Prevent Privileged Containers in Kubernetes with PodSecurityPolicies

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

PodSecurityPolicies are a great way to enforce chosen security standards within a cluster. In this lab, you will have the opportunity to practice your skills with PodSecurityPolicies by preventing users from running privileged containers.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Enable the Use of PodSecurityPolicies in the Cluster

Configure the API server to validate incoming Pods using PodSecurityPolicies.

Create a PodSecurityPolicy to Allow Only Non-Privileged Pods

Create a PodSecurityPolicy that allows for Pods that do not use privileged mode for any containers, but blocks Pods that use privileged mode.

Create an RBAC Setup to Apply the PodSecurityPolicy in the auth Namespace

Create an RBAC setup that will allow Pods in the auth Namespace to use the PodSecurityPolicy.

There are two Pod manifests in /home/cloud_user: one for a Pod that uses privileged mode and one for a Pod that does not. You can use these to test your setup. Your final configuration should allow the non-privileged Pod and block the privileged Pod.

These two Pods both use a ServiceAccount in the auth Namespace called auth-sa. You can use this ServiceAccount as part of your RBAC setup.

Additional Resources

Your company, SecuriCorp, is using Kubernetes to run various applications. You have created a self-service environment for use by your developers, and many of your team members are regularly creating Pods in the cluster.

Per your documented security policy, you have instructed the team not to create Pods which run containers in privileged mode. However, over time, some team members must have forgotten this policy, and a few such privileged containers were created. To make matters worse, some team members are copying and pasting a Pod configuration that uses privileged containers, and that configuration is being used for containers that do not even need privileged mode!

Help the team follow security best practices by using a PodSecurityPolicy to prevent the creation of privileged containers in the auth namespace.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?