Create and manage security policies on Tanzu Platform for Kubernetes

Use security policies to manage the security settings under which deployed pods operate in your clusters.

Using VMware Tanzu Platform for Kubernetes, you can make the deployments to your clusters more secure by implementing constraints that govern what deployed pods can do. Security policies, implemented using Open Policy Agent-Gatekeeper, can prevent the deployment of pods that don’t conform to your specifications.

A security policy allows you to restrict certain aspects of pod execution in your clusters, such as privilege escalation, Linux capabilities, and allowed volume types. When a pod is deployed to a cluster with a security policy, and it does not conform to the constraints specified in the policy, the deployment is disallowed.

The following sections provide the steps to create, edit, and delete security policies on Tanzu Platform for Kubernetes.

Before you begin

Before you create a policy, make sure that you have the required permissions and understand how policies are applied.

Permissions

To apply a security policy, you will need administrator access on your cluster and cluster groups.

Policy Precedence

You can implement security policies on a single cluster, on a cluster group, or at the organizational level, and they are inherited down through the hierarchy.

In contrast to native Kubernetes pod security policies, where the least restrictive policy takes precedence, security policies in Tanzu Platform for Kubernetes enforce all aspects of all applied policies, each to the most restrictive extent defined. You cannot relax the constraints of an inherited security policy by implementing a less restrictive policy on a child object.

Create a security policy

To create a policy:

  1. On the Tanzu Platform hub, on the left navigation pane, scroll down to the Application Platform.

  2. Expand Operations Policies.

  3. Click Cluster Policies > Create Policy. You will see the Create Security Policy page.

  4. For Basic details:

    1. Provide a name for the policy.
    2. Select a scope for the policy.
    3. Click Continue.

  5. For Additional properties:

    1. Select the security template that you want to use.

      The Strict template is a pre-configured set of constraints that define a tight security context for pods in your clusters.

      The Baseline template is a pre-configured set of constraints that prevents known privilege escalations, but is less stringent than the Strict template to ease adoption of the security policy for common containerized workloads.

      The Custom template allows you to specify how to handle the various aspects of pod security for your clusters.

    2. If you choose the Custom policy template, specify the detailed aspects for the policy.

    3. Select the Enforcement action you want the policy to use.

      Deny (default) indicates the policy is fully enforced, denying admission requests with any violation.

      Dry run indicates the policy is not enforced, but allows you to see the impact of the policy for testing. If this option is selected, the policy does not prevent containers from being scheduled on the cluster, but you do receive alerts for policy violations. You can later edit this policy to re-enable policy enforcement.

      Warn works similarly to Dry run, except that it provides immediate feedback when a potential denial occurs.

    4. Click Continue.

  6. (Optional) For Namespaces, you can provide label selectors to specify particular namespaces that you want to include or exclude for this policy.

  7. Click Create Policy.

When you add a security policy, Tanzu Platform for Kubernetes applies the policy to each cluster impacted by the policy. If this is the first security policy for a cluster, Tanzu Platform for Kubernetes installs an extension in the cluster, and then applies the policy.
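The precedence rule above (every level of the hierarchy can only tighten the effective constraints, never relax them) and the three enforcement actions from the Create procedure are easy to misread, so here is an added example that models them; it is not Tanzu's or Gatekeeper's own code, and the policy fields, the dict-shaped pod spec, and the sample org/group/cluster policies are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified policy model: None means "this level sets no constraint".
# Field names are illustrative, not Tanzu's or Gatekeeper's own schema.
@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    allow_privilege_escalation: Optional[bool] = None
    allowed_capabilities: Optional[frozenset] = None   # capabilities a pod may add
    allowed_volume_types: Optional[frozenset] = None   # e.g. {"configMap", "secret"}

def _intersect(sets):
    """Intersect the constraining sets; None if no level constrains this aspect."""
    sets = [s for s in sets if s is not None]
    return frozenset.intersection(*sets) if sets else None

def effective_policy(hierarchy):
    """Merge policies listed org -> cluster group -> cluster, most restrictive per aspect.

    Unlike native PSPs (least restrictive wins), a child can only tighten: one
    'deny escalation' anywhere in the chain denies it for every cluster below.
    """
    flags = [p.allow_privilege_escalation for p in hierarchy if p.allow_privilege_escalation is not None]
    return SecurityPolicy(
        name="+".join(p.name for p in hierarchy),
        allow_privilege_escalation=all(flags) if flags else None,
        allowed_capabilities=_intersect(p.allowed_capabilities for p in hierarchy),
        allowed_volume_types=_intersect(p.allowed_volume_types for p in hierarchy),
    )

def violations(pod, policy):
    """List the constraints a (constructed, dict-shaped) pod spec breaks."""
    found = []
    if policy.allow_privilege_escalation is False and pod.get("allowPrivilegeEscalation"):
        found.append("privilege escalation is not allowed")
    for key, allowed in (("capabilities", policy.allowed_capabilities),
                         ("volumes", policy.allowed_volume_types)):
        if allowed is not None:
            extra = set(pod.get(key, ())) - allowed
            if extra:
                found.append(f"{key} not allowed: {sorted(extra)}")
    return found

def admit(pod, policy, enforcement_action="deny"):
    """Deny blocks admission on any violation; dryrun and warn admit but still report."""
    found = violations(pod, policy)
    return (enforcement_action != "deny" or not found), found
```

With a cluster-level policy that tries to re-enable privilege escalation and add SYS_ADMIN under an org policy that denies escalation, the effective policy still denies escalation and keeps only the capabilities every level permits; switching the action to dryrun admits the pod but returns the same violation list.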

Edit a security policy

To edit a policy:

  1. On the Tanzu Platform hub, on the left navigation pane, scroll down to the Application Platform.
  2. Expand Operations Policies.
  3. Click Cluster Policies. You will see the Cluster Policies page.
  4. Select the object whose security policy you want to edit.
  5. Click the policy name, and then click Edit.
  6. Make the desired changes to the policy.
  7. After you finish editing the policy, click Save.

Delete a security policy

To delete a policy:

  1. On the Tanzu Platform hub, on the left navigation pane, scroll down to the Application Platform.
  2. Expand Operations Policies.
  3. Click Cluster Policies. You will see the Cluster Policies page.
  4. Select the object whose security policy you want to delete.
  5. Click the policy name, and then click Delete.
  6. In the confirmation dialog, click Yes.