Enabling Pod Security Policies

What is a Pod Security Policy

Pod Security Policies are in-cluster Kubernetes resources that provide a way of constraining what pods are allowed to do. The Pod Security Policy page in the official Kubernetes docs provides a great deal of helpful information and a walkthrough of how to use them, and is highly recommended reading. For the purposes of this documentation, we really just want to focus on getting them running on your Crit cluster.

Configuration

The APIServer has quite a few admission plugins enabled by default; however, the PodSecurityPolicy plugin is not one of them and must be enabled explicitly when configuring the APIServer with the enable-admission-plugins option:

apiVersion: crit.sh/v1alpha2
kind: ControlPlaneConfiguration
kubeAPIServer:
  extraArgs:
    enable-admission-plugins: PodSecurityPolicy

enable-admission-plugins can be provided a comma-delimited list of admission plugins to enable. While the order in which admission plugins run does matter, the order of names in this particular option does not, as it simply enables the plugins.

The admission plugin SecurityContextDeny must NOT be enabled along with PodSecurityPolicy. When PodSecurityPolicy is enabled, it completely supplants the functionality provided by SecurityContextDeny.