Use security policies to impose constraints on your clusters that define what pods can do and which resources they have access to.

For a manageable security posture, VMware Tanzu Mission Control allows you to exercise control over activity in the clusters in your organization with security policies that govern certain aspects of pod execution in the cluster. These aspects, which are described in Pod Security Standards in the Kubernetes documentation, include privileged containers, volume types, privilege escalation, and Linux capabilities. Although security policies in Tanzu Mission Control are not implemented using the Kubernetes native PodSecurityPolicy object, the security-sensitive aspects of the pod specification that they control is the same.

Security policies in Tanzu Mission Control are implemented using the Gatekeeper project from Open Policy Agent (OPA Gatekeeper). For more information, see the OPA Gatekeeper documentation.

Note:

Current Kubernetes security policy standards (k8s v1.23+) can be found here: https://kubernetes.io/docs/concepts/security/pod-security-standards/.

As per these standards, in restricted/strict policy mode, runAsNonRoot should always be true and runAsUser can be undefined or non-zero.

However, in strict security-policy mode, Tanzu Mission Control does not enforce runAsNonRoot and enforces runAsUser to be non-zero (undefined is not allowed).

Note:

This feature is only available in the advanced version of Tanzu Mission Control.

Inheritance and Precedence

Because security policies control how pods are deployed on a cluster, they apply to the clusters hierarchy (infrastructure view) rather than the namespace hierarchy (application view). You can implement security policies on a single cluster, on a cluster group, or at the organizational level, and they are inherited down through the hierarchy.

In contrast to native Kubernetes pod security policies, where the least restrictive policy takes precedence, security policies in Tanzu Mission Control enforce all aspects of all applied policies, each to the most restrictive extent defined. You cannot relax the constraints of an inherited security policy by implementing a less restrictive policy on a child object.

What Happens When You Add a Security Policy

When you add a security policy, Tanzu Mission Control applies the policy to each cluster impacted by the policy. If this is the first security policy for a cluster, Tanzu Mission Control installs an extension in the cluster, and then applies the policy.