Understanding and managing pod security admission

Pod security admission is an implementation of the Kubernetes pod security standards. Use pod security admission to restrict the behavior of pods.

Security context constraint synchronization with pod security standards

OKD includes Kubernetes pod security admission. Globally, the privileged profile is enforced, and the restricted profile is used for warnings and audits.

In addition to the global pod security admission control configuration, a controller exists that applies pod security admission control warn and audit labels to namespaces according to the SCC permissions of the service accounts that are in a given namespace.

The controller examines ServiceAccount object permissions to use security context constraints in each namespace. Security context constraints (SCCs) are mapped to pod security profiles based on their field values; the controller uses these translated profiles. Pod security admission warn and audit labels are set to the most privileged pod security profile found in the namespace to prevent warnings and audit logging as pods are created.

Namespace labeling is based on consideration of namespace-local service account privileges.

Applying pods directly might use the SCC privileges of the user who runs the pod. However, user privileges are not considered during automatic labeling.

Namespaces that have an openshift- name prefix and were not created by the system during the installation are not synchronized by default.

Namespaces that have the openshift- prefix are typically system namespaces; by convention, a controller should exist to manage them.

You can enable SCC synchronization in namespaces that have the openshift- prefix by setting the value of the security.openshift.io/scc.podSecurityLabelSync label to true.

Namespaces that are defined as part of the cluster payload have pod security admission synchronization disabled permanently. These namespaces include:

  • All namespaces that are prefixed with openshift-, except for openshift-operators

  • default

  • kube-node-lease

  • kube-system

  • kube-public

  • openshift
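The following added example (not OKD's own controller code) models the synchronization rules described above: which namespaces the controller touches, and how the warn and audit labels are derived by translating each service account's usable SCCs to a pod security profile and keeping the most privileged one. The SCC-to-profile translation here is a simplified approximation keyed on a handful of SCC fields; the real controller evaluates the complete SCC. The SCC definitions, service account bindings and namespace names are constructed sample data.

```python
"""Simplified model of SCC -> pod security admission label synchronization.

Assumptions (added example, not the project's code): the translation in
scc_to_profile() is a simplification; the sample SCCs, service accounts and
namespaces below are constructed.
"""
from dataclasses import dataclass

SYNC_LABEL = "security.openshift.io/scc.podSecurityLabelSync"
WARN_LABEL = "pod-security.kubernetes.io/warn"
AUDIT_LABEL = "pod-security.kubernetes.io/audit"

# Ordering used to pick the "most privileged" profile in a namespace.
PROFILE_RANK = {"restricted": 0, "baseline": 1, "privileged": 2}

# Non-prefixed payload namespaces that are never synchronized.
FIXED_PAYLOAD_NAMESPACES = {"default", "kube-node-lease", "kube-system", "kube-public", "openshift"}


@dataclass
class SCC:
    """Subset of SecurityContextConstraints fields used by the simplified mapping."""
    name: str
    allow_privileged_container: bool = False
    allow_host_network: bool = False
    allow_host_pid: bool = False
    allow_host_ipc: bool = False
    allow_privilege_escalation: bool = True
    run_as_user_type: str = "RunAsAny"   # RunAsAny | MustRunAs | MustRunAsRange | MustRunAsNonRoot


def scc_to_profile(scc: SCC) -> str:
    """Translate an SCC to the pod security profile it most closely permits (simplified)."""
    # Anything that grants host namespaces or privileged containers can only be "privileged".
    if (scc.allow_privileged_container or scc.allow_host_network
            or scc.allow_host_pid or scc.allow_host_ipc):
        return "privileged"
    # "restricted" additionally forbids privilege escalation and running as root.
    # Assumption: MustRunAsRange is treated as non-root, since OpenShift allocates
    # non-root UID ranges per namespace.
    non_root = scc.run_as_user_type in ("MustRunAsNonRoot", "MustRunAsRange")
    if scc.allow_privilege_escalation or not non_root:
        return "baseline"
    return "restricted"


def sync_enabled(namespace: str, labels: dict, payload_namespaces: set) -> bool:
    """Decide whether the controller synchronizes labels for this namespace."""
    # Installer/payload namespaces are permanently excluded; the label is ignored there.
    if namespace in FIXED_PAYLOAD_NAMESPACES or namespace in payload_namespaces:
        return False
    value = labels.get(SYNC_LABEL)
    if value == "false":
        return False
    if value == "true":
        return True
    # Unlabeled: user-created openshift-* namespaces default to off, everything else to on.
    return not namespace.startswith("openshift-")


def namespace_psa_labels(sa_to_sccs: dict, sccs: dict) -> dict:
    """Compute warn/audit labels from the SCCs each service account may use.

    Only service accounts are considered: privileges of the user who applies a
    pod directly do not influence the result.
    """
    best = "restricted"
    for scc_names in sa_to_sccs.values():
        for name in scc_names:
            profile = scc_to_profile(sccs[name])
            if PROFILE_RANK[profile] > PROFILE_RANK[best]:
                best = profile
    return {WARN_LABEL: best, AUDIT_LABEL: best}


# Constructed sample SCCs modelled loosely on common shapes.
SAMPLE_SCCS = {
    "restricted-v2": SCC("restricted-v2", allow_privilege_escalation=False,
                         run_as_user_type="MustRunAsRange"),
    "anyuid": SCC("anyuid", run_as_user_type="RunAsAny"),
    "privileged": SCC("privileged", allow_privileged_container=True,
                      allow_host_network=True, allow_host_pid=True, allow_host_ipc=True),
}

# Constructed sample: which SCCs each service account in a namespace can use.
SAMPLE_NAMESPACES = {
    "app-team": {"default": ["restricted-v2"], "builder": ["anyuid"]},
    "ops-tools": {"collector": ["privileged"], "default": ["restricted-v2"]},
}


if __name__ == "__main__":
    for ns, sa_map in SAMPLE_NAMESPACES.items():
        print(ns, namespace_psa_labels(sa_map, SAMPLE_SCCS))
```

Because the labels follow the most privileged profile found, a single service account bound to a permissive SCC raises the warn and audit level for the whole namespace; reviewing which service accounts can use which SCCs is therefore the first step when a namespace is labeled more loosely than expected.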

Controlling pod security admission synchronization

You can enable or disable automatic pod security admission synchronization for most namespaces.

By default, user-created namespaces that have the prefix openshift- have pod security admission label synchronization disabled.

Namespaces that the installer creates have pod security admission label synchronization disabled permanently. These namespaces include:

  • All namespaces that are prefixed with openshift-, except for openshift-operators

  • default

  • kube-node-lease

  • kube-system

  • kube-public

  • openshift

Procedure

  • For each namespace that you want to configure, set a value for the security.openshift.io/scc.podSecurityLabelSync label:

    • To disable pod security admission label synchronization in a namespace, set the value of the security.openshift.io/scc.podSecurityLabelSync label to false.

      Run the following command:

      $ oc label namespace <namespace> security.openshift.io/scc.podSecurityLabelSync=false

    • To enable pod security admission label synchronization in a namespace, set the value of the security.openshift.io/scc.podSecurityLabelSync label to true.

      Run the following command:

      $ oc label namespace <namespace> security.openshift.io/scc.podSecurityLabelSync=true

About pod security admission alerts

A PodSecurityViolation alert is triggered when the Kubernetes API server reports a pod denial at the audit level of the pod security admission controller. This alert persists for one day.

View the Kubernetes API server audit logs to investigate alerts that were triggered. As an example, a workload is likely to fail admission if global enforcement is set to the restricted pod security level.

For assistance in identifying pod security admission violation audit events, see Audit annotations in the Kubernetes documentation.
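As an added example of the investigation step above (not part of the original page), the script below scans API server audit events in JSON-lines form for the pod-security.kubernetes.io/audit-violations annotation, extracts the failed checks from the message, and summarizes them per namespace, which shows what would be denied if enforcement were raised to the audited level. The audit events are constructed samples that follow the upstream annotation format; the field set is trimmed to what the script reads.

```python
"""Summarize pod security admission audit violations from API server audit logs.

Added example; the audit events below are constructed samples, not captured logs.
"""
import json
import re
from collections import Counter

AUDIT_VIOLATIONS = "pod-security.kubernetes.io/audit-violations"
ENFORCE_POLICY = "pod-security.kubernetes.io/enforce-policy"

# Matches the message format: would violate PodSecurity "<level>:<version>": <check> (<detail>), ...
VIOLATION_RE = re.compile(r'would violate PodSecurity "([^"]+)": (.*)$', re.S)

# Constructed sample audit events (JSON lines), trimmed to the fields used here.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","verb":"create","objectRef":{"resource":"pods","namespace":"app-team","name":"web-1"},"annotations":{"pod-security.kubernetes.io/enforce-policy":"privileged:latest","pod-security.kubernetes.io/audit-violations":"would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"web\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"web\" must set securityContext.capabilities.drop=[\"ALL\"])"}}
{"kind":"Event","verb":"create","objectRef":{"resource":"pods","namespace":"app-team","name":"web-2"},"annotations":{"pod-security.kubernetes.io/enforce-policy":"privileged:latest"}}
{"kind":"Event","verb":"create","objectRef":{"resource":"pods","namespace":"ops-tools","name":"agent-7"},"annotations":{"pod-security.kubernetes.io/enforce-policy":"privileged:latest","pod-security.kubernetes.io/audit-violations":"would violate PodSecurity \"restricted:latest\": host namespaces (hostNetwork=true)"}}
{"kind":"Event","verb":"create","objectRef":{"resource":"configmaps","namespace":"app-team","name":"cfg"},"annotations":{}}
"""


def _split_top_level(text: str) -> list:
    """Split on commas that are not inside parentheses (details may contain commas)."""
    parts, depth, current = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        parts.append("".join(current).strip())
    return parts


def parse_violations(log_text: str) -> list:
    """Return one finding per pod event that carries an audit-violations annotation."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        ref = event.get("objectRef", {})
        if ref.get("resource") != "pods":
            continue
        annotations = event.get("annotations") or {}
        message = annotations.get(AUDIT_VIOLATIONS)
        if not message:
            continue
        match = VIOLATION_RE.match(message)
        policy, detail = (match.group(1), match.group(2)) if match else ("unknown", message)
        findings.append({
            "namespace": ref.get("namespace", ""),
            "pod": ref.get("name", ""),
            "enforce_policy": annotations.get(ENFORCE_POLICY, ""),
            "audit_policy": policy,
            # Keep the check name, drop the per-container detail in parentheses.
            "checks": [c.split(" (", 1)[0] for c in _split_top_level(detail)],
        })
    return findings


def summarize(findings: list) -> dict:
    """Count failed checks per namespace: what breaks if enforce is raised to the audit level."""
    per_namespace = {}
    for f in findings:
        counter = per_namespace.setdefault(f["namespace"], Counter())
        counter.update(f["checks"])
    return {ns: dict(counter) for ns, counter in per_namespace.items()}


if __name__ == "__main__":
    for ns, checks in summarize(parse_violations(SAMPLE_AUDIT_LOG)).items():
        print(ns, checks)
```

On a live cluster the same function can be fed the API server audit log files collected with oc adm node-logs; the check names it extracts map directly onto the securityContext fields a workload must set to pass the restricted profile.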

Additional resources