PodSecurityPolicies are a great way to enforce chosen security standards within a cluster. In this lab, you will have the opportunity to practice your skills with PodSecurityPolicies by preventing users from running privileged containers.
Successfully complete this lab by achieving the following learning objectives:
- Enable the Use of PodSecurityPolicies in the Cluster
Configure the API server to validate incoming Pods using PodSecurityPolicies.
- Create a PodSecurityPolicy to Allow Only Non-Privileged Pods
Create a PodSecurityPolicy that allows for Pods that do not use privileged mode for any containers, but blocks Pods that use privileged mode.
- Create an RBAC Setup to Apply the PodSecurityPolicy in the auth Namespace
Create an RBAC setup that will allow Pods in the
authNamespace to use the PodSecurityPolicy.
There are two Pod manifests in
/home/cloud_user: one for a Pod that uses privileged mode and one for a Pod that does not. You can use these to test your setup. Your final configuration should allow the non-privileged Pod and block the privileged Pod.
These two Pods both use a ServiceAccount in the
auth-sa. You can use this ServiceAccount as part of your RBAC setup.