Use security policies to impose constraints on your clusters that define what pods can do and which resources they have access to.

For a manageable security posture, VMware Tanzu Mission Control allows you to exercise control over activity in the clusters in your organization with security policies that govern certain aspects of pod execution in the cluster. These aspects, which are described in Pod Security Policies in the Kubernetes documentation, include privileged containers, volume types, privilege escalation, and Linux capabilities. Although security policies in Tanzu Mission Control are not implemented using the Kubernetes native PodSecurityPolicy object, the security-sensitive aspects of the pod specification that they control are the same.

Security policies in Tanzu Mission Control are implemented using the Gatekeeper project from Open Policy Agent (OPA Gatekeeper). For more information, see the OPA Gatekeeper documentation.

Inheritance and Precedence

Because security policies control how pods are deployed on a cluster, they apply to the cluster hierarchy (infrastructure view) rather than the namespace hierarchy (application view). You can implement security policies on a single cluster, on a cluster group, or at the organizational level, and they are inherited down through the hierarchy.

In contrast to native Kubernetes pod security policies, where the least restrictive policy takes precedence, security policies in Tanzu Mission Control enforce all aspects of all applied policies, each to the most restrictive extent defined. You cannot relax the constraints of an inherited security policy by implementing a less restrictive policy on a child object.
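The most-restrictive combination described above, modelled in Python as an added illustration rather than Tanzu Mission Control's or Gatekeeper's own code: the policy model, its field names, the policy names and the sample pod spec are constructed assumptions, but the aspects checked are the ones the page lists (privileged containers, privilege escalation, volume types, Linux capabilities).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityPolicy:
    """One TMC-style policy (assumed model); False / empty set means 'not allowed'."""
    name: str
    allow_privileged: bool = False
    allow_privilege_escalation: bool = False
    allowed_volume_types: frozenset = frozenset()
    allowed_capabilities: frozenset = frozenset()


def effective_policy(policies):
    """Most-restrictive merge of every policy that reaches a cluster (organization,
    cluster group, cluster): booleans are AND-ed and allow-lists intersected,
    so a less restrictive child policy can never relax an inherited one."""
    if not policies:
        raise ValueError("at least one policy required")
    return SecurityPolicy(
        name="effective(" + ",".join(p.name for p in policies) + ")",
        allow_privileged=all(p.allow_privileged for p in policies),
        allow_privilege_escalation=all(p.allow_privilege_escalation for p in policies),
        allowed_volume_types=frozenset.intersection(*(p.allowed_volume_types for p in policies)),
        allowed_capabilities=frozenset.intersection(*(p.allowed_capabilities for p in policies)),
    )


def violations(policy, pod_spec):
    """Reasons a pod spec (plain dict in Kubernetes shape) would be denied."""
    found = []
    for vol in pod_spec.get("volumes", []):
        vtype = next(k for k in vol if k != "name")  # e.g. hostPath, emptyDir
        if vtype not in policy.allowed_volume_types:
            found.append(f"volume {vol['name']}: {vtype} not allowed")
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not policy.allow_privileged:
            found.append(f"container {c['name']}: privileged")
        # Kubernetes treats an unset allowPrivilegeEscalation as true
        if sc.get("allowPrivilegeEscalation", True) and not policy.allow_privilege_escalation:
            found.append(f"container {c['name']}: privilege escalation")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in policy.allowed_capabilities:
                found.append(f"container {c['name']}: capability {cap}")
    return found


# Constructed sample: a strict organization-level policy and a looser cluster-level one.
ORG_POLICY = SecurityPolicy("org-baseline", allowed_volume_types=frozenset({"emptyDir", "configMap"}))
CLUSTER_POLICY = SecurityPolicy("dev-cluster", allow_privilege_escalation=True,
                                allowed_volume_types=frozenset({"emptyDir", "hostPath"}),
                                allowed_capabilities=frozenset({"NET_ADMIN"}))
SAMPLE_POD = {"volumes": [{"name": "host", "hostPath": {"path": "/var/run"}}],  # constructed
              "containers": [{"name": "app", "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}
```

The cluster-level policy alone admits the sample pod; once the inherited organization policy is merged in, the hostPath volume, the default privilege escalation and the added capability are all rejected.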

Coexistence with Existing PSPs on the Cluster

When implementing a security policy through Tanzu Mission Control, you have the option of disabling native Kubernetes pod security policies implemented on the cluster.

When you disable native pod security policies in a security policy, any Kubernetes native pod security policies that are implemented on the cluster are temporarily disabled. This applies to all clusters that are impacted by the security policy. For example, if you implement a security policy on a cluster group, all clusters in that cluster group are impacted. If you subsequently decide to allow the native policies, you can modify the security policy and deselect this option.

Additionally, due to policy inheritance, you can have multiple security policies that govern a single cluster. So, if any security policies that impact a cluster disable native pod security policies, then the native policies are disabled. To enable enforcement of native Kubernetes pod security policies for a cluster, all Tanzu Mission Control security policies that impact the cluster must have this option deselected.

What Happens When You Add a Security Policy

When you add a security policy, Tanzu Mission Control applies the policy to each cluster impacted by the policy. If this is the first security policy for a cluster, Tanzu Mission Control installs an extension in the cluster, and then applies the policy.