
From my understanding, in Pod Security Admission (PSA) there is no customization feature. We can only select one of the security levels (privileged, baseline or restricted).

Now, there is a pod which uses only the capability CAP_NET_ADMIN. But, as you know, the 'baseline' level of PSA doesn't include CAP_NET_ADMIN. As a result, does this pod have to be created at the 'privileged' level? Is my understanding correct? Is this the only way to set up this pod with PSA? I wonder about it, because I think it's not good for security.

Could you please share your opinions about it?

JayJay-K

1 Answer


The default security levels provided by pod security policies cannot be changed directly and are pre-defined. To define your custom policies, you can use solutions like Kyverno and define your own policy which combines the "baseline" policy with an exception to include the "CAP_NET_ADMIN" capability. An example is given below:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: customized-baseline-policy
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    # A Kyverno rule carries exactly one of validate/mutate/generate, so the
    # validation and the mutation are split into two rules.
    - name: enforce-baseline-policy
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "The pod does not comply with the customized baseline policy."
        pattern:
          spec:
            # =() anchors: if the field is present it must be false; an absent
            # field (the Kubernetes default) must not fail the pod.
            =(hostIPC): false
            =(hostPID): false
            =(hostNetwork): false
            containers:
              - securityContext:
                  readOnlyRootFilesystem: true
            # <ADD MORE POLICIES HERE AS DEFINED IN THE BASELINE POLICY>
    - name: add-net-admin
      match:
        resources:
          kinds:
            - Pod
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              kyverno.io/generated-by: customized-baseline-policy
          spec:
            containers:
              # (name): "*" is the Kyverno anchor that applies the patch to
              # every container instead of appending a new list entry.
              - (name): "*"
                securityContext:
                  capabilities:
                    add: ["NET_ADMIN"]
```
faizan
  • I appreciate your answer faizan. It can be a nice solution. I have an additional question. I thought a webhook could be another solution, but in my understanding, when I use a webhook, I would have to develop a specific pod and container service for it, and I thought that could be a rather big task for me. How about the kyverno solution? Would I have to do something like that? Or, in the kyverno solution, can I achieve it by using only YAML for configuration? I will check kyverno, but could you please give some quick information? Thanks. – JayJay-K Jun 08 '23 at 09:05
  • I am not specifically sure about the webhook solutions you are referring to, but kyverno is something you can think of as policy as code, which means that you can define your Kubernetes policies using YAML manifest files. It is installed in your cluster as a CRD, which means that you can easily manage it and make it a part of your source control. Some examples of kyverno policies are [here](https://kyverno.io/policies/) – faizan Jun 08 '23 at 15:24
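The point of the thread is that PSA offers only whole profiles, so a pod that needs nothing beyond NET_ADMIN would otherwise have to be dropped to `privileged`, which also switches off the host-namespace and privileged-container checks. The following is an added example, not code from the question or the answer: a small admission-style checker in Python that applies a subset of the Pod Security Standards baseline controls (host namespaces, `privileged`, added capabilities) and takes an explicit allow-list of extra capabilities, which is exactly the knob PSA lacks and the Kyverno policy is meant to supply. Unlike the mutate rule in the answer, it only tolerates NET_ADMIN where a pod asks for it rather than granting it to every pod. The two pod manifests are constructed for the example; the baseline capability list is the one published in the Pod Security Standards.

```python
# Added example (not from the original post): baseline controls with one
# capability exception, applied to constructed pod manifests.

# Capabilities the Pod Security Standards 'baseline' profile lets a container add.
BASELINE_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
})


def _norm(cap):
    """Kubernetes manifests name capabilities without the CAP_ prefix, while
    people (and the question) often write CAP_NET_ADMIN; compare on one form."""
    return cap.upper().removeprefix("CAP_")


def all_containers(pod):
    """Yield every container, since baseline checks init and ephemeral ones too."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field, [])


def baseline_violations(pod, extra_caps=frozenset()):
    """Return the list of violations; an empty list means the pod is admitted.

    extra_caps is the per-cluster exception on top of the baseline capability
    list. Every other control stays in force, so a pod that needs only
    NET_ADMIN does not have to be moved to the 'privileged' level.
    """
    allowed = BASELINE_CAPS | {_norm(c) for c in extra_caps}
    spec = pod.get("spec", {})
    violations = []

    # Host namespaces are forbidden at baseline regardless of capabilities.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"spec.{field}=true is not allowed")

    for container in all_containers(pod):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"container {name}: privileged=true is not allowed")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if _norm(cap) not in allowed:
                violations.append(f"container {name}: capability {cap} is not allowed")
    return violations


# Constructed sample: the pod from the question, needing only NET_ADMIN.
NET_ADMIN_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "router"},
    "spec": {"containers": [{
        "name": "router", "image": "example.invalid/router:1.0",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    }]},
}

# Constructed sample: same capability, but also hostNetwork; the NET_ADMIN
# exception must not let the host-namespace escape through.
HOSTNET_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "netdebug"},
    "spec": {"hostNetwork": True, "containers": [{
        "name": "netdebug", "image": "example.invalid/netdebug:1.0",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    }]},
}


if __name__ == "__main__":
    print("baseline:", baseline_violations(NET_ADMIN_POD))
    print("baseline + NET_ADMIN:", baseline_violations(NET_ADMIN_POD, {"NET_ADMIN"}))
    print("hostNetwork pod, baseline + NET_ADMIN:",
          baseline_violations(HOSTNET_POD, {"NET_ADMIN"}))
```

Running it shows the three outcomes that matter for the question: plain baseline rejects the router pod solely for NET_ADMIN, baseline with the exception admits it, and the same exception still rejects a pod that adds `hostNetwork`, which is the control you would lose by falling back to the `privileged` profile.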