Understand pod security policies

In Kubernetes, a pod security policy is represented by a PodSecurityPolicy resource. This resource lists the conditions a pod must meet in order to run in the cluster. Here’s an example of a pod security policy, expressed in YAML:

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - 'nfs'
  hostPorts:
  - min: 100
    max: 100

Briefly, this pod security policy implements the following security rules:

• Disallow containers running in privileged mode
• Disallow containers that require root privileges
• Disallow containers that access volumes apart from NFS volumes
• Disallow containers that access host ports apart from port 100

Let’s look at the broad structure of a pod security policy.

• The metadata section of the policy specifies its name.
• The spec section of the policy outlines the key criteria a pod must fulfil in order to be allowed to run.

Here is a brief description of the main options available (you can find more details in the official Kubernetes documentation):

• The privileged field indicates whether to allow containers that use privileged mode. Learn more about privileged mode.
  • The runAsUser field defines which users a container can run as. Most commonly, it is used to prevent pods from running as the root user.
  • The seLinux field defines the Security-Enhanced Linux (SELinux) security context for containers and only allows containers that match that context. Learn more about SELinux.
  • The supplementalGroups and fsGroup fields define the user groups or fsGroup-owned volumes that a container may access. Learn more about fsGroups and supplemental groups.
  • The volumes field defines the type(s) of volumes a container may access. Learn more about volumes.
  • The hostPorts field, together with related fields like hostNetwork, hostPID and hostIPC, restrict the ports (and other networking capabilities) that a container may access on the host system.

Next steps: Create pod security policies for your cluster

Learn more about how to create pod security policies by applying any of the use cases shown in the following guide.