k8s default policies

k8s config files are long, use common default policies to shorten them

SEAN K.H. LIAO

common config

Kubernetes config files are verbose enough as it is, and much of the time they are just the same boilerplate repeated over and over.

todo

PodPreset currently in alpha, for volumes and env

NetworkPolicy needs support from CNI

Wishlist: readiness/liveness probes and securityContext

resources

LimitRange can set per-namespace defaults and limits on resource requests and limits. This is nice in that it fails closed, i.e. the default is applied unless explicitly overridden.

Note: policies do not get retroactively applied.

apiVersion: v1
kind: LimitRange
metadata:
  name: default-limitrange
spec:
  limits:
    - type: Container
      default:
        cpu: 100m
        memory: 100Mi
      defaultRequest:
        cpu: 50m
        memory: 50Mi
      # min:
      # max:

security

PodSecurityPolicy is tied to service accounts; one can be bound to the default service account. This is less nice, as specifying a different service account will bypass the policy. Instead, policies have to be enforced by an Admission Controller.

Note: default and additional capabilities

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default"
    seccomp.security.alpha.kubernetes.io/defaultProfileName: "runtime/default"
    apparmor.security.beta.kubernetes.io/allowedProfileNames: "runtime/default"
    apparmor.security.beta.kubernetes.io/defaultProfileName: "runtime/default"
  name: default-security
spec:
  # # user
  runAsGroup:
    rule: "MustRunAs"
    ranges:
      - min: 1
        max: 65535
  runAsUser:
    rule: "MustRunAsNonRoot"
  fsGroup:
    rule: "MustRunAs"
    ranges:
      - min: 1
        max: 65535
  supplementalGroups:
    rule: "MustRunAs"
    ranges:
      - min: 1
        max: 65535
  # # privilege
  privileged: false
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # # host
  hostIPC: false
  hostNetwork: false
  hostPID: false
  hostPorts: []
  # allowedHostPaths: []
  # allowedProcMountTypes: []
  # allowedUnsafeSysctls: []
  # forbiddenSysctls: []
  seLinux:
    rule: "RunAsAny"
  # # capabilities
  # allowedCapabilities:
  # defaultAddCapabilities:
  requiredDropCapabilities:
    - ALL
    # # Default set from Docker, without DAC_OVERRIDE or CHOWN
    # - FOWNER
    # - FSETID
    # - KILL
    # - SETGID
    # - SETUID
    # - SETPCAP
    # - NET_BIND_SERVICE
    # - NET_RAW
    # - SYS_CHROOT
    # - MKNOD
    # - AUDIT_WRITE
    # - SETFCAP
  # # filesystem
  readOnlyRootFilesystem: false
  volumes: [] # may want to relax this for configMap / persistentVolumeClaim / ...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-security
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - default-security
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-security
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-security
subjects:
  - kind: ServiceAccount
    name: default
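
Because the binding above only covers the default service account, the same rules have to be checked at admission for every pod. The sketch below is an added example, not code from this post: it validates a Pod object against part of the default-security policy (host namespaces, privilege, non-root, capabilities, host ports) and ignores the service account entirely. The function name `violations` and both sample pods are constructed, and unlike the policy it only validates, it does not apply defaults.

```python
# Added example, not the post's code: validation-only checks mirroring part of
# the default-security PodSecurityPolicy. Names and sample pods are constructed.

def violations(pod):
    """Return rule violations for a Pod object given as a dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    found = []
    for field in ("hostIPC", "hostNetwork", "hostPID"):  # host namespaces: false
        if spec.get(field):
            found.append(f"spec.{field} must be false")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if sc.get("privileged"):  # privileged: false
            found.append(f"{name}: privileged is not allowed")
        # allowPrivilegeEscalation: false; unset counts as a violation because
        # this check does not apply defaults the way the policy does
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        # runAsUser MustRunAsNonRoot; container-level settings override pod-level
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and non_root is not True):
            found.append(f"{name}: must run as non-root")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):  # requiredDropCapabilities: ALL
            found.append(f"{name}: must drop ALL capabilities")
        if caps.get("add"):  # no allowedCapabilities in the policy
            found.append(f"{name}: adding capabilities is not allowed")
        if any(p.get("hostPort") for p in c.get("ports") or []):  # hostPorts: []
            found.append(f"{name}: hostPort is not allowed")
    return found

# Constructed sample pods; both use a non-default service account.
HARDENED = {"spec": {
    "serviceAccountName": "app",
    "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
    "containers": [{"name": "web", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}]}}
RISKY = {"spec": {
    "serviceAccountName": "app",
    "hostNetwork": True,
    "containers": [{"name": "web", "ports": [{"containerPort": 80, "hostPort": 80}],
                    "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED), ("risky", RISKY)):
        print(label, violations(pod))
```

The volume, group range, seccomp and AppArmor rules from the policy are not covered here.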