CERIT-SC Kubernetes Docs

New Security Context

Kubernetes version 1.25 is coming and we will upgrade to this version by the beginning of July 2023. Starting with this release, PSP is deprecated and will be removed. Instead of the PSP, PSA will be used. Although this change is basically a matter of Kubernetes administration and not directly related to users, there is sill a user action required.

PSP has been mutating security policy, which means that any missing security options in the deployment manifest have been injected into the manifest, and users will not notice that the manifest has been changed. The PSA is only validating policy, so any required security options must be added by the user prior to deployment.

All security options are specified in the securityContext. There are two security contexts: (1) Pod security context and (2) Container security context. The Pod security context is at the same level as container, the container security context is inside all containers of the Pod.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
    spec:
      securityContext: # Pod security context
        fsGroupChangePolicy: OnRootMismatch
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
      - image: ubuntu
        name: example
        securityContext: # Container security context
          runAsUser: 1000
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL

The important new options for the Pod security context are the following:

runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

fsGroupChangePolicy: OnRootMismatch is not required but it is strongly recommended to add so that there are no problems when attaching PVCs.

The important new options for the Container sercurity context are the following:

allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL

Whithout all these important options, the deployments/daemonsets/cronjobs/jobs/pods will fail after upgrade. All options can be added now.

If running any CERIT-SC application from the Rancher, upgrade to the latest version is required. Again, this can be done now.