Pod Security Policy (PSP)
Security is critical for organizations of all sizes. Rafay provides a number of security capabilities (both native features and turnkey integrations with third-party products) that users can incorporate into their core architecture and design.
The Rafay platform provides support for the following as part of the core offering: secrets, certificates, registry pull secrets, RBAC, SSO integration, etc. Pod Security Policies (PSPs) are a key building block for Kubernetes security as well.
Overview
PSPs are cluster-wide resources that control security-sensitive aspects of the pod specification. A PSP object defines a set of conditions that a pod must run with in order to be "allowed" into the cluster.
Important
It is strongly recommended that users use PSPs with care and understanding. If used improperly, it is possible to make a cluster "unusable".
PSP Capabilities
Pod Security Policies allow you to control:
- The running of privileged containers
- Usage of host namespaces
- Usage of host networking and ports
- Usage of volume types
- Usage of the host filesystem
- An allow list of Flexvolume drivers
- The allocation of an FSGroup that owns the pod’s volumes
- Requirements for use of a read-only root filesystem
- The user and group IDs of the container
- Escalations of root privileges
- Linux capabilities, SELinux context, AppArmor, seccomp, sysctl profile
Official Kubernetes documentation on PSPs
Important
For controls beyond what PSPs support, users can deploy OPA Gatekeeper using a curated recipe provided by Rafay.
Out of Box PSPs
Every Org and Project comes pre-populated with two PSPs that can be considered the two extreme bookends:
- Restricted (highly restrictive and locked down)
- Privileged (open and permissive)
The default PSP is always the "Privileged" PSP. If required, admins can change the default for their Organization.
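To make the controls listed under "PSP Capabilities" and the two bookends concrete, here is a restricted PSP next to a privileged one written in the upstream policy/v1beta1 PodSecurityPolicy schema. This is an added, constructed example, not Rafay's own Restricted or Privileged PSP definition; the names example-restricted/example-privileged and the chosen ID ranges are assumptions.

```yaml
# Restricted PSP: the locked-down bookend. Field names are the upstream
# policy/v1beta1 schema; the name and ID ranges are constructed values.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-restricted
  annotations:
    # seccomp profiles are controlled through annotations in PSP
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false                  # no privileged containers
  allowPrivilegeEscalation: false    # blocks setuid-style escalation to root
  requiredDropCapabilities: ['ALL']  # drop every Linux capability
  hostNetwork: false                 # no host networking; no hostPorts listed
  hostPID: false                     # no host PID namespace
  hostIPC: false                     # no host IPC namespace
  # allow list of volume types; hostPath (host filesystem) and flexVolume
  # are deliberately absent, so they are rejected
  volumes: [configMap, emptyDir, projected, secret, downwardAPI, persistentVolumeClaim]
  readOnlyRootFilesystem: true       # root filesystem must be read-only
  runAsUser:
    rule: MustRunAsNonRoot           # UID 0 is rejected
  runAsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]   # GID 0 is rejected
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:                           # FSGroup that owns the pod's volumes
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  seLinux:
    rule: RunAsAny                   # defer to the node's SELinux policy
  forbiddenSysctls: ['*']            # '*' forbids every sysctl
---
# Privileged PSP: the permissive bookend, every control left open
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-privileged
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities: ['*']
  volumes: ['*']
  hostNetwork: true
  hostPorts: [{min: 0, max: 65535}]
  hostPID: true
  hostIPC: true
  runAsUser: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
```

Because a PSP is only enforced when the pod's service account is granted `use` on it via RBAC, the restricted policy is what a default should look like; making the privileged one the default means every workload that can reach it runs with no restrictions.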
Create PSP
Admins can create and manage the lifecycle of custom PSPs per project. They can then leverage the PSPs in cluster blueprints.
As an Admin:
- Click on "New PSP"
- Follow the instructions in the PSP Wizard, which is organized into the following logical sections
General
Host Namespaces
Volumes and File Systems
Users & Groups
SE Linux and Capabilities
Using PSPs in Blueprint
PSPs can be used as part of a cluster blueprint.
- Select the list of PSPs that need to be used
- Select "cluster scoped" for Policy Type
- The PSP will be applied as part of the blueprint update on the cluster
Note
In an upcoming update, the policy type will be expanded to support "namespace-scoped" PSPs as well.