Enabling the DenyEscalatingExec Admission Plugin

Topic provided by VMware

This section describes how and when to enable the DenyEscalatingExec admission controller for VMware Tanzu Kubernetes Grid Integrated Edition clusters.

About the DenyEscalatingExec Admission Plugin

The DenyEscalatingExec admission controller denies the “exec” and “attach” commands to pods that run with escalated privileges and allow host access. This includes pods that run as privileged, have access to the host Interprocess Communication (IPC) namespace, and have access to the host PID namespace.

See DenyEscalatingExec in the Kubernetes documentation for more information.
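As an added illustration (not code from the Kubernetes plugin or from this page), the following Python applies the same decision rule to a Kubernetes AdmissionReview request for the pods/exec or pods/attach subresource: deny when the target pod runs privileged or has host IPC or host PID access. The pod specs and the request shape are constructed samples, and the in-memory pod lookup stands in for the API server.

```python
# Constructed sample pod specs, standing in for what the API server would look up.
PODS = {
    ("default", "web"): {"spec": {
        "containers": [{"name": "app", "securityContext": {"privileged": False}}]}},
    ("kube-system", "node-agent"): {"spec": {
        "hostPID": True, "containers": [{"name": "agent"}]}},
    ("default", "debug"): {"spec": {
        "initContainers": [{"name": "init", "securityContext": {"privileged": True}}],
        "containers": [{"name": "main"}]}},
}


def escalation_reasons(pod):
    """List the conditions DenyEscalatingExec treats as escalated: host PID,
    host IPC, or any (init) container running privileged."""
    spec = pod.get("spec", {})
    reasons = []
    if spec.get("hostPID"):
        reasons.append("hostPID")
    if spec.get("hostIPC"):
        reasons.append("hostIPC")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            reasons.append(f"privileged container {c['name']}")
    return reasons


def review(request, pods=PODS):
    """Admit or deny one AdmissionReview request (the 'request' object).
    Only CONNECT requests to the pods/exec and pods/attach subresources are
    evaluated; anything else is allowed unchanged."""
    if (request.get("resource", {}).get("resource") != "pods"
            or request.get("subResource") not in ("exec", "attach")):
        return {"allowed": True}
    pod = pods.get((request.get("namespace"), request.get("name")))
    if pod is None:
        # Fail closed: without the pod spec the privilege level is unknown.
        return {"allowed": False, "status": {"message": "pod not found"}}
    reasons = escalation_reasons(pod)
    if reasons:
        msg = (f"cannot {request['subResource']} into pod with escalated "
               f"privileges: {', '.join(reasons)}")
        return {"allowed": False, "status": {"message": msg}}
    return {"allowed": True}
```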

Note: The DenyEscalatingExec admission plugin is deprecated and is scheduled to be removed in a future Kubernetes release.

When to Enable the DenyEscalatingExec Admission Plugin

To provide better security when privileged containers are enabled, enable the DenyEscalatingExec admission controller or use PodSecurityPolicy. Privileged containers are enabled when Allow Privileged is selected.

Since the DenyEscalatingExec admission controller is being deprecated, the recommended approach is to use PodSecurityPolicy or a custom admission plugin that protects against the creation of overly privileged pods and that can be targeted at specific users or namespaces.

For more information, see Pod Security Policy.

Warning: If the DenyEscalatingExec admission plugin is enabled for a plan before upgrade, it remains enabled after upgrade.

Impact of Enabling the DenyEscalatingExec Admission Controller

By selecting the DenyEscalatingExec checkbox, you make Kubernetes clusters deployed with the associated plan more secure: those clusters reject exec and attach requests to pods that run as privileged or that have access to the host IPC or host PID namespace.

Enabling the DenyEscalatingExec Admission Plugin

To enable the DenyEscalatingExec admission plugin, do the following:

  1. In the Tanzu Kubernetes Grid Integrated Edition tile, select the desired Plan, such as Plan 1.
  2. At the bottom of the configuration panel, select the DenyEscalatingExec option.
  3. Click Save.
  4. On the Installation Dashboard, click Review Pending Changes.
  5. For Tanzu Kubernetes Grid Integrated Edition, verify that Upgrade all clusters errand is enabled.
  6. Click Apply Changes to deploy clusters with the admission plugin enabled.

Alternatively, instead of enabling Upgrade all clusters errand, you can upgrade individual Kubernetes clusters through the TKGI Command Line Interface (TKGI CLI). For instructions on upgrading individual Kubernetes clusters, see Upgrading Clusters.

Please send any feedback you have to pks-feedback@pivotal.io.