Manage Security Policies With Kyverno
This section will walk you through securing your EKF deployment using Kyverno policies.
- Official Kyverno documentation.
By default, EKF comes with a set of Kyverno policies that harden the cluster security. Specifically, it comes with two Pod security policies that prevent users from obtaining elevated privileges, namely:
Disallow Host Namespaces
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to
Disallow Privileged Containers
Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.
Follow Along: Try to create a Pod that violates these policies and see it fail.

Specify a user namespace:

```
root@rok-tools:~# export NAMESPACE=<NAMESPACE>
```

Replace `<NAMESPACE>` with the namespace of a user. For example:

```
root@rok-tools:~# export NAMESPACE=kubeflow-user
```

Save the Pod manifest provided below in `pod.yaml`. Choose one of the following options based on the policy you want to test.
Apply the manifest and watch the system forbid this action with a message describing the rule that was violated:
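The follow-along above, as an added example that is not part of the original page: three constructed Pod manifests, one violating each default policy and one that passes both, so you can see the difference between a denied and an admitted Pod. The namespace `kubeflow-user`, the Pod names and the `busybox` image are assumed placeholder values.

```yaml
# Added example, not the manifests from the original page. Apply with:
#   kubectl apply -n "${NAMESPACE}" -f pod.yaml
# Kyverno rejects the first two Pods at admission time, each with a message
# naming the violated rule, and admits the third.
---
# Option A: violates "Disallow Host Namespaces". Any of spec.hostPID,
# spec.hostIPC or spec.hostNetwork set to true is enough to be denied.
apiVersion: v1
kind: Pod
metadata:
  name: host-namespace-test          # assumed name
  namespace: kubeflow-user           # assumed user namespace
spec:
  hostPID: true                      # must be unset or false
  containers:
    - name: shell
      image: busybox:1.36            # assumed image
      command: ["sleep", "3600"]
---
# Option B: violates "Disallow Privileged Containers". The check applies to
# every container, so a privileged initContainer would be denied as well.
apiVersion: v1
kind: Pod
metadata:
  name: privileged-test              # assumed name
  namespace: kubeflow-user
spec:
  containers:
    - name: shell
      image: busybox:1.36
      command: ["sleep", "3600"]
      securityContext:
        privileged: true             # must be unset or false
---
# Option C: compliant Pod. Host namespace fields are left unset and the
# container explicitly drops privileged mode, so both policies admit it.
apiVersion: v1
kind: Pod
metadata:
  name: compliant-test               # assumed name
  namespace: kubeflow-user
spec:
  containers:
    - name: shell
      image: busybox:1.36
      command: ["sleep", "3600"]
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 1000
```

To test one policy at a time, keep only the corresponding document in `pod.yaml` before applying it.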
EKF deploys the aforementioned policies in all user namespaces, as they are part of the skel resources that Rok deploys.
You can disable the existing policies or enable your own, in all or specific namespaces. The guides below describe how you can do that.