What's the best method to enforce/block root containers running in an EKS cluster with managed nodes, applied to all namespaces (except kube-system), on v1.22+? I tried the below, but root containers are still able to run. Is this the latest method: https://kubernetes.io/docs/tutorials/security/cluster-level-pss/?

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: pod-security
spec:
  privileged: true              # privileged pods are allowed by this policy
  seLinux:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  runAsUser:
    rule: 'MustRunAs'           # UID must fall inside the range below (0 is excluded)
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  volumes:
  - '*'                         # any volume type
```
risail
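The route the linked tutorial describes for a self-managed cluster (a cluster-wide default through an AdmissionConfiguration file) needs access to the API server flags, which a managed EKS control plane does not expose, so the usable mechanism is the Pod Security Admission namespace labels. The script below is an added example, not code from the question or from the Kubernetes tutorial; it assumes kubectl is configured for the cluster and that the PodSecurity admission controller is enabled (it is on by default from Kubernetes 1.23). It labels every namespace except kube-system with the `restricted` profile, which rejects any pod that does not set `runAsNonRoot: true`; `baseline` would not block root.

```shell
#!/bin/sh
# Added example: enforce the Pod Security "restricted" profile on every
# namespace except the exempt ones, using the pod-security.kubernetes.io labels.
# Assumes kubectl is configured and the PodSecurity admission controller is on.

# Namespaces left alone (assumption: only kube-system, as in the question).
EXEMPT_NAMESPACES="kube-system"

# Profile to apply. "restricted" blocks root; "baseline" does not.
PROFILE="${PSA_PROFILE:-restricted}"

# select_namespaces NAMES: print each whitespace-separated name in NAMES that
# is not listed in EXEMPT_NAMESPACES, one per line.
select_namespaces() {
  for ns in $1; do
    keep=1
    for exempt in $EXEMPT_NAMESPACES; do
      if [ "$ns" = "$exempt" ]; then
        keep=0
      fi
    done
    if [ "$keep" -eq 1 ]; then
      printf '%s\n' "$ns"
    fi
  done
  return 0
}

# label_args NAMESPACE: print the kubectl arguments that switch NAMESPACE to
# PROFILE. "enforce" rejects new pods; "warn" and "audit" only report what
# enforce would reject, so they can be applied first to measure the impact.
label_args() {
  printf 'label --overwrite namespace %s' "$1"
  printf ' pod-security.kubernetes.io/enforce=%s' "$PROFILE"
  printf ' pod-security.kubernetes.io/warn=%s' "$PROFILE"
  printf ' pod-security.kubernetes.io/audit=%s\n' "$PROFILE"
}

# apply_labels: label every non-exempt namespace in the live cluster.
# With DRY_RUN=1 the kubectl commands are printed instead of executed.
apply_labels() {
  all=$(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}')
  select_namespaces "$all" | while read -r ns; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      printf 'kubectl %s\n' "$(label_args "$ns")"
    else
      # word splitting of the printed arguments is intended here
      kubectl $(label_args "$ns")
    fi
  done
}

# Only touch the cluster when explicitly asked: APPLY=1 ./enforce-restricted.sh
if [ "${APPLY:-0}" = "1" ]; then
  apply_labels
fi
```

Two caveats worth knowing before flipping `enforce`: the admission controller only judges pods at creation, so pods already running as root stay up until they are recreated, and `restricted` checks more than the user ID (it also requires `allowPrivilegeEscalation: false`, dropping all capabilities, and a `RuntimeDefault` or `Localhost` seccomp profile), so run with `warn` and `audit` first and fix the manifests the warnings point at. Unlike the PodSecurityPolicy in the question, nothing here depends on a policy being bound to the right service account.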

2 Answers

The answer is to use a tool like Kyverno or Datree and enforce policies and audit them from the cluster build point.

https://kyverno.io/policies/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers/

risail

I saw that you can use MustRunAsNonRoot here, but PSPs are deprecated (https://kubernetes.io/docs/concepts/security/pod-security-policy/).

Also, there is another post that talked about PSP and how to enforce it in AWS.

I hope it helps you!

Max