Use Pod Security Policy constraints

Policy Controller comes with a default library of constraint templates that can be used with the Pod Security Policy bundle to achieve many of the same protections as Kubernetes Pod Security Policy (PSP), with the added ability to test your policies before enforcing them and exclude coverage of specific resources.

The bundle includes these constraints which provide parameters which map to the following Kubernetes Pod Security Policy (PSP) Field Names (Control IDs):

Constraint Name Constraint Description Control ID
psp-v2022-psp-allow-privilege-escalation Restricting escalation to root privileges allowPrivilegeEscalation
psp-v2022-psp-apparmor The AppArmor profile used by containers annotations
psp-v2022-psp-capabilities Linux capabilities allowedCapabilities, requiredDropCapabilities
psp-v2022-flexvolume-drivers Allow specific FlexVolume drivers allowedFlexVolumes
psp-v2022-psp-forbidden-sysctls The sysctl profile used by containers forbiddenSysctls
psp-v2022-psp-fsgroup Allocating an FSGroup that owns the pod's volumes fsGroup
psp-v2022-psp-host-filesystem Usage of the host filesystem allowedHostPaths
psp-v2022-psp-host-namespace Usage of host namespaces hostPID, hostIPC
psp-v2022-psp-host-network-ports Usage of host networking and ports hostNetwork, hostPorts
psp-v2022-psp-privileged-container Running of privileged containers privileged
psp-v2022-psp-proc-mount The Allowed Proc Mount types for the container allowedProcMountTypes
psp-v2022-psp-readonlyrootfilesystem Requiring the use of a read-only root file system readOnlyRootFilesystem
psp-v2022-psp-seccomp The seccomp profile used by containers annotations
psp-v2022-psp-selinux-v2 The SELinux context of the container seLinux
psp-v2022-psp-pods-allowed-user-ranges The user and group IDs of the container runAsUser, runAsGroup, supplementalGroups, fsGroup
psp-v2022-psp-volume-types Usage of volume types volumes

Before you begin

  1. Install and initialize the Google Cloud CLI, which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
  2. Install Policy Controller on your cluster with the default library of constraint templates.

Audit Pod Security Policy policy bundle

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Google recommended best practices outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl, kpt, or Config Sync.

kubectl

  1. (Optional) Preview the policy constraints with kubectl:

    kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022
    
  2. Apply the policy constraints with kubectl:

    kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022
    

    The output is the following:

    k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/psp-v2022-psp-allow-privilege-escalation created
    k8spspallowedusers.constraints.gatekeeper.sh/psp-v2022-psp-pods-allowed-user-ranges created
    k8spspapparmor.constraints.gatekeeper.sh/psp-v2022-psp-apparmor created
    k8spspcapabilities.constraints.gatekeeper.sh/psp-v2022-psp-capabilities created
    k8spspfsgroup.constraints.gatekeeper.sh/psp-v2022-psp-fsgroup created
    k8spspflexvolumes.constraints.gatekeeper.sh/psp-v2022-psp-flexvolume-drivers created
    k8spspforbiddensysctls.constraints.gatekeeper.sh/psp-v2022-psp-forbidden-sysctls created
    k8spsphostfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-host-filesystem created
    k8spsphostnamespace.constraints.gatekeeper.sh/psp-v2022-psp-host-namespace created
    k8spsphostnetworkingports.constraints.gatekeeper.sh/psp-v2022-psp-host-network-ports created
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/psp-v2022-psp-privileged-container created
    k8spspprocmount.constraints.gatekeeper.sh/psp-v2022-psp-proc-mount created
    k8spspreadonlyrootfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-readonlyrootfilesystem created
    k8spspselinuxv2.constraints.gatekeeper.sh/psp-v2022-psp-selinux-v2 created
    k8spspseccomp.constraints.gatekeeper.sh/psp-v2022-psp-seccomp created
    k8spspvolumetypes.constraints.gatekeeper.sh/psp-v2022-psp-volume-types created
    
  3. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022
    

    The output is similar to the following:

    NAME                                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/psp-v2022-psp-allow-privilege-escalation   dryrun               0
    
    NAME                                                                                  ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspallowedusers.constraints.gatekeeper.sh/psp-v2022-psp-pods-allowed-user-ranges   dryrun               0
    
    NAME                                                              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspapparmor.constraints.gatekeeper.sh/psp-v2022-psp-apparmor                        0
    
    NAME                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspcapabilities.constraints.gatekeeper.sh/psp-v2022-psp-capabilities   dryrun               0
    
    NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspfsgroup.constraints.gatekeeper.sh/psp-v2022-psp-fsgroup                        0
    
    NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspflexvolumes.constraints.gatekeeper.sh/psp-v2022-psp-flexvolume-drivers                        0
    
    NAME                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspforbiddensysctls.constraints.gatekeeper.sh/psp-v2022-psp-forbidden-sysctls                        0
    
    NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-host-filesystem                        0
    
    NAME                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostnamespace.constraints.gatekeeper.sh/psp-v2022-psp-host-namespace   dryrun               0
    
    NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostnetworkingports.constraints.gatekeeper.sh/psp-v2022-psp-host-network-ports   dryrun               0
    
    NAME                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/psp-v2022-psp-privileged-container   dryrun               0
    
    NAME                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspprocmount.constraints.gatekeeper.sh/psp-v2022-psp-proc-mount                        0
    
    NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspreadonlyrootfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-readonlyrootfilesystem                        0
    
    NAME                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspselinuxv2.constraints.gatekeeper.sh/psp-v2022-psp-selinux-v2                        0
    
    NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspseccomp.constraints.gatekeeper.sh/psp-v2022-psp-seccomp   dryrun               0
    
    NAME                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspvolumetypes.constraints.gatekeeper.sh/psp-v2022-psp-volume-types                        0
    
  4. (Optional) Adjust the PSP Field Name parameters in the constraint files as required for your cluster environment. For more details check the link for the specific PSP Field Name in the table above. For example in psp-host-network-ports:

    parameters:
      hostNetwork: true
      min: 80
      max: 9000
    

kpt

  1. Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.

  2. Download the Pod Security Policy (PSP) v2022 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022
    
  3. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval psp-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \
      -- enforcementAction=dryrun
    
  4. Initialize the working directory with kpt, which creates a resource to track changes:

    cd psp-v2022
    kpt live init
    
  5. (Optional) Adjust the PSP Field Name parameters in the constraint files as required for your cluster environment. For more details check the link for the specific PSP Field Name in the table above. For example in psp-host-network-ports:

    parameters:
      hostNetwork: true
      min: 80
      max: 9000
    
  6. Apply the policy constraints with kpt:

    kpt live apply
    
  7. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kpt live status --output table --poll-until current
    

    A status of CURRENT confirms successful installation of the constraints.

Config Sync

  1. Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR
    

    To create or append .gitignore with resourcegroup.yaml:

    echo resourcegroup.yaml >> .gitignore
    

  2. Create a dedicated policies directory:

    mkdir -p policies
    
  3. Download the Pod Security Policy (PSP) v2022 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022 policies/psp-v2022
    
  4. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval policies/psp-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
    
  5. (Optional) Adjust the PSP Field Name parameters in the constraint files as required for your cluster environment. For more details check the link for the specific PSP Field Name in the table above. For example in psp-host-network-ports:

    parameters:
      hostNetwork: true
      min: 80
      max: 9000
    
  6. (Optional) Preview the policy constraints to be created:

    kpt live init policies/psp-v2022
    kpt live apply --dry-run policies/psp-v2022
    

    The output is the following:

    Dry-run strategy: client
    inventory update started
    inventory update finished
    apply phase started
    k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/psp-v2022-psp-allow-privilege-escalation apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspallowedusers.constraints.gatekeeper.sh/psp-v2022-psp-pods-allowed-user-ranges apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspapparmor.constraints.gatekeeper.sh/psp-v2022-psp-apparmor apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspcapabilities.constraints.gatekeeper.sh/psp-v2022-psp-capabilities apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspfsgroup.constraints.gatekeeper.sh/psp-v2022-psp-fsgroup apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspflexvolumes.constraints.gatekeeper.sh/psp-v2022-psp-flexvolume-drivers apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspforbiddensysctls.constraints.gatekeeper.sh/psp-v2022-psp-forbidden-sysctls apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spsphostfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-host-filesystem apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spsphostnamespace.constraints.gatekeeper.sh/psp-v2022-psp-host-namespace apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spsphostnetworkingports.constraints.gatekeeper.sh/psp-v2022-psp-host-network-ports apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/psp-v2022-psp-privileged-container apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspprocmount.constraints.gatekeeper.sh/psp-v2022-psp-proc-mount apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspreadonlyrootfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-readonlyrootfilesystem apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspselinuxv2.constraints.gatekeeper.sh/psp-v2022-psp-selinux-v2 apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspseccomp.constraints.gatekeeper.sh/psp-v2022-psp-seccomp apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    k8spspvolumetypes.constraints.gatekeeper.sh/psp-v2022-psp-volume-types apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
    apply phase finished
    inventory update started
    inventory update finished
    apply result: 16 attempted, 0 successful, 16 skipped, 0 failed
    
  7. If your sync directory for Config Sync uses Kustomize, add policies/psp-v2022 to your root kustomization.yaml. Otherwise remove the policies/psp-v2022/kustomization.yaml file:

    rm SYNC_ROOT_DIR/policies/psp-v2022/kustomization.yaml
    
  8. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policies/psp-v2022
    git commit -m 'Adding Pod Security Policy audit enforcement'
    git push
    
  9. Verify the status of the installation:

    watch gcloud beta container fleet config-management status --project PROJECT_ID
    

    A status of SYNCED confirms the installation of the policies.

View policy violations

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l policycontroller.gke.io/bundleName=psp-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l policycontroller.gke.io/bundleName=psp-v2022 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change Pod Security Policy policy bundle enforcement action

Once you've reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

kubectl

  1. Use kubectl to set the policies' enforcement action to warn:

    kubectl get constraint -l policycontroller.gke.io/bundleName=psp-v2022 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'
    
  2. Verify that policy constraints enforcement action have been updated:

    kubectl get constraint -l policycontroller.gke.io/bundleName=psp-v2022
    

kpt

  1. Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

    kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
    
  2. Apply the policy constraints:

    kpt live apply
    

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR
    
  2. Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

    kpt fn eval policies/psp-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
    
  3. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policies/psp-v2022
    git commit -m 'Adding Pod Security Policy policy bundle warn enforcement'
    git push
    
  4. Verify the status of the installation:

    gcloud alpha anthos config sync repo list --project PROJECT_ID
    

    Your repo showing up in the SYNCED column confirms the installation of the policies.

Test policy enforcement

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {"ranges": [{"max": 200, "min": 100}], "rule": "MustRunAs"}
Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {"ranges": [{"max": 200, "min": 100}], "rule": "MustRunAs"}
Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/runAsUser
Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {"ranges": [{"max": 200, "min": 100}], "rule": "MustRunAs"}
Warning: [psp-v2022-psp-allow-privilege-escalation] Privilege escalation container is not allowed: wordpress
Warning: [psp-v2022-psp-seccomp] Seccomp profile 'not configured' is not allowed for container 'wordpress'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "docker/default", "runtime/default"}
Warning: [psp-v2022-psp-capabilities] container <wordpress> is not dropping all required capabilities. Container must drop all of ["must_drop"] or "ALL"
Warning: [psp-v2022-psp-readonlyrootfilesystem] only read-only root filesystem container is allowed: wordpress
pod/wp-non-compliant created

Remove Pod Security Policy policy bundle

If needed, the Pod Security Policy policy bundle can be removed from the cluster.

kubectl

  • Use kubectl to remove the policies:

    kubectl delete constraint -l policycontroller.gke.io/bundleName=psp-v2022
    

kpt

  • Remove the policies:

    kpt live destroy
    

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Push changes to the Config Sync repo:

    git rm -r SYNC_ROOT_DIR/policies/psp-v2022
    git commit -m 'Removing PSP policies'
    git push
    
  2. Verify the status:

    gcloud alpha anthos config sync repo list --project PROJECT_ID
    

    Your repo showing up in the SYNCED column confirms the removal of the policies.