Enabling the SecurityContextDeny Admission Plugin
Warning: Pivotal Container Service (PKS) v1.4 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
Topic provided by VMware
This section describes how to enable the SecurityContextDeny admission controller for Enterprise Pivotal Container Service (Enterprise PKS) clusters.
The SecurityContextDeny admission controller plugin denies any pod that attempts to set certain escalating securityContext fields.
In Kubernetes, a security context defines privilege and access control settings for a pod or container. The securityContext field is a PodSecurityContext object. For more information, see Set the security context for a Pod in the Kubernetes documentation.
The SecurityContextDeny admission plugin should be enabled if a cluster does not use pod security policies (PSPs) to restrict the set of values a security context can take. See Enabling and Using Pod Security Policies for more information.
PSPs are the preferred method for providing a more secure Kubernetes environment. However, PSPs have administrative overhead. Enabling the SecurityContextDeny admission plugin is a stopgap method of providing a more secure Kubernetes environment when it is not feasible to use PSPs. If you plan to use PSPs in the future, consider enabling the SecurityContextDeny admission plugin as an interim security measure.
This section describes the impact of enabling the SecurityContextDeny admission control plugin for new and existing cluster plans.
New Cluster. If you enable the SecurityContextDeny admission plugin in a plan and deploy a new Kubernetes cluster based on that plan, cluster users will not be able to create pods that set the securityContext fields the plugin restricts on that cluster.
Existing Cluster. If you enable the SecurityContextDeny admission plugin in a plan and update a Kubernetes cluster, cluster users will no longer be able to create pods that set the securityContext fields the plugin restricts on that cluster. This assumes you have triggered the generation of a new deployment manifest by running the "Upgrade all clusters errand."
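To see concretely which securityContext fields the plugin refuses, and to check existing manifests for the impact described above before enabling it in a plan, here is an added Python example (not part of this VMware topic or the PKS product) that re-implements the plugin's field checks; the two field lists are this example's assumption about the upstream Kubernetes plugin, not something this page states.

```python
"""Pre-flight check: which Pod manifests would SecurityContextDeny reject?
Added example, not VMware's code. It re-implements the field checks of the
upstream Kubernetes SecurityContextDeny plugin as this example's author
understands them; verify the two field lists against your version's source."""

# Pod-level spec.securityContext fields the plugin refuses (assumed list).
POD_LEVEL_DENIED = ("supplementalGroups", "seLinuxOptions", "runAsUser", "fsGroup")
# Per-container securityContext fields the plugin refuses (assumed list).
CONTAINER_LEVEL_DENIED = ("seLinuxOptions", "runAsUser")


def security_context_deny(pod: dict) -> list:
    """Return the reasons SecurityContextDeny would reject `pod` (a Pod manifest
    parsed into a dict); an empty list means this plugin would admit it. The real
    plugin stops at the first forbidden field; this collects all of them."""
    spec = pod.get("spec", {})
    reasons = []
    pod_sc = spec.get("securityContext") or {}
    for field in POD_LEVEL_DENIED:
        if pod_sc.get(field) is not None:  # runAsUser: 0 is still a set field
            reasons.append(f"spec.securityContext.{field} is forbidden")
    # Init containers are checked exactly like regular containers.
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            c_sc = c.get("securityContext") or {}
            for field in CONTAINER_LEVEL_DENIED:
                if c_sc.get(field) is not None:
                    reasons.append(f"{kind}[{c['name']}].securityContext.{field} is forbidden")
    return reasons


# Constructed sample manifests (not from any real cluster).
REJECTED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "securityContext": {"runAsUser": 0, "fsGroup": 2000},
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"seLinuxOptions": {"level": "s0:c1"}}}]}}
# readOnlyRootFilesystem is outside the denied list, so this pod passes the
# plugin; only a PSP would govern that field.
ADMITTED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "batch"}, "spec": {
    "containers": [{"name": "job", "image": "example/job:1.0",
                    "securityContext": {"readOnlyRootFilesystem": True}}]}}

if __name__ == "__main__":
    for pod in (REJECTED_POD, ADMITTED_POD):
        print(pod["metadata"]["name"], security_context_deny(pod) or "admitted")
```

Run it over manifests exported from an existing cluster (parsed with any YAML or JSON loader) to list the workloads that would stop admitting after the plan is updated.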
To enable the SecurityContextDeny admission plugin:
- In the PKS tile, select the desired Plan, such as Plan 1.
- At the bottom of the configuration panel, select the SecurityContextDeny option.
- Click Save.
- At the Installation Dashboard, click Review Pending Changes.
- For Enterprise PKS, verify that the “Upgrade all clusters errand” is selected.
- Click Apply Changes to deploy the cluster with the admission plugin enabled.