FAQs: Pod Security Standards and Pod Security Admission in Amazon EKS Pods


I have some questions about Pod Security Standards and Pod Security Admission in Amazon Elastic Kubernetes Service (Amazon EKS) Pods.

Q: How do I turn on or turn off Pod Security Standards and Pod Security Admission for my Amazon EKS cluster?

By default, Kubernetes versions 1.23 and later turn on all Pod Security Admission modes (enforce, audit, and warn) for the privileged Pod Security Standards profile at the cluster level. In this default state, Pod Security Admission allows Deployments or Pods that fall under the privileged Pod Security Standards profile across all namespaces.

Q: How do I apply specific Pod Security Admission modes and Pod Security Standards profiles at the Kubernetes namespace level?

To apply specific Pod Security Admission modes and Pod Security Standards profiles at the Kubernetes namespace level, configure the namespace labels accordingly.

Example:

Run the following command to apply the enforce mode for baseline Pod Security Standards to a single namespace:

$ kubectl label --overwrite ns test-namespace pod-security.kubernetes.io/enforce=baseline

Run the following command to apply the enforce mode for baseline Pod Security Standards to all available namespaces:

$ kubectl label --overwrite ns --all pod-security.kubernetes.io/enforce=baseline

Note: In the preceding commands, replace test-namespace with the name of your namespace. Replace enforce with your preferred Pod Security Admission mode, and baseline with your preferred Pod Security Standards policy profile. For more information, see Pod Security Admission labels for namespaces and Pod Security Standards on the Kubernetes website.

Q: When I modify my namespace to use a more restrictive Pod Security Standards profile, does it affect the function of existing Pods in the namespace?

No. If you modify your namespace with existing Pods to use the audit or warn modes, you get an appropriate warning on your terminal. You can also see the warning message in the Pod YAML output status.message section. If you modify the namespace to use the enforce mode, Kubernetes doesn't delete the existing Pods in the namespace. However, you see a warning message that's similar to the following:

Warning: existing pods in namespace "policy-test" violate the new PodSecurity enforce level "restricted:latest"
Warning: test-688f68dc87-htm8x: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/policy-test configured

Example warning message in the Pod YAML output:

- lastTransitionTime: "2022-11-24T05:10:49Z"
  lastUpdateTime: "2022-11-24T05:10:49Z"
  message: 'pods "test-67d5fc995b-8r9t2" is forbidden: violates PodSecurity "baseline:latest": privileged (container "assets" must not set securityContext.privileged=true)'
  reason: FailedCreate
  status: "True"
  type: ReplicaFailure

When a Pod violates the Pod Security Standards profile policy or Pod Security Admission mode in the namespace, update the corresponding deployment manifest with appropriate values.

Q: How do I customize the pod security policy that the Pod Security Admission controller applies at my namespace level?

Kubernetes doesn't support customization of the pod security policy that the Pod Security Admission controller applies. However, you can use validating admission policies to implement and enforce your custom rules. Or, you can use webhook admission control with external code.

Q: Can I apply multiple Pod Security Admission modes and Pod Security Standards profiles to a single Kubernetes namespace?

No. Each Pod Security Admission mode accepts only one Pod Security Standards profile. However, you can use labels to set a different profile for each mode (enforce, audit, and warn) on the same namespace, so that multiple Pod Security Standards checks apply to it.

For example, the following command applies the enforce mode with the baseline Pod Security Standards profile. It also applies the warn and audit modes with the restricted Pod Security Standards profile, with every mode pinned to the latest version of the profile:

$ kubectl label --overwrite ns test \
  pod-security.kubernetes.io/enforce=baseline \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/warn=restricted \
  pod-security.kubernetes.io/warn-version=latest \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/audit-version=latest
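Added example, not from the AWS article: a Python script that reads the JSON that kubectl get namespaces -o json produces, works out the effective profile and version for each Pod Security Admission mode using the same defaults the admission controller applies to unlabeled namespaces (privileged profile, latest version), and flags namespaces that enforce nothing stricter than privileged, which is the state every namespace starts in. The embedded namespace list is constructed sample data, and the script name psa_audit.py is an assumption.

```python
import json
import sys

MODES = ("enforce", "audit", "warn")
PROFILES = ("privileged", "baseline", "restricted")
PREFIX = "pod-security.kubernetes.io/"

# Constructed sample shaped like `kubectl get ns -o json` output; not captured from a real cluster.
SAMPLE_NS_JSON = """{"items": [
 {"metadata": {"name": "default", "labels": {"kubernetes.io/metadata.name": "default"}}},
 {"metadata": {"name": "test", "labels": {
   "pod-security.kubernetes.io/enforce": "baseline", "pod-security.kubernetes.io/enforce-version": "latest",
   "pod-security.kubernetes.io/warn": "restricted", "pod-security.kubernetes.io/warn-version": "latest",
   "pod-security.kubernetes.io/audit": "restricted", "pod-security.kubernetes.io/audit-version": "latest"}}},
 {"metadata": {"name": "policy-test", "labels": {
   "pod-security.kubernetes.io/enforce": "restricted", "pod-security.kubernetes.io/enforce-version": "v1.25"}}},
 {"metadata": {"name": "legacy", "labels": {"pod-security.kubernetes.io/warn": "baseline"}}}
]}"""

def effective_levels(labels):
    """Return {mode: (profile, version)} for one namespace's label set.
    Pod Security Admission treats a missing <mode> label as the privileged
    profile and a missing <mode>-version label as 'latest'."""
    labels = labels or {}
    levels = {}
    for mode in MODES:
        profile = labels.get(PREFIX + mode, "privileged")
        if profile not in PROFILES:
            # The admission controller rejects unknown values; surface them instead of guessing.
            raise ValueError(f"label {PREFIX}{mode} has unknown value {profile!r}")
        levels[mode] = (profile, labels.get(PREFIX + mode + "-version", "latest"))
    return levels

def audit_namespaces(ns_json):
    """Return {namespace: (levels, weak)}; weak is True when nothing stricter than
    privileged is enforced, i.e. only audit/warn (or no label at all) is set."""
    report = {}
    for item in json.loads(ns_json)["items"]:
        levels = effective_levels(item["metadata"].get("labels"))
        report[item["metadata"]["name"]] = (levels, levels["enforce"][0] == "privileged")
    return report

if __name__ == "__main__":
    # Against a real cluster: kubectl get ns -o json | python3 psa_audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NS_JSON
    for name, (levels, weak) in audit_namespaces(data).items():
        summary = ", ".join(f"{m}={p}:{v}" for m, (p, v) in levels.items())
        print(("!! " if weak else "   ") + f"{name}: {summary}")
```

Namespaces marked with "!!" are the ones where audit or warn labels alone produce warnings but the privileged profile is still admitted.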

Q: Can I apply the Pod Security Admission modes and Pod Security Standards profiles at the cluster scope for my managed Kubernetes cluster?

No, you can apply Pod Security Admission modes and Pod Security Standards profiles only at the namespace level for managed clusters.

AWS OFFICIAL
Updated 3 months ago