Manage Security Policies With Kyverno

This section will walk you through securing your EKF deployment using Kyverno policies.

By default, EKF ships with a set of Kyverno policies that harden cluster security. Specifically, it includes two Pod security policies that prevent users from obtaining elevated privileges:

  1. Disallow Host Namespaces

    Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to false.

  2. Disallow Privileged Containers

    Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.

Note

Follow Along: Try to create a Pod that violates these policies and watch the request fail.

  1. Specify a user namespace:

    root@rok-tools:~# export NAMESPACE=<NAMESPACE>

    Replace <NAMESPACE> with the namespace of a user. For example:

    root@rok-tools:~# export NAMESPACE=kubeflow-user
  2. Save the Pod manifest provided below in pod.yaml. Choose one of the following options based on the policy you want to test.

    host-ns-pod.yaml (violates Disallow Host Namespaces)

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-kyverno-policy
    spec:
      hostNetwork: true
      containers:
      - name: busybox
        image: busybox:1.32.1
        command: ["/bin/sh", "-c", "hostname -f && sleep infinity"]

    privileged-pod.yaml (violates Disallow Privileged Containers)

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-kyverno-policy
    spec:
      containers:
      - name: busybox
        image: busybox:1.32.1
        command: ['sh', '-c', 'blkid && sleep infinity']
        securityContext:
          privileged: true
  3. Apply the manifest and watch the system forbid this action with a message describing the rule that was violated:

    Output when pod.yaml holds the host-ns-pod.yaml manifest:

    root@rok-tools:~# kubectl apply -f pod.yaml
    Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Pod/kubeflow-user/privileged was blocked due to the following policies

    disallow-host-namespaces:
      host-namespaces: 'validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. Rule host-namespaces failed at path /spec/hostNetwork/'

    Output when pod.yaml holds the privileged-pod.yaml manifest:

    root@rok-tools:~# kubectl apply -f pod.yaml
    Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Pod/kubeflow-user/privileged was blocked due to the following policies

    disallow-privileged-containers:
      privileged-containers: 'validation error: Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.privileged must be unset or set to `false`. Rule privileged-containers failed at path /spec/containers/0/securityContext/privileged/'

EKF deploys the aforementioned policies in all user namespaces, as they are part of the skel resources that Rok deploys.
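As an added illustration (not the manifests EKF ships), the following namespaced Kyverno Policy expresses the two rules described above with the same messages that appear in the follow-along output. The namespace kubeflow-user, the policy name and the validationFailureAction spelling are assumptions; the `=(field)` anchors make each check conditional on the field being present, so a Pod that omits the field passes.

```yaml
# Added example, not the manifests EKF ships. Assumptions: the target
# namespace is kubeflow-user, and the Kyverno release accepts
# validationFailureAction: Enforce (older releases spell it "enforce").
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: pod-hardening
  namespace: kubeflow-user
spec:
  validationFailureAction: Enforce   # deny the request instead of only reporting it
  background: true                   # also report existing Pods that violate a rule
  rules:
  - name: host-namespaces
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
        spec.hostIPC, and spec.hostPID must be unset or set to `false`.
      pattern:
        spec:
          # =(key) is a conditional anchor: the value is checked only when the
          # key exists, so leaving the field unset also satisfies the rule.
          =(hostPID): "false"
          =(hostIPC): "false"
          =(hostNetwork): "false"
  - name: privileged-containers
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
        and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
      pattern:
        spec:
          =(initContainers):
          - =(securityContext):
              =(privileged): "false"
          containers:
          - =(securityContext):
              =(privileged): "false"
```

Apply it with kubectl apply -f and repeat the follow-along above to see both manifests rejected. To enforce the same rules cluster-wide instead of per namespace, change kind to ClusterPolicy and drop metadata.namespace.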

You can disable the existing policies or enable your own, in all or in specific namespaces. The guides below describe how you can do that.