Enabling the DenyEscalatingExec Admission Plugin
Topic provided by VMware
This section describes how and when to enable the DenyEscalatingExec admission controller for VMware Tanzu Kubernetes Grid Integrated Edition clusters.
The DenyEscalatingExec admission controller rejects exec and attach requests to pods that run with escalated privileges or host access: pods that run as privileged, pods with access to the host Interprocess Communication (IPC) namespace, and pods with access to the host PID namespace.
See DenyEscalatingExec in the Kubernetes documentation for more information.
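The check the plugin performs, written out as an added illustration (not the plugin's own code, which is compiled into kube-apiserver rather than delivered as a webhook): it acts only on CONNECT requests to the pods/exec and pods/attach subresources, looks up the target pod, and denies the request when the pod is privileged or shares the host IPC or PID namespace. The AdmissionReview shape and the sample pods are constructed for this example.

```python
# Illustrative reimplementation of the DenyEscalatingExec decision, applied to
# webhook-style AdmissionReview requests. Not the upstream plugin's code.
from typing import Dict, List

# Constructed sample pods, shaped like the relevant fields of a v1.Pod spec.
SAMPLE_PODS: Dict[str, dict] = {
    "privileged-app": {
        "containers": [{"name": "app", "securityContext": {"privileged": True}}],
    },
    "host-pid-debugger": {
        "hostPID": True,
        "containers": [{"name": "dbg"}],
    },
    "plain-web": {
        "containers": [{"name": "web", "securityContext": {"privileged": False}}],
    },
}


def escalation_reasons(pod_spec: dict) -> List[str]:
    """Return why a pod counts as escalating; an empty list means it does not."""
    reasons = []
    if pod_spec.get("hostIPC"):
        reasons.append("pod shares the host IPC namespace")
    if pod_spec.get("hostPID"):
        reasons.append("pod shares the host PID namespace")
    # Init containers count too: a privileged init container is still escalation.
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            reasons.append(f"container {c['name']!r} is privileged")
    return reasons


def admit(review: dict, pods: Dict[str, dict] = SAMPLE_PODS) -> dict:
    """Decide an AdmissionReview request the way DenyEscalatingExec does."""
    req = review["request"]
    # Only exec/attach CONNECT requests are in scope; everything else passes through.
    if req.get("operation") != "CONNECT" or req.get("subResource") not in ("exec", "attach"):
        return {"allowed": True}
    pod = pods.get(req["name"])
    if pod is None:
        return {"allowed": False, "status": {"message": "pod not found"}}
    reasons = escalation_reasons(pod)
    if reasons:
        return {"allowed": False, "status": {"message": "; ".join(reasons)}}
    return {"allowed": True}
```

Note that the decision depends only on the target pod's spec, not on who issues the exec, which is why the text below recommends PodSecurityPolicy or a custom plugin when per-user or per-namespace targeting is needed.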
Note: The DenyEscalatingExec admission plugin is deprecated and is scheduled to be removed in a future Kubernetes release.
If privileged containers are enabled (that is, the Allow Privileged checkbox is selected in the plan), harden the cluster by enabling the DenyEscalatingExec admission controller or by using PodSecurityPolicy.
Because the DenyEscalatingExec admission controller is deprecated, the recommended approach is to use PodSecurityPolicy or a custom admission plugin that prevents the creation of overly privileged pods and that can be targeted at specific users or namespaces.
For more information, see Pod Security Policy.
Warning: If the DenyEscalatingExec admission plugin is enabled for a plan before upgrade, it remains enabled after upgrade.
By selecting the DenyEscalatingExec checkbox, you make Kubernetes clusters deployed with the associated plan more secure.
To enable the DenyEscalatingExec admission plugin, do the following:
- In the Tanzu Kubernetes Grid Integrated Edition tile, select the desired Plan, such as Plan 1.
- At the bottom of the configuration panel, select the DenyEscalatingExec option.
- Click Save.
- On the Installation Dashboard, click Review Pending Changes.
- For Tanzu Kubernetes Grid Integrated Edition, verify that the Upgrade all clusters errand is enabled.
- Click Apply Changes to deploy clusters with the admission plugin enabled.
Alternatively, instead of enabling the Upgrade all clusters errand, you can upgrade individual Kubernetes clusters through the TKGI Command Line Interface (TKGI CLI). For instructions on upgrading individual Kubernetes clusters, see Upgrading Clusters.