How to enforce MustRunAsNonRoot policy in K8S cluster in AKS

2/8/2021

I have a K8S cluster running in Azure AKS service.

I want to enforce MustRunAsNonRoot policy. How to do it?

The following policy is created:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-root
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'

It is deployed in the cluster:

$ kubectl get psp
NAME                            PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
restrict-root                   false          RunAsAny   MustRunAsNonRoot   RunAsAny    RunAsAny    false            *

Admission controller is running in the cluster:

$ kubectl get pods -n gatekeeper-system
NAME                                     READY   STATUS    RESTARTS   AGE
gatekeeper-audit-7b4bc6f977-lvvfl        1/1     Running   0          32d
gatekeeper-controller-5948ddcd54-5mgsm   1/1     Running   0          32d
gatekeeper-controller-5948ddcd54-b59wg   1/1     Running   0          32d

Anyway, it is possible to run a simple pod running as root:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mypod
      image: busybox
      args: ["sleep", "10000"]
      securityContext:
        runAsUser: 0

Pod is running:

$ kubectl describe po mypod
Name:         mypod
Namespace:    default
Priority:     0
Node:         aks-default-31327534-vmss000001/10.240.0.5
Start Time:   Mon, 08 Feb 2021 23:10:46 +0100
Labels:       <none>
Annotations:  <none>
Status:       Running

Why is MustRunAsNonRoot not applied? How can I enforce it?

EDIT: It looks like the AKS engine does not support PodSecurityPolicy (list of supported policies). So the question is still the same: how to enforce the MustRunAsNonRoot rule on workloads?

-- Michael Chudinov
azure-aks
kubernetes

1 Answer

2/9/2021

You shouldn't use PodSecurityPolicy on an Azure AKS cluster, as it has been set for deprecation as of May 31st, 2021 in favor of Azure Policy for AKS. Check the official docs for further details:

Warning

The feature described in this document, pod security policy (preview), is set for deprecation and will no longer be available after May 31st, 2021 in favor of Azure Policy for AKS. The deprecation date has been extended from the previous date of October 15th, 2020.

So currently you should rather use Azure Policy for AKS, where, among other built-in policies grouped into initiatives (an initiative in Azure Policy is a collection of policy definitions that are tailored towards achieving a singular overarching goal), you can find a policy whose goal is to disallow running privileged containers on your AKS cluster.

As to PodSecurityPolicy, for the time being it should still work. Please check here that you didn't forget anything, e.g. make sure you set up the corresponding ClusterRole and ClusterRoleBinding that allow the policy to be used.

-- mario
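To make concrete what the `MustRunAsNonRoot` rule from the question actually checks, and what the answer's point about the policy never being consulted means, here is an added example that is not part of the question or the answer. It models the rule's admission-time logic in Python: container-level `securityContext` fields override pod-level ones, `runAsUser: 0` or `runAsNonRoot: false` is denied, and a container that specifies neither is mutated to `runAsNonRoot: true` (the kubelet then refuses to start it if the image's USER resolves to uid 0). The `ROOT_POD` dict is the question's manifest; `UNSPECIFIED_POD` and `OVERRIDE_POD` are constructed inputs. It models only the rule itself: on a real cluster the PSP admission controller must be enabled and a ClusterRole/ClusterRoleBinding must grant `use` on the policy, or, as in the question, the rule is never evaluated and the root pod is admitted.

```python
"""Model of the PodSecurityPolicy ``runAsUser: MustRunAsNonRoot`` rule.

Added example, not code from the question or the answer. It reproduces
the rule's admission-time logic so a manifest can be checked before it
is submitted. It does not replace the admission controller or the RBAC
``use`` binding a PodSecurityPolicy needs in order to be applied.
"""
import copy

# The pod from the question, as a dict (same fields as the YAML manifest).
ROOT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod"},
    "spec": {
        "containers": [
            {
                "name": "mypod",
                "image": "busybox",
                "args": ["sleep", "10000"],
                "securityContext": {"runAsUser": 0},
            }
        ]
    },
}

# Constructed manifest: nothing specified, so the rule mutates it.
UNSPECIFIED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "unspecified"},
    "spec": {"containers": [{"name": "app", "image": "busybox"}]},
}

# Constructed manifest: pod-level uid 0 overridden at the container level.
OVERRIDE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "override"},
    "spec": {
        "securityContext": {"runAsUser": 0},
        "containers": [
            {"name": "app", "image": "busybox", "securityContext": {"runAsUser": 1000}}
        ],
    },
}


def effective_user_settings(pod, container):
    """Return (runAsUser, runAsNonRoot) as the kubelet resolves them:
    container-level securityContext fields override pod-level ones."""
    pod_sc = pod["spec"].get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    run_as_user = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    return run_as_user, run_as_non_root


def evaluate_must_run_as_non_root(pod):
    """Apply the MustRunAsNonRoot rule to every init and regular container.

    Returns (allowed, violations, mutated_pod). Like the PSP admission
    plugin, a container with neither runAsUser nor runAsNonRoot set is
    mutated to runAsNonRoot: true rather than rejected; the kubelet then
    refuses to start it if the image's USER resolves to uid 0.
    """
    mutated = copy.deepcopy(pod)
    violations = []
    spec = mutated["spec"]
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        uid, non_root = effective_user_settings(mutated, container)
        path = f"container {container.get('name', '<unnamed>')}"
        if uid is None and non_root is None:
            # Default the field instead of denying; the kubelet enforces it at start.
            container.setdefault("securityContext", {})["runAsNonRoot"] = True
        elif non_root is False:
            violations.append(f"{path}: securityContext.runAsNonRoot must be true")
        elif uid == 0:
            violations.append(f"{path}: securityContext.runAsUser 0 (root) is forbidden")
    return not violations, violations, mutated


if __name__ == "__main__":
    for pod in (ROOT_POD, UNSPECIFIED_POD, OVERRIDE_POD):
        allowed, problems, _ = evaluate_must_run_as_non_root(pod)
        verdict = "allowed" if allowed else "denied"
        print(f"{pod['metadata']['name']}: {verdict} {problems}")
```

Running it denies the question's `mypod` (uid 0), admits `unspecified` with `runAsNonRoot: true` added, and admits `override` because the container-level `runAsUser: 1000` wins over the pod-level 0. If a pod like `mypod` is nevertheless admitted on the cluster, the rule itself is not the problem; the policy is simply not being applied, which is what the ClusterRole/ClusterRoleBinding check in the answer is about.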
Source: StackOverflow