Tutorial for pod security admission

PushkarJ · PushkarJ · commit 15e99a237fa3 · 2021-11-18T17:55:01.000-08:00
diff --git a/content/en/docs/tutorials/_index.md b/content/en/docs/tutorials/_index.md
@@ -57,6 +57,11 @@ Before walking through each tutorial, you may want to bookmark the
 
 * [Using Source IP](/docs/tutorials/services/source-ip/)
 
+## Pod Security
+
+* [Applying Pod Security Standards at Cluster level](/docs/tutorials/pod-security/cluster-level-pss/)
+* [Applying Pod Security Standards at Namespace level](/docs/tutorials/pod-security/ns-level-pss/)
+
 ## {{% heading "whatsnext" %}}
 
 If you would like to write a tutorial, see
diff --git a/content/en/docs/tutorials/pod-security/_index.md b/content/en/docs/tutorials/pod-security/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Pod Security"
+weight: 40
+---
+
diff --git a/content/en/docs/tutorials/pod-security/cluster-level-pss.md b/content/en/docs/tutorials/pod-security/cluster-level-pss.md
@@ -0,0 +1,271 @@
+---
+title: Applying Pod Security Standards at Cluster level
+content_type: tutorial
+weight: 10
+---
+
+{{% alert title="Disclaimer" %}}
+This tutorial applies only for new clusters.
+{{% /alert %}}
+
+## {{% heading "prerequisites" %}}
+
+Install the following on your workstation:
+
+- [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
+- [kubectl](https://kubernetes.io/docs/tasks/tools/)
+
+# Finding the right Pod Security Standard
+
+As of
+v1.23, [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
+allows usage of
+built-in [Pod Security Standards](/docs/concepts/security/pod-security-standards/)
+that can be set in three different modes: `enforce`, `audit`, `warn`.
+
+Following steps allows gathering information about which Pod Security Standards
+will be most appropriate to apply:
+
+1. Create a cluster without any pod security standard applied:
+
+    ```
+    $ kind create cluster --name psa-wo-cluster-pss --image kindest/node:latest
+    Creating cluster "psa-wo-cluster-pss" ...
+    ✓ Ensuring node image (kindest/node:latest) 🖼
+    ✓ Preparing nodes 📦  
+    ✓ Writing configuration 📜
+    ✓ Starting control-plane 🕹️
+    ✓ Installing CNI 🔌
+    ✓ Installing StorageClass 💾
+    Set kubectl context to "kind-psa-wo-cluster-pss"
+    You can now use your cluster with:
+    
+    kubectl cluster-info --context kind-psa-wo-cluster-pss
+    
+    Thanks for using kind! 😊
+    
+    ```
+
+2. Switch kubectl context to point it to this new cluster
+    ```
+    $ kubectl cluster-info --context kind-psa-wo-cluster-pss
+    Kubernetes control plane is running at https://127.0.0.1:61350
+    CoreDNS is running at https://127.0.0.1:61350/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
+    
+    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
+    ```
+
+3. Let's look at existing namespaces in the cluster:
+
+    ```
+    $ kubectl get ns   
+    NAME                 STATUS   AGE
+    default              Active   9m30s
+    kube-node-lease      Active   9m32s
+    kube-public          Active   9m32s
+    kube-system          Active   9m32s
+    local-path-storage   Active   9m26s
+    ```
+
+4. Use `--dry-run=server` to understand what happens when different pod security
+   standard are applied:
+
+    ```
+    $ kubectl label --dry-run=server --overwrite ns --all \                    
+    pod-security.kubernetes.io/enforce=privileged
+    namespace/default labeled
+    namespace/kube-node-lease labeled
+    namespace/kube-public labeled
+    namespace/kube-system labeled
+    namespace/local-path-storage labeled
+    
+    
+    $ kubectl label --dry-run=server --overwrite ns --all \
+    pod-security.kubernetes.io/enforce=baseline
+    namespace/default labeled
+    namespace/kube-node-lease labeled
+    namespace/kube-public labeled
+    Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "baseline:latest"
+    Warning: etcd-psa-wo-cluster-pss-control-plane (and 3 other pods): host namespaces, hostPath volumes
+    Warning: kindnet-vzj42: non-default capabilities, host namespaces, hostPath volumes
+    Warning: kube-proxy-m6hwf: host namespaces, hostPath volumes, privileged
+    namespace/kube-system labeled
+    namespace/local-path-storage labeled
+    
+    
+    $ kubectl label --dry-run=server --overwrite ns --all \
+    pod-security.kubernetes.io/enforce=restricted
+    namespace/default labeled
+    namespace/kube-node-lease labeled
+    namespace/kube-public labeled
+    Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "restricted:latest"
+    Warning: coredns-7bb9c7b568-hsptc (and 1 other pod): unrestricted capabilities, runAsNonRoot != true, seccompProfile
+    Warning: etcd-psa-wo-cluster-pss-control-plane (and 3 other pods): host namespaces, hostPath volumes, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true
+    Warning: kindnet-vzj42: non-default capabilities, host namespaces, hostPath volumes, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
+    Warning: kube-proxy-m6hwf: host namespaces, hostPath volumes, privileged, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
+    namespace/kube-system labeled
+    Warning: existing pods in namespace "local-path-storage" violate the new PodSecurity enforce level "restricted:latest"
+    Warning: local-path-provisioner-d6d9f7ffc-lw9lh: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
+    namespace/local-path-storage labeled
+    ```
+
+It seems like `privileged` Pod Security Standard when applied, shows no warnings
+for any namespaces. However, `baseline` and `restricted` standards both have
+more warnings specifically on `kube-system` namespace.
+
+# Setting modes, versions and standards
+
+For the purposes of this tutorial, `baseline` standard will be `enforced` as per
+`latest` version whereas `restricted` standard will be applied in
+`warn` and `audit` mode. Baseline Pod Security Standard provides a convenient
+middle ground that allows keeping the exemption list short and prevents known
+privilege escalations.
+
+However, to prevent pods from failing in `kube-system`, this namespace will be
+exempt from the cluster level Pod Security Standards applied.
+
+_Notes_:
+
+1. Based on risk posture applied to a cluster, a more strict Pod Security
+   Standard like `restricted` could be a better choice.
+2. This exemption for `kube-system` namespace, allows pods to run as
+   `privileged` in this namespace. So, it is recommended to apply strict RBAC
+   policies that limit access to `kube-system` following least privilege
+   principle.
+
+Let's create a configuration file that can be consumed by built-in Pod Security
+Admission Controller to implement these Pod Security Standards:
+
+```
+$ mkdir -p /tmp/pss
+$ cat <<EOF > /tmp/pss/cluster-level-pss.yaml 
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- name: PodSecurity
+  configuration:
+    apiVersion: pod-security.admission.config.k8s.io/v1beta1
+    kind: PodSecurityConfiguration
+    defaults:
+      enforce: "baseline"
+      enforce-version: "latest"
+      audit: "restricted"
+      audit-version: "latest"
+      warn: "restricted"
+      warn-version: "latest"
+    exemptions:
+      usernames: []
+      runtimeClasses: []
+      namespaces: [kube-system]
+EOF
+```
+
+# Configure the API server
+
+Let's configure API server to consume this file during cluster creation:
+
+```
+$ cat <<EOF > /tmp/pss/cluster-config.yaml 
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+        extraArgs:
+          admission-control-config-file: /etc/config/cluster-level-pss.yaml
+        extraVolumes:
+          - name: accf
+            hostPath: /etc/config
+            mountPath: /etc/config
+            readOnly: false
+            pathType: "DirectoryOrCreate"
+  extraMounts:
+  - hostPath: /tmp/pss
+    containerPath: /etc/config
+    # optional: if set, the mount is read-only.
+    # default false
+    readOnly: false
+    # optional: if set, the mount needs SELinux relabeling.
+    # default false
+    selinuxRelabel: false
+    # optional: set propagation mode (None, HostToContainer or Bidirectional)
+    # see https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
+    # default None
+    propagation: None
+EOF
+```
+
+_Note_: Please ensure that when using Docker Desktop with KinD, the `/tmp`
+directory is added as a Shared Directory under
+`Preferences -> Resources -> File Sharing` (as seen on Docker Desktop for Mac)
+
+# Create cluster with Pod Security Standards
+
+Now we are ready to create a cluster that consumes these pod security standards
+configured with pod security admission controller:
+
+```
+$ kind create cluster --name psa-with-cluster-pss --image kindest/node:latest --config /tmp/pss/cluster-config.yaml
+Creating cluster "psa-with-cluster-pss" ...
+ ✓ Ensuring node image (kindest/node:latest) 🖼 
+ ✓ Preparing nodes 📦  
+ ✓ Writing configuration 📜 
+ ✓ Starting control-plane 🕹️ 
+ ✓ Installing CNI 🔌 
+ ✓ Installing StorageClass 💾 
+Set kubectl context to "kind-psa-with-cluster-pss"
+You can now use your cluster with:
+
+kubectl cluster-info --context kind-psa-with-cluster-pss
+
+Have a question, bug, or feature request? Let us know! https://kind.sigs.k8s.io/#community 🙂
+
+
+$ kubectl cluster-info --context kind-psa-with-cluster-pss
+Kubernetes control plane is running at https://127.0.0.1:63855
+CoreDNS is running at https://127.0.0.1:63855/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
+
+To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
+```
+
+# Create pod
+
+Creating a pod with minimal configuration in default namespace should now be
+successful with warnings for `restricted` pod security standards:
+
+```
+$ cat <<EOF > /tmp/pss/nginx-pod.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+    - image: nginx
+      name: nginx
+      ports:
+        - containerPort: 80
+EOF
+
+
+$ kubectl apply -f /tmp/pss/nginx-pod.yaml
+Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
+pod/nginx created
+```
+
+# Bringing it all together
+
+Running the commands in this
+[gist](https://gist.github.com/PushkarJ/9f7a0045f4bec31097bdd1e9db0f2f6e)
+that were discussed in this tutorial will do all these steps in one go:
+
+1. Create a Pod Security Standards based cluster level Configuration
+2. Create a file to let API server consumes this configuration
+3. Create a cluster that creates an API server with this configuration
+4. Set kubectl context to this new cluster
+5. Create a minimal pod yaml file
+6. Apply this file to create a Pod in the new cluster
+
diff --git a/content/en/docs/tutorials/pod-security/ns-level-pss.md b/content/en/docs/tutorials/pod-security/ns-level-pss.md

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +title: "Pod Security"
 +weight: 40
 +---
++