Traditionally I would have prevented root/UID 0 containers from running in kubernetes using pod security policies. However it seems that in 1.21 PSPs have been deprecated. Are there any other recommended ways to prevent these from running at a cluster level?
Asked
Active
Viewed 108 times
1
-
Well, did you read [their handy blog post](https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#what-does-this-mean-for-you), wherein they cited using OPA Gatekeeper to enforce cluster-wide policies like that? – mdaniel Sep 30 '21 at 14:57
1 Answers
0
As @mdaniel comments suggests, it's worth reading PodSecurityPolicy Deprecation: Past, Present, and Future article, where you will find that Kubernetes team recommends using Gatekeeper Policy Library for complex binding rules.
For more details I'd recommend to read:
- Official Gatekeeper documentation
- Using Gatekeeper as a drop-in Pod Security Policy replacement in Amazon EKS article
You can setup Gatekeeper at a cluster level:
scopeaccepts*,Cluster, orNamespacedwhich determines if cluster-scoped and/or namesapced-scoped resources are selected. (defaults to*)
For you usage, you will probably find Gatekeeper Constraint users to be useful. Check examples in the samples folder.
Mikolaj S.
- 208
- 1
- 7
-
-
Currently looking at the correct policy to use to enforce this. Will update if I get anywhere – thewire247 Oct 13 '21 at 09:20