Add a security policy that governs how pods can run in your clusters.

Prerequisites

Log in to the Tanzu Mission Control console, go to the Policies page and view the security policies for the object, as described in View the Policy Assignments for an Object.

Make sure you have the appropriate permissions.
  • To create a security policy for an object, you must be associated with the .admin role for that object.

Procedure

  1. On the Policies page, click the Security tab.
  2. Use the tree control to navigate to and select the object for which you want to create a security policy.
  3. Click Create Security Policy.
  4. Select the security template that you want to use.
    • The Strict template is a preconfigured set of constraints that define a tight security context for pods in your clusters. The detailed options defined in this template are displayed on the form in the Tanzu Mission Control console.
    • The Baseline template is a preconfigured set of constraints that prevents known privilege escalations, but is less stringent than the Strict template to ease adoption of the security policy for common containerized workloads. The detailed options defined in this template are displayed on the form in the Tanzu Mission Control console.
    • The Custom template allows you to specify how to handle the various aspects of pod security for your clusters.
      Note:

      The Custom template for security policies is available only if you are using the advanced edition of Tanzu Mission Control.

  5. Provide a policy name.
  6. If you choose the Custom policy template, specify the detailed aspects for the policy.
  7. You can optionally provide label selectors to specify particular namespaces that you want to include or exclude for this policy.
    For more information about how label selectors work, see Policy-Driven Cluster Management in VMware Tanzu Mission Control Concepts.
  8. Select the Enforcement action you want the policy to use.
    • Deny (default) indicates the policy is fully enforced, denying admission requests with any violation.
    • Dry run indicates the policy is not enforced, but allows you to see the impact of the policy for testing. If this option is selected, the policy does not prevent containers from being scheduled on the cluster, but you do receive alerts for policy violations. You can later edit this policy to re-enable policy enforcement.
    • Warn works like dry run, except that it provides immediate feedback when a potential denial occurs.
  9. You can optionally select Disable native pod security policies to restrict the enforcement of native Kubernetes pod security policies that are implemented on the cluster.
    If this option is selected for any policy (direct or inherited) that impacts a cluster, then native Kubernetes pod security policies are disabled for that cluster. If this option is not selected, then any native pod security policies defined on the cluster take precedence over the policy you define here.
    You can later edit this policy to re-enable native pod security policies.
  10. Click Create policy.
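The following added example models the policy behavior described in steps 7 through 8: how the namespace label selectors decide whether a policy applies at all, and how the Deny, Dry run and Warn enforcement actions turn a violation into a rejected request, a recorded alert, or an alert plus immediate feedback. It is illustrative code written for this page, not Tanzu Mission Control's implementation; the `Pod`, `Policy` and `Decision` types, the two checks in `baseline_violations`, and the sample pods and labels are all constructed assumptions.

```python
"""Constructed model of how a security policy's enforcement action and namespace
label selectors decide the outcome of a pod admission request.

Hypothetical example code, not Tanzu Mission Control's implementation. The two
checks in baseline_violations() are an assumed subset of the privilege-escalation
constraints a Baseline-style template covers.
"""
from dataclasses import dataclass, field

DENY = "deny"        # fully enforced: a violating request is rejected
DRY_RUN = "dry-run"  # not enforced: request admitted, violation recorded as an alert
WARN = "warn"        # like dry run, plus immediate feedback returned to the requester


@dataclass
class Pod:
    name: str
    namespace: str
    privileged: bool = False
    host_network: bool = False


@dataclass
class Policy:
    name: str
    action: str = DENY
    include: dict = field(default_factory=dict)  # labels a namespace must carry to be covered
    exclude: dict = field(default_factory=dict)  # labels that opt a namespace out of the policy


@dataclass
class Decision:
    admitted: bool
    violations: list = field(default_factory=list)
    warnings: list = field(default_factory=list)  # returned with the admission response
    alerts: list = field(default_factory=list)    # recorded for the operator to review later


def baseline_violations(pod: Pod) -> list:
    """Assumed subset of Baseline-style constraints (known privilege-escalation vectors)."""
    found = []
    if pod.privileged:
        found.append("privileged container")
    if pod.host_network:
        found.append("hostNetwork enabled")
    return found


def selects(policy: Policy, ns_labels: dict) -> bool:
    """Apply the include/exclude label selectors to the pod's namespace labels.
    An exclude match wins over include; a policy with no selectors applies everywhere."""
    if policy.exclude and all(ns_labels.get(k) == v for k, v in policy.exclude.items()):
        return False
    if policy.include and not all(ns_labels.get(k) == v for k, v in policy.include.items()):
        return False
    return True


def admit(policy: Policy, pod: Pod, ns_labels: dict) -> Decision:
    """Evaluate one admission request against the policy's enforcement action."""
    if not selects(policy, ns_labels):
        return Decision(admitted=True)          # policy does not cover this namespace
    violations = baseline_violations(pod)
    if not violations:
        return Decision(admitted=True)          # compliant pod, nothing to report
    messages = [f"{policy.name}: {pod.namespace}/{pod.name} violates '{v}'" for v in violations]
    if policy.action == DENY:
        return Decision(admitted=False, violations=violations)
    if policy.action == WARN:
        # dry run behaviour plus immediate feedback to whoever submitted the request
        return Decision(admitted=True, violations=violations, warnings=messages, alerts=messages)
    # DRY_RUN: scheduled anyway, but the operator receives an alert for the violation
    return Decision(admitted=True, violations=violations, alerts=messages)


if __name__ == "__main__":
    # Constructed sample request: a privileged pod in a namespace labelled env=prod
    pod = Pod(name="web", namespace="apps", privileged=True)
    labels = {"env": "prod"}
    for action in (DENY, DRY_RUN, WARN):
        d = admit(Policy("baseline-prod", action, include={"env": "prod"}), pod, labels)
        print(f"{action:8} admitted={d.admitted} warnings={len(d.warnings)} alerts={len(d.alerts)}")
```

Running the block prints one line per enforcement action for the same privileged pod: Deny rejects it, Dry run admits it and records an alert, and Warn admits it while both recording the alert and returning the warning with the response. Changing the namespace labels so the include selector no longer matches (or adding a matching exclude label) admits the pod without any evaluation, which is the effect of scoping a policy with label selectors.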