From a5e4e9b62a022c672b86929add1d66394727e12e Mon Sep 17 00:00:00 2001
From: xdavidwu
Date: Fri, 16 Apr 2021 20:39:51 +0800
Subject: [PATCH] posts: add 2021-04-16-kubeadm-psp
---
_posts/2021-04-16-kubeadm-psp.md | 82 ++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
create mode 100644 _posts/2021-04-16-kubeadm-psp.md
diff --git a/_posts/2021-04-16-kubeadm-psp.md b/_posts/2021-04-16-kubeadm-psp.md
new file mode 100644
index 0000000..c4067e6
--- /dev/null
+++ b/_posts/2021-04-16-kubeadm-psp.md
@@ -0,0 +1,82 @@
+---
+title: "Kubeadm cluster with PodSecurityPolicy"
+categories:
+ - Kubernetes
+tags:
+ - kubernetes
+ - linux
+ - containers
+ - en
+---
+
+After enabling PodSecurityPolicy admission controller in a kubeadm cluster, one might forget to create policy for mirror pods until finding it out in a hard way when upgrading the cluster.
+
+When creating static pods, kubelet also creates mirror pods on API server. Kubelets are under `system:nodes` group.
+
+Here is a not so strict one that I composed:
+
+```yaml
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: nodes
+spec:
+ privileged: false
+ defaultAllowPrivilegeEscalation: false
+ allowedCapabilities: []
+ volumes:
+ - hostPath
+ allowedHostPaths:
+ - pathPrefix: /etc
+ - pathPrefix: /usr
+ forbiddenSysctls:
+ - '*'
+ hostIPC: false
+ hostNetwork: true
+ hostPID: false
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ runAsUser:
+ rule: 'RunAsAny'
+```
+
+I tested it with static pods created by kubeadm, that is, kube-apiserver, kube-controller-manager, kube-scheduler and etcd.
+
+Obiviously this can be futher improved by composing the policy with only what those pods need.
+
+The corresposing ClusterRole and ClusterRoleBinding:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp-nodes
+rules:
+ - apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - nodes
+```
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: psp-nodes
+roleRef:
+ kind: ClusterRole
+ name: psp-nodes
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: Group
+ name: system:nodes
+ apiGroup: rbac.authorization.k8s.io
+```
-- 
2.45.2
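Review bot: The `allowedHostPaths` entries in the PodSecurityPolicy manifest admit writable hostPath mounts of `/etc` and `/usr`, because each entry's `readOnly` field is left at its default of false; for a policy whose only purpose is to admit kubeadm's mirror pods, `- pathPrefix: /etc` followed by `readOnly: true` (and the same for `/usr`) would confine them to read-only mounts, with a narrower dedicated entry for any static pod that genuinely needs a writable path under those prefixes. The post says the policy was tested with the etcd static pod, but if etcd's data directory is the kubeadm default under `/var/lib`, that hostPath falls outside both prefixes, so it is worth confirming the etcd mirror pod was actually admitted rather than silently rejected. A short note near the `apiVersion: policy/v1beta1` line that PodSecurityPolicy was deprecated around the time of writing and has since been removed upstream in favour of Pod Security Admission would help readers on newer clusters.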