PodSecurityPolicies are a great way to enforce chosen security standards within a cluster. In this lab, you will have the opportunity to practice your skills with PodSecurityPolicies by preventing users from running privileged containers.
Successfully complete this lab by achieving the following learning objectives:
- Enable the Use of PodSecurityPolicies in the Cluster
Configure the API server to validate incoming Pods using PodSecurityPolicies.
- Create a PodSecurityPolicy to Allow Only Non-Privileged Pods
Create a PodSecurityPolicy that allows for Pods that do not use privileged mode for any containers, but blocks Pods that use privileged mode.
- Create a RBAC Setup to Apply the PodSecurityPolicy in the auth Namespace
Create a RBAC setup that will allow Pods in the
authNamespace to use the PodSecurityPolicy.
There are two Pod manifests in
/home/cloud_user, one for a Pod that uses privileged mode and one for a Pod that does not. You can use these to test your setup. Your final configuration should allow the non-privileged Pod and block the privileged Pod.
These two Pods both use a ServiceAccount in the
auth-sa. You can use this ServiceAccount as part of your RBAC setup.