Score:1

Prevent UID 0 containers running Kubernetes


Traditionally I would have prevented root/UID 0 containers from running in Kubernetes using pod security policies. However, it seems that in 1.21 PSPs have been deprecated. Are there any other recommended ways to prevent these from running at a cluster level?

Well, did you read [their handy blog post](https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#what-does-this-mean-for-you), wherein they cited using OPA Gatekeeper to enforce cluster-wide policies like that?
Score:0

As @mdaniel's comment suggests, it's worth reading the PodSecurityPolicy Deprecation: Past, Present, and Future article, where you will find that the Kubernetes team recommends using the Gatekeeper Policy Library for complex binding rules.

For more details I'd recommend reading:

You can set up Gatekeeper at a cluster level:

  • scope accepts *, Cluster, or Namespaced which determines if cluster-scoped and/or namespace-scoped resources are selected. (defaults to *)

For your usage, you will probably find the Gatekeeper Constraint users to be useful. Check the examples in the samples folder.

Wytrzymały Wiktor
Hello @thewire247. Have you managed to make it work?
thewire247
Currently looking at the correct policy to use to enforce this. Will update if I get anywhere
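As an added example (not part of the original answer, and not the Gatekeeper library's own psp-users template), here is a minimal ConstraintTemplate plus Constraint that rejects any Pod whose effective runAsUser is 0, and also any container that leaves the UID to the image by setting neither runAsUser nor runAsNonRoot: true. The template name, kind, Rego package and namespace exclusions are assumptions chosen for this illustration; container-level securityContext overrides the pod-level one, which is the precedence Kubernetes itself applies.

```yaml
# Added example: a hypothetical Gatekeeper policy denying root (UID 0) containers.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyrootcontainers
spec:
  crd:
    spec:
      names:
        kind: K8sDenyRootContainers
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyrootcontainers

        # Every container in the Pod: regular, init and ephemeral.
        all_containers[c] { c := input.review.object.spec.containers[_] }
        all_containers[c] { c := input.review.object.spec.initContainers[_] }
        all_containers[c] { c := input.review.object.spec.ephemeralContainers[_] }

        # Effective runAsUser: container-level wins over pod-level.
        effective_uid(c) = uid {
          uid := c.securityContext.runAsUser
        } else = uid {
          uid := input.review.object.spec.securityContext.runAsUser
        }

        # Effective runAsNonRoot, same precedence.
        effective_non_root(c) = v {
          v := c.securityContext.runAsNonRoot
        } else = v {
          v := input.review.object.spec.securityContext.runAsNonRoot
        }

        # Case 1: an explicit UID 0 anywhere in the Pod.
        violation[{"msg": msg}] {
          c := all_containers[_]
          effective_uid(c) == 0
          msg := sprintf("container %q sets runAsUser: 0 (root), which is not allowed", [c.name])
        }

        # Case 2: nothing pins the UID, so the image's USER directive (often root)
        # would decide at runtime. Require a non-zero runAsUser or runAsNonRoot: true
        # (with runAsNonRoot: true the kubelet refuses to start a root image).
        violation[{"msg": msg}] {
          c := all_containers[_]
          not effective_uid(c)
          not effective_non_root(c) == true
          msg := sprintf("container %q must set runAsUser to a non-zero UID or runAsNonRoot: true", [c.name])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyRootContainers
metadata:
  name: deny-root-containers
spec:
  # Start with "dryrun" to see violations in the constraint's status without
  # blocking anything, then switch to "deny" once the noise is understood.
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # Assumed exclusions: system components legitimately run as root.
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
```

Apply the template first, wait for the K8sDenyRootContainers CRD to appear, then apply the constraint. Because the match is on Pod, a Deployment or Job manifest is still accepted by `kubectl apply`; the rejection surfaces when the controller tries to create the Pod, so look at the ReplicaSet or Job events rather than expecting an error at apply time. Gatekeeper's `gator` CLI can be used to unit-test the Rego against sample Pod manifests offline before rolling it out.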