@jkeam
Created February 7, 2023 21:55
Pod Security Admission Demo Script
# Pod Security Admission Demo
## Part 1 - What is this
1. New Project:
```shell
oc new-project psa-test
```
2. Create deployment:
```shell
oc create -f https://raw.githubusercontent.com/radikaled/psa/main/deploy/psa-test-deployment.yaml
```
3. See Warning
Despite the warning, the Deployment was created successfully. This behavior will likely change once the `restricted` Pod Security level is enforced.
The `restricted` Pod Security level criteria are outlined [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted).
## Part 2 - Namespace Sync
1. See labels for namespace:
```shell
oc get ns psa-test -o jsonpath-as-json='{.metadata.labels}'
```
2. These are [Pod Security Admission labels](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces), created automatically via [pod security admission synchronization](https://docs.openshift.com/container-platform/4.11/authentication/understanding-and-managing-pod-security-admission.html#security-context-constraints-psa-opting_understanding-and-managing-pod-security-admission).
## Part 3 - Fix
1. Fix Warning:
```shell
oc replace -f https://raw.githubusercontent.com/radikaled/psa/main/deploy/psa-test-deployment_restricted.yaml
```
No warnings! Diff the two deployment files to see the change.
2. Clean up:
```shell
oc delete deployment psa-test
```
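A checker of the kind that decides the warnings and rejections seen in this demo, as an added example (not code from the gist or from the radikaled/psa repo): it tests a pod spec against the main `restricted` profile rules, using constructed specs that stand in for the before and after deployments the demo has you diff.

```python
"""Subset checker for the Kubernetes 'restricted' Pod Security Standard.
Added example (not the gist's or radikaled/psa's code): the constructed specs
below stand in for the before/after deployments the demo tells you to diff."""

def restricted_violations(pod_spec: dict) -> list:
    """Return the restricted-profile rules a pod spec breaks ([] if compliant)."""
    found = []
    # Host namespaces are forbidden from the baseline level upwards.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            found.append(f"spec.{field}=true")
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc, name = c.get("securityContext", {}), c.get("name", "?")
        if sc.get("privileged"):
            found.append(f"{name}: privileged=true")
        # Restricted wants an explicit false; an unset field is a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add", [])) - {"NET_BIND_SERVICE"})
        if extra:
            found.append(f"{name}: capabilities.add {extra} not allowed")
        # Container-level settings override the pod-level ones.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault/Localhost")
    return found

# Constructed specs with a hypothetical image; not the gist's YAML.
UNFIXED_SPEC = {"containers": [{"name": "app", "image": "example/app:1"}]}
FIXED_SPEC = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:1",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}
PRIVILEGED_SPEC = {"containers": [{"name": "app", "image": "example/app:1",
                                   "securityContext": {"privileged": True}}]}

if __name__ == "__main__":
    for label, spec in (("unfixed", UNFIXED_SPEC), ("fixed", FIXED_SPEC),
                        ("privileged", PRIVILEGED_SPEC)):
        print(label, restricted_violations(spec) or "OK")
```

The unfixed spec trips four rules (privilege escalation, capabilities, runAsNonRoot, seccomp), which is the same set the restricted deployment file in Part 3 has to set explicitly.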
## Part 4 - Privilege
So what might things look like once Pod Security Admission is set to enforce? We can illustrate the behavior by attempting to deploy a privileged pod.
1. Add labels to the `psa-test` namespace:
```shell
oc edit ns psa-test
```
Add the following under `metadata.labels`:
```yaml
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: v1.24
```
The namespace labels should now resemble the following:
```yaml
labels:
  kubernetes.io/metadata.name: psa-test
  pod-security.kubernetes.io/enforce: restricted
  pod-security.kubernetes.io/enforce-version: v1.24
  pod-security.kubernetes.io/audit: restricted
  pod-security.kubernetes.io/audit-version: v1.24
  pod-security.kubernetes.io/warn: restricted
  pod-security.kubernetes.io/warn-version: v1.24
```
2. Create the `privileged` ServiceAccount:
```shell
oc create -f https://raw.githubusercontent.com/radikaled/psa/main/deploy/sa-privileged.yaml
```
3. Create the `scc-privileged` Role (so that a ServiceAccount or user can use the `privileged` SCC):
```shell
oc create -f https://raw.githubusercontent.com/radikaled/psa/main/deploy/role-scc-privileged.yaml
```
4. Create the `scc-privileged` RoleBinding:
```shell
oc create -f https://raw.githubusercontent.com/radikaled/psa/main/deploy/rb-scc-privileged.yaml
```
5. Create the Deployment that utilizes the `privileged` SCC:
```shell
oc create -f https://raw.githubusercontent.com/radikaled/psa/main/deploy/psa-test-deployment_privileged.yaml
```
6. No warning has been returned via the CLI and the Deployment has been created:
```shell
oc get deployments
```
Although our Deployment is not READY:
```
NAME       READY   UP-TO-DATE   AVAILABLE   AGE
psa-test   0/1     0            0           2m11s
```
7. Looking at the events in the namespace reveals the reason:
```shell
oc get events | grep -i warning
```
Since the namespace's Pod Security Admission level is set to `restricted` and the labels are set to enforce, the pod has been rejected accordingly. The ReplicaSet shows the same:
```shell
oc get replicaset/psa-test-7cdc48784
oc describe replicaset/psa-test-7cdc48784 | bat
```
8. We can turn this label syncing off: to disable pod security admission label synchronization in a namespace, set the value of the `security.openshift.io/scc.podSecurityLabelSync` label to `false`.