Score:0

Customizing capability in migrating pod security admission


From my understanding, in Pod Security Admission (PSA) there is no customization feature. We can only select one of the security levels (privileged, baseline or restricted).

Now, there is a pod which uses only the capability CAP_NET_ADMIN. But, as you know, the 'baseline' level of PSA doesn't include CAP_NET_ADMIN. As a result, should this pod be created at the 'privileged' level? Is my understanding correct? Is this the only way to set up this pod with PSA? I wonder about it because I think it's not good for security.

Could you please share your opinions about it?

Score:0

The default security levels provided by pod security policies are pre-defined and cannot be changed directly. To define your custom policies, you can use solutions like Kyverno and define your own policy which combines the "baseline" policy with an exception to include the "CAP_NET_ADMIN" capability. An example is given below:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: customized-baseline-policy
spec:
  # Enforce rejects non-compliant pods; the default (Audit) only reports them.
  validationFailureAction: Enforce
  background: false
  rules:
    # A Kyverno rule carries exactly one action (validate, mutate, ...),
    # so the validation and the mutation are split into two rules.
    - name: enforce-baseline-policy
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "The pod does not comply with the customized baseline policy."
        pattern:
          spec:
            containers:
              - securityContext:
                  readOnlyRootFilesystem: true
            hostIPC: false
            hostPID: false
            hostNetwork: false
            # <ADD MORE POLICIES HERE AS DEFINED IN THE BASELINE POLICY>
    - name: add-net-admin-capability
      match:
        resources:
          kinds:
            - Pod
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              kyverno.io/generated-by: customized-baseline-policy
          spec:
            containers:
              # The (name) anchor applies the patch to every container
              # instead of appending a new, nameless entry to the list.
              - (name): "*"
                securityContext:
                  capabilities:
                    add: ["NET_ADMIN"]
JayJay-K:
I appreciate your answer, faizan. It can be a nice solution. I have an additional question. I thought a webhook could be another solution, but in my understanding, when I use a webhook, I should develop a specific pod and container service for it, and I thought that could be a rather big task for me. How about the Kyverno solution? Should I do something like that? Otherwise, in the Kyverno solution, can I achieve it by using only YAML for configuration? I will check Kyverno, but could you please give some quick information? Thanks.
faizan:
I am not specifically sure about the webhook solutions you are referring to, but Kyverno is something you can think of as policy as code, which means that you can define your Kubernetes policies using YAML manifest files. It is installed in your cluster as a CRD, which means that you can easily manage it and make it a part of your source control. Some examples of Kyverno policies are [here](https://kyverno.io/policies/).
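Kyverno also ships a `podSecurity` validate rule (assumed available in Kyverno 1.8 and later) that applies the upstream Pod Security Standards as a whole, so the baseline checks do not have to be re-typed by hand as in the answer above. The policy below is an added example, not code from the answer or from the Kyverno project; the image name is a placeholder, and it enforces baseline while excluding only the Capabilities control for pods running that image, which keeps the NET_ADMIN exception narrowly scoped.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-with-net-admin-exception
spec:
  # Enforce rejects non-compliant pods; the default Audit mode only reports.
  validationFailureAction: Enforce
  # Also evaluate pods that already exist and record violations in PolicyReports.
  background: true
  rules:
    - name: baseline-except-capabilities-for-net-tool
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        # Apply the full "baseline" Pod Security Standard (hostNetwork, hostPID,
        # hostIPC, privileged, host ports, AppArmor, sysctls, capabilities, ...).
        podSecurity:
          level: baseline
          version: latest
          # Lift only the Capabilities control, and only for pods whose image
          # matches this pattern (placeholder registry and image name).
          exclude:
            - controlName: Capabilities
              images:
                - "registry.example.com/net-tool:*"
```

Because the built-in admission controller is evaluated independently, a namespace labelled `pod-security.kubernetes.io/enforce: baseline` would still reject the pod; set that label to `warn` or `audit` (or omit it) and let Kyverno do the enforcement. Note that the exclusion lifts the whole Capabilities control for matching images, not NET_ADMIN alone, so keep the image pattern as tight as possible.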