This topic describes how to use Kubernetes Pod Security Admission (PSA) with VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
Note: Support for Kubernetes Pod Security Policy (PSP) has been removed in Kubernetes v1.25.
PSA is the Kubernetes-recommended way to apply the Pod Security Standards. TKGI supports the PSA admission controller that is built into Kubernetes, and PSA is enabled in TKGI by default.
For more information on PSA, see Pod Security Admission in the Kubernetes documentation.
You can configure cluster-specific PSA in TKGI by using a Kubernetes profile.
Create the psa-cluster.yaml file containing the following information:

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: ENFORCE-LEVEL
      enforce-version: "ENFORCE-VERSION"
      audit: AUDIT-LEVEL
      audit-version: "AUDIT-VERSION"
      warn: WARN-LEVEL
      warn-version: "WARN-VERSION"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system,pks-system,nsx-system,vmware-system-csi,CUSTOM-NAMESPACES]
```
Where:

- ENFORCE-LEVEL is the level for enforcing the security policy. Use one of the levels that Kubernetes accepts: privileged, baseline, or restricted. Pods that violate this level are rejected.
- ENFORCE-VERSION is the Pod Security Standards version used for enforcing the security policy. VMware strongly recommends using latest for the enforce version.
- AUDIT-LEVEL is the level for auditing a possible security policy violation. Use one of privileged, baseline, or restricted. Violations are recorded in the audit log, but the pod is still admitted.
- AUDIT-VERSION is the Pod Security Standards version used for auditing a possible security policy violation. VMware strongly recommends using latest for the audit version.
- WARN-LEVEL is the level for triggering a warning for a security policy violation. Use one of privileged, baseline, or restricted. Violations return a warning to the user, but the pod is still admitted.
- WARN-VERSION is the Pod Security Standards version used for the warning that is triggered for a security policy violation. VMware strongly recommends using latest for the warn version.
- CUSTOM-NAMESPACES is the list of additional TKGI namespaces that you want to exempt from the policy. Pods in an exempted namespace are not evaluated by PSA at all, regardless of any pod-security labels set on that namespace, so keep this list to namespaces you do not intend to police with namespace-level PSA labels.

The defaults apply to every namespace that does not carry its own pod-security labels; namespace labels take precedence over the cluster-wide defaults.

Note: If you had configured any experimental admission control features by using a Kubernetes profile in a previous version of TKGI, you must append them under the plugins field in the psa-cluster.yaml file.
Create the config-psa-custom.json file containing the following information:

```json
{
  "name": "psa-cluster-file",
  "description": "PROFILE-DESCRIPTION",
  "customizations": [
    {
      "component": "kube-apiserver",
      "file-arguments": {
        "admission-control-config-file": "FILE-PATH"
      }
    }
  ]
}
```
Where:

- PROFILE-DESCRIPTION is the description for your Kubernetes profile.
- FILE-PATH is the path to the psa-cluster.yaml file.

Assign the profile to the cluster. For more information, see Assign a Kubernetes Profile to an Existing Cluster.
For more information about configuring and using Kubernetes Profiles with TKGI, see Using Kubernetes Profiles.
For more information about configuring cluster-level PSA, see Enforce Pod Security Standards by Configuring the Built-in Admission Controller in the Kubernetes documentation.
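As an added example (not TKGI tooling and not code from this page), the following Python script builds the two files described above from a chosen set of defaults and validates the level and version strings before writing anything. A mistyped level or version is otherwise only discovered when kube-apiserver loads the admission configuration. The policy chosen in main(), the extra "monitoring" namespace and the FILE-PATH value are assumptions for illustration.

```python
"""Build and validate the cluster-wide PodSecurity configuration for a TKGI Kubernetes profile.

Added example, not TKGI tooling. Level and version strings are checked before the
files are written, because a mistyped value is otherwise only discovered when
kube-apiserver loads the admission configuration. The output paths, the extra
namespace and the levels chosen in main() are assumptions for illustration.
"""
import json
import re

LEVELS = ("privileged", "baseline", "restricted")
VERSION_RE = re.compile(r"^(latest|v1\.\d+)$")
# Namespaces the TKGI documentation exempts from the cluster-wide defaults.
TKGI_SYSTEM_NAMESPACES = ["kube-system", "pks-system", "nsx-system", "vmware-system-csi"]


def validate_defaults(defaults):
    """Return a list of problems; an empty list means the defaults are acceptable."""
    problems = []
    for mode in ("enforce", "audit", "warn"):
        if defaults.get(mode) not in LEVELS:
            problems.append(f"{mode}: level must be one of {LEVELS}, got {defaults.get(mode)!r}")
        version = defaults.get(f"{mode}-version", "latest")
        if not VERSION_RE.match(version):
            problems.append(f"{mode}-version: must be 'latest' or v1.<minor>, got {version!r}")
    return problems


def admission_configuration(defaults, custom_namespaces=(), usernames=(), runtime_classes=()):
    """The AdmissionConfiguration document for psa-cluster.yaml, TKGI system namespaces exempted."""
    problems = validate_defaults(defaults)
    if problems:
        raise ValueError("; ".join(problems))
    full_defaults = {}
    for mode in ("enforce", "audit", "warn"):
        full_defaults[mode] = defaults[mode]
        full_defaults[f"{mode}-version"] = defaults.get(f"{mode}-version", "latest")
    return {
        "apiVersion": "apiserver.config.k8s.io/v1",
        "kind": "AdmissionConfiguration",
        "plugins": [{
            "name": "PodSecurity",
            "configuration": {
                "apiVersion": "pod-security.admission.config.k8s.io/v1",
                "kind": "PodSecurityConfiguration",
                "defaults": full_defaults,
                "exemptions": {
                    "usernames": list(usernames),
                    "runtimeClasses": list(runtime_classes),
                    "namespaces": TKGI_SYSTEM_NAMESPACES + list(custom_namespaces),
                },
            },
        }],
    }


def kubernetes_profile(name, description, file_path):
    """The Kubernetes profile (config-psa-custom.json) pointing kube-apiserver at the file."""
    return {
        "name": name,
        "description": description,
        "customizations": [{
            "component": "kube-apiserver",
            "file-arguments": {"admission-control-config-file": file_path},
        }],
    }


def render(document):
    """JSON is a subset of YAML, so one renderer serves both files."""
    return json.dumps(document, indent=2) + "\n"


if __name__ == "__main__":
    # Assumed policy: reject anything below baseline, report everything below restricted.
    config = admission_configuration(
        {"enforce": "baseline", "audit": "restricted", "warn": "restricted"},
        custom_namespaces=["monitoring"])
    with open("psa-cluster.yaml", "w") as f:
        f.write(render(config))
    with open("config-psa-custom.json", "w") as f:
        f.write(render(kubernetes_profile("psa-cluster-file", "cluster-wide PSA defaults",
                                          "/path/to/psa-cluster.yaml")))
```

Enforcing baseline while auditing and warning at restricted is a common first step: nothing that runs today under baseline is rejected, and the audit log and client warnings show exactly which workloads still need hardening before the enforce level is raised.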
To allow for different customer scenarios and requirements, TKGI does not set default PSA policies for TKGI system namespaces.
To ensure system integrity, VMware recommends securing TKGI system namespaces with PSA policies that are based on the PSA levels listed in the table below.
Note: To control the PSA security permissions in a TKGI namespace, you must have the privileges to create, update, or patch the namespace. To protect the system, restrict those namespace permissions to trusted user accounts.
The following table lists recommended PSA levels for TKGI system namespaces:
| TKGI System Namespace | PSA Level |
| --- | --- |
| kube-system | Privileged |
| nsx-system | Restricted |
| pks-system | Privileged |
| pks-system-host-monitoring | Restricted |
| vmware-system-csi | Baseline |
Customer-defined PSA policies do not change during TKGI cluster upgrade.
The guide Enforce Pod Security Standards with Namespace Labels in the Kubernetes documentation explains how to set PSA policies for namespaces. The commands below set only the enforce mode; the audit and warn modes use the pod-security.kubernetes.io/audit and pod-security.kubernetes.io/warn labels in the same way. If a namespace already carries the label with a different value, kubectl label refuses to change it unless you add --overwrite, and labels have no effect on a namespace that is listed under exemptions in the cluster-level configuration. For example, to enforce the recommended PSA levels for TKGI system namespaces as listed above, run:

```bash
kubectl label ns kube-system pod-security.kubernetes.io/enforce=privileged
kubectl label ns nsx-system pod-security.kubernetes.io/enforce=restricted
kubectl label ns pks-system pod-security.kubernetes.io/enforce=privileged
kubectl label ns pks-system-host-monitoring pod-security.kubernetes.io/enforce=restricted
kubectl label ns vmware-system-csi pod-security.kubernetes.io/enforce=baseline
```
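Before a namespace is moved from audit or warn to enforce, it helps to know which of its pods the chosen level would reject. The following Python script is an added example, not TKGI or upstream Kubernetes code: it implements a subset of the baseline and restricted checks from the Pod Security Standards (host namespaces, privileged mode, capabilities, hostPath and hostPort, seccomp, runAsNonRoot, runAsUser, allowPrivilegeEscalation, volume types) and reports, for a set of pod specs, the strictest level each pod still passes and which pods a given enforce level would reject. The pod specs are constructed samples, not real TKGI system pods. For the authoritative decision, rely on the warn and audit modes on the cluster itself, or on kubectl --dry-run=server against the labelled namespace.

```python
"""Pre-flight check of pod specs against a Pod Security Standards level.

Added example, not TKGI or upstream Kubernetes code: a subset of the baseline
and restricted checks from the Pod Security Standards, so the pods of a
namespace can be reviewed before its enforce label is set. The pod specs
at the bottom are constructed samples, not real TKGI system pods.
"""

BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                 "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def baseline_violations(spec):
    """Host namespaces, privileged mode, extra capabilities, hostPath, hostPort, seccomp."""
    v = [f"{k} is not allowed" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    v += [f"volume {vol['name']} uses hostPath" for vol in spec.get("volumes", []) if "hostPath" in vol]
    if spec.get("securityContext", {}).get("seccompProfile", {}).get("type") == "Unconfined":
        v.append("pod seccompProfile is Unconfined")
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            v.append(f"container {name} is privileged")
        if extra := set(sc.get("capabilities", {}).get("add", [])) - BASELINE_CAPS:
            v.append(f"container {name} adds capabilities {sorted(extra)}")
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            v.append(f"container {name} seccompProfile is Unconfined")
        v += [f"container {name} uses hostPort {p['hostPort']}" for p in c.get("ports", []) if p.get("hostPort")]
    return v


def restricted_violations(spec):
    """Baseline plus the explicit hardening restricted requires; container fields override pod fields."""
    v = baseline_violations(spec)
    psc = spec.get("securityContext", {})
    for vol in spec.get("volumes", []):
        if not set(vol) - {"name"} <= RESTRICTED_VOLUMES:
            v.append(f"volume {vol['name']} type is not allowed")
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c["name"]
        caps = sc.get("capabilities", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"container {name} must set allowPrivilegeEscalation: false")
        if sc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            v.append(f"container {name} must set runAsNonRoot: true")
        if sc.get("runAsUser", psc.get("runAsUser")) == 0:
            v.append(f"container {name} runs as UID 0")
        if sc.get("seccompProfile", psc.get("seccompProfile", {})).get("type") not in ("RuntimeDefault", "Localhost"):
            v.append(f"container {name} must set seccompProfile RuntimeDefault or Localhost")
        if "ALL" not in caps.get("drop", []):
            v.append(f"container {name} must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            v.append(f"container {name} may only add NET_BIND_SERVICE")
    return v


CHECKS = {"privileged": lambda spec: [], "baseline": baseline_violations,
          "restricted": restricted_violations}
LEVELS = tuple(CHECKS)  # ordered from least to most restrictive


def minimum_level(spec):
    """The strictest level that still admits the pod."""
    return next(level for level in reversed(LEVELS) if not CHECKS[level](spec))


def preflight(pods, level):
    """Pod name -> violations, for the pods that enforce=<level> would reject."""
    return {name: found for name, spec in pods.items() if (found := CHECKS[level](spec))}


# Constructed samples standing in for the workloads of one namespace.
SAMPLE_PODS = {
    "node-agent": {  # needs host access: only privileged admits it
        "hostNetwork": True,
        "volumes": [{"name": "run", "hostPath": {"path": "/var/run"}}],
        "containers": [{"name": "agent",
                        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}],
    },
    "web": {  # passes baseline but not restricted
        "containers": [{"name": "web", "ports": [{"containerPort": 8080}]}],
    },
    "controller": {  # hardened: passes restricted
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "cfg", "configMap": {"name": "controller"}}],
        "containers": [{"name": "ctl", "securityContext": {
            "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for name, spec in SAMPLE_PODS.items():
        print(f"{name}: minimum level {minimum_level(spec)}")
    print("restricted would reject:", sorted(preflight(SAMPLE_PODS, "restricted")))
```

The point of running such a check before labelling is the asymmetry between the modes: a namespace that is moved straight to enforce=restricted stops admitting any pod that fails a single check, including replacement pods for a Deployment that was already running, whereas warn and audit surface the same findings without blocking anything.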
To migrate from PSP to the PodSecurity admission controller, see Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller in the Kubernetes documentation.