This topic describes how to use Kubernetes Pod Security Admission (PSA) with VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

Note

Support for Kubernetes Pod Security Policy (PSP) has been removed in Kubernetes v1.25.

About Pod Security Admission

PSA is the Kubernetes-recommended way to implement security standards. TKGI supports the built-in PSA in Kubernetes. PSA is enabled in TKGI, by default.

In TKGI, you can configure PSA in a cluster or in a custom namespace.

For more information on PSA, see Pod Security Admission in the Kubernetes documentation.

Pod Security Admission in a TKGI Cluster

You can configure cluster-specific PSA in TKGI by using a Kubernetes profile.

  1. Create the psa-cluster yaml file containing the following information:

    apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: ENFORCE-LEVEL
      enforce-version: "ENFORCE-VERSION"
      audit: AUDIT-LEVEL
      audit-version: "AUDIT-VERSION"
      warn: WARN-LEVEL
      warn-version: "WARN-VERSION"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system,pks-system,nsx-system,vmware-system-csi,CUSTOM-NAMESPACES]

    Where:

    • ENFORCE-LEVEL is the level for enforcing the security policy. Use a level that is accepted by Kubernetes, for example, privileged, baseline, or restricted.
    • ENFORCE-VERSION is the version for enforcing the security policy. VMware strongly recommends using latest for the enforce version.
    • AUDIT-LEVEL is the level for auditing a possible security policy violation. Use a level that is accepted by Kubernetes, for example, privileged, baseline, or restricted.
    • AUDIT-VERSION is the version for auditing a possible security policy violation. VMware strongly recommends using latest for the audit version.
    • WARN-LEVEL is the level for triggering a warning for a security policy violation. Use a level that is accepted by Kubernetes, for example, privileged, baseline, or restricted.
    • WARN-VERSION is the version for the warning that is triggered for a security policy violation. VMware strongly recommends using latest for the warn version.
    • CUSTOM-NAMESPACES is the TKGI custom namespaces that you want to exclude.

    Note: If you had configured any experimental admission control features by using a Kubernetes profile in the previous version of TKGI, you must append it under the plugin field in the psa-cluster yaml file.

  2. Create the config-psa-custom json file containing the following information:

    {
  "name":"psa-cluster-file",
  "description":"PROFILE-DESCRIPTION",
  "customizations":[
      {
          "component":"kube-apiserver",
          "file-arguments":{
              "admission-control-config-file":"FILE-PATH"
          }
      }
  ]
}

    Where:

    • DESCRIPTION is the decsription for your Kubernetes profile.
    • FILE-PATH is the path to the psa-cluster.yaml file.

  3. Assign the profile to the cluster. For more iformation, see Assign a Kubernetes Profile to an Existing Cluster.

For more information about configuring and using Kubernetes Profiles with TKGI, see Using Kubernetes Profiles.

For more information about configuring cluster-level PSA, see Enforce Pod Security Standards by Configuring the Built-in Admission Controller in the Kubernetes documentation.

Pod Security Admission in a TKGI Custom Namespace

To allow for different customer scenarios and requirements, TKGI does not set default PSA policies for TKGI system namespaces.

To ensure system integrity, VMware recommends securing TKGI system namespaces with PSA policies that are based on the PSA levels listed in the table below.

Note

To control the PSA security permissions in a TKGI namespace, you must have the privileges to create, update, or patch the namespace. To ensure security of the system, restrict namespace permissions to trusted user accounts.

The following table lists recommended PSA levels for TKGI system namespaces:

TKGI System Namespace PSA Level
kube-system Privileged
nsx-system Restricted
pks-system Privileged
pks-system-host-monitoring Restricted
vmware-system-csi Baseline

Customer-defined PSA policies do not change during TKGI cluster upgrade.

The guide Enforce Pod Security Standards with Namespace Labels in the Kubernetes documentation explains how to set PSA polices for namespaces. For example, to enforce the recommended PSA levels for TKGI system namespaces as listed above, run:

kubectl label ns kube-system pod-security.kubernetes.io/enforce=privileged
kubectl label ns nsx-system  pod-security.kubernetes.io/enforce=restricted
kubectl label ns pks-system  pod-security.kubernetes.io/enforce=privileged
kubectl label ns pks-system-host-monitoring  pod-security.kubernetes.io/enforce=restricted
kubectl label ns vmware-system-csi  pod-security.kubernetes.io/enforce=baseline

Migrate from PSP to PSA Controller

To migrate from PSP to PSA Controller, see Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller in the Kubernetes documentation.

check-circle-line exclamation-circle-line close-line
Scroll to top icon