Applying the Pod Security Policies for Component Pack

Install the k8s-psp helm chart to apply the Pod Security Policies needed for Component Pack applications.

About this task

  • The steps in this topic only need to be done if you have enabled the Pod Security Policies admission controller on your Kubernetes cluster.
  • You can run helm list on a master node to confirm whether the k8s-psp Helm chart was already deployed.

Procedure

  1. Install or upgrade the k8s-psp Helm chart.
    • If the Helm chart is not yet deployed, install it by running the following command. In the command, replace extractedFolder with the location of the directory where you extracted the Component Pack installation package.
      helm install \
      --name=k8s-psp extractedFolder/microservices_connections/hybridcloud/helmbuilds/k8s-psp-0.1.0-20200131-192818.tgz
    • If the Helm chart is already installed, run the upgrade command:
      helm upgrade k8s-psp extractedFolder/microservices_connections/hybridcloud/helmbuilds/k8s-psp-0.1.0-20200131-192818.tgz
  2. Verify that policies have been applied by running the following command: kubectl get psp
    For Component Pack 6.5.0.0 or later, the following policies appear:
    $ kubectl get psp
    NAME                  PRIV    CAPS                    SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
    cnx-ingress           false   NET_BIND_SERVICE        RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,secret
    filebeat              false                           RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
    infra-elasticsearch   true    IPC_LOCK,SYS_RESOURCE   RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
    infra-storage         false                           RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
    kudos-boards-minio    false                           RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
    privileged            true    *                       RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
    restricted            false                           RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
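
To review what the applied policies permit, the table from step 2 can be piped through a small filter that lists each policy allowing privileged containers, all capabilities, hostPath volumes, or all volume types. This is an added example, not part of the Component Pack package or its documentation; the function names audit_psp and sample_psp_table are hypothetical, and the sample input is the expected output shown above.

```shell
#!/bin/sh
# Added example: flag permissive settings in `kubectl get psp` output.

# Sample input: the expected table shown in step 2 of this page.
sample_psp_table() {
cat <<'EOF'
NAME                  PRIV    CAPS                    SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
cnx-ingress           false   NET_BIND_SERVICE        RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,secret
filebeat              false                           RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
infra-elasticsearch   true    IPC_LOCK,SYS_RESOURCE   RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
infra-storage         false                           RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
kudos-boards-minio    false                           RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
privileged            true    *                       RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
restricted            false                           RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
EOF
}

# Reads a `kubectl get psp` table on stdin and prints "name: finding,finding"
# for every policy with at least one permissive setting.
audit_psp() {
  awk '
    NR == 1 { next }   # skip the header row
    NF < 8  { next }   # skip blank or malformed lines
    {
      # The CAPS column may be empty, so a row has 8 or 9 fields.
      caps = (NF >= 9) ? $3 : ""
      vols = $NF
      out = ""
      if ($2 == "true") out = out ",privileged"
      if (caps == "*")  out = out ",all-capabilities"
      if (vols == "*")  out = out ",all-volumes"
      else if (("," vols ",") ~ /,hostPath,/) out = out ",hostPath"
      if (out != "") print $1 ": " substr(out, 2)
    }'
}

# Run against the sample table; on a cluster use: kubectl get psp | audit_psp
sample_psp_table | audit_psp
```

Policies that do not appear in the output (cnx-ingress, infra-storage and restricted in the sample) have none of the four settings.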