Version: v1.8 (Dev)

Harvester Cluster Pod Security Standard Setting

Starting from v1.8.0, Harvester provides a more flexible way for cluster admins to apply Kubernetes Pod Security Standards by changing a setting.

This is useful for users leveraging Harvester for bare metal workloads.

Background

Harvester users running bare metal workloads in large multi-tenant environments may need to prevent privilege escalation.

Users could manually apply pod security standards using the following knowledge base document.

The new setting simplifies setup of cluster-wide pod security standards.

The setting is disabled by default.

{
  "enabled": false,
  "whitelistedNamespacesList": "",
  "privilegedNamespacesList": "",
  "restrictedNamespacesList": ""
}

The fields are as follows:

enabled: when true, a baseline standard is applied to all namespaces except the Harvester system namespaces. Core Harvester features are verified to work at the baseline level. Once enabled, direct changes to a namespace's PSS configuration are forbidden; all modifications must be made through the Harvester settings UI or API.

whitelistedNamespacesList: a comma-separated list of namespaces that are skipped when the pod security standard is applied.

privilegedNamespacesList: a comma-separated list of namespaces to which the privileged pod security standard is applied.

restrictedNamespacesList: a comma-separated list of namespaces to which the restricted pod security standard is applied.

Configuring pod security standards

Cluster-wide pod security standards can be applied using the cluster-pod-security-standard setting.

Before enabling the setting, check its current value (an empty VALUE column means the setting is still at its disabled default):

kubectl get settings.harvesterhci.io cluster-pod-security-standard
NAME VALUE
cluster-pod-security-standard

Update the setting as follows:

kubectl patch settings.harvesterhci.io cluster-pod-security-standard --type='json' -p='[{"op": "replace", "path": "/value", "value": "{\"enabled\":true,\"whitelistedNamespacesList\":\"default\",\"restrictedNamespacesList\":\"demo,restricted-ns\",\"privilegedNamespacesList\":\"demo2,privileged-ns\"}"}]'

Verify that the setting was applied:

kubectl get settings.harvesterhci.io cluster-pod-security-standard
NAME VALUE
cluster-pod-security-standard {"enabled":true,"whitelistedNamespacesList":"default","restrictedNamespacesList":"demo,restricted-ns","privilegedNamespacesList":"demo2,privileged-ns"}
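The setting value is a JSON document stored as a string, so it must be escaped once more when embedded in the kubectl JSON patch, and the three namespace lists assign mutually exclusive levels. The following added helper (not part of Harvester or its documentation) builds that double-encoded patch, rejects a namespace that appears in more than one list, and reports which level the setting implies for a given namespace; the sample namespaces are the ones from the patch command above, and Harvester's own system namespaces are assumed to be handled by the controller rather than modelled here.

```python
import json

def build_pss_setting(enabled, whitelisted=(), privileged=(), restricted=()):
    """Return the JSON string stored as the value of the
    cluster-pod-security-standard setting.

    The three lists assign mutually exclusive treatments, so a namespace that
    appears in more than one of them is rejected instead of silently letting
    one list win."""
    lists = {
        "whitelistedNamespacesList": list(whitelisted),
        "privilegedNamespacesList": list(privileged),
        "restrictedNamespacesList": list(restricted),
    }
    owner = {}
    for field, names in lists.items():
        for ns in names:
            if ns in owner:
                raise ValueError(f"namespace {ns!r} is in both {owner[ns]} and {field}")
            owner[ns] = field
    value = {"enabled": enabled}
    value.update({field: ",".join(names) for field, names in lists.items()})
    return json.dumps(value, separators=(",", ":"))

def build_kubectl_patch(setting_value):
    """JSON patch document for `kubectl patch settings.harvesterhci.io
    cluster-pod-security-standard --type=json -p=<this>`. The setting value is
    itself JSON text, so it is embedded as a string and ends up double-encoded."""
    return json.dumps([{"op": "replace", "path": "/value", "value": setting_value}])

def effective_level(setting_value, namespace):
    """Level the setting implies for a namespace: None when the setting is
    disabled (including the empty default) or the namespace is whitelisted,
    otherwise privileged, restricted, or the baseline default.
    Assumption: Harvester system namespaces are not modelled here."""
    value = json.loads(setting_value) if setting_value.strip() else {"enabled": False}
    if not value.get("enabled"):
        return None
    names = lambda key: {n for n in value.get(key, "").split(",") if n}
    if namespace in names("whitelistedNamespacesList"):
        return None
    if namespace in names("privilegedNamespacesList"):
        return "privileged"
    if namespace in names("restrictedNamespacesList"):
        return "restricted"
    return "baseline"

# Constructed sample reproducing the namespace lists from the kubectl patch above.
SETTING = build_pss_setting(True, ["default"], ["demo2", "privileged-ns"], ["demo", "restricted-ns"])
PATCH = build_kubectl_patch(SETTING)
```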