Dustin C. Hatch
5c6a77c47c
The `policy` Kustomize project defines various cluster-wide security policies. Initially, this includes a Validating Admission Policy that prevents pods from using the host's network namespace.
31 lines
944 B
Markdown
31 lines
944 B
Markdown
# Cluster Policies
|
|
|
|
## Validating Admission Policy
|
|
|
|
To enable (prior to Kubernetes v1.30):
|
|
|
|
1. Add the following to `apiServer.extraArgs` in the `ClusterConfiguration` key
|
|
of the `kubeadm-config` ConfigMap:
|
|
|
|
```yaml
|
|
feature-gates: ValidatingAdmissionPolicy=true
|
|
runtime-config: admissionregistration.k8s.io/v1beta1=true
|
|
```
|
|
2. Redeploy the API servers using `kubeadm`:
|
|
|
|
```sh
|
|
doas kubeadm upgrade apply v1.29.15 --yes
|
|
```
|
|
|
|
|
|
### disallow-hostnetwork
|
|
|
|
This policy prevents pods from running in the host's network namespace. This is
|
|
especially important because most nodes are connected to the storage network
|
|
VLAN, so allowing pods to use the host network namespace would give them access
|
|
to the iSCSI LUNs and NFS shares on the NAS.
|
|
|
|
If a trusted pod needs to run in the host's network namespace, its Kubernetes
|
|
namespace can be listed in the exclusion list of the
|
|
`disallow-hostnetwork-binding` policy binding resource.
|