Enabling PodSecurityPolicy on AKS

As a best practice, PodSecurityPolicy should not be enabled before you create your own policies. This recipe will take you through how to enable PSP on Azure Kubernetes Service (AKS) and how to review default policies.

Let's perform the following steps:

  1. You can enable PSP on the cluster you have deployed by following the instructions given in Chapter 1, Building Production-Ready Kubernetes Clusters, in the Provisioning a managed Kubernetes cluster on AKS recipe, by running the following command. Replace k8sdevopscookbook with your own resource group and AKSCluster with your cluster name:
$ az aks create --resource-group k8sdevopscookbook \
--name AKSCluster \
--enable-pod-security-policy
  2. The default configuration comes with a non-disruptive policy named privileged that has no restrictions. View the default policy with the following command:
$ kubectl get psp
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false * configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
  3. Describe the policy to see its full details, as follows:
$ kubectl describe psp privileged
  4. To review, restore, or delete the default PSP, use the YAML manifest in the example repository in src/chapter9/psp named aks-privileged-psp.yaml.
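
To make the review of the default policy concrete, here is an added example (not from the book or its repository) that reads the output of kubectl get psp -o json and lists, per policy, the settings that place no limit on a pod. The sample input is constructed to mirror the privileged row shown above, and the function names are hypothetical.

```python
import json
import sys

# Constructed sample mirroring the `privileged` row above (not captured output).
SAMPLE = json.dumps({"items": [{
    "metadata": {"name": "privileged"},
    "spec": {
        "privileged": True,
        "allowedCapabilities": ["*"],
        "seLinux": {"rule": "RunAsAny"},
        "runAsUser": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "RunAsAny"},
        "supplementalGroups": {"rule": "RunAsAny"},
        "readOnlyRootFilesystem": False,
        "volumes": ["*", "configMap", "emptyDir", "projected", "secret",
                    "downwardAPI", "persistentVolumeClaim"],
    },
}]})

RULE_FIELDS = ("seLinux", "runAsUser", "fsGroup", "supplementalGroups")
HOST_FLAGS = ("hostNetwork", "hostPID", "hostIPC")

def unrestricted_settings(spec):
    """Return the PSP spec fields that place no limit on a pod."""
    found = []
    if spec.get("privileged"):
        found.append("privileged")
    if "*" in spec.get("allowedCapabilities", []):
        found.append("allowedCapabilities=*")
    if "*" in spec.get("volumes", []):
        found.append("volumes=*")
    # allowPrivilegeEscalation defaults to true when the field is omitted
    if spec.get("allowPrivilegeEscalation", True):
        found.append("allowPrivilegeEscalation")
    found += [f for f in HOST_FLAGS if spec.get(f)]
    found += [f"{f}=RunAsAny" for f in RULE_FIELDS
              if spec.get(f, {}).get("rule") == "RunAsAny"]
    return found

def review(psp_list_json):
    """Map each policy name to its list of unrestricted settings."""
    items = json.loads(psp_list_json).get("items", [])
    return {i["metadata"]["name"]: unrestricted_settings(i.get("spec", {}))
            for i in items}

if __name__ == "__main__":
    # With no pipe attached, fall back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, settings in review(data).items():
        print(f"{name}: {', '.join(settings) or 'no unrestricted settings'}")
```

Pipe kubectl get psp -o json into the script to check a real cluster; a policy that prints an empty result constrains every setting the script inspects.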