Adding a Pod Security Policy
Pod Security Policies are objects that control security-sensitive aspects of pod specification (like root privileges).
You can add a Pod Security Policy (PSP hereafter) in the following contexts:
- When creating a cluster
- When editing an existing cluster
- When creating a project
- When editing an existing project
Note: We recommend adding PSPs during cluster and project creation rather than adding one to an existing cluster or project.
For more information about PSPs, refer to Pod Security Policy.
Cluster Creation: Adding a Default Pod Security Policy
When you create a new cluster, you can configure it to apply a PSP immediately. As you create the cluster, use the Cluster Options to enable a PSP. The PSP assigned to the cluster will be the default PSP for projects within the cluster.
Prerequisite: Create a Pod Security Policy within Rancher. Before you can assign a default PSP to a new cluster, you must have a PSP available for assignment. For instruction, see Creating Pod Security Policies.
Note: For security purposes, we recommend assigning a PSP as you create your clusters.
To enable a default Pod Security Policy, set the Pod Security Policy Support option to Enabled, and then make a selection from the Default Pod Security Policy drop-down.
When the cluster finishes provisioning, the PSP you selected is applied to all projects within the cluster.
For detailed instruction about assigning a PSP to a new cluster, see Creating a Cluster.
Existing Cluster: Adding a Pod Security Policy
If you don’t apply a PSP as you create your cluster, you can always add one later.
Prerequisite: Create a Pod Security Policy within Rancher. Before you can assign a default PSP to an existing cluster, you must have a PSP available for assignment. For instruction, see Creating Pod Security Policies.
From the Global view, find the cluster that you want to apply your PSP to. Select Vertical Ellipsis (…) > Edit for the cluster you want to enable PSPs for.
Expand the Cluster Options accordion.
From Pod Security Policy Support, select Enabled.
Note: Not all cluster providers support PSPs, so this option may not be available.
Step Result: The Default Pod Security Policy drop-down activates.
From Default Pod Security Policy, select the PSP you want to apply to the cluster.
Click Save.
Result: The PSP is applied to the cluster and any projects within the cluster.
Note: Any workloads that are already running in a cluster or project before a PSP is assigned are not checked for compliance with the PSP. Such workloads must be cloned or upgraded to find out whether they pass the PSP.
Project Creation: Adding a Pod Security Policy
When you create a new project, you can assign a PSP directly to the project. Assigning a PSP to a project will:
- Override the cluster’s default PSP.
- Apply the PSP to the project.
- Apply the PSP to any namespaces you add to the project later.
Prerequisites:
- Create a Pod Security Policy within Rancher. Before you can assign a default PSP to a new project, you must have a PSP available for assignment. For instruction, see Creating Pod Security Policies.
- Assign a default Pod Security Policy to the project’s cluster. You can’t assign a PSP to a project until one is already applied to the cluster. For more information, see Existing Cluster: Adding a Pod Security Policy.
As you create the project, make a selection from the Pod Security Policy drop-down to assign a PSP.
Existing Project: Adding a Pod Security Policy
You can always assign a PSP to an existing project if you didn’t assign one during creation.
Prerequisites:
- Create a Pod Security Policy within Rancher. Before you can assign a default PSP to an existing project, you must have a PSP available for assignment. For instruction, see Creating Pod Security Policies.
- Assign a default Pod Security Policy to the project’s cluster. You can’t assign a PSP to a project until one is already applied to the cluster. For more information, see Existing Cluster: Adding a Pod Security Policy.
From the Global view, find the cluster containing the project you want to apply a PSP to.
From the main menu, select Projects/Namespaces.
Find the project that you want to add a PSP to. From that project, select Vertical Ellipsis (…) > Edit.
From the Pod Security Policy drop-down, select the PSP you want to apply to the project.
Click Save.
Result: The PSP is applied to the project and any namespaces added to the project.
Note: Any workloads that are already running in a cluster or project before a PSP is assigned are not checked for compliance with the PSP. Such workloads must be cloned or upgraded to find out whether they pass the PSP.
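Because the PSP admission check only runs when a pod is created, the note above (and the same note in the Existing Cluster section) leaves a gap: workloads that were already running when the PSP was assigned are never evaluated. The following Python checker, added here as an example and not code from Rancher or the original page, mirrors a few PodSecurityPolicy fields in a constructed restricted policy and reports which settings of a constructed pod spec would fail it, so existing workloads can be audited before they are cloned or upgraded.

```python
# Constructed, simplified policy modelled on a "restricted" PSP; field names
# follow the PodSecurityPolicy spec, but this is illustrative code, not Rancher's.
RESTRICTED_PSP = {
    "privileged": False,
    "hostNetwork": False,
    "allowPrivilegeEscalation": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "volumes": ["configMap", "emptyDir", "secret", "projected"],
}

def check_pod(pod_spec, psp):
    """Return a list of violations of `psp` found in a pod spec dict."""
    violations = []
    if pod_spec.get("hostNetwork", False) and not psp["hostNetwork"]:
        violations.append("pod: hostNetwork is not allowed")
    for vol in pod_spec.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), "unknown")  # type = non-name key
        if vtype not in psp["volumes"]:
            violations.append(f"volume {vol['name']}: type {vtype} not allowed")
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged", False) and not psp["privileged"]:
            violations.append(f"{name}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True) and not psp["allowPrivilegeEscalation"]:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if psp["runAsUser"]["rule"] == "MustRunAsNonRoot":
            # Container-level settings override pod-level ones.
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
            if uid == 0 or (uid is None and not non_root):
                violations.append(f"{name}: must run as non-root")
    return violations

# Constructed samples: a workload started before the PSP was assigned, and a compliant one.
LEGACY_POD = {
    "hostNetwork": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "agent", "securityContext": {"privileged": True}}],
}
COMPLIANT_POD = {
    "volumes": [{"name": "cfg", "configMap": {"name": "app"}}],
    "containers": [{"name": "web", "securityContext": {
        "runAsNonRoot": True, "allowPrivilegeEscalation": False}}],
}

if __name__ == "__main__":
    for label, pod in (("legacy", LEGACY_POD), ("compliant", COMPLIANT_POD)):
        print(label, check_pod(pod, RESTRICTED_PSP) or "OK")
```

Running it prints the five violations of the legacy pod and "OK" for the compliant one; feeding it pod specs exported from a cluster (for example with kubectl get pods -o json) gives a list of workloads to fix before they are cloned or upgraded under the PSP.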