Restricted PSS Profile
Finally, we can take a look at the Restricted profile, which is the most heavily restricted policy and follows current Pod hardening best practices. Add labels to the pss namespace to enable all three PSA modes (enforce, audit and warn) for the Restricted PSS profile:
Kustomize Patch:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: pss
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

Namespace/pss:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/created-by: eks-workshop
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
  name: pss
```

Diff:

```diff
 kind: Namespace
 metadata:
   labels:
     app.kubernetes.io/created-by: eks-workshop
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/warn: restricted
   name: pss
```
Run Kustomize to apply this change, which adds the labels to the pss namespace:

```text
Warning: existing pods in namespace "pss" violate the new PodSecurity enforce level "restricted:latest"
Warning: pss-d59d88b99-flkgp: allowPrivilegeEscalation != false, runAsNonRoot != true, seccompProfile
namespace/pss configured
deployment.apps/pss unchanged
```
Similar to the Baseline profile, we get a warning that the existing pss Pod violates the Restricted profile. Note that the warning only reports the violation; the already-running Pod is not evicted, because PSA is an admission-time control and only evaluates Pods when they are created or updated.

```text
pod "pss-d59d88b99-flkgp" deleted
```

The Pods aren't re-created:

```text
No resources found in pss namespace.
```
The above output indicates that PSA did not allow creation of Pods in the pss namespace, because the Pod security configuration violates the Restricted PSS profile. This is the same behavior we saw in the previous section.

In the case of the Restricted profile we actually need to proactively lock down some of the security configuration to meet the profile. Let's add some security controls to the Pod configuration to make it compliant with the Restricted PSS profile configured for the pss namespace:
Kustomize Patch:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pss
spec:
  template:
    spec:
      containers:
        - name: pss
          securityContext:
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
```

Deployment/pss:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/created-by: eks-workshop
  name: pss
  namespace: pss
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pss
  template:
    metadata:
      labels:
        app: pss
        app.kubernetes.io/created-by: eks-workshop
    spec:
      containers:
        - image: public.ecr.aws/aws-containers/retail-store-sample-catalog:1.2.1
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 3
          name: pss
          ports:
            - containerPort: 80
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            periodSeconds: 5
            successThreshold: 3
          resources:
            limits:
              memory: 512Mi
            requests:
              cpu: 250m
              memory: 512Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: false
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
```

Diff:

```diff
             requests:
               cpu: 250m
               memory: 512Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
```
Run Kustomize to apply these changes, which will re-create the Deployment:

```text
namespace/pss unchanged
deployment.apps/pss configured
```

Now run the commands below to check that PSA allows the creation of the Deployment and its Pod with the above changes in the pss namespace:

```text
NAME                  READY   STATUS    RESTARTS   AGE
pss-8dd6fc8c6-9kptf   1/1     Running   0          3m6s
```

The above output indicates that PSA allowed the Pod because its security configuration now conforms to the Restricted PSS profile.
Note that the security settings above are not a comprehensive list of the controls required by the Restricted PSS profile. For the full list of security controls allowed and disallowed under each PSS profile, refer to the documentation.
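To see why the original Deployment was rejected and the patched one admitted, here is an added example (not part of the workshop or of Kubernetes) that re-implements only the four Restricted-profile controls patched above as a local pre-admission check; it resolves pod-level versus container-level securityContext the way PSA does and reports violations in the same "field != expected" style as the kubectl warning. The sample specs are constructed from the container on this page; the full profile (hostPath volumes, hostNetwork, and so on) is deliberately not covered.

```python
# Added example, not from the workshop: a pre-admission check that mirrors the
# four Restricted-profile controls this page patches into the Deployment.
from typing import Any

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _effective(pod_spec: dict, container: dict, key: str) -> Any:
    """Container securityContext wins; otherwise fall back to the pod level."""
    csc = container.get("securityContext") or {}
    if key in csc:
        return csc[key]
    return (pod_spec.get("securityContext") or {}).get(key)


def restricted_violations(pod_spec: dict) -> list[str]:
    """Sorted violations for the controls checked here (not the full profile)."""
    found = set()
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # allowPrivilegeEscalation is container-only and must be explicitly false
        if sc.get("allowPrivilegeEscalation") is not False:
            found.add("allowPrivilegeEscalation != false")
        # capabilities must drop ALL; only NET_BIND_SERVICE may be added back
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []) or set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            found.add("unrestricted capabilities")
        # runAsNonRoot and seccompProfile may be inherited from the pod level
        if _effective(pod_spec, c, "runAsNonRoot") is not True:
            found.add("runAsNonRoot != true")
        if (_effective(pod_spec, c, "seccompProfile") or {}).get("type") not in ALLOWED_SECCOMP:
            found.add("seccompProfile")
    return sorted(found)


# Constructed sample inputs: the pss container before and after the patch above
IMAGE = "public.ecr.aws/aws-containers/retail-store-sample-catalog:1.2.1"
BEFORE = {"containers": [{"name": "pss", "image": IMAGE,
                          "securityContext": {"readOnlyRootFilesystem": False}}]}
AFTER = {"containers": [{"name": "pss", "image": IMAGE,
                         "securityContext": {"allowPrivilegeEscalation": False,
                                             "capabilities": {"drop": ["ALL"]},
                                             "readOnlyRootFilesystem": False,
                                             "runAsNonRoot": True, "runAsUser": 1000,
                                             "seccompProfile": {"type": "RuntimeDefault"}}}]}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, restricted_violations(spec) or "compliant")
```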