Disable Security Policy

EKF comes with Kyverno security policies that are enabled in all user namespaces by default. Specifically, these are

  • disallow-host-namespaces
  • disallow-privileged-containers

This guide will walk you through disabling the Kyverno policies that are enabled in all user namespaces by default.

Important

You will not delete any policy altogether but rather change the validation failure action from enforce to audit.

See also

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Edit the policy manifest patch and change the validationFailureAction attribute from enforce to audit. Choose one of the following options based on the policy you want to disable.

    Edit kubeflow/manifests/common/skel-resources/overlays/deploy/patches/disallow-host-namespaces.yaml and ensure that validationFailureAction is set to audit:

    kind: Policy
    metadata:
      name: disallow-host-namespaces
    spec:
      validationFailureAction: audit

    Edit kubeflow/manifests/common/skel-resources/overlays/deploy/patches/disallow-privileged-containers.yaml and ensure that validationFailureAction is set to audit:

    kind: Policy
    metadata:
      name: disallow-privileged-containers
    spec:
      validationFailureAction: audit
  3. Enable the corresponding patch.

    Edit kubeflow/manifests/common/skel-resources/overlays/deploy/kustomization.yaml and enable the disallow-host-namespaces patch:

    patches:
    - path: patches/disallow-host-namespaces.yaml

    Edit kubeflow/manifests/common/skel-resources/overlays/deploy/kustomization.yaml and enable the disallow-privileged-containers patch:

    patches:
    - path: patches/disallow-privileged-containers.yaml

    Note

    If the top-level patches directive is missing, go ahead and add it.

  4. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit \
    >     -am "Disable Kyverno security policy"
  5. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply \
    >     kubeflow/manifests/common/skel-resources/overlays/deploy
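The two things steps 2 and 3 must get right are that each patch file sets validationFailureAction to audit and that the patch is actually listed under patches in kustomization.yaml; a patch that is written but not listed is never applied. The following shell lint, added here as an example and not part of the EKF docs or the Kyverno project, checks both for every patch in an overlay directory. The overlay it inspects is constructed inline, with one deliberate defect of each kind, so it runs offline.

```shell
# Constructed overlay with one defect of each kind so the lint has something to flag.
make_overlay() {
  dir=$1
  mkdir -p "$dir/patches"
  cat > "$dir/patches/disallow-host-namespaces.yaml" <<'EOF'
kind: Policy
metadata:
  name: disallow-host-namespaces
spec:
  validationFailureAction: audit
EOF
  # Constructed defect: this patch still says enforce, so applying it changes nothing.
  cat > "$dir/patches/disallow-privileged-containers.yaml" <<'EOF'
kind: Policy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: enforce
EOF
  # Constructed defect: only one of the two patches is wired into the overlay.
  cat > "$dir/kustomization.yaml" <<'EOF'
patches:
- path: patches/disallow-host-namespaces.yaml
EOF
}

# Print "<patch> <listed|unlisted> <action>" per patch file; return 0 only when
# every patch is listed under patches: AND sets validationFailureAction: audit.
lint_overlay() {
  dir=$1; rc=0
  for f in "$dir"/patches/*.yaml; do
    rel="patches/$(basename "$f")"
    action=$(sed -n 's/^[[:space:]]*validationFailureAction:[[:space:]]*//p' "$f")
    if grep -q "^[[:space:]]*-[[:space:]]*path:[[:space:]]*$rel[[:space:]]*$" "$dir/kustomization.yaml"; then
      listed=listed
    else
      listed=unlisted; rc=1
    fi
    [ "$action" = audit ] || rc=1
    echo "$rel $listed ${action:-missing}"
  done
  return $rc
}

# Stand-alone run against the constructed overlay (exit status 1 is expected here).
if [ "${1:-}" = run ]; then
  tmp=$(mktemp -d); make_overlay "$tmp"; lint_overlay "$tmp"; rm -r "$tmp"
fi
```

Point lint_overlay at kubeflow/manifests/common/skel-resources/overlays/deploy in your GitOps repository to check the real overlay before committing.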

Verify

  1. Specify a user namespace:

    root@rok-tools:~/ops/deployments# export NAMESPACE=<NAMESPACE>

    Replace <NAMESPACE> with the namespace of a user. For example:

    root@rok-tools:~/ops/deployments# export NAMESPACE=kubeflow-user
  2. Verify that the policy has action audit. Choose one of the following options based on the policy you have disabled.

    root@rok-tools:~/ops/deployments# kubectl get policies -n ${NAMESPACE?} disallow-host-namespaces
    NAME                       BACKGROUND   ACTION   READY
    disallow-host-namespaces   true         audit    true

    root@rok-tools:~/ops/deployments# kubectl get policies -n ${NAMESPACE?} disallow-privileged-containers
    NAME                             BACKGROUND   ACTION   READY
    disallow-privileged-containers   true         audit    true
  3. Save the Pod manifest provided below in pod.yaml. Choose one of the following options based on the policy you have disabled.

    host-ns-pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-kyverno-policy
    spec:
      hostNetwork: true
      containers:
      - name: busybox
        image: busybox:1.32.1
        command: ["/bin/sh", "-c", "hostname -f && sleep infinity"]

    privileged-pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-kyverno-policy
    spec:
      containers:
      - name: busybox
        image: busybox:1.32.1
        command: ['sh', '-c', 'blkid && sleep infinity']
        securityContext:
          privileged: true
  4. Apply the Pod manifest:

    root@rok-tools:~/ops/deployments# kubectl apply -f pod.yaml -n ${NAMESPACE?}
  5. Verify that the Pod becomes up and running, since you have disabled the policy that would have blocked it:

    root@rok-tools:~/ops/deployments# kubectl get pods -n ${NAMESPACE?} test-kyverno-policy
    NAME                  READY   STATUS    RESTARTS   AGE
    test-kyverno-policy   1/1     Running   0          46s
  6. Clean up the test resources:

    root@rok-tools:~/ops/deployments# kubectl delete -f pod.yaml -n ${NAMESPACE?}
    root@rok-tools:~/ops/deployments# rm -f pod.yaml

Summary

You have successfully disabled the Kyverno security policies in all user namespaces.

What’s Next

Check out the rest of the options for securing EKF with Kyverno.