Applying the Pod Security Policies for Component Pack
Install the k8s-psp helm chart to apply the Pod Security Policies needed for Component Pack applications.
About this task
- The steps in this topic only need to be done if you have enabled the Pod Security Policies admission controller on your Kubernetes cluster.
- You can run helm list on a master node to confirm whether the k8s-psp Helm chart was already deployed.
Procedure
- Install or upgrade the k8s-psp Helm chart.
  - If the Helm chart is not yet deployed, install it by running the following command. In the command, replace extractedFolder with the location of the directory where you extracted the Component Pack installation package.
    helm install \
    --name=k8s-psp extractedFolder/microservices_connections/hybridcloud/helmbuilds/k8s-psp-0.1.0-20200131-192818.tgz
  - If the Helm chart is already installed, run the upgrade command:
    helm upgrade k8s-psp extractedFolder/microservices_connections/hybridcloud/helmbuilds/k8s-psp-0.1.0-20200131-192818.tgz
- Verify that policies have been applied by running the following command:
  kubectl get psp
For Component Pack 6.5.0.0 or later, the following policies appear:
$ kubectl get psp
NAME                 PRIV   CAPS                   SELINUX   RUNASUSER         FSGROUP    SUPGROUP   READONLYROOTFS  VOLUMES
cnx-ingress          false  NET_BIND_SERVICE       RunAsAny  MustRunAsNonRoot  MustRunAs  MustRunAs  false           configMap,secret
filebeat             false                         RunAsAny  RunAsAny          MustRunAs  MustRunAs  false           configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
infra-elasticsearch  true   IPC_LOCK,SYS_RESOURCE  RunAsAny  RunAsAny          MustRunAs  MustRunAs  false           configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
infra-storage        false                         RunAsAny  RunAsAny          MustRunAs  MustRunAs  false           configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
kudos-boards-minio   false                         RunAsAny  RunAsAny          MustRunAs  MustRunAs  false           configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
privileged           true   *                      RunAsAny  RunAsAny          RunAsAny   RunAsAny   false           *
restricted           false                         RunAsAny  MustRunAsNonRoot  MustRunAs  MustRunAs  false           configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
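
The verification step can be scripted so that a missing policy fails loudly and the policies that allow privileged containers are called out for review. The following is an added example, not part of the product documentation; the function names are hypothetical, and the expected policy names and sample rows are taken from the listing above.

```sh
#!/bin/sh
# Added example (not from the product documentation): checks `kubectl get psp`
# output against the policy names this topic lists for 6.5.0.0 or later.
EXPECTED_PSPS="cnx-ingress filebeat infra-elasticsearch infra-storage kudos-boards-minio privileged restricted"

# Sample input: the listing shown in this topic, one policy per row.
SAMPLE_PSP_OUTPUT='NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
cnx-ingress false NET_BIND_SERVICE RunAsAny MustRunAsNonRoot MustRunAs MustRunAs false configMap,secret
filebeat false RunAsAny RunAsAny MustRunAs MustRunAs false configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
infra-elasticsearch true IPC_LOCK,SYS_RESOURCE RunAsAny RunAsAny MustRunAs MustRunAs false configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
infra-storage false RunAsAny RunAsAny MustRunAs MustRunAs false configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
kudos-boards-minio false RunAsAny RunAsAny MustRunAs MustRunAs false configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false *
restricted false RunAsAny MustRunAsNonRoot MustRunAs MustRunAs false configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim'

# Print each expected policy name that is absent from the output on stdin.
missing_psps() {
    awk -v expected="$EXPECTED_PSPS" '
        NF && $1 != "NAME" { seen[$1] = 1 }   # record NAME column, skip header
        END {
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print want[i]
        }'
}

# Print the names of policies whose PRIV column is "true". NAME and PRIV are
# always fields 1 and 2, so the blank CAPS column on some rows does not matter.
privileged_psps() {
    awk '$1 != "NAME" && $2 == "true" { print $1 }'
}

# Report on the output read from stdin; return 1 if an expected policy is missing.
check_psps() {
    out=$(cat)
    printf 'Policies allowing privileged containers: %s\n' \
        "$(printf '%s\n' "$out" | privileged_psps | tr '\n' ' ')"
    missing=$(printf '%s\n' "$out" | missing_psps)
    if [ -n "$missing" ]; then
        printf 'Missing policy: %s\n' $missing
        return 1
    fi
    echo "All expected policies are present."
}

# On a cluster: kubectl get psp | check_psps
printf '%s\n' "$SAMPLE_PSP_OUTPUT" | check_psps
```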