Manage Security Policies With Kyverno¶
This section will walk you through securing your EKF deployment using Kyverno policies.
- Official Kyverno documentation.
By default, EKF comes with a set of Kyverno policies that harden the cluster security. Specifically, it comes with two Pod security policies that prevent users from obtaining elevated privileges, namely:
Disallow Host Namespaces
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to
Disallow Privileged Containers
Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.
Follow Along: Try to create a Pod that violates these polices and see it fail.
Specify a user namespace:root@rok-tools:~# export NAMESPACE=<NAMESPACE>
<NAMESPACE>with the namespace of a user. For example:root@rok-tools:~# export NAMESPACE=kubeflow-user
Save the Pod manifest provided below in
pod.yaml. Choose one of the following options based on the policy you want to test.host-ns-pod.yaml
1 apiVersion: v1 2 kind: Pod 3 metadata: 4-7 4 name: test-kyverno-policy 5 spec: 6 hostNetwork: true 7 containers: 8 - name: busybox 9 image: busybox:1.32.1 10 command: ["/bin/sh", "-c", "hostname -f && sleep infinity"]privileged-pod.yaml 1 apiVersion: v1 2 kind: Pod 3 metadata: 4-8 4 name: test-kyverno-policy 5 spec: 6 containers: 7 - name: busybox 8 image: busybox:1.32.1 9 command: ['sh', '-c', 'blkid && sleep infinity'] 10 securityContext: 11 privileged: true
Apply the manifest and watch the system forbid this action with a message describing the rule that was violated:root@rok-tools:~# kubectl apply -f pod.yaml Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Pod/kubeflow-user/privileged was blocked due to the following policies disallow-host-namespaces: host-namespaces: 'validation error: Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. Rule host-namespaces failed at path /spec/hostNetwork/'root@rok-tools:~# kubectl apply -f pod.yaml Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Pod/kubeflow-user/privileged was blocked due to the following policies disallow-privileged-containers: privileged-containers: 'validation error: Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.privileged must be unset or set to `false`. Rule privileged-containers failed at path /spec/containers/0/securityContext/privileged/'
EKF deploys the aforementioned policies in all user namespaces, as they are part of the skel resources that Rok deploys.
You can disable the existing polices or enable your own, in all or specific namespaces. The guides below describe how you can do that.