Disable Security Policy
EKF comes with Kyverno security policies that are enabled in all user namespaces by default. Specifically, these are:
- disallow-host-namespaces
- disallow-privileged-containers
This guide will walk you through disabling the Kyverno policies that are enabled in all user namespaces by default.
Important
You will not delete any policy altogether, but rather change its validation failure action from enforce to audit. In audit mode Kyverno still evaluates Pods against the policy and records violations in its policy reports, but it no longer rejects violating Pods at admission.
See also
- Kyverno validation failure action.
- Default EKF Kyverno policies.
What You'll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing EKF deployment.
Procedure
1. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:~# cd ~/ops/deployments

2. Edit the policy manifest patch and change the validationFailureAction attribute from enforce to audit. Choose one of the following options based on the policy you want to disable.
   - disallow-host-namespaces: Edit kubeflow/manifests/common/skel-resources/overlays/deploy/patches/disallow-host-namespaces.yaml and ensure that validationFailureAction is set to audit:

         kind: Policy
         metadata:
           name: disallow-host-namespaces
         spec:
           validationFailureAction: audit

   - disallow-privileged-containers: Edit kubeflow/manifests/common/skel-resources/overlays/deploy/patches/disallow-privileged-containers.yaml and ensure that validationFailureAction is set to audit:

         kind: Policy
         metadata:
           name: disallow-privileged-containers
         spec:
           validationFailureAction: audit

3. Enable the corresponding patch.
   - disallow-host-namespaces: Edit kubeflow/manifests/common/skel-resources/overlays/deploy/kustomization.yaml and enable the disallow-host-namespaces patch:

         patches:
         - path: patches/disallow-host-namespaces.yaml

   - disallow-privileged-containers: Edit kubeflow/manifests/common/skel-resources/overlays/deploy/kustomization.yaml and enable the disallow-privileged-containers patch:

         patches:
         - path: patches/disallow-privileged-containers.yaml

   Note
   If the patches top-level directive is missing, go ahead and add it.
4. Commit your changes:

       root@rok-tools:~/ops/deployments# git commit \
       >     -am "Disable Kyverno security policy"

5. Apply the kustomization:

       root@rok-tools:~/ops/deployments# rok-deploy --apply \
       >     kubeflow/manifests/common/skel-resources/overlays/deploy
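As an added example that is not part of the EKF documentation, the following shell script performs the sanity check a reviewer would want before committing the change: it reads the two patch files and the overlay's kustomization.yaml with plain sed and grep, and reports, per policy, the validationFailureAction the patch sets and whether the patch is actually listed under the patches directive (a patch that was edited but never listed leaves the policy enforcing after rok-deploy). The overlay layout and sample files are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the EKF docs: pre-commit check for the Kyverno
# policy patches in the skel-resources deploy overlay. Pure sed/grep, so it
# runs offline without kubectl or rok-deploy.

# policy_action FILE -> prints the validationFailureAction set in a patch file
# (empty if the file is missing or does not set it).
policy_action() {
    sed -n 's/^[[:space:]]*validationFailureAction:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# patch_enabled KUSTOMIZATION PATCH_PATH -> succeeds if the patch is listed
# under the "patches" directive of the kustomization.
patch_enabled() {
    grep -Eq "^[[:space:]]*-[[:space:]]*path:[[:space:]]*$2[[:space:]]*$" "$1" 2>/dev/null
}

# check_policy OVERLAY_DIR POLICY
#   -> "<policy> <action|unset> <patch-enabled|patch-missing>"
check_policy() {
    action=$(policy_action "$1/patches/$2.yaml")
    if patch_enabled "$1/kustomization.yaml" "patches/$2.yaml"; then
        wired=patch-enabled
    else
        wired=patch-missing
    fi
    printf '%s %s %s\n' "$2" "${action:-unset}" "$wired"
}

# Constructed sample overlay: both patch files edited to audit, as in step 2,
# but only the host-namespaces patch was added to kustomization.yaml (step 3),
# so disallow-privileged-containers would still be enforced after rok-deploy.
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/patches"
for policy in disallow-host-namespaces disallow-privileged-containers; do
    printf 'kind: Policy\nmetadata:\n  name: %s\nspec:\n  validationFailureAction: audit\n' \
        "$policy" > "$DEMO_DIR/patches/$policy.yaml"
done
printf 'patches:\n- path: patches/disallow-host-namespaces.yaml\n' > "$DEMO_DIR/kustomization.yaml"

check_policy "$DEMO_DIR" disallow-host-namespaces        # disallow-host-namespaces audit patch-enabled
check_policy "$DEMO_DIR" disallow-privileged-containers  # disallow-privileged-containers audit patch-missing
```

Run it against the real overlay by replacing DEMO_DIR with the path to kubeflow/manifests/common/skel-resources/overlays/deploy in your GitOps clone; any line ending in patch-missing means step 3 was skipped for that policy.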
Verify
1. Specify a user namespace:

       root@rok-tools:~/ops/deployments# export NAMESPACE=<NAMESPACE>

   Replace <NAMESPACE> with the namespace of a user. For example:

       root@rok-tools:~/ops/deployments# export NAMESPACE=kubeflow-user

2. Verify that the policy has action audit. Choose one of the following options based on the policy you have disabled.
   - disallow-host-namespaces:

         root@rok-tools:~/ops/deployments# kubectl get policies -n ${NAMESPACE?} disallow-host-namespaces
         NAME                       BACKGROUND   ACTION   READY
         disallow-host-namespaces   true         audit    true

   - disallow-privileged-containers:

         root@rok-tools:~/ops/deployments# kubectl get policies -n ${NAMESPACE?} disallow-privileged-containers
         NAME                             BACKGROUND   ACTION   READY
         disallow-privileged-containers   true         audit    true

3. Save the Pod manifest provided below in pod.yaml. Choose one of the following options based on the policy you have disabled.
   - host-ns-pod.yaml (violates disallow-host-namespaces):

         apiVersion: v1
         kind: Pod
         metadata:
           name: test-kyverno-policy
         spec:
           hostNetwork: true
           containers:
           - name: busybox
             image: busybox:1.32.1
             command: ["/bin/sh", "-c", "hostname -f && sleep infinity"]

   - privileged-pod.yaml (violates disallow-privileged-containers):

         apiVersion: v1
         kind: Pod
         metadata:
           name: test-kyverno-policy
         spec:
           containers:
           - name: busybox
             image: busybox:1.32.1
             command: ['sh', '-c', 'blkid && sleep infinity']
             securityContext:
               privileged: true

4. Apply the Pod manifest:

       root@rok-tools:~/ops/deployments# kubectl apply -f pod.yaml -n ${NAMESPACE?}

5. Verify that the Pod becomes up-and-running, as you've disabled the policy preventing it:

       root@rok-tools:~/ops/deployments# kubectl get pods -n ${NAMESPACE?} test-kyverno-policy
       NAME                  READY   STATUS    RESTARTS   AGE
       test-kyverno-policy   1/1     Running   0          46s

6. Clean up the test resources:

       root@rok-tools:~/ops/deployments# kubectl delete -f pod.yaml -n ${NAMESPACE?}
       root@rok-tools:~/ops/deployments# rm -f pod.yaml
Summary
You have successfully disabled the Kyverno security policies in all user namespaces.
What's Next
Check out the rest of the options for securing EKF with Kyverno.