Use Pod Security Standards Baseline policy constraints
Policy Controller comes with a default library of constraint templates that you can use with the Pod Security Standards Baseline bundle. This bundle lets you achieve many of the same protections as the Kubernetes Pod Security Standards (PSS) Baseline policy, with the ability to test your policies before enforcing them and exclude coverage of specific resources.
Pod Security Standards Baseline policy bundle constraints
| Constraint Name | Constraint Description | Control Name |
|---|---|---|
| pss-baseline-v2022-hostprocess | Usage of Windows HostProcess | HostProcess |
| pss-baseline-v2022-host-namespaces-hostnetwork | Use of host networking | Host Namespaces |
| pss-baseline-v2022-host-namespaces-host-pid-ipc | Usage of host namespaces | |
| pss-baseline-v2022-privileged-containers | Running of privileged containers | Privileged Containers |
| pss-baseline-v2022-capabilities | Linux capabilities | Capabilities |
| pss-baseline-v2022-hostpath-volumes | Usage of the host filesystem | HostPath Volumes |
| pss-baseline-v2022-host-ports | Usage of host ports | Host Ports (configurable) |
| pss-baseline-v2022-apparmor | The AppArmor profile used by containers | AppArmor |
| pss-baseline-v2022-selinux | The SELinux context of the container | SELinux |
| pss-baseline-v2022-proc-mount-type | The Allowed Proc Mount types for the container | /proc Mount Type |
| pss-baseline-v2022-seccomp | The seccomp profile used by containers | Seccomp |
| pss-baseline-v2022-sysctls | The sysctl profile used by containers | Sysctls |
Before you begin
- Install and initialize the
Google Cloud CLI,
which provides the
gcloudandkubectlcommands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed. - Install Policy Controller v.1.14.1 or higher on your cluster with the default library of constraint templates.
Audit Pod Security Standards Baseline policy bundle
Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Google recommended best practices outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.
You can apply these policies with spec.enforcementAction set to dryrun using kubectl,
kpt,
or
Config Sync.
kubectl
(Optional) Preview the policy constraints with kubectl:
kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022
Apply the policy constraints with kubectl:
kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022
The output is the following:
k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor created k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities created k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes created k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc created k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork created k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports created k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers created k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type created k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux created k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp created k8spspforbiddensysctls.constraints.gatekeeper.sh/pss-baseline-v2022-sysctls created
Verify that policy constraints have been installed and check if violations exist across the cluster:
kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022
The output is similar to the following:
NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork dryrun 0 k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspforbiddensysctls.constraints.gatekeeper.sh/pss-baseline-v2022-sysctls dryrun 0
(Optional) Adjust the
pss-baseline-v2022-host-portsconstraint to include a minimum restricted known list of ports for your cluster environment:parameters: # A minimum restricted known list can be implemented here. min: 0 max: 0
kpt
Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
Download the Pod Security Standards (PSS) Baseline v2022 policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022
Run the
set-enforcement-actionkpt function to set the policies' enforcement action todryrun:kpt fn eval pss-baseline-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \ -- enforcementAction=dryrun
Initialize the working directory with kpt, which creates a resource to track changes:
cd pss-baseline-v2022 kpt live init
(Optional) Adjust the
pss-baseline-v2022-host-portsconstraint file to include a minimum restricted known list of ports for your cluster environment:parameters: # A minimum restricted known list can be implemented here. min: 0 max: 0
Apply the policy constraints with kpt:
kpt live apply
Verify that policy constraints have been installed and check if violations exist across the cluster:
kpt live status --output table --poll-until current
A status of
CURRENTconfirms successful installation of the constraints.
Config Sync
- Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
To create or append
.gitignorewithresourcegroup.yaml:echo resourcegroup.yaml >> .gitignore
Create a dedicated
policiesdirectory:mkdir -p policies
Download the Pod Security Standards (PSS) Baseline v2022 policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022 policies/pss-baseline-v2022
Run the
set-enforcement-actionkpt function to set the policies' enforcement action todryrun:kpt fn eval policies/pss-baseline-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
(Optional) Adjust the
pss-baseline-v2022-host-portsconstraint file to include a minimum restricted known list of ports for your cluster environment:parameters: # A minimum restricted known list can be implemented here. min: 0 max: 0
(Optional) Preview the policy constraints to be created:
kpt live init policies/pss-baseline-v2022 kpt live apply --dry-run policies/pss-baseline-v2022
The output is the following:
Dry-run strategy: client inventory update started inventory update finished apply phase started k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor apply successful k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities apply successful k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes apply successful k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc apply successful k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork apply successful k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports apply successful k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers apply successful k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type apply successful k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux apply successful k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp apply successful apply phase finished inventory update started inventory update finished apply result: 10 attempted, 10 successful, 0 skipped, 0 failed
If your sync directory for Config Sync uses Kustomize, add
policies/pss-baseline-v2022to your rootkustomization.yaml. Otherwise remove thepolicies/pss-baseline-v2022/kustomization.yamlfile:rm SYNC_ROOT_DIR/policies/pss-baseline-v2022/kustomization.yaml
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/pss-baseline-v2022 git commit -m 'Adding Pod Security Standards Baseline audit enforcement' git push
Verify the status of the installation:
watch gcloud beta container fleet config-management status --project PROJECT_ID
A status of
SYNCEDconfirms the installation of the policies.
View policy violations
Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.
You can also use kubectl to view violations on the cluster using the following command:
kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
If violations are present, a listing of the violation messages per constraint can be viewed with:
kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'
Change Pod Security Standards Baseline policy bundle enforcement action
Once you've reviewed policy violations on your cluster, you can consider
changing the enforcement mode so the Admission Controller will either warn on
or even deny block non-compliant resource from getting applied to the cluster.
kubectl
Use kubectl to set the policies' enforcement action to
warn:kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'Verify that policy constraints enforcement action have been updated:
kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022
kpt
Run the
set-enforcement-actionkpt function to set the policies' enforcement action towarn:kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
Apply the policy constraints:
kpt live apply
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
Run the
set-enforcement-actionkpt function to set the policies' enforcement action towarn:kpt fn eval policies/pss-baseline-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policies/pss-baseline-v2022 git commit -m 'Adding Pod Security Standards Baseline policy bundle warn enforcement' git push
Verify the status of the installation:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCEDcolumn confirms the installation of the policies.
Test policy enforcement
Create a non-compliant resource on the cluster using the following command:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
namespace: default
name: wp-non-compliant
labels:
app: wordpress
spec:
containers:
- image: wordpress
name: wordpress
ports:
- containerPort: 80
hostPort: 80
name: wordpress
EOF
The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:
Warning: [pss-baseline-v2022-host-ports] The specified hostNetwork and hostPort are not allowed, pod: wp-non-compliant. Allowed values: {"max": 0, "min": 0}
pod/wp-non-compliant created
Remove Pod Security Standards Baseline policy bundle
If needed, the Pod Security Standards Baseline policy bundle can be removed from the cluster.
kubectl
Use kubectl to remove the policies:
kubectl delete constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022
kpt
Remove the policies:
kpt live destroy
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Push changes to the Config Sync repo:
git rm -r SYNC_ROOT_DIR/policies/pss-baseline-v2022 git commit -m 'Removing Pod Security Standards Baseline policies' git push
Verify the status:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCEDcolumn confirms the removal of the policies.