Skip to content
Permalink
Browse files

Add support for psp

  • Loading branch information...
otnielvh committed Jul 29, 2019
1 parent c8a3710 commit 3b34d56c920642f14db904e08fe50340608b9451
Showing with 111 additions and 0 deletions.
  1. +23 −0 docs/examples/psp/README.md
  2. +87 −0 docs/examples/psp/psp.yaml
  3. +1 −0 mkdocs.yml
@@ -0,0 +1,23 @@
# Pod Security Policy (PSP)

In most clusters today, by default, all resources (e.g. Deployments and ReplicatSets)
have permissions to create pods.
Kubernetes however provides a more fine-grained authorization policy called
[Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).

PSP allows the cluster owner to define the permission of each object, for example creating a pod.
If you have PSP enabled on the cluster, and you deploy ingress-nginx,
you will need to provide the Deployment with the permissions to create pods.

Before applying any objects, first apply the PSP permissions by running:
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/psp/psp.yaml
```

Now that the pod security policy is applied, we can continue as usual by applying the
[mandatory.yaml](../../../deploy/static/mandatory.yaml)
according to the [Installation Guide](../../deploy/index.md).

Note: PSP permissions must be granted before to the creation of the Deployment and the ReplicaSet.
If the Deployment or ReplicaSet already exist, they will receive the PSP permissions
only after deleting them and reapplying mandatory.yaml.
@@ -0,0 +1,87 @@
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx

---

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
# Assumes apparmor available
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
name: ingress-nginx
spec:
allowedCapabilities:
- NET_BIND_SERVICE
allowPrivilegeEscalation: true
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
hostIPC: false
hostNetwork: false
hostPID: false
hostPorts:
- min: 80
max: 65535
privileged: false
readOnlyRootFilesystem: false
runAsUser:
rule: 'MustRunAsNonRoot'
ranges:
- min: 33
max: 65535
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
volumes:
- 'configMap'
- 'downwardAPI'
- 'emptyDir'
- 'projected'
- 'secret'

---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ingress-nginx-psp
namespace: ingress-nginx
rules:
- apiGroups:
- policy
resourceNames:
- ingress-nginx
resources:
- podsecuritypolicies
verbs:
- use

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ingress-nginx-psp
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-psp
subjects:
- kind: ServiceAccount
name: default
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
@@ -87,3 +87,4 @@ nav:
- Rewrite: "examples/rewrite/README.md"
- Static IPs: "examples/static-ip/README.md"
- TLS termination: "examples/tls-termination/README.md"
- Pod Security Policy (PSP): "examples/psp/README.md"

0 comments on commit 3b34d56

Please sign in to comment.
You can’t perform that action at this time.