Use security policies and mutation policies to manage the security context in which deployed pods operate in your clusters.

Using VMware Tanzu Mission Control, you can make the deployments to your clusters more secure by implementing constraints that govern what deployed pods can do. Security policies and mutation policies, implemented using OPA Gatekeeper, can help prevent the deployment of pods that don't conform to your specifications.
  • A security policy allows you to restrict certain aspects of pod execution in your clusters, such as privilege escalation, Linux capabilities, and allowed volume types. When a pod is deployed to a cluster with a security policy, and it does not conform to the constraints specified in the policy, the deployment is disallowed.
  • A mutation policy is similar to security policy, except that it can alter (mutate) the pod specification (podspec) to enforce conformance to the policy. When a pod is deployed to the cluster, the policy mutates the podspec as defined in the policy before admitting the request to deploy the pod. For more information, see Mutating Kubernetes Resources.

For more details about how security policies work in Tanzu Mission Control, see Pod Security Management in VMware Tanzu Mission Control Concepts.

Note:

The Custom template for security policies is available in Tanzu Mission Control only if you are using the the advanced version of Tanzu Mission Control.

Evaluation and Precedence of Security and Mutation Policies

Both security policies and mutation policies can be applied in the clusters hierarchy (infrastructure view) in Tanzu Mission Control, and they are inherited down through the hierarchy. You can read more about that in Pod Security Management in VMware Tanzu Mission Control Concepts.

When a workload is deployed to a cluster that has both mutation policies and security policies, first the mutation policies are evaluated and applied, mutating the podspec as specified. Then, after all mutations have been applied, the security policies are evaluated to determine if the podspec is conformant to allow deployment.

When multiple mutation policies are applied to a cluster, through either direct or inherited policies, they are evaluated as follows:
  • Mutation policies are run against the podspec starting with those applied to the cluster, then those inherited from the cluster group, and finally those inherited from the organization.
  • If there are multiple mutation policies at any level of the hierarchy, they are run in alphanumeric order.
Because a mutation policy can overwrite changes applied by a previously run mutation policy, the order in which they are run is significant.