Prerequisite: The options below are available only for clusters that are launched using RKE.
When your cluster is running pods with security-sensitive configurations, assign it a pod security policy, which is a set of rules that monitors the conditions and settings in your pods. If a pod doesn’t meet the rules specified in your policy, the policy stops it from running.
You can assign a pod security policy when you provision a cluster. However, if you need to relax or restrict security for your pods later, you can update the policy while editing your cluster.
From the Global view, find the cluster to which you want to apply a pod security policy. Select ⋮ > Edit.
Expand Cluster Options.
From Pod Security Policy Support, select Enabled.
Note: This option is only available for clusters provisioned by RKE.
From the Default Pod Security Policy drop-down, select the policy you want to apply to the cluster.
Rancher ships with policies of
restricted
andunrestricted
, although you can create custom policies as well.Click Save.
Result: The pod security policy is applied to the cluster and any projects within the cluster.
Note: Workloads already running before assignment of a pod security policy are grandfathered in. Even if they don’t meet your pod security policy, workloads running before assignment of the policy continue to run.
To check if a running workload passes your pod security policy, clone or upgrade it.