You're reading from Kubernetes and Docker - An Enterprise Guide Effectively containerize applications, integrate enterprise systems, and scale applications in your enterprise

Product type Paperback

Published in Nov 2020

Publisher Packt

ISBN-13 9781839213403

Length 526 pages

Edition 1st Edition

Tools

Docker

Concepts

Cloud Computing

Authors (2):

Marc Boorshtein

Scott Surovich

View More author details

Table of Contents (20) Chapters

Preface

1. Section 1: Docker and Container Fundamentals

2. Chapter 1: Docker and Container Essentials FREE CHAPTER

3. Chapter 2: Working with Docker Data

4. Chapter 3: Understanding Docker Networking

5. Section 2: Creating Kubernetes Development Clusters, Understanding objects, and Exposing Services

6. Chapter 4: Deploying Kubernetes Using KinD

7. Chapter 5: Kubernetes Bootcamp

8. Chapter 6: Services, Load Balancing, and External DNS

9. Section 3: Running Kubernetes in the Enterprise

10. Chapter 7: Integrating Authentication into Your Cluster

11. Chapter 8: RBAC Policies and Auditing

12. Chapter 9: Deploying a Secured Kubernetes Dashboard

13. Chapter 10: Creating PodSecurityPolicies

14. Chapter 11: Extending Security Using Open Policy Agent

15. Chapter 12: Auditing using Falco and EFK

16. Chapter 13: Backing Up Workloads

17. Chapter 14: Provisioning a Platform

18. Assessments

19. Other Books You May Enjoy

Leave a review - let other readers know what you think

Enabling PSPs

Enabling PSPs is very simple. Adding PodSecurityPolicy to the API server's list of admission controllers will send all newly created Pod objects through the PodSecurityPolicy admission controller. This controller does two things:

Identifies the best policy: The best policy to use is identified by the capabilities requested by a pod's definition. A pod cannot explicitly state which policy it wants to enforce, only what capabilities it wants.
Determines whether the Pod's policy is authorized: Once a policy is identified, the admission controller needs to determine whether the creator of the pod or the serviceAccount of the pod is authorized to use that policy.

The combination of these two criteria can lead to unexpected results. The creator of the pod isn't the user that submits the Deployment or StatefulSet definition. There's a controller that watches for Deployment updates and creates a ReplicaSet. There is a controller that...