policy: Add policy to prevent host network usage
The `policy` Kustomize project defines various cluster-wide security policies. Initially, this includes a Validating Admission Policy that prevents pods from using the host's network namespace.
This commit is contained in:
30
policy/README.md
Normal file
30
policy/README.md
Normal file
@@ -0,0 +1,30 @@
|
||||
# Cluster Policies
|
||||
|
||||
## Validating Admission Policy
|
||||
|
||||
To enable (prior to Kubernetes v1.30):
|
||||
|
||||
1. Add the following to `apiServer.extraArgs` in the `ClusterConfiguration` key
|
||||
of the `kubeadm-config` ConfigMap:
|
||||
|
||||
```yaml
|
||||
feature-gates: ValidatingAdmissionPolicy=true
|
||||
runtime-config: admissionregistration.k8s.io/v1beta1=true
|
||||
```
|
||||
2. Redeploy the API servers using `kubeadm`:
|
||||
|
||||
```sh
|
||||
doas kubeadm upgrade apply v1.29.15 --yes
|
||||
```
|
||||
|
||||
|
||||
### disallow-hostnetwork
|
||||
|
||||
This policy prevents pods from running in the host's network namespace. This is
|
||||
especially important because most nodes are connected to the storage network
|
||||
VLAN, so allowing pods to use the host network namespace would give them access
|
||||
to the iSCSI LUNs and NFS shares on the NAS.
|
||||
|
||||
If a trusted pod needs to run in the host's network namespace, its Kubernetes
|
||||
namespace can be listed in the exclusion list of the
|
||||
`disallow-hostnetwork-binding` policy binding resource.
|
||||
43
policy/disallow-hostnetwork.yaml
Normal file
43
policy/disallow-hostnetwork.yaml
Normal file
@@ -0,0 +1,43 @@
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: disallow-hostnetwork
|
||||
spec:
|
||||
matchConstraints:
|
||||
resourceRules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
apiVersions:
|
||||
- v1
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- pods
|
||||
validations:
|
||||
- expression: >-
|
||||
!has(object.spec.hostNetwork) || !object.spec.hostNetwork
|
||||
message: >-
|
||||
Pods must not use hostNetwork: true
|
||||
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
name: disallow-hostnetwork-binding
|
||||
spec:
|
||||
policyName: disallow-hostnetwork
|
||||
validationActions:
|
||||
- Deny
|
||||
matchResources:
|
||||
namespaceSelector:
|
||||
matchExpressions:
|
||||
- key: kubernetes.io/metadata.name
|
||||
operator: NotIn
|
||||
values:
|
||||
- calico-system
|
||||
- democratic-csi
|
||||
- keepalived
|
||||
- kube-system
|
||||
- music-assistant
|
||||
- tigera-operator
|
||||
5
policy/kustomization.yaml
Normal file
5
policy/kustomization.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- disallow-hostnetwork.yaml
|
||||
Reference in New Issue
Block a user