
How To Work With Google Kubernetes Engine POD Security Policies

I’m a big fan of Google Cloud Platform and Google Kubernetes Engine, aka GKE. I have published a few posts previously about getting started with them, and you can go through those posts if you are new to these technologies. In this post let’s see how to work with Google Kubernetes Engine POD Security Policies. This is the Role Based Access Control, aka RBAC, in Google Kubernetes Engine.

I know you already know that you can spin up a Kubernetes cluster within a few minutes with GKE; my Kubernetes cluster was ready in a couple of minutes. You can easily connect to the cluster from the Cloud Shell with the Connect button.

Kubernetes Engine POD Security Policies : Connect to the cluster

I copied the command and connected to the cluster with the “Run in Cloud Shell” button.

Kubernetes Engine POD Security Policies : Connect to shell

I pasted the command and hit the Return key to connect to the endpoint.

Kubernetes Engine POD Security Policies : Connect with the command

I checked the cluster node status.

Kubernetes Engine POD Security Policies : Node status

I created a new cluster namespace called “tcnamespace”.

Kubernetes Engine POD Security Policies : Create a namespace

Basically, three YAML files should be created, one each for the POD Security Policy, the Cluster Role and the Cluster Role Binding. We can use the Cloud Shell Editor to create these files.

Kubernetes Engine POD Security Policies : Create YAML files

Here are the created files in the Cloud Shell.

Here is the POD Security Policy YAML content. This POD Security Policy prevents the creation of privileged PODs.

What Are Privileged PODs?

Privileged PODs are useful for utilizing Linux capabilities such as manipulating the host networking stack and accessing host resources and devices. In privileged mode, processes running inside the container have the same capabilities as processes outside the container, which lets them perform some management operations.

Cluster Role YAML output

Cluster Role Binding YAML output
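The three manifests the screenshots above describe, written out as an added example (not the post’s own files). The names tc-gke-psp and tc-gke-clusterrole come from the post’s error message and tcnamespace from the namespace created earlier; the binding name and its subject are assumptions, and the Cluster Role uses the policy API group where the post’s output shows extensions, which older clusters also accept.

```yaml
# Added example: PSP that rejects privileged PODs, plus the RBAC objects
# that let workloads in the cluster "use" it. Binding/subject names assumed.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tc-gke-psp
spec:
  privileged: false                # the restriction described in the post
  allowPrivilegeEscalation: false  # also block setuid-style escalation
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - configMap
  - emptyDir
  - secret
  - persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tc-gke-clusterrole
rules:
- apiGroups: [policy]              # 'extensions' on older clusters
  resources: [podsecuritypolicies]
  resourceNames: [tc-gke-psp]
  verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tc-gke-psp-binding         # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tc-gke-clusterrole
subjects:
- kind: Group                      # every authenticated user and service account
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
```

A subject is only restricted if this is the sole PSP it can use, so check with `kubectl auth can-i use podsecuritypolicy/tc-gke-psp --as=system:serviceaccount:tcnamespace:default` and confirm no more permissive policy is also usable. PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters the same privileged-POD restriction is expressed with Pod Security Admission.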

I verified the location of the files in the Cloud Shell.

Kubernetes Engine POD Security Policies : Created files

I applied the POD Security Policy YAML.

Kubernetes Engine POD Security Policies : Apply PSP

If you apply the Cluster Role YAML file next, you may see the forbidden error message below:

Error from server (Forbidden): error when creating “tc-gke-cluster-role.yaml”: clusterroles.rbac.authorization.k8s.io “tc-gke-clusterrole” is forbidden: attempt to grant extra privileges: [{[use] [extensions] [podsecuritypolicies] [tc-gke-psp] []}] user=&{emailid  [system:authenticated] map[user-assertion.cloud.google.com:[AKUJVpky8qCuEEeAoA3kRSPOHXsXVHVxKuT7G/QHeK+x0DLrz3Rw4PSybMNrUBZTY78h0aGN8KwuHPjl81ItpNPu4DIkviPUtwMOA8pCjxGXHSSx1PmiLyirSuWvJn8v2oN0OelPY0D7JRAGPiHijGkhfTzAPP0k+/+kJtJboEmjtonaNnhFG+eKmwJHiIO/sSP40egcFYJGqV5msuiSg6mW5shXNvccVJrs5uHVAh4=]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]

To overcome this you need to create a cluster-admin role binding for your account. The account ID is case sensitive, so type your Gmail ID in lowercase, and execute the command below.

Kubernetes Engine POD Security Policies : Admin role binding

I applied the file using the command below.

Kubernetes Engine POD Security Policies : apply cluster role

I applied the Cluster Role Binding YAML as well.

Kubernetes Engine POD Security Policies : apply role binding

After successfully applying these three YAML files, the POD Security Policy should be enabled. Make sure to specify the zone/region in the command, otherwise it will fail. I used the gcloud beta command below to enable POD Security Policy.

Kubernetes Engine POD Security Policies : container update

Let the command complete the process; it might take some time.

Kubernetes Engine POD Security Policies : enable POD Security Policy

Use Of The Above Command

In my case I had a pre-configured cluster; otherwise you can create the cluster at the time of applying the POD Security Policy. Use the command below to create a cluster.

To disable the applied POD Security Policy, use the command below.

Aruna Lakmal

Associate Technical Lead at Pearson, Sri Lanka. Technology junky, enthusiast, a VMware vExpert and a blogger with more than 6 years of Experience in Information Technology more focusing on VMware Virtualization, Microsoft and Datacenter Technologies.
