
How To Work With Google Kubernetes Engine POD Security Policies

I’m a big fan of Google Cloud Platform and Google Kubernetes Engine (GKE). I have published a few posts previously about getting started with these, and you can go through those if you are new to the technologies. In this post let’s see how to work with Google Kubernetes Engine Pod Security Policies. A Pod Security Policy (PSP) is an admission controller: it validates the security-sensitive fields of a pod spec (privileged mode, host namespaces, volume types, user IDs and so on) before the pod is created. Role Based Access Control (RBAC) is the other half of the setup, because RBAC decides which users and service accounts are allowed to use a given policy, so the two are configured together.

As you probably know, you can spin up a Kubernetes cluster within a few minutes with GKE; mine was ready in a couple of minutes. You can connect to the cluster from Cloud Shell with the Connect button

Kubernetes Engine POD Security Policies : Connect to the cluster

Copied the command and connected to the cluster with the “Run in Cloud Shell” button

Kubernetes Engine POD Security Policies : Connect to shell

Pasted the command and hit the return key to connect to the endpoint

Kubernetes Engine POD Security Policies : Connect with the command

Checked the cluster node status

kubectl get nodes
Kubernetes Engine POD Security Policies : Node status

I have created a new cluster namespace called “tcnamespace”

kubectl create namespace [NAMESPACE_NAME]
Kubernetes Engine POD Security Policies : Create a namespace

Basically, three YAML files are needed: the Pod Security Policy itself, a Cluster Role that grants permission to use it, and a Role Binding that attaches that Cluster Role to the subjects in the namespace. We can use the Cloud Shell Editor to create these files

Kubernetes Engine POD Security Policies : Create YAML files

Here are the created files in the Cloud Shell

Here is the Pod Security Policy YAML content. This Pod Security Policy prevents the creation of privileged pods. (PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, GKE included; on newer clusters the same constraints are expressed with Pod Security Admission or a policy controller, but the RBAC mechanics below still apply.)

What Are Privileged Pods?

A container running with `privileged: true` gets essentially the same access to the host as a root process outside the container: all Linux capabilities are granted, the host’s devices are exposed, and Docker drops the default seccomp and AppArmor profiles it would otherwise apply. That is useful for management workloads such as network plugins that manipulate the host networking stack or agents that need host devices, but for an ordinary application it means a compromised container is a compromised node. Note that `privileged: false` is only one knob: the policy below still allows every volume type (hostPath included), any user ID (root included), and privilege escalation through setuid binaries, because `allowPrivilegeEscalation` defaults to true when it is not set. A production policy would tighten those fields as well.

apiVersion: extensions/v1beta1   # later Kubernetes versions expose the same resource as policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tc-gke-psp
spec:
  privileged: false  # Prevents creation of privileged Pods
  # allowPrivilegeEscalation is not set, so it defaults to true
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny     # root (uid 0) is still allowed
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'                # every volume type, hostPath included
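To see what the policy above actually blocks and what it lets through, here is an added example (not code from the original post or from GKE) that re-implements the subset of PodSecurityPolicy validation the tc-gke-psp fields touch: privileged mode, host namespaces, volume types, runAsUser and allowPrivilegeEscalation. It is a simplified local model, not the real admission controller. The hardened policy and all pod specs are constructed for the example; only TC_GKE_PSP is transcribed from the YAML above.

```python
"""Local model of PodSecurityPolicy admission for the tc-gke-psp policy.

Added example, not code from the original post or from GKE.  Simplified model
of the PSP validation rules; the pod specs below are constructed samples.
"""

# The post's policy as the admission controller sees it.  Fields the YAML leaves
# unset take the PSP defaults: hostNetwork/hostPID/hostIPC are denied,
# allowPrivilegeEscalation is permitted.
TC_GKE_PSP = {
    "privileged": False,
    "runAsUser": {"rule": "RunAsAny"},
    "volumes": ["*"],
}

# A tighter policy (assumed hardened variant, not from the post): no root,
# no privilege escalation, only non-host volume types.
HARDENED_PSP = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "volumes": ["configMap", "emptyDir", "secret", "projected", "persistentVolumeClaim"],
}


def validate_pod(pod_spec, psp):
    """Return the list of violations; an empty list means the PSP admits the pod."""
    violations = []

    # Host namespaces are denied unless the PSP explicitly allows them.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(ns) and not psp.get(ns, False):
            violations.append(f"{ns} is not allowed")

    # Volume types: '*' allows everything, including hostPath.
    allowed = set(psp.get("volumes", []))
    for vol in pod_spec.get("volumes", []):
        vol_type = next(k for k in vol if k != "name")  # e.g. "hostPath", "emptyDir"
        if "*" not in allowed and vol_type not in allowed:
            violations.append(f"volume type {vol_type} is not allowed")

    pod_sc = pod_spec.get("securityContext", {})
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged") and not psp.get("privileged", False):
            violations.append(f"container {name}: privileged containers are not allowed")
        # Only an explicit 'true' is a violation: when the field is unset the PSP
        # mutates it to false instead of rejecting the pod.
        if sc.get("allowPrivilegeEscalation") and not psp.get("allowPrivilegeEscalation", True):
            violations.append(f"container {name}: allowPrivilegeEscalation is not allowed")
        if psp.get("runAsUser", {}).get("rule") == "MustRunAsNonRoot":
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            # uid 0 or an explicit runAsNonRoot: false is rejected; unset fields are
            # accepted here because the PSP defaults runAsNonRoot to true and the
            # kubelet then refuses images whose USER is root.
            if uid == 0 or non_root is False:
                violations.append(f"container {name}: must run as non-root")
    return violations


# Constructed sample pod specs.
PRIVILEGED_POD = {
    "containers": [{"name": "app", "image": "nginx",
                    "securityContext": {"privileged": True}}],
}
# Not privileged, but root, escalation allowed and the host root filesystem mounted.
HOST_MOUNT_POD = {
    "containers": [{"name": "app", "image": "alpine",
                    "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": True},
                    "volumeMounts": [{"name": "root", "mountPath": "/host"}]}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
}
PLAIN_POD = {
    "containers": [{"name": "app", "image": "nginx",
                    "securityContext": {"runAsUser": 1000, "runAsNonRoot": True}}],
}

if __name__ == "__main__":
    for label, pod in (("privileged", PRIVILEGED_POD), ("host-mount", HOST_MOUNT_POD), ("plain", PLAIN_POD)):
        for psp_name, psp in (("tc-gke-psp", TC_GKE_PSP), ("hardened", HARDENED_PSP)):
            print(f"{label:10} vs {psp_name:10}: {validate_pod(pod, psp) or 'admitted'}")
```

The point of the second sample pod is the one to remember: tc-gke-psp rejects the privileged pod but admits a root container with the node’s root filesystem mounted via hostPath, while the hardened variant rejects all three of its problems.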

Cluster Role YAML content. The `use` verb on the named policy is what the admission controller checks for; the `extensions` apiGroup matches the apiVersion of the PSP above (later Kubernetes versions use the `policy` group).

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tc-gke-clusterrole
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - tc-gke-psp
  verbs:
  - use

Role Binding YAML content. Although the file is described as a Cluster Role Binding, this object is a namespaced RoleBinding: it attaches the ClusterRole above to subjects for tcnamespace only, so the policy is usable for pods created in that namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tc-gke-RoleBinding
  namespace: tcnamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tc-gke-clusterrole
subjects:
# All service accounts in the cluster: system:serviceaccounts is a cluster-wide group.
# Use system:serviceaccounts:tcnamespace to name only this namespace's service accounts.
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
# A specific service account in tcnamespace (already covered by the group above, kept as an example)
- kind: ServiceAccount # Omit apiGroup
  name: default
  namespace: tcnamespace

Verified the location of the files in the Cloud Shell

Kubernetes Engine POD Security Policies : Created files

Applied the POD Security Policy YAML

kubectl apply -f [FILE_NAME]
Kubernetes Engine POD Security Policies : Apply PSP

If you then apply the Cluster Role YAML file you may see the following forbidden error message:

Error from server (Forbidden): error when creating “tc-gke-cluster-role.yaml”: clusterroles.rbac.authorization.k8s.io “tc-gke-clusterrole” is forbidden: attempt to grant extra privileges: [{[use] [extensions] [podsecuritypolicies] [tc-gke-psp] []}] user=&{emailid  [system:authenticated] map[user-assertion.cloud.google.com:[AKUJVpky8qCuEEeAoA3kRSPOHXsXVHVxKuT7G/QHeK+x0DLrz3Rw4PSybMNrUBZTY78h0aGN8KwuHPjl81ItpNPu4DIkviPUtwMOA8pCjxGXHSSx1PmiLyirSuWvJn8v2oN0OelPY0D7JRAGPiHijGkhfTzAPP0k+/+kJtJboEmjtonaNnhFG+eKmwJHiIO/sSP40egcFYJGqV5msuiSg6mW5shXNvccVJrs5uHVAh4=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]

This is RBAC’s escalation prevention at work: the API server only lets you create a role whose rules you already hold yourself, and the ownerrules in the message show that, as far as Kubernetes RBAC is concerned, the Google account only had the read-only discovery permissions every member of system:authenticated gets. It did not hold `use` on podsecuritypolicies, so it could not grant it. Your GKE IAM role is evaluated by a separate authorizer and does not count towards this check. To get past it, bind your account to the built-in cluster-admin ClusterRole. The account ID is case sensitive, so type your Gmail address in lowercase, and run the command below

kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user [EMAIL_ADDRESS_IN_LOWERCASE]
Kubernetes Engine POD Security Policies : Admin role binding
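The “attempt to grant extra privileges” error above is a coverage check: each rule in the role being created is broken into single verb/group/resource pieces, and every piece must be covered by some rule the requester already holds. Here is an added example (not code from the original post or from Kubernetes) that re-implements that check in simplified form. OWNER_RULES_FROM_ERROR is transcribed from the `ownerrules=` part of the error message above; CLUSTER_ADMIN_RULES and the extra rules in the test are constructed here, and subresource wildcards such as `pods/*` are not modelled.

```python
"""Why creating the ClusterRole was forbidden: RBAC escalation prevention, modelled locally.

Added example, not code from the original post or from Kubernetes.  A subject may
only create or update a role whose rules are all covered by rules the subject
already holds; this is a simplified re-implementation of that check.
"""


def _matches(owner_vals, wanted, prefix_wildcard=False):
    """True if some owner value matches the wanted value.  '*' matches anything;
    for nonResourceURLs a trailing '*' matches any suffix, so '/api/*' covers '/api/v1'."""
    for o in owner_vals:
        if o == "*" or o == wanted:
            return True
        if prefix_wildcard and o.endswith("*") and wanted.startswith(o[:-1]):
            return True
    return False


def _breakdown(rule):
    """Split a rule into single verb/group/resource pieces, as the RBAC
    escalation check does before looking for a covering owner rule."""
    if "nonResourceURLs" in rule:
        return [{"verbs": [v], "nonResourceURLs": [u]}
                for v in rule["verbs"] for u in rule["nonResourceURLs"]]
    return [{"verbs": [v], "apiGroups": [g], "resources": [r],
             "resourceNames": rule.get("resourceNames", [])}
            for v in rule["verbs"]
            for g in rule.get("apiGroups", [""])   # no apiGroups means the core group
            for r in rule["resources"]]


def _covers(owner, piece):
    """Does a single owner rule grant everything a single-item piece grants?"""
    if "nonResourceURLs" in piece:
        return ("nonResourceURLs" in owner
                and _matches(owner["verbs"], piece["verbs"][0])
                and _matches(owner["nonResourceURLs"], piece["nonResourceURLs"][0], prefix_wildcard=True))
    if "nonResourceURLs" in owner:
        return False
    owner_names = owner.get("resourceNames", [])
    # An owner rule limited to named objects cannot cover a rule over all objects
    # of that kind, and can only cover names it lists.
    if owner_names and (not piece["resourceNames"] or not set(piece["resourceNames"]) <= set(owner_names)):
        return False
    return (_matches(owner["verbs"], piece["verbs"][0])
            and _matches(owner.get("apiGroups", [""]), piece["apiGroups"][0])
            and _matches(owner["resources"], piece["resources"][0]))


def escalating_pieces(owner_rules, wanted_rules):
    """Pieces of wanted_rules that no owner rule covers.  RBAC refuses the request
    when this is non-empty, which is exactly the "attempt to grant extra privileges" error."""
    return [p for w in wanted_rules for p in _breakdown(w)
            if not any(_covers(o, p) for o in owner_rules)]


# Transcribed from the ownerrules in the error message: what the Google account
# held through Kubernetes RBAC on the fresh cluster.
OWNER_RULES_FROM_ERROR = [
    {"verbs": ["create"], "apiGroups": ["authorization.k8s.io"],
     "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]},
    {"verbs": ["get"], "nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*", "/healthz",
                                           "/openapi", "/openapi/*", "/swagger-2.0.0.pb-v1",
                                           "/swagger.json", "/swaggerapi", "/swaggerapi/*",
                                           "/version", "/version/"]},
]
# The rules the built-in cluster-admin ClusterRole carries (constructed inline).
CLUSTER_ADMIN_RULES = [
    {"verbs": ["*"], "apiGroups": ["*"], "resources": ["*"]},
    {"verbs": ["*"], "nonResourceURLs": ["*"]},
]
# The rule in tc-gke-clusterrole above.
TC_GKE_CLUSTERROLE_RULES = [
    {"verbs": ["use"], "apiGroups": ["extensions"],
     "resources": ["podsecuritypolicies"], "resourceNames": ["tc-gke-psp"]},
]

if __name__ == "__main__":
    print("before cluster-admin binding:", escalating_pieces(OWNER_RULES_FROM_ERROR, TC_GKE_CLUSTERROLE_RULES))
    print("after cluster-admin binding: ", escalating_pieces(CLUSTER_ADMIN_RULES, TC_GKE_CLUSTERROLE_RULES))
```

Run with the account’s original rules the `use` piece comes back uncovered, which is the rejection you saw; with the wildcard rules of cluster-admin nothing is uncovered, which is why the binding fixes it. The same function shows why the check is not simply “is this subject an admin”: the discovery rule the account already had does cover a new role granting `get` on `/api/v1`, because `/api/*` matches it.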

Applied the Cluster Role file with the command below

kubectl create -f [CLUSTER_ROLE_FILE_NAME]
Kubernetes Engine POD Security Policies : apply cluster role

Applied the Role Binding YAML as well

kubectl apply -f [CLUSTER_ROLE_BINDING_FILE]
Kubernetes Engine POD Security Policies : apply role binding

After the three YAML files are applied, the Pod Security Policy admission controller can be enabled on the cluster. Keep this order: once the controller is on, a pod is admitted only if its creator or its service account is authorised to use a policy that validates it, so the policy and bindings should exist before the switch is flipped. Make sure to specify the zone/region in the command, otherwise it will fail. I used the gcloud beta command below to enable Pod Security Policy

gcloud beta container clusters update [CLUSTER_NAME] --zone [ZONE_NAME] --enable-pod-security-policy 
Kubernetes Engine POD Security Policies : container update

Let the command complete; it may take some time. To check the result, create a pod with `privileged: true` in tcnamespace through a Deployment (so that the pod’s service account, not your cluster-admin user, is the subject being authorised): the API server should reject it with a message saying the pod is unable to validate against any pod security policy.

Kubernetes Engine POD Security Policies : enable POD Security Policy

Use Of The Above Command

In my case I had a pre-configured cluster; otherwise you can enable Pod Security Policy at cluster creation time. Use the command below to create a cluster with it enabled

gcloud beta container clusters create [CLUSTER_NAME] --zone [ZONE_NAME] --enable-pod-security-policy

To disable the applied POD Security policy use the below command

gcloud beta container clusters update [CLUSTER_NAME] --zone [ZONE_NAME] --no-enable-pod-security-policy 
Aruna Lakmal

Associate Technical Specialist at Pearson, Sri Lanka. Technology junky, enthusiast, a VMware vExpert and a blogger with more than 7 years of Experience in Information Technology more focusing on VMware Virtualization, Microsoft and Datacenter Technologies.
