Disable Security Policy¶
EKF comes with Kyverno security policies that are enabled in all user namespaces by default. Specifically, these are:
- disallow-host-namespaces
- disallow-privileged-containers
This guide will walk you through disabling the Kyverno policies that are enabled in all user namespaces by default.
Important
You will not delete any policy altogether but rather change the validation failure action from enforce to audit.
See also
- Kyverno validation failure action.
- Default EKF Kyverno policies.
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing EKF deployment.
Procedure¶
1. Go to your GitOps repository, inside your rok-tools management environment:

   ```
   root@rok-tools:~# cd ~/ops/deployments
   ```

2. Edit the policy manifest patch and change the validationFailureAction attribute from enforce to audit. Choose one of the following options based on the policy you want to disable.

   a. Edit kubeflow/manifests/common/skel-resources/overlays/deploy/patches/disallow-host-namespaces.yaml and ensure that validationFailureAction is set to audit:

      ```yaml
      kind: Policy
      metadata:
        name: disallow-host-namespaces
      spec:
        validationFailureAction: audit
      ```

   b. Edit kubeflow/manifests/common/skel-resources/overlays/deploy/patches/disallow-privileged-containers.yaml and ensure that validationFailureAction is set to audit:

      ```yaml
      kind: Policy
      metadata:
        name: disallow-privileged-containers
      spec:
        validationFailureAction: audit
      ```

3. Enable the corresponding patch.

   a. Edit kubeflow/manifests/common/skel-resources/overlays/deploy/kustomization.yaml and enable the disallow-host-namespaces patch:

      ```yaml
      patches:
      - path: patches/disallow-host-namespaces.yaml
      ```

   b. Edit kubeflow/manifests/common/skel-resources/overlays/deploy/kustomization.yaml and enable the disallow-privileged-containers patch:

      ```yaml
      patches:
      - path: patches/disallow-privileged-containers.yaml
      ```

   Note
   If the patches top-level directive is missing, add it.

4. Commit your changes:

   ```
   root@rok-tools:~/ops/deployments# git commit \
   >     -am "Disable Kyverno security policy"
   ```

5. Apply the kustomization:

   ```
   root@rok-tools:~/ops/deployments# rok-deploy --apply \
   >     kubeflow/manifests/common/skel-resources/overlays/deploy
   ```
Verify¶
1. Specify a user namespace:

   ```
   root@rok-tools:~/ops/deployments# export NAMESPACE=<NAMESPACE>
   ```

   Replace <NAMESPACE> with the namespace of a user. For example:

   ```
   root@rok-tools:~/ops/deployments# export NAMESPACE=kubeflow-user
   ```

2. Verify that the policy has action audit. Choose one of the following options based on the policy you have disabled.

   a. disallow-host-namespaces:

      ```
      root@rok-tools:~/ops/deployments# kubectl get policies -n ${NAMESPACE?} disallow-host-namespaces
      NAME                       BACKGROUND   ACTION   READY
      disallow-host-namespaces   true         audit    true
      ```

   b. disallow-privileged-containers:

      ```
      root@rok-tools:~/ops/deployments# kubectl get policies -n ${NAMESPACE?} disallow-privileged-containers
      NAME                             BACKGROUND   ACTION   READY
      disallow-privileged-containers   true         audit    true
      ```

3. Save the Pod manifest provided below in pod.yaml. Choose one of the following options based on the policy you have disabled.

   a. host-ns-pod.yaml:

      ```yaml
      apiVersion: v1
      kind: Pod
      metadata:
        name: test-kyverno-policy
      spec:
        hostNetwork: true
        containers:
        - name: busybox
          image: busybox:1.32.1
          command: ["/bin/sh", "-c", "hostname -f && sleep infinity"]
      ```

   b. privileged-pod.yaml:

      ```yaml
      apiVersion: v1
      kind: Pod
      metadata:
        name: test-kyverno-policy
      spec:
        containers:
        - name: busybox
          image: busybox:1.32.1
          command: ['sh', '-c', 'blkid && sleep infinity']
          securityContext:
            privileged: true
      ```

4. Apply the Pod manifest:

   ```
   root@rok-tools:~/ops/deployments# kubectl apply -f pod.yaml -n ${NAMESPACE?}
   ```

5. Verify that the Pod becomes up-and-running, as you’ve disabled the policy preventing it:

   ```
   root@rok-tools:~/ops/deployments# kubectl get pods -n ${NAMESPACE?} test-kyverno-policy
   NAME                  READY   STATUS    RESTARTS   AGE
   test-kyverno-policy   1/1     Running   0          46s
   ```

6. Clean up the test resources:

   ```
   root@rok-tools:~/ops/deployments# kubectl delete -f pod.yaml -n ${NAMESPACE?}
   root@rok-tools:~/ops/deployments# rm -f pod.yaml
   ```
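Once a policy is switched to audit it no longer blocks anything, so it helps to know in which user namespaces that has happened. The script below is an added example (not part of the EKF docs or the Arrikto GitOps repository): it reads the JSON that `kubectl get policies --all-namespaces -o json` prints and lists every Kyverno Policy whose validationFailureAction is not enforce. The sample input is constructed inline so it runs offline; the namespace kubeflow-bob is made up.

```python
"""List Kyverno Policy objects whose validationFailureAction is not 'enforce'.

Added example, not the EKF project's own code. Feed it real data with:
  kubectl get policies --all-namespaces -o json | python3 relaxed_policies.py
Without stdin it runs against the constructed sample below.
"""
import json
import sys

# Constructed sample of a `kubectl get policies -A -o json` list:
# kubeflow-user still enforces one policy, kubeflow-bob (made up) enforces none.
SAMPLE_POLICY_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "Policy",
         "metadata": {"name": "disallow-host-namespaces", "namespace": "kubeflow-user"},
         "spec": {"validationFailureAction": "audit"}},
        {"kind": "Policy",
         "metadata": {"name": "disallow-privileged-containers", "namespace": "kubeflow-user"},
         "spec": {"validationFailureAction": "enforce"}},
        {"kind": "Policy",
         "metadata": {"name": "disallow-host-namespaces", "namespace": "kubeflow-bob"},
         "spec": {"validationFailureAction": "audit"}},
    ],
})


def relaxed_policies(policy_list_json):
    """Return sorted (namespace, name, action) tuples for non-enforcing policies.

    A Policy with no validationFailureAction at all is reported as well, since
    Kyverno then defaults to audit and the policy blocks nothing.
    """
    doc = json.loads(policy_list_json)
    found = []
    for item in doc.get("items", []):
        if item.get("kind") != "Policy":   # ClusterPolicy is out of scope here
            continue
        meta = item.get("metadata", {})
        action = str(item.get("spec", {}).get("validationFailureAction", "audit"))
        if action.lower() != "enforce":
            found.append((meta.get("namespace", ""), meta.get("name", ""), action))
    return sorted(found)


if __name__ == "__main__":
    raw = SAMPLE_POLICY_LIST if sys.stdin.isatty() else sys.stdin.read()
    for ns, name, action in relaxed_policies(raw):
        print(f"{ns}\t{name}\t{action}")
```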
Summary¶
You have successfully disabled the Kyverno security policies in all user namespaces.
What’s Next¶
Check out the rest of the options for EKF security using Kyverno.