Pod Security Standards Profiles

Pod Security Standards Profiles (Pod standards) are filter options for Panoptica Deployment Policy Rules, to filter for workloads according to properties of the Kubernetes pod on which they are running.

Use Pod Standards

Use Pod standards as an additional filter option in Deployment Rules, to select Workloads for the rules. With this, you can select workloads that are running in pods with specific profiles.

With ALLOW type Deployment rules

For ALLOW type Deployment rules, you can select a Pod standard as a workload filter option in STEP 1. These will be applied to select workloads for the rule, like other filter options (such as vulnerabilities).

In addition, you can select actions for workloads that are excluded by the profile. You can select from these actions:

  • Detect - allow the workload to run, while recording an audit entry for it
  • Block - block the workload from running
  • Enforce - attempt to correct the Pod properties, to comply with the settings in the profile.

For example, if you applied a profile that requires no privilege escalation, and the workload is running in a pod that is configured to allow privilege escalation, the workload would be blocked by the filter. You could then optionally allow the workload to run in any case, but with restrictions. Or, you could apply the Enforce action, and correct the pod so that it does not allow this escalation.

With BLOCK and DETECT rules

For BLOCK or DETECT Deployment rules, you can select a Pod standard as a workload filter option (STEP 1). These are applied to select workloads for the rule, like other filter options. You cannot select optional actions for workloads that are excluded by the profile.

Example

The example below is an ALLOW type rule. It includes a Pod standard (the Strict Security Profile), with a DETECT otherwise option. This means that all workloads that are excluded by the security profile will be permitted to run in any case, but with a Detect event recorded in the audit trail.


The next example is a DETECT rule. It also includes the Strict Security Profile PSP. It cannot include an option for excluded workloads, since the rule is DETECT type.


Create a Pod standard

Create Pod standards that can be used in Deployment Rules.

  1. Navigate to Policies page, and select the POD STANDARDS tab.
  2. Click New Pod Security Standards Profile.
  3. Enter a Name & Description, then click NEXT.
  4. Select/set the following pod options:
    • runAsUser - the user ID that the containers in the pod are run with. If omitted, can be any ID.
    • runAsGroup - the Group ID that the containers are run with. If omitted, can be any ID.
    • fsGroup - the supplemental FS (filesystem) Group applied to volumes mounted in the pod.
    • supplementalGroups - Group IDs that containers can add.
    • privileged - if set, a container in the pod can enable privileged mode (for example, to access devices).
    • readOnlyRootFilesystem - if set, containers in the pod must run with a read-only root filesystem only.
    • allowPrivilegeEscalation - if set, containers in the pod can set the security context (escalate privilege). Default is true, if not overridden by the defaultAllowPrivilegeEscalation parameter.
    • defaultAllowPrivilegeEscalation - default value for the allowPrivilegeEscalation option.
    • volumes - whitelist of allowed volume types. Use '*' to allow all types. If omitted, no volume types are allowed.
    • allowedCapabilities - a whitelist of capabilities that can be added to a container. Use '*' to allow all capabilities. If omitted or empty, no capabilities can be added.
    • allowedProcMountTypes - a whitelist of allowed ProcMount types. If omitted or empty, only the DefaultProcMountType is allowed.
    • hostPorts - a whitelist of ranges of network ports that can be exposed in the pod (min to max, inclusive).
  5. Click FINISH.

See Kubernetes Pod Security Standards for more details about these options.
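As an added example (not Panoptica's code), the checks behind these options and the Detect / Block / Enforce actions described above, modelled in Python: the profile values, the sample pod spec and the function names are assumptions, while the field names follow the option list.

```python
import copy

# Constructed profile (not from the page); keys mirror the Pod Standards form above.
STRICT_PROFILE = {"privileged": False, "allowPrivilegeEscalation": False,
                  "readOnlyRootFilesystem": True,
                  "volumes": ["configMap", "secret", "emptyDir"],  # '*' allows every type
                  "hostPorts": [(8000, 9000)]}                     # inclusive ranges

# Constructed pod spec that the profile should exclude on several counts.
SAMPLE_POD = {
    "containers": [{"name": "web", "securityContext": {"privileged": True},
                    "ports": [{"containerPort": 80, "hostPort": 80}]}],
    "volumes": [{"name": "data", "hostPath": {"path": "/var/log"}}],
}

def violations(pod, profile):
    """Return (container, field, value) triples the profile excludes."""
    found = []
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if not profile["privileged"] and sc.get("privileged", False):
            found.append((c["name"], "privileged", True))
        # An unset allowPrivilegeEscalation counts as true, as the option list says.
        if not profile["allowPrivilegeEscalation"] and sc.get("allowPrivilegeEscalation", True):
            found.append((c["name"], "allowPrivilegeEscalation", True))
        if profile["readOnlyRootFilesystem"] and not sc.get("readOnlyRootFilesystem", False):
            found.append((c["name"], "readOnlyRootFilesystem", False))
        for hp in (p["hostPort"] for p in c.get("ports", []) if "hostPort" in p):
            if not any(lo <= hp <= hi for lo, hi in profile["hostPorts"]):
                found.append((c["name"], "hostPort", hp))
    if "*" not in profile["volumes"]:
        for v in pod.get("volumes", []):
            vtype = next(k for k in v if k != "name")  # the key naming the volume type
            if vtype not in profile["volumes"]:
                found.append(("pod", "volume", vtype))
    return found

def apply_action(pod, profile, action):
    """Apply the rule's 'otherwise' action ('Detect', 'Block' or 'Enforce').
    Returns (allowed, pod, remaining), where remaining lists uncorrected violations."""
    pod = copy.deepcopy(pod)
    if action == "Enforce":
        # Correct the securityContext fields; hostPort and volume type are not rewritten.
        for c in pod.get("containers", []):
            sc = c.setdefault("securityContext", {})
            if not profile["privileged"]: sc["privileged"] = False
            if not profile["allowPrivilegeEscalation"]: sc["allowPrivilegeEscalation"] = False
            if profile["readOnlyRootFilesystem"]: sc["readOnlyRootFilesystem"] = True
    remaining = violations(pod, profile)
    return action == "Detect" or not remaining, pod, remaining
```

With Detect the pod is allowed and the returned violations are the audit entries; with Enforce the hostPort and hostPath findings remain, so the pod still cannot run under a Block-style outcome.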

Modify a Pod standard

  1. Navigate to Policies page, and select the POD STANDARDS tab.
  2. Click on the edit symbol to the right of the profile to be modified.
  3. Make changes to the profile, as necessary, and then click FINISH.