As a best practice, PSPs should not be enabled before you create your own policies. This recipe will take you through how to enable PSP on Google Kubernetes Engine (GKE) and how to review default policies.
Let's perform the following steps:
- You can enable PSP on the cluster you deployed in Chapter 1, Building Production-Ready Kubernetes Clusters, in the Provisioning a managed Kubernetes cluster on GKE recipe, by running the following command. Replace k8s-devops-cookbook-1 with your own cluster name:
$ gcloud beta container clusters update k8s-devops-cookbook-1 --enable-pod-security-policy
- The default configuration comes with a non-disruptive policy named gce.privileged that has no restrictions, plus a couple of other policies. View the default policies with the following command:
$ kubectl get psp
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
gce.event-exporter false RunAsAny RunAsAny RunAsAny RunAsAny false hostPath,secret
gce.fluentd-gcp false RunAsAny RunAsAny RunAsAny RunAsAny false configMap,hostPath,secret
gce.persistent-volume-binder false RunAsAny RunAsAny RunAsAny RunAsAny false nfs,secret,projected
gce.privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false *
gce.unprivileged-addon false SETPCAP,MKNOD,AUDIT_WRITE,CHOWN,NET_RAW,DAC_OVERRIDE,FOWNER,FSETID,KILL,SETGID,SETUID,NET_BIND_SERVICE,SYS_CHROOT,SETFCAP RunAsAny RunAsAny RunAsAny RunAsAny false emptyDir,configMap,secret,projected
- Describe the policy to see its full details, as follows:
$ kubectl describe psp gce.privileged
- To review, restore, or delete the default PSP, use the YAML manifest in the example repository in src/chapter9/psp named gce-privileged-psp.yaml.
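When reviewing the default policies, the columns worth checking first are PRIV, CAPS and VOLUMES: a policy that allows privileged containers, the wildcard capability set, or hostPath volumes effectively grants node access to any pod that can use it. The following shell script is an added example, not part of the recipe or the book's repository. It parses a `kubectl get psp` listing (SAMPLE_PSP_LISTING is a constructed copy of the output shown above) and reports each policy together with the risky settings it grants. The flag names (privileged, all-capabilities, all-volumes, hostPath) are this example's own labels, not kubectl terminology. Because the CAPS column is blank for most policies, the listing cannot be split on whitespace by fixed column position; the script reads CAPS only when a row has all nine fields and takes VOLUMES from the last field.

```shell
#!/bin/sh
# Added example: flag default PodSecurityPolicies that grant privileged mode,
# wildcard capabilities, wildcard volumes or hostPath volumes.
# Usage against a live cluster (not run here): kubectl get psp | psp_risk_flags

# Constructed sample: the listing printed by `kubectl get psp` in the recipe.
SAMPLE_PSP_LISTING='NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
gce.event-exporter false RunAsAny RunAsAny RunAsAny RunAsAny false hostPath,secret
gce.fluentd-gcp false RunAsAny RunAsAny RunAsAny RunAsAny false configMap,hostPath,secret
gce.persistent-volume-binder false RunAsAny RunAsAny RunAsAny RunAsAny false nfs,secret,projected
gce.privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false *
gce.unprivileged-addon false SETPCAP,MKNOD,AUDIT_WRITE,CHOWN,NET_RAW,DAC_OVERRIDE,FOWNER,FSETID,KILL,SETGID,SETUID,NET_BIND_SERVICE,SYS_CHROOT,SETFCAP RunAsAny RunAsAny RunAsAny RunAsAny false emptyDir,configMap,secret,projected'

# Reads a `kubectl get psp` listing on stdin and prints "<name> <flag,...>"
# for every policy with at least one risky setting. Policies with no findings
# produce no output.
psp_risk_flags() {
    awk '
        NR == 1 { next }                        # skip the header row
        {
            name = $1
            priv = $2
            # CAPS is empty for most policies, which drops a field from the
            # row; only a nine-field row actually carries a CAPS value.
            caps = (NF == 9) ? $3 : ""
            vols = $NF                          # VOLUMES is always the last field
            flags = ""
            if (priv == "true") flags = flags "privileged,"
            if (caps == "*")    flags = flags "all-capabilities,"
            if (vols == "*") {
                flags = flags "all-volumes,"
            } else if (index("," vols ",", ",hostPath,") > 0) {
                flags = flags "hostPath,"
            }
            if (flags != "") {
                sub(/,$/, "", flags)            # strip the trailing comma
                print name " " flags
            }
        }'
}

# Returns 0 when the listing on stdin contains at least one policy that
# allows privileged containers, 1 otherwise. Handy as a gate in a review
# script: `kubectl get psp | psp_has_privileged && echo "privileged PSP present"`.
psp_has_privileged() {
    awk 'NR > 1 && $2 == "true" { found = 1 } END { exit found ? 0 : 1 }'
}

# Demo run over the constructed sample listing.
printf '%s\n' "$SAMPLE_PSP_LISTING" | psp_risk_flags
```

On the sample listing this reports gce.event-exporter and gce.fluentd-gcp for hostPath, and gce.privileged for all three of privileged, all-capabilities and all-volumes; gce.persistent-volume-binder and gce.unprivileged-addon are not flagged because their capability list is bounded and their volume types exclude hostPath. Which policy a given pod actually receives depends on the RBAC bindings that grant `use` on the policy, so a flagged policy is a finding to follow up with `kubectl describe psp` and a check of who can use it, not a verdict on its own.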