Default Pod Security Standards
This document describes how RKE2 configures PodSecurityStandards and NetworkPolicies in order to be secure-by-default while also providing operators with maximum configuration flexibility.
This document applies to RKE2 v1.25 and newer. For the default policy information for RKE2 v1.24 and older, refer to the Pod Security Policies documentation.
Pod Security Standards
Starting with Kubernetes v1.25.0, Pod Security Policies (PSP) are removed entirely from Kubernetes and replaced by Pod Security Admission (PSA). A default Pod Security Admission config file is added to the cluster on startup as follows:
If running with the profile: cis configuration:
- RKE2 will apply a restricted pod security standard via a configuration file which enforces restricted mode throughout the cluster, with an exception for the kube-system, cis-operator-system, and tigera-operator namespaces to ensure successful operation of system pods.
If running without a profile configuration:
- RKE2 will apply a non-restricted pod security standard via a configuration file which enforces privileged mode throughout the cluster, leaving all pods in the cluster completely unrestricted.
RKE2 writes this configuration file to /etc/rancher/rke2/rke2-pss.yaml. The content of the file varies according to the CIS mode in which you started rke2:
CIS Mode
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system, cis-operator-system, tigera-operator]
Non CIS Mode
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "privileged"
      enforce-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: []
After placing this configuration file, rke2 starts the kube-apiserver with the --admission-control-config-file flag set to the path of the PSA config file.
If you want to override the default pod security standard configuration file, you can pass pod-security-admission-config-file: <path-to-custom-psa-config-file> to the RKE2 config file.
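To see what the CIS-mode file above means in practice, the following added example (not RKE2's own code, and a simplified model of the PodSecurity admission plugin) resolves the effective enforce level for a namespace from the defaults, exemptions and the pod-security.kubernetes.io/enforce namespace label, then checks a pod spec against a subset of the baseline and restricted controls. The pod specs are constructed for the example; the enforce-version field is ignored here.

```python
# Added example, not RKE2 code: models how the PodSecurity admission plugin picks
# the enforce level for a namespace from the CIS-mode config above, and checks a
# pod spec against a subset of the baseline/restricted controls.
CIS_PSS = {  # defaults/exemptions mirrored from /etc/rancher/rke2/rke2-pss.yaml (CIS mode)
    "defaults": {"enforce": "restricted"},
    "exemptions": {"usernames": [], "runtimeClasses": [],
                   "namespaces": ["kube-system", "cis-operator-system", "tigera-operator"]},
}
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"

def effective_enforce_level(cfg, namespace, ns_labels=None):
    """Exempt namespaces are never enforced; otherwise a namespace label overrides
    the cluster-wide default from the admission config."""
    if namespace in cfg["exemptions"]["namespaces"]:
        return "exempt"
    return (ns_labels or {}).get(ENFORCE_LABEL, cfg["defaults"]["enforce"])

def violations(pod_spec, level):
    """Return the controls a pod spec violates at the given level (subset only)."""
    found = []
    if level in ("exempt", "privileged"):
        return found
    pod_sc = pod_spec.get("securityContext", {})
    if any(pod_spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        found.append("baseline: host namespaces")
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc, n = c.get("securityContext", {}), c.get("name", "?")
        if sc.get("privileged"):
            found.append(f"baseline: {n} is privileged")
        if level != "restricted":
            continue
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"restricted: {n} must set allowPrivilegeEscalation=false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f"restricted: {n} must drop ALL capabilities")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"restricted: {n} must set runAsNonRoot=true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"restricted: {n} needs a RuntimeDefault/Localhost seccompProfile")
    return found

def admit(cfg, namespace, pod_spec, ns_labels=None):
    """True if the pod would pass the enforce check in this namespace."""
    return not violations(pod_spec, effective_enforce_level(cfg, namespace, ns_labels))

# Constructed samples: a pod with no securityContext, and the same pod hardened for "restricted".
PLAIN_POD = {"containers": [{"name": "web", "image": "nginx"}]}
HARDENED_POD = {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
                "containers": [{"name": "web", "image": "nginx", "securityContext": {
                    "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}
```

The same plain pod is admitted in kube-system (exempt) and rejected in a regular namespace under CIS mode, which is the usual surprise when a cluster is switched to profile: cis.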