Starting with vSphere with Tanzu Kubernetes releases v1.25 and onwards. Pod Security Admission (PSA) replaces the original method for pod security using Pod Security Policy (PSP). Tanzu Kubernetes v1.25 had the default security mode set to warn. From Tanzu Kubernetes release v1.26 and onwards, the default security mode changed to enforce with the pod standard set to restricted.
| TKR Version | Default PSA |
|---|---|
| TKR v1.25 | mode: warn | level: restricted mode: audit | level: restricted mode: enforce | level: not set |
| TKR v1.26 and later | mode: enforce | level: restricted |
Both Kubernetes.io and VMware by Broadcom have some good documentation that details PSA. The process is very easy to use and configured by defining lables on namespaces. This new method to define pod security feels much more simple and logical than the older PSP method to use, which I really like.
Without going too deep into PSA on Tanzu, and quite honestly I’m still learning, there are just a few things to note. First there are PSA Modes. We have three modes to choose from, enforce, audit, and warn. This will define what action the control plane will take when a policy violation is detected.
| MODE | Description |
|---|---|
enforce | Security violations cause the pod to be rejected. |
audit | Security violations trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed. |
warn | Security violations trigger a user-facing warning, but are otherwise allowed. |
Next we have Pod Security Standards (PSS). We have three profiles or levels, priviledged, baseline, and restricted. These will define what the pods are allowed to do. Kubernetes.io has a good detailed list of what each of these profiles encompasses.
| LEVEL | Description |
|---|---|
privileged | Unrestricted control, providing the widest possible level of permissions. This security standard allows for known privilege escalations. |
baseline | Minimally restrictive control which prevents known privilege escalations. This security standard allows the default (minimally specified) pod configuration. |
restricted | Heavily restricted control, following pod hardening best practices. |
Now why do we care about all of this on Tanzu Kubernetes. Well, basically, nothing will want to run out of the box when you deploy a new pod on a TKr v1.26+ cluster. Even the most simplest pods will be forbidden from running due to violating PodSecurity.
kubectl run test --image=nginxdemos/hello -n test
Error from server (Forbidden): pods “test” is forbidden: violates PodSecurity “restricted:latest”: allowPrivilegeEscalation != false (container “test” must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container “test” must set securityContext.capabilities.drop=[“ALL”]), runAsNonRoot != true (pod or container “test” must set securityContext.runAsNonRoot=true), seccompProfile (pod or container “test” must set securityContext.seccompProfile.type to “RuntimeDefault” or “Localhost”)
This security stuff is all quite frustrating isn’t it. 🙂
We have a few options to getting our pods running though. We can configure some security context on our pod or we can change the security level on a namespace. By far the namespace is the quickest and easiest.
It’s just a matter of providing a label on our namespace that defines our enforcement level from the default restricted to either baseline or priviledged. You can initially start with baseline and then move to priviledged if that doesn’t work.
For me, straight to priviledged all the way. 🤠
kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=privileged
When you next go to run a pod in your namespace with this label it should start up fine. Horay
kubectl run test --image=nginxdemos/hello -n test
pod/test created
There’s one frustrating things that I’ve run into time and time again with this new Pod Security Admission method. And that is you obviously need a namespace first to define a label on it, right. Now that might not sound that frustrating until you try to deploy something like an external HELM chart or third party app and realise that it doesn’t want to run because of the default PSA level. Unfortunately I don’t know of an easily (and supported) way to make this change at the cluster level. Please let me know if you know of a way! I’ve seen references to do it against TKGm but not vSphere with Tanzu. And we don’t talk about TKGm right!
Anyway in conclusion, you’re going to want to most likely modify Pod Security Admission on your namespaces after you deploy a TKG cluster on vSphere with Tanzu. So don’t forget.
1 thought on “Tanzu Pod Security Admission (PSA)”