Enabling Pod Security Policies
What is a Pod Security Policy
Pod Security Policies are in-cluster Kubernetes resources that provide a way of constraining what pods are allowed to do. The Pod Security Policies page of the official Kubernetes docs provides a great deal of helpful information and a walkthrough of how to use them, and is highly recommended reading. For the purposes of this documentation, we focus only on getting them running on your Crit cluster.
Configuration
The APIServer has quite a few admission plugins enabled by default; however, the PodSecurityPolicy plugin is not one of them and must be enabled explicitly when configuring the APIServer, using the enable-admission-plugins option:
apiVersion: crit.sh/v1alpha2
kind: ControlPlaneConfiguration
kubeAPIServer:
  extraArgs:
    enable-admission-plugins: PodSecurityPolicy
enable-admission-plugins accepts a comma-delimited list of admission plugins to enable. While the order in which admission plugins run does matter, the order of names in this option does not, since it simply enables the listed plugins.
The admission plugin SecurityContextDeny must NOT be enabled along with PodSecurityPolicy. When PodSecurityPolicy is enabled, it completely supplants the functionality provided by SecurityContextDeny.
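The following is an added example, not part of the Crit documentation or code: a small POSIX sh audit that reads the running kube-apiserver command line and checks the two rules above (PodSecurityPolicy present in --enable-admission-plugins, SecurityContextDeny absent). It assumes you obtain the command line yourself, for example with `ps -o args= -C kube-apiserver` on a control-plane node; the sample command lines embedded below are constructed, not captured from a real cluster.

```sh
#!/bin/sh
# Audit kube-apiserver admission-plugin flags for the PodSecurityPolicy rules
# described above. Added example; the sample inputs are constructed.

# flag_value CMDLINE FLAG: print the value of --FLAG=value or "--FLAG value",
# or print nothing if the flag is absent.
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -v f="--$2" '
    $0 == f              { getline; print; exit }              # "--flag value"
    index($0, f"=") == 1 { print substr($0, length(f) + 2); exit }  # "--flag=value"
  '
}

# list_has LIST NAME: succeed if the comma-separated LIST contains NAME exactly.
list_has() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# check_admission_flags CMDLINE: print findings; return 0 only if both rules hold.
check_admission_flags() {
  enabled=$(flag_value "$1" enable-admission-plugins)
  rc=0
  if list_has "$enabled" PodSecurityPolicy; then
    echo "ok:   PodSecurityPolicy admission plugin is enabled"
  else
    echo "FAIL: PodSecurityPolicy missing from --enable-admission-plugins (got '${enabled:-<unset>}')"
    rc=1
  fi
  if list_has "$enabled" SecurityContextDeny; then
    echo "FAIL: SecurityContextDeny is enabled alongside PodSecurityPolicy; remove it"
    rc=1
  else
    echo "ok:   SecurityContextDeny is not enabled"
  fi
  return $rc
}

# Constructed sample command lines (not from a real cluster).
GOOD='kube-apiserver --authorization-mode=Node,RBAC --enable-admission-plugins=NodeRestriction,PodSecurityPolicy --secure-port=6443'
BAD='kube-apiserver --enable-admission-plugins=PodSecurityPolicy,SecurityContextDeny --secure-port=6443'

check_admission_flags "$GOOD"
check_admission_flags "$BAD" || echo "sample BAD configuration rejected as expected"
```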