Enabling pod isolation
Pod isolation is enabled automatically for IBM® Cloud Private.
If you are upgrading from version 3.1.1 to 3.1.2, additional steps must be performed to enable a globally default, restricted pod security policy for all users and service accounts.
To enable the restricted pod security policy setting with the IBM Cloud Private command line, complete the following steps:
- Log in to IBM Cloud Private with cloudctl as a cluster administrator.

- Verify that the pod security policy default is currently set to unrestricted. Run the following command:

  cloudctl cm psp-default-get

  Your output might resemble the following content:

  Default PSP: unrestricted

- Enable the restricted default pod security policy. Run the following command:

  cloudctl cm psp-default-set restricted

  The command prints OK when it succeeds:

  OK

The following changes are made to your cluster:

- All PodSecurityPolicy and ClusterRoleBinding resources are created or repaired.
- The unrestricted ClusterRoleBinding ibm-anyuid-hostpath-psp-users is removed.
- The restricted ClusterRoleBinding ibm-restricted-psp-users is created. It maps the ibm-restricted-psp PodSecurityPolicy to all users in the cluster, including all service accounts.
- Any namespace that does not have an explicit RoleBinding or ClusterRoleBinding to a PodSecurityPolicy is bound to the ibm-anyuid-hostpath-clusterrole using a RoleBinding. This preserves compatibility for existing workloads in those namespaces, which means they can still run with the permissive anyuid and hostPath settings until you bind them to a restricted policy explicitly.
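The compatibility fallback in the last item is the part worth auditing after the switch: every namespace that received the ibm-anyuid-hostpath-clusterrole RoleBinding is still outside the restricted default. The following shell helper is an added example, not IBM's code or part of cloudctl; it checks that the cluster-wide bindings match the documented post-change state and lists the namespaces still on the permissive binding. The line-per-binding input format is an assumption, matching what the kubectl custom-columns commands in the comments would print, and the sample data is constructed.

```shell
#!/bin/sh
# Added audit helper (not IBM's code). Input format is an assumption: one binding
# per line, as printed by
#   kubectl get rolebindings --all-namespaces --no-headers \
#     -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,KIND:.roleRef.kind,ROLE:.roleRef.name
#   kubectl get clusterrolebindings --no-headers -o custom-columns=NAME:.metadata.name

# Constructed sample output (not captured from a real cluster).
SAMPLE_ROLEBINDINGS='kube-system   ibm-anyuid-hostpath-psp-users   ClusterRole   ibm-anyuid-hostpath-clusterrole
default       ibm-anyuid-hostpath-psp-users   ClusterRole   ibm-anyuid-hostpath-clusterrole
payments      payments-psp                    Role          payments-restricted-psp-role
monitoring    ibm-anyuid-hostpath-psp-users   ClusterRole   ibm-anyuid-hostpath-clusterrole'
SAMPLE_CLUSTERROLEBINDINGS='cluster-admin
ibm-restricted-psp-users'

# Print, one per line and sorted, the namespaces whose RoleBinding still points
# at the permissive ibm-anyuid-hostpath-clusterrole (the compatibility fallback).
permissive_namespaces() {
    printf '%s\n' "$1" |
        awk '$3 == "ClusterRole" && $4 == "ibm-anyuid-hostpath-clusterrole" { print $1 }' |
        sort -u
}

# Return 0 when the cluster-wide bindings match the documented post-change state,
# 1 when ibm-restricted-psp-users is missing (restricted default not applied),
# 2 when ibm-anyuid-hostpath-psp-users is still present (unrestricted binding not removed).
check_cluster_bindings() {
    if ! printf '%s\n' "$1" | grep -qx 'ibm-restricted-psp-users'; then
        return 1
    fi
    if printf '%s\n' "$1" | grep -qx 'ibm-anyuid-hostpath-psp-users'; then
        return 2
    fi
    return 0
}

# Report on the constructed sample; feed real kubectl output to audit a cluster.
rc=0
check_cluster_bindings "$SAMPLE_CLUSTERROLEBINDINGS" || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "cluster-wide PSP bindings: OK"
else
    echo "cluster-wide PSP bindings: MISMATCH (code $rc)"
fi
echo "namespaces still on the permissive compatibility binding:"
permissive_namespaces "$SAMPLE_ROLEBINDINGS"
```

Namespaces that the report lists are candidates for an explicit RoleBinding to ibm-restricted-psp once their workloads have been verified to run under it.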