This laboratory is designed as a first contact with Pod Security Policies, run locally using microk8s.
This lab assumes you have basic knowledge of Kubernetes, RBAC, and basic Linux commands and concepts.
As a requirement, you must have microk8s installed (default installation) on your Linux PC. Then enable the dns microk8s plugin: microk8s.enable dns
To check that microk8s is running correctly, execute the following command. You should see output like the one shown below:
$ sudo microk8s.inspect
Inspecting services
Service snap.microk8s.daemon-docker is running
Service snap.microk8s.daemon-apiserver is running
Service snap.microk8s.daemon-proxy is running
Service snap.microk8s.daemon-kubelet is running
Service snap.microk8s.daemon-scheduler is running
Service snap.microk8s.daemon-controller-manager is running
Service snap.microk8s.daemon-etcd is running
Copy service arguments to the final report tarball
Inspecting AppArmor configuration
Gathering system info
Copy network configuration to the final report tarball
Copy processes list to the final report tarball
Copy snap list to the final report tarball
Inspect kubernetes cluster
Building the report tarball
Report tarball is at /var/snap/microk8s/383/inspection-report-20190123_110858.tar.gz
- 0. Save default kubeconfig
- 1. Configure RBAC
- 2. Create a cluster-admin kubeconfig file
- 3. Create a user space
- 4. Expose secure API Server
- 5. Modify kubeconfig files to use secure servers
- 6. Enable Pod Security Policies
- 7. Configure default Pod Security Policy
- 8. Configure kube-system Pod Security Policy
This is a laboratory and therefore may not function properly. It is designed to show the capabilities offered by Pod Security Policies. Following this laboratory is enough to understand their functionality at a high level.