PID namespace.

    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: restricted
    spec:
      seLinux:
        rule: RunAsAny          # any SELinux context is accepted
      supplementalGroups:
        rule: RunAsAny          # no restriction on supplemental group IDs
      runAsUser:
        rule: MustRunAsNonRoot  # reject pods whose containers would run as UID 0
      fsGroup:
        rule: RunAsAny          # no restriction on the volume fsGroup
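    The policy above only enforces the non-root rule. As an added example (not from the original page), the following manifest extends it with the other restrictions mentioned in the text (no privileged containers, no host network or PID namespace) and adds the RBAC objects that let service accounts actually use the policy; the names restricted and psp:restricted and the volume allowlist are my own choices.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false                # no privileged containers
  allowPrivilegeEscalation: false  # block setuid binaries / no_new_privs
  hostNetwork: false               # pod may not join the host network namespace
  hostPID: false                   # pod may not join the host PID namespace
  hostIPC: false                   # pod may not join the host IPC namespace
  runAsUser:
    rule: MustRunAsNonRoot         # containers must run as a non-zero UID
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # The allowlist is required: an empty 'volumes' list permits no volume
  # types at all, which would also reject the service account token mount.
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - persistentVolumeClaim
---
# A policy is only applied if the requesting user or the pod's service
# account is allowed to "use" it, so grant that verb on this PSP ...
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["restricted"]
---
# ... and bind it to every service account in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:restricted:all-serviceaccounts
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts
```

    A PSP has no effect until the PodSecurityPolicy admission controller is enabled on the API server, and once it is enabled a pod is admitted only if some policy it is authorized to use accepts it, which is why the ClusterRoleBinding is part of the example. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, where the built-in Pod Security Admission controller takes over this role.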
