I’m a big fan of Google Cloud Platform and Google Kubernetes Engine (GKE). I have previously published a few posts about getting started with them, and you can go through those if you are new to these technologies. In this post let’s see how to work with Google Kubernetes Engine Pod Security Policies, which are granted to users and service accounts through Role Based Access Control (RBAC) in Google Kubernetes Engine.
I know you are aware that you can spin up a Kubernetes cluster within a few minutes with GKE; my cluster was ready in a couple of minutes. You can easily connect to the cluster from Cloud Shell with the Connect button.

Copied the command and connected to the cluster with the “Run in Cloud Shell” button.

Pasted the command and hit the return key to connect to the endpoint.

Checked the cluster node status
kubectl get nodes

I have created a new cluster namespace called “tcnamespace”:
kubectl create namespace [NAMESPACE_NAME]

Basically, three YAML files need to be created: one each for the Pod Security Policy, the Cluster Role and the Role Binding. We can use the Cloud Shell Editor to create these files.

Here are the created files in the Cloud Shell.
Here is the Pod Security Policy YAML content; this policy prevents the creation of privileged Pods.
What Are Privileged Pods?
Privileged Pods are useful for exercising Linux capabilities such as manipulating the host networking stack and accessing host resources and devices. In privileged mode, processes running inside the container have the same capabilities as processes outside the container, which allows them to perform some management tasks on the node. That is exactly why a Pod Security Policy should deny privileged mode to workloads that do not need it.
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tc-gke-psp
spec:
  privileged: false  # Prevents creation of privileged Pods
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
Cluster Role YAML output (grants the "use" verb on the tc-gke-psp policy)
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tc-gke-clusterrole
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - tc-gke-psp
  verbs:
  - use
Role Binding YAML output (a namespaced RoleBinding that references the ClusterRole, so the policy is only usable inside tcnamespace)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tc-gke-RoleBinding
  namespace: tcnamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tc-gke-clusterrole
subjects:
# All service accounts (the binding is scoped to tcnamespace by its metadata.namespace)
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
# A specific service account in tcnamespace
- kind: ServiceAccount  # Omit apiGroup for ServiceAccount subjects
  name: default
  namespace: tcnamespace
Verified the location of the files in the Cloud Shell.

Applied the Pod Security Policy YAML:
kubectl apply -f [FILE_NAME]

If you execute the Cluster Role YAML file you might see the forbidden error message below:
Error from server (Forbidden): error when creating “tc-gke-cluster-role.yaml”: clusterroles.rbac.authorization.k8s.io “tc-gke-clusterrole” is forbidden: attempt to grant extra privileges: [{[use] [extensions] [podsecuritypolicies] [tc-gke-psp] []}] user=&{emailid [system:authenticated] map[user-assertion.cloud.google.com:[AKUJVpky8qCuEEeAoA3kRSPOHXsXVHVxKuT7G/QHeK+x0DLrz3Rw4PSybMNrUBZTY78h0aGN8KwuHPjl81ItpNPu4DIkviPUtwMOA8pCjxGXHSSx1PmiLyirSuWvJn8v2oN0OelPY0D7JRAGPiHijGkhfTzAPP0k+/+kJtJboEmjtonaNnhFG+eKmwJHiIO/sSP40egcFYJGqV5msuiSg6mW5shXNvccVJrs5uHVAh4=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
This is Kubernetes RBAC escalation prevention: you can only grant permissions in a role that your own account already holds. To overcome this you need to create a cluster-admin role binding for your account. The account ID is case sensitive, so type your Gmail ID in lowercase, and execute the command below:
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user [EMAIL_ADDRESS_IN_LOWERCASE]

Applied the Cluster Role file using the command below:
kubectl create -f [CLUSTER_ROLE_FILE_NAME]

Applied the Role Binding YAML as well:
kubectl apply -f [CLUSTER_ROLE_BINDING_FILE]

After successfully applying these three YAML files, the Pod Security Policy should be enabled on the cluster. Make sure to specify the zone/region in the command, otherwise it will fail. I used the gcloud beta command below to enable Pod Security Policy enforcement:
gcloud beta container clusters update [CLUSTER_NAME] --zone [ZONE_NAME] --enable-pod-security-policy

Let the command complete the process; it might take some time.

Use Of The Above Command
In my case I had a pre-configured cluster; otherwise you can create the cluster with Pod Security Policy enabled from the start. Use the command below to create such a cluster:
gcloud beta container clusters create [CLUSTER_NAME] --zone [ZONE_NAME] --enable-pod-security-policy
To disable the applied Pod Security Policy enforcement, use the command below:
gcloud beta container clusters update [CLUSTER_NAME] --zone [ZONE_NAME] --no-enable-pod-security-policy
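To make the two-part decision clearer, here is an added example (my own, not from the original post or from GKE) that models how the tc-gke-psp policy and its RoleBinding above decide whether a pod is admitted: first the pod's service account must be allowed to "use" the policy through RBAC, then the pod spec must satisfy the policy. It is simplified to the pod's service account and the privileged flag, and the pod specs are constructed samples.

```python
"""Model of PodSecurityPolicy admission for the page's tc-gke-psp setup.
Added example, not the original post's code; pod specs are constructed."""

# The page's PodSecurityPolicy, reduced to the field this model enforces.
PSP = {"name": "tc-gke-psp", "privileged": False}

# The page's RoleBinding: who may "use" the PSP, and in which namespace.
ROLE_BINDING = {
    "namespace": "tcnamespace",
    "subjects": [
        {"kind": "Group", "name": "system:serviceaccounts"},
        {"kind": "ServiceAccount", "name": "default", "namespace": "tcnamespace"},
    ],
}


def can_use_psp(namespace, service_account):
    """RBAC half: a namespaced RoleBinding only grants 'use' inside its own
    namespace; every service account is a member of system:serviceaccounts."""
    if namespace != ROLE_BINDING["namespace"]:
        return False
    for s in ROLE_BINDING["subjects"]:
        if s["kind"] == "Group" and s["name"] == "system:serviceaccounts":
            return True
        if (s["kind"] == "ServiceAccount" and s["name"] == service_account
                and s["namespace"] == namespace):
            return True
    return False


def psp_violations(pod_spec):
    """Policy half: reasons the pod would violate tc-gke-psp (init containers count too)."""
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    return [f"container {c['name']}: privileged not allowed" for c in containers
            if c.get("securityContext", {}).get("privileged") and not PSP["privileged"]]


def admit(pod_spec, namespace, service_account="default"):
    """Admission decision as (allowed, reason)."""
    if not can_use_psp(namespace, service_account):
        return False, "no RBAC binding grants use of any PodSecurityPolicy"
    violations = psp_violations(pod_spec)
    if violations:
        return False, "; ".join(violations)
    return True, f"validated against {PSP['name']}"


# Constructed sample pods: a plain web pod and one asking for privileged mode.
PLAIN_POD = {"containers": [{"name": "web", "image": "nginx"}]}
PRIVILEGED_POD = {"containers": [{"name": "agent", "image": "busybox",
                                  "securityContext": {"privileged": True}}]}

if __name__ == "__main__":
    for pod, ns in ((PLAIN_POD, "tcnamespace"), (PRIVILEGED_POD, "tcnamespace"), (PLAIN_POD, "default")):
        print(ns, admit(pod, ns))
```

The third case shows why the binding is namespaced: the same plain pod is rejected in the default namespace because nothing there grants use of the policy.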