Enabling the DenyEscalatingExec Admission Plugin
Topic provided by VMware
This section describes how and when to enable the DenyEscalatingExec admission controller for Enterprise Pivotal Container Service (Enterprise PKS) clusters.
The DenyEscalatingExec admission controller denies the “exec” and “attach” commands to pods that run with escalated privileges or that have host access. This covers pods that run as privileged, pods that have access to the host Interprocess Communication (IPC) namespace, and pods that have access to the host PID namespace.
See DenyEscalatingExec in the Kubernetes documentation for more information.
Note: The DenyEscalatingExec admission plugin is deprecated and is scheduled to be removed in a future Kubernetes release.
To provide better security when privileged containers are enabled, enable the DenyEscalatingExec admission controller or use PodSecurityPolicy. Privileged containers are enabled when Allow Privileged is selected.
Since the DenyEscalatingExec admission controller is being deprecated, the recommended approach is to use PodSecurityPolicy or a custom admission plugin that protects against the creation of overly privileged pods and that can be targeted at specific users or namespaces.
For more information, see Pod Security Policy.
Warning: If the DenyEscalatingExec admission plugin is enabled for a plan before upgrade, it remains enabled after upgrade.
By selecting the DenyEscalatingExec checkbox, you make Kubernetes clusters deployed with the associated plan more secure.
To enable the DenyEscalatingExec admission plugin, do the following:
- In the Enterprise PKS tile, select the desired Plan, such as Plan 1.
- At the bottom of the configuration panel, select the DenyEscalatingExec option.
- Click Save.
- At the Installation Dashboard, click Review Pending Changes.
- For Enterprise PKS, verify that the “Upgrade all clusters errand” is selected.
- Click Apply Changes to deploy clusters with the admission plugin enabled.
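Before enabling the plugin on a plan, it helps to know which pods already running in a cluster would lose exec and attach. The following is an added example, not part of the Enterprise PKS documentation or product: it reads the JSON that `kubectl get pods --all-namespaces -o json` prints (a constructed sample is embedded) and flags each pod that meets one of the three conditions listed above (privileged container, hostIPC, hostPID).

```python
# Added example (not from the Enterprise PKS docs): classify pods by the three
# conditions DenyEscalatingExec checks, so you can see in advance which pods will
# lose exec/attach once the plugin is enabled on a plan.
import json
import sys


def escalation_reasons(pod):
    """Return the reasons DenyEscalatingExec would refuse exec/attach for this pod."""
    spec = pod.get("spec", {})
    reasons = []
    if spec.get("hostPID"):
        reasons.append("hostPID")
    if spec.get("hostIPC"):
        reasons.append("hostIPC")
    # privileged is set per container; init containers count as well
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            reasons.append("privileged:" + c.get("name", "?"))
    return reasons


def audit(pod_list):
    """Map 'namespace/name' -> reasons for every pod that would be affected."""
    affected = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        reasons = escalation_reasons(pod)
        if reasons:
            affected[f"{meta.get('namespace', 'default')}/{meta['name']}"] = reasons
    return affected


# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = json.loads("""
{"kind": "PodList", "items": [
  {"metadata": {"namespace": "kube-system", "name": "node-agent"},
   "spec": {"hostPID": true, "hostIPC": false,
            "containers": [{"name": "agent", "securityContext": {"privileged": true}}]}},
  {"metadata": {"namespace": "default", "name": "web"},
   "spec": {"containers": [{"name": "nginx"}]}},
  {"metadata": {"namespace": "default", "name": "debug"},
   "spec": {"hostIPC": true,
            "initContainers": [{"name": "setup", "securityContext": {"privileged": false}}],
            "containers": [{"name": "shell"}]}}
]}
""")

if __name__ == "__main__":
    # Use piped kubectl output when present, otherwise the embedded sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POD_LIST
    for name, reasons in audit(data).items():
        print(f"{name}: exec/attach would be denied ({', '.join(reasons)})")
```

Run it against a live cluster with `kubectl get pods -A -o json | python3 audit_exec.py` (file name is arbitrary); pods listed there are the ones operators will no longer be able to exec into once the plan is saved and applied.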