Using Minikube with Pod Security Policies

Using Minikube with Pod Security Policies

Overview

This tutorial explains how to start minikube with Pod Security Policies (PSP) enabled.

Prerequisites

  • Minikube 1.11.1 with Kubernetes 1.16.x or higher

Tutorial

Start minikube with the PodSecurityPolicy admission controller and the pod-security-policy addon enabled.

  1. minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy

The pod-security-policy addon must be enabled along with the admission controller to prevent issues during bootstrap.

Older versions of minikube

Older versions of minikube do not ship with the pod-security-policy addon, so the policies that addon enables must be separately applied to the cluster.

Minikube 1.5.2 through 1.6.2

Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap.

Create the directory:

  1. mkdir -p ~/.minikube/files/etc/kubernetes/addons

Copy the YAML below into this file: ~/.minikube/files/etc/kubernetes/addons/psp.yaml

Now start minikube:

  1. minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
  1. ---
  2. apiVersion: policy/v1beta1
  3. kind: PodSecurityPolicy
  4. metadata:
  5.   name: privileged
  6.   annotations:
  7.     seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
  8.   labels:
  9.     addonmanager.kubernetes.io/mode: EnsureExists
  10. spec:
  11.   privileged: true
  12.   allowPrivilegeEscalation: true
  13.   allowedCapabilities:
  14.   - "*"
  15.   volumes:
  16.   - "*"
  17.   hostNetwork: true
  18.   hostPorts:
  19.   - min: 0
  20.     max: 65535
  21.   hostIPC: true
  22.   hostPID: true
  23.   runAsUser:
  24.     rule: 'RunAsAny'
  25.   seLinux:
  26.     rule: 'RunAsAny'
  27.   supplementalGroups:
  28.     rule: 'RunAsAny'
  29.   fsGroup:
  30.     rule: 'RunAsAny'
  31. ---
  32. apiVersion: policy/v1beta1
  33. kind: PodSecurityPolicy
  34. metadata:
  35.   name: restricted
  36.   labels:
  37.     addonmanager.kubernetes.io/mode: EnsureExists
  38. spec:
  39.   privileged: false
  40.   allowPrivilegeEscalation: false
  41.   requiredDropCapabilities:
  42.     - ALL
  43.   volumes:
  44.     - 'configMap'
  45.     - 'emptyDir'
  46.     - 'projected'
  47.     - 'secret'
  48.     - 'downwardAPI'
  49.     - 'persistentVolumeClaim'
  50.   hostNetwork: false
  51.   hostIPC: false
  52.   hostPID: false
  53.   runAsUser:
  54.     rule: 'MustRunAsNonRoot'
  55.   seLinux:
  56.     rule: 'RunAsAny'
  57.   supplementalGroups:
  58.     rule: 'MustRunAs'
  59.     ranges:
  60.       # Forbid adding the root group.
  61.       - min: 1
  62.         max: 65535
  63.   fsGroup:
  64.     rule: 'MustRunAs'
  65.     ranges:
  66.       # Forbid adding the root group.
  67.       - min: 1
  68.         max: 65535
  69.   readOnlyRootFilesystem: false
  70. ---
  71. apiVersion: rbac.authorization.k8s.io/v1
  72. kind: ClusterRole
  73. metadata:
  74.   name: psp:privileged
  75.   labels:
  76.     addonmanager.kubernetes.io/mode: EnsureExists
  77. rules:
  78. - apiGroups: ['policy']
  79.   resources: ['podsecuritypolicies']
  80.   verbs:     ['use']
  81.   resourceNames:
  82.   - privileged
  83. ---
  84. apiVersion: rbac.authorization.k8s.io/v1
  85. kind: ClusterRole
  86. metadata:
  87.   name: psp:restricted
  88.   labels:
  89.     addonmanager.kubernetes.io/mode: EnsureExists
  90. rules:
  91. - apiGroups: ['policy']
  92.   resources: ['podsecuritypolicies']
  93.   verbs:     ['use']
  94.   resourceNames:
  95.   - restricted
  96. ---
  97. apiVersion: rbac.authorization.k8s.io/v1
  98. kind: ClusterRoleBinding
  99. metadata:
  100.   name: default:restricted
  101.   labels:
  102.     addonmanager.kubernetes.io/mode: EnsureExists
  103. roleRef:
  104.   apiGroup: rbac.authorization.k8s.io
  105.   kind: ClusterRole
  106.   name: psp:restricted
  107. subjects:
  108. - kind: Group
  109.   name: system:authenticated
  110.   apiGroup: rbac.authorization.k8s.io
  111. ---
  112. apiVersion: rbac.authorization.k8s.io/v1
  113. kind: RoleBinding
  114. metadata:
  115.   name: default:privileged
  116.   namespace: kube-system
  117.   labels:
  118.     addonmanager.kubernetes.io/mode: EnsureExists
  119. roleRef:
  120.   apiGroup: rbac.authorization.k8s.io
  121.   kind: ClusterRole
  122.   name: psp:privileged
  123. subjects:
  124. - kind: Group
  125.   name: system:masters
  126.   apiGroup: rbac.authorization.k8s.io
  127. - kind: Group
  128.   name: system:nodes
  129.   apiGroup: rbac.authorization.k8s.io
  130. - kind: Group
  131.   name: system:serviceaccounts:kube-system
  132.   apiGroup: rbac.authorization.k8s.io

Minikube between 1.6.2 and 1.11.1

With minikube versions greater than 1.6.2 and less than 1.11.1, the YAML files shown above will not be automatically applied to the cluster. You may have errors during bootstrap of the cluster if the admission controller is enabled.

To use Pod Security Policies with these versions of minikube, first start a cluster without the PodSecurityPolicy admission controller enabled.

Next, apply the YAML shown above to the cluster.

Finally, stop the cluster and then restart it with the admission controller enabled.

  1. minikube start
  2. kubectl apply -f /path/to/psp.yaml
  3. minikube stop
  4. minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy

Last modified December 1, 2020: Add missing language to code blocks (f6a770e0a)