Default Pod security policies in MKE

By default, the two Pod security policies defined within MKE are privileged and unprivileged. Additionally, to ensure backward compatibility after an upgrade, there is a ClusterRoleBinding that gives every user access to the privileged policy. By default, any user can create any Pod.

Note

PSPs do not override security defaults built into the MKE RBAC engine for Kubernetes Pods. These security defaults prevent non-admin users from mounting host paths into Pods or starting privileged Pods.

To review the default PSPs:

kubectl get podsecuritypolicies

Expected output:

NAME           PRIV    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
privileged     true    *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
unprivileged   false          RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *

The following specification is for the privileged policy:

allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
fsGroup:
  rule: RunAsAny
hostIPC: true
hostNetwork: true
hostPID: true
hostPorts:
- max: 65535
  min: 0
privileged: true
runAsUser:
  rule: RunAsAny
seLinux:
  rule: RunAsAny
supplementalGroups:
  rule: RunAsAny
volumes:
- '*'

The following specification is for the unprivileged policy:

allowPrivilegeEscalation: false
allowedHostPaths:
- pathPrefix: /dev/null
  readOnly: true
fsGroup:
  rule: RunAsAny
hostPorts:
- max: 65535
  min: 0
runAsUser:
  rule: RunAsAny
seLinux:
  rule: RunAsAny
supplementalGroups:
  rule: RunAsAny
volumes:
- '*'
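The effect of the two specifications above can be seen by running a small emulation of the PSP admission checks they exercise. This is an added example, not MKE's own code: the policy dictionaries mirror the YAML on this page, and the Pod specs are constructed samples (the Pod field names are the standard Kubernetes ones).

```python
# Added example (not MKE code): emulate the PSP checks the two default policies exercise.
PRIVILEGED = {"privileged": True, "allowPrivilegeEscalation": True,
              "allowedCapabilities": ["*"], "hostIPC": True, "hostNetwork": True,
              "hostPID": True, "hostPorts": [{"min": 0, "max": 65535}], "volumes": ["*"]}
UNPRIVILEGED = {"allowPrivilegeEscalation": False,
                "allowedHostPaths": [{"pathPrefix": "/dev/null", "readOnly": True}],
                "hostPorts": [{"min": 0, "max": 65535}], "volumes": ["*"]}
# hostPorts and volumes are unrestricted in both policies above, so they are not checked.

def _prefix_match(prefix, path):
    # PSP matches pathPrefix on whole path components: /foo matches /foo/bar, not /foobar
    p, q = prefix.rstrip("/"), path.rstrip("/")
    return q == p or q.startswith(p + "/")

def psp_violations(pod_spec, policy):
    """Return why `policy` would reject `pod_spec`; an empty list means admitted."""
    v = []
    for f in ("hostPID", "hostNetwork", "hostIPC"):  # absent from the policy means false
        if pod_spec.get(f) and not policy.get(f):
            v.append(f"{f} is not allowed")
    caps_ok = policy.get("allowedCapabilities", [])
    rw_mounts = set()  # names of volumes that some container mounts read-write
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not policy.get("privileged"):
            v.append(f"{c['name']}: privileged container not allowed")
        if sc.get("allowPrivilegeEscalation") and not policy.get("allowPrivilegeEscalation", True):
            v.append(f"{c['name']}: privilege escalation not allowed")
        for cap in sc.get("capabilities", {}).get("add", []):
            if "*" not in caps_ok and cap not in caps_ok:
                v.append(f"{c['name']}: capability {cap} not allowed")
        rw_mounts |= {m["name"] for m in c.get("volumeMounts", []) if not m.get("readOnly")}
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol and policy.get("allowedHostPaths"):  # no list = unrestricted
            path = vol["hostPath"]["path"]
            hits = [a for a in policy["allowedHostPaths"] if _prefix_match(a["pathPrefix"], path)]
            if not hits:
                v.append(f"volume {vol['name']}: hostPath {path} not in allowedHostPaths")
            elif all(a.get("readOnly") for a in hits) and vol["name"] in rw_mounts:
                v.append(f"volume {vol['name']}: {path} may only be mounted read-only")
    return v

# Constructed sample Pods: one that needs host-level access, one plain web server.
HOST_ACCESS_POD = {"hostPID": True, "containers": [{"name": "dbg", "image": "busybox",
    "securityContext": {"privileged": True},
    "volumeMounts": [{"name": "root", "mountPath": "/host"}]}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}
PLAIN_POD = {"containers": [{"name": "web", "image": "nginx", "ports": [{"containerPort": 80}]}]}
```

Calling `psp_violations(HOST_ACCESS_POD, UNPRIVILEGED)` lists the hostPID, privileged-container and hostPath rejections, while the same Pod is admitted under `PRIVILEGED`, which is why the default binding of every user to the privileged policy matters.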