Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Scan Container Images for Vulnerabilities with Docker Scout
May 20th 2023 6:00am, by Jack Wallen
Container or VM? How to Choose the Right Option in 2023
May 17th 2023 8:42am, by Andrew Sullivan and Alex Handy
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
Deploy an On-Premises Bitwarden Server with Docker
May 6th 2023 6:00am, by Jack Wallen
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
How to Optimize Queries for Time Series Data
Apr 27th 2023 12:00pm, by Robert Kimani
Calyptia Core 2.0 Tackles Fleet Management for Observability
Apr 26th 2023 6:49am, by Jelani Harper
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
Cloud Native Basics: 4 Concepts to Know 
Apr 27th 2023 9:42am, by Khallai Taylor
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson and Alex Williams
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by Joab Jackson
JWTs: Connecting the Dots: Why, When and How
Mar 20th 2023 7:10am, by Michal Trojanowski
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
Boost DevOps Maturity with a Data Lakehouse
May 17th 2023 10:20am, by Guido Deinhammer
Vercel Offers Postgres, Redis Options for Frontend Developers
May 1st 2023 9:00am, by Loraine Lawson
Why We Need an Inter-Cloud Data Standard
Apr 27th 2023 8:19am, by Aaron Schneider
We Designed Our Chips with First Pass Success — and So Can You
Apr 26th 2023 10:00am, by Parag Madhani
ACID Transactions Change the Game for Cassandra Developers
Apr 26th 2023 8:33am, by Aaron Ploetz
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Microsoft One-ups Google with Copilot Stack for Developers
May 24th 2023 11:45am, by
How to Start a Software Project: A Guide for Junior Devs
May 20th 2023 7:00am, by
Dev News: Trouble in npm, Vue 3.3 and Cloudflare Updates
May 20th 2023 5:00am, by
Generative AI Thread Runs Through Google’s New Products
May 19th 2023 12:37pm, by
AI Improves Developer Workflow, Says Gradle Dev Evangelist
May 19th 2023 10:00am, by
Microsoft One-ups Google with Copilot Stack for Developers
May 24th 2023 11:45am, by
Detect and Mitigate Common Attack Techniques for Containers
May 24th 2023 10:55am, by
Lineaje Unveils SBOM360 Hub for Software Bills of Materials
May 24th 2023 8:46am, by
AppSec 'Worst Practices' with Tanya Janca 
May 24th 2023 8:08am, by
FAQ: What Is Automated Incident Response?
May 24th 2023 6:04am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
JavaScript or WebAssembly: Which Is More Energy Efficient and Faster?
Jan 30th 2023 9:51am, by
What TypeScript Brings to Node.js
Dec 26th 2022 3:00am, by
Could WebAssembly Be the Key to Decreasing Kubernetes Use?
May 22nd 2023 6:00am, by
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by
Dev News: Dart 3 Meets Wasm, Flutter 3.10, and Qwik ‘Streamable JavaScript’
May 13th 2023 9:00am, by
Our WebAssembly Experiment: Extending NGINX Agent
May 11th 2023 8:21am, by
A Workaround to WebAssembly’s Endpoint Compatibility Issues?
May 8th 2023 8:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by
Google Goes Gaga for AI Developer Tools
May 12th 2023 8:12am, by
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by
What Is Unstructured Data?
May 22nd 2023 9:35am, by
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by
AI Talk at KubeCon
May 24th 2023 1:36pm, by
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by
FAQ: What Is Automated Incident Response?
May 24th 2023 6:04am, by
The Benefits and Limitations of AI for Service Optimization
May 23rd 2023 10:00am, by
Economists Show AI Bringing Positive Impact to Workplaces
May 21st 2023 6:00am, by
Detect and Mitigate Common Attack Techniques for Containers
May 24th 2023 10:55am, by
Lineaje Unveils SBOM360 Hub for Software Bills of Materials
May 24th 2023 8:46am, by
AppSec 'Worst Practices' with Tanya Janca 
May 24th 2023 8:08am, by
Tracy Ragan: My Favorite Open Source Security Projects
May 22nd 2023 12:52pm, by
Scan Container Images for Vulnerabilities with Docker Scout
May 20th 2023 6:00am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Developer Platforms: Key Findings from a Forrester Snapshot
May 19th 2023 10:52am, by Aeris Stewart
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
IBM Cloud CTO: Pros Outweigh the Cons with Platform Engineering
May 5th 2023 6:00am, by Loraine Lawson
Infrastructure as Code or Cloud Platforms — You Decide!
May 2nd 2023 9:34am, by Venkat Thiruvengadam
KubeCon Panel: How Platform Engineering Benefits Developers
Apr 28th 2023 8:51am, by Loraine Lawson
AI Talk at KubeCon
May 24th 2023 1:36pm, by Alex Williams
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by Michael Tanenbaum
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
FAQ: What Is Automated Incident Response?
May 24th 2023 6:04am, by Ariel Russo
The Benefits and Limitations of AI for Service Optimization
May 23rd 2023 10:00am, by Prabjoth Saimbhi
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
AppSec 'Worst Practices' with Tanya Janca 
May 24th 2023 8:08am, by Taylor Armerding
Overcoming the Kubernetes Skills Gap with ChatGPT Assistance
May 23rd 2023 11:00am, by Dev Nag
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
Economists Show AI Bringing Positive Impact to Workplaces
May 21st 2023 6:00am, by David Cassel
Tech Works: Why Burnout and Layoffs Hit Some People Harder
May 19th 2023 9:00am, by Jennifer Riggins
How to Start a Software Project: A Guide for Junior Devs
May 20th 2023 7:00am, by David Eastman
AI Improves Developer Workflow, Says Gradle Dev Evangelist
May 19th 2023 10:00am, by Richard MacManus
Guardrails Can Be the Common Language to Bring Dev and Ops Together
May 18th 2023 7:04am, by Cortney Nickerson
Boost DevOps Maturity with a Data Lakehouse
May 17th 2023 10:20am, by Guido Deinhammer
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
Overcoming the Kubernetes Skills Gap with ChatGPT Assistance
May 23rd 2023 11:00am, by Dev Nag
Could WebAssembly Be the Key to Decreasing Kubernetes Use?
May 22nd 2023 6:00am, by Loraine Lawson
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Guardrails Can Be the Common Language to Bring Dev and Ops Together
May 18th 2023 7:04am, by Cortney Nickerson
HashiCorp Vault Operator Manages Kubernetes Secrets
May 18th 2023 6:00am, by Heather Joslyn
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson and Alex Williams
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
AmeriSave Moved Its Microservices to the Cloud with Traefik's Dynamic Reverse Proxy
Sep 8th 2022 2:02pm, by Ann R. Thryft
Kubernetes / Security

Tutorial: Create a Kubernetes Pod Security Policy

This tutorial will walk you through the basics of creating a Kubernetes pod security policy. From there, you will have a launchpad from which you can continue your exploration and education into the crafting solid and secure deployments.
May 5th, 2020 12:35pm by
Featued image for: Tutorial: Create a Kubernetes Pod Security Policy
Feature image via Pixabay.

Kubernetes is the go-to container management tool for most enterprise-level businesses. But there are so many bits and pieces that come into play, security can become an issue. Not only do you have to ensure the systems your containers are deployed upon have well-established security controls, you also have to deploy those containers and pods with a strict eye on security. If not, you run the risk of exposure to data theft and other losses.

To that end, you must use every caution you can when deploying to your Kubernetes cluster. One thing that should be considered a must is the pod security policy. I want to walk you through the basics of creating a Kubernetes pod security policy. From there, you will have a launchpad from which you can continue your exploration and education into the crafting solid and secure deployments.

But first…

What Is a Kubernetes Pod?

Before we dive into the security policy, you might need to first understand what a pod is (if not, feel free to skip this section). For those that do need this information, know that a pod, in its simplest form, is a collection of processes that make up a container. These processes can include:

  • Storage resources.
  • Unique network IP addresses.
  • Configuration options that dictate how a container should run.

These pieces come together (in one collection or another) as a unit for deployment. This unit can be in the form of a single container or a number of containers working together (such as WordPress, NGINX, and MySQL). Each of those containers will have configuration options of their own, but they come together to work as a cohesive whole — a Pod.

The problem with this is that, without the means to manage the security of the collective whole, you’re going to have to manage the security of the individual bits. This led the Kubernetes developers to create the…wait for it…

The Pod Security Policy

With a Pod Security Policy, Kubernetes admins can control the security of a pod specification. But it’s more than that. Pod Security Policies are configurations that define specific security conditions that a pod must meet, in order to be accepted into a cluster. If the conditions are not met, said pod will be rejected. By making use of the PodSecurityPolicy object definition, it is possible to control the likes of:

  • A pod’s ability to run privileged containers.
  • A pod’s ability to use privilege escalation.
  • A pod’s access to volume types.
  • A pod’s access to host file systems.
  • A pod’s usage of host networking objects and configurations.

But how is a pod security policy defined?

Let’s dive into…

Creating a Kubernetes Pod Security Policy

The pod security policy is defined within a YAML file. That YAML file is then applied, with the help of the kubectl command, to define the new policy.

Let’s create a new pod security policy. This policy will do the following (by way of the RunAsAny rule, which is more permissive than the runAsUser option):

  • Disable a pod’s ability to run a privileged container.
  • Allow the use of SELinux.
  • Allow the use of Linux groups.
  • Allow users to run container entry points with a different username.
  • Allow the use of fsGroup (volumes that support ownership management).

To create the necessary YAML file, issue the command (you can name the file whatever you like, so long as it ends with the .yaml extension):

nano no-privilege.yaml

In that new file, paste the following:


Remember, as this is a YAML file, your indentation must be consistent (otherwise the file will fail).

Save and close the file.

To apply the newly created policy, issue the command:

kubectl apply -f no-privelege.yaml

The above command will report back the following:

podsecurity.policy/no-privilege created

Your pod security policy is now in place. Should you decide you need to change that particular policy, you can edit the YAML file and re-run the command to update the changes. You can also create as many policies as you need (creating different YAML files and applying them in a similar fashion as you did above).

You can verify that your policy is in place with the command:

kubectl get psp no-privilege

The above command will print out the policy, as defined in the YAML file (Figure 1).

Figure 1: Our new pod security policy is in place.

Now that you have your pod security policy created you need to know…

How to Assign a Pod Security Policy

With the help of Role-Based Access Control (RBAC), you can assign a pod security policy to a deployment. Let’s say we want to create a cluster-wide role, named no-privilege, which will make use of the policy by the same name.

To do this, we’ll create a new YAML file that will not only create the cluster-wide role (using the ClusterRole definition), it will also create a cluster binding to grant access to the no-privilege role to every authenticated user. To do this, create the new file with the command:

nano rbac-noprivilege.yaml

In that file, paste the following:


Save and close the file. Apply the role with the command:

kubectl apply -f rbac-noprivilege.yaml

The above command will print out:


Now you can check to make sure you’re able to use the new policy with the command:

kubectl auth can-i use no-privilege/no-privilege

The output should report, “yes.”

Let’s check to see if any user can use the new policy with the command:

kubectl auth can-i use no-privilege/no-privilege --as-group=system:authenticated --as=any-user

The output of the above command should report, “no.”

That’s it. You’ve created and applied your first Kubernetes pod security policy. With the help of this technique, you can greatly enhance the security of your Kubernetes deployments.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
Maximizing Kubernetes Efficiency with OpenTelemetry Tracing A Workaround to WebAssembly’s Endpoint Compatibility Issues? Can eBPF Agent in Kubernetes Be the Key to Better Observability? Kubernetes Community: A Guide to Open Source Localization A Boring Kubernetes Release
RELATED STORIES
GitOps as an Evolution of Kubernetes Does GitOps Provide the Key Fix for Kubernetes' Complexity? Could WebAssembly Be the Key to Decreasing Kubernetes Use? Container or VM? How to Choose the Right Option in 2023 Kubernetes Community: A Guide to Open Source Localization
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.