Pod security
Learn how to secure pods and containers that are running in your cluster.
Kubernetes is a container orchestration platform. Container images can come from various sources and have different operating system requirements. Some containers are written to be self-contained such that they do not require any host operating system features. Other containers require access to the host operating system, such as the host network or file system.
It is important to identify what features are required so that running containers can be efficiently colocated or isolated from one another.
Pod security policies can be used to enforce container security requirements for the pods in your cluster. A pod security policy is a cluster-level resource that controls the security-sensitive aspects of the pod specification and defines the set of conditions that a pod must meet to be admitted into the cluster. A pod security policy is applied to a namespace by creating a ClusterRoleBinding or RoleBinding that grants the ClusterRole for that pod security policy (the role that holds the use verb on the policy) to all ServiceAccounts in the namespace. Pod security policies allow cluster administrators to create pod isolation policies and assign them to namespaces and worker nodes. For more information about isolated pods, see Pod isolation.
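The following manifest, added here as an illustration and not taken from the IBM Cloud Private or Kubernetes documentation, shows the three objects that the paragraph above describes: a pod security policy that forbids host access and root users (modeled on the behavior the page attributes to ibm-restricted-psp, but not the IBM definition), a ClusterRole that carries the use verb on that policy, and a RoleBinding that grants the role to every ServiceAccount in one namespace through the system:serviceaccounts:<namespace> group. The policy name example-restricted-psp, the ClusterRole name, the namespace app-team, and the policy/v1beta1 API version are assumptions for this example; clusters older than Kubernetes 1.10 expose the same resource under extensions/v1beta1.

```yaml
# Added example (not IBM or Kubernetes project code). Names are assumptions.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-restricted-psp
spec:
  privileged: false                 # no privileged containers
  allowPrivilegeEscalation: false   # blocks setuid binaries gaining more than the parent
  requiredDropCapabilities:
  - ALL                             # every Linux capability dropped
  hostNetwork: false                # no host network, PID, or IPC namespace sharing
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot          # rejects pods that resolve to UID 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  volumes:                          # hostPath is deliberately absent
  - configMap
  - secret
  - emptyDir
  - projected
  - downwardAPI
  - persistentVolumeClaim
---
# The ClusterRole that grants the right to "use" the policy above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-restricted-psp-user
rules:
- apiGroups: ["policy"]             # add "extensions" on older clusters
  resources: ["podsecuritypolicies"]
  resourceNames: ["example-restricted-psp"]
  verbs: ["use"]
---
# A namespaced RoleBinding applies the policy to all ServiceAccounts in
# app-team; a ClusterRoleBinding would apply it cluster-wide instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-restricted-psp-binding
  namespace: app-team
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-restricted-psp-user
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:app-team
```

Apply it with kubectl apply -f and the manifest file name. The binding targets the group rather than individual ServiceAccounts so that accounts created later in the namespace are covered without a further binding. Because the PodSecurityPolicy admission controller checks the policies available to the requesting user as well as to the pod's ServiceAccount, a user who holds a more permissive policy cluster-wide can still create pods in app-team that the restricted policy would reject.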
For more information about pod security policy, see Pod Security Policies on the Kubernetes Concepts page.
Important: Multiple pod security policies can be associated with a namespace or ServiceAccount. A pod is admitted under the first compatible policy in policy order: policies that allow the pod without mutating it are preferred, and among those the first by name is used. For more information about policy order, see Policy Order on the Kubernetes Concepts page.
A Kubernetes Pod is a set of one or more colocated containers. The PodSecurityPolicy admission controller rejects a pod if none of the policies available to the requesting user or to the pod's ServiceAccount allows the privileged features that the pod requests. The admission controller can also set default values in the pod and container security contexts, which prevents or allows runtime access to privileged features.
All IBM Certified Containers provide detailed container security requirements. For more information, see IBM Certified Container Security Policy definitions.
See Isolation on IBM Cloud Private to learn more about pod isolation.
Predefined pod security policies
IBM Cloud Private provides predefined policies that you can apply to your pods by associating a policy with a namespace during namespace creation. These predefined pod security policies apply to most of the IBM content charts. The following list shows the types and descriptions, ordered from the most restrictive to the least restrictive:
ibm-restricted-psp: This policy requires pods to run with a non-root user ID and prevents pods from accessing the host.
ibm-anyuid-psp: This policy allows pods to run with any user ID and group ID, but prevents access to the host.
ibm-anyuid-hostpath-psp: This policy allows pods to run with any user ID and group ID and any volume, including the host path. Attention: This policy allows hostPath volumes. Ensure that this is the level of access that you want to provide.
ibm-anyuid-hostaccess-psp: This policy allows pods to run with any user ID and group ID, any volume, and full access to the host. Attention: This policy allows full access to the host and network. Ensure that this is the level of access that you want to provide.
ibm-privileged-psp: This policy grants access to all privileged host features and allows a pod to run with any user ID and group ID and any volume. Attention: This policy is the least restrictive and must be used only for cluster administration. Use with caution.
For more details about the policy definitions, see the IBM Certified Container Pod Security Policy Definitions.
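To make the difference between the restrictive and permissive tiers concrete, here are two pod specifications added as an illustration (not from the IBM or Kubernetes documentation). The first requests host networking, a privileged container and a hostPath volume, so it is admitted only under a policy at the level of ibm-anyuid-hostaccess-psp or ibm-privileged-psp. The second declares a non-root user, disallows privilege escalation, drops every capability and uses only an emptyDir volume, which is the shape a pod needs to pass a policy like ibm-restricted-psp. The namespace app-team and the image name are assumptions.

```yaml
# Added example (not IBM or Kubernetes project code). Namespace and image are assumptions.
# Pod 1: rejected by a restricted policy. It asks for host networking, a
# privileged container and a hostPath mount, and declares no non-root user.
apiVersion: v1
kind: Pod
metadata:
  name: host-access-demo
  namespace: app-team
spec:
  hostNetwork: true
  containers:
  - name: app
    image: example.com/app:1.0
    securityContext:
      privileged: true
    volumeMounts:
    - name: host-etc
      mountPath: /host/etc
  volumes:
  - name: host-etc
    hostPath:
      path: /etc
---
# Pod 2: admitted by a restricted policy. Non-root UID and fsGroup set in the
# pod security context, no privilege escalation, all capabilities dropped,
# and the only volume is an emptyDir.
apiVersion: v1
kind: Pod
metadata:
  name: restricted-demo
  namespace: app-team
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
  containers:
  - name: app
    image: example.com/app:1.0
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: scratch
      mountPath: /tmp
  volumes:
  - name: scratch
    emptyDir: {}
```

After a pod is admitted, the admission controller records the policy it resolved to in the kubernetes.io/psp annotation on the pod, so kubectl get pod restricted-demo -n app-team -o jsonpath='{.metadata.annotations.kubernetes\.io/psp}' tells you which of the predefined policies actually applied. A rejected pod never appears; the error from kubectl (or the ReplicaSet events for a Deployment) names the policy checks that failed.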
If you install IBM Cloud Private version 3.2.0 or later as a new installation, the default pod security policy setting is the ibm-restricted-psp policy, which is applied to all existing and newly created namespaces. If you upgrade to version 3.2.0 or later from an earlier version, the default pod security policy is the ibm-anyuid-hostpath-psp policy, which is unrestricted and is applied by default to all existing and newly created namespaces. The upgraded setting is unrestricted to prevent disruptions from access issues on the applications and pods that are already running in your cluster. Because that policy allows hostPath volumes in every namespace, switch the cluster to restricted mode after you confirm that your workloads run under it.
You can also use the IBM® Cloud Private CLI commands to view the current settings of the cluster, and to toggle the pod security policy between restricted and unrestricted modes. See IBM Cloud Private CLI cm commands (cm) for more information about using these commands.
You can view the current pod security policy settings in the IBM Cloud Private management console by selecting the settings icon on the Pod Security page.
The namespace overview page shows the pod security policies for every namespace. See Namespaces for more information about namespaces.
When you create a namespace, you can associate a pod security policy with the namespace, which can then be used to deploy content or a chart. See Creating a namespace for more details about associating a pod security policy with a namespace.
The pod security policy requirements are displayed on the chart configuration page to help facilitate namespace selection and deployment. See Deploying Helm charts in the Catalog.
Customized pod security policies
You can also create your own pod security policies.
See the following topics to manage your pod security policy: