Use security policies to manage the security setting in which deployed pods operate in your clusters.
From Tanzu Platform for Kubernetes, you can make the deployments to your clusters more secure by implementing constraints that limit what deployed pods can do. Security policies, implemented using Open Policy Agent-Gatekeeper, can prevent the deployment of pods that do not conform to your specifications.
A security policy allows you to restrict certain aspects of pod execution in your clusters, such as privilege escalation, Linux capabilities, and allowed volume types. When a pod is deployed to a cluster with a security policy, and it does not conform to the constraints specified in the policy, the deployment is disallowed.
The following sections provide the steps to create and manage security policies on Tanzu Platform for Kubernetes.
Before you create a policy, make sure that you have the required permissions and understand how policies are applied.
To apply a security policy, you will need administrator access on your cluster and cluster groups.
You can implement security policies on a single cluster, on a cluster group, or at the organizational level, and they are inherited down through the hierarchy.
In contrast to native Kubernetes pod security policies, where the least restrictive policy takes precedence, security policies in Tanzu Platform for Kubernetes enforce all aspects of all applied policies, each to the most restrictive extent defined. You cannot relax the constraints of an inherited security policy by implementing a less restrictive policy on a child object.
To create a policy:
In Tanzu Platform hub, on the left navigation pane, scroll down to the Application Platform.
Expand Operations Policies.
Click Cluster Policies > Create Policy. You will see the Create Security Policy page.
For Basic details:
For Additional properties:
Select the security template that you want to use.
The Strict template is a pre-configured set of constraints that define a tight security context for pods in your clusters.
The Baseline template is a pre-configured set of constraints that prevents known privilege escalations, but is less stringent than the Strict template to ease adoption of the security policy for common containerized workloads.
The Custom template allows you to specify how to handle the various aspects of pod security for your clusters.
If you choose the Custom policy template, specify the detailed aspects for the policy.
Select the Enforcement action you want the policy to use.
Deny (default) indicates the policy is fully enforced, denying admission requests with any violation.
Dry run indicates the policy is not enforced, but allows you to see the impact of the policy for testing. If this option is selected, the policy does not prevent containers from being scheduled on the cluster, but you do receive alerts for policy violations. You can later edit this policy to re-enable policy enforcement.
Warn works similarly to Dry run, except that it provides immediate feedback to the requesting client when a request would have been denied.
Click Continue.
(Optional) For Namespaces, you can provide label selectors to specify particular namespaces that you want to include or exclude for this policy.
Click Create Policy.
When you add a security policy, Tanzu Platform for Kubernetes applies the policy to each cluster impacted by the policy. If this is the first security policy for a cluster, Tanzu Platform for Kubernetes installs an extension in the cluster, and then applies the policy.
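To see what the Enforcement action and Namespaces settings map to on the cluster, here is an added example of the underlying Gatekeeper mechanism. It is not an object generated by Tanzu Platform; it assumes the gatekeeper-library constraint template K8sPSPAllowPrivilegeEscalationContainer is installed, and the constraint name and namespace label are placeholders.

```yaml
# Added example (not generated by Tanzu Platform): a Gatekeeper constraint
# that blocks containers which allow privilege escalation.
# Assumes the gatekeeper-library template K8sPSPAllowPrivilegeEscalationContainer
# is installed; the constraint name and namespace label are constructed.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: no-privilege-escalation-example
spec:
  # Corresponds to the Enforcement action setting in the policy wizard:
  #   deny   - reject non-conforming pods at admission (the default)
  #   dryrun - admit the pod; only record the violation in status.violations
  #   warn   - admit the pod; return a warning to the client
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # Equivalent of the Namespaces label selector in the policy wizard:
    # only namespaces carrying this (constructed) label are in scope.
    namespaceSelector:
      matchLabels:
        policy.example.com/enforce: "true"
    # Namespaces left alone regardless of their labels.
    excludedNamespaces:
      - kube-system
      - gatekeeper-system
```

While enforcementAction is dryrun, Gatekeeper's audit controller lists the pods that would have been rejected under status.violations of this constraint (kubectl get k8spspallowprivilegeescalationcontainer no-privilege-escalation-example -o yaml). Changing the value to deny turns the same rule into a blocking admission check, which is what the Deny option in the wizard does.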
To edit a policy:
To delete a policy: