Pod Security Admission (PSA) Configuration Templates
Pod Security admission (PSA) configuration templates are a Rancher custom-defined resource (CRD), available in Rancher v2.7.2 and above. The templates provide pre-defined security configurations that you can apply to a cluster:
rancher-privileged
: The most permissive configuration. It doesn't restrict the behavior of any pods. This allows for known privilege escalations. This policy has no exemptions.rancher-restricted
: A heavily restricted configuration that follows current best practices for hardening pods. You must make namespace-level exemptions for Rancher components.
Assign a Pod Security Admissions (PSA) Configuration Template
You can assign a PSA template at the same time that you create a downstream cluster. You can also add a template by configuring an existing cluster.
Assign a Template During Cluster Creation
- RKE2 and K3s
- RKE1
- In the upper left corner, click ☰ > Cluster Management.
- On the Clusters page, click the Create button.
- Select a provider.
- On the Cluster: Create page, go to Basics > Security.
- In the Pod Security Admission Configuration Template dropdown menu, select the template you want to assign.
- Click Create.
Assign a Template to an Existing Cluster
- In the upper left corner, click ☰ > Cluster Management.
- Find the cluster you want to update in the Clusters table, and click the ⋮.
- Select Edit Config .
- In the Pod Security Admission Configuration Template dropdown menu, select the template you want to assign.
- Click Save.
Hardening the Cluster
If you select the rancher-restricted template but don't select a CIS Profile, you won't meet required CIS benchmarks. See the RKE2 hardening guide for more details.
- In the upper left corner, click ☰ > Cluster Management.
- On the Clusters page, click the Create button.
- Select a provider.
- On the Add Cluster page, under Cluster Options, click Advanced Options.
- In the Pod Security Admission Configuration Template dropdown menu, select the template you want to assign.
- Click Create.
Assign a Template to an Existing Cluster
- In the upper left corner, click ☰ > Cluster Management.
- Find the cluster you want to update in the Clusters table, and click the ⋮.
- Select Edit Config.
- On the Edit Cluster page, go to Cluster Options > Advanced Options.
- In the Pod Security Admission Configuration Template, select the template you want to assign.
- Click Save.
Add or Edit a Pod Security Admissions (PSA) Configuration Template
If you have administrator privileges, you can customize security restrictions and permissions by creating additional PSA templates, or by editing existing templates.
If you edit an existing PSA template while it is still in use, changes will be applied to all clusters that have been assigned to that template.
- In the upper left corner, click ☰ > Cluster Management.
- Click Advanced to open the dropdown menu.
- Select Pod Security Admissions.
- Find the template you want to modify, and click the ⋮.
- Select Edit Config to edit the template.
- When you're done editing the configuration, click Save.
Allow Non-Admin Users to Manage PSA Templates
If you want to allow other users to manage templates, you can bind that user to a role that grants all verbs ("*"
) on management.cattle.io/podsecurityadmissionconfigurationtemplates
.
Any user that is bound to the above permission will be able to change the restriction levels on all managed clusters which use a given PSA template, including ones that they have no permissions on.
Exempting Required Rancher Namespaces
When you run Rancher on a Kubernetes cluster that enforces a restrictive security policy by default, you'll need to exempt the following namespaces, otherwise the policy might prevent Rancher system pods from running properly.
calico-apiserver
calico-system
cattle-alerting
cattle-csp-adapter-system
cattle-epinio-system
cattle-externalip-system
cattle-fleet-local-system
cattle-fleet-system
cattle-gatekeeper-system
cattle-global-data
cattle-global-nt
cattle-impersonation-system
cattle-istio
cattle-istio-system
cattle-logging
cattle-logging-system
cattle-monitoring-system
cattle-neuvector-system
cattle-prometheus
cattle-sriov-system
cattle-system
cattle-ui-plugin-system
cattle-windows-gmsa-system
cert-manager
cis-operator-system
fleet-default
ingress-nginx
istio-system
kube-node-lease
kube-public
kube-system
longhorn-system
rancher-alerting-drivers
security-scan
tigera-operator
Rancher, some Rancher owned charts, and RKE2 and K3s distributions all use these namespaces. A subset of the listed namespaces are already exempt in the built-in Rancher rancher-restricted
policy, for use in downstream clusters. For a complete template which has all the exemptions you need to run Rancher, please refer to this sample Admission Configuration.
Exempting Namespaces
If you assign the rancher-restricted
template to a cluster, by default the restrictions are applied across the entire cluster at the namespace level. To exempt certain namespaces from this highly restricted policy, do the following:
- In the upper left corner, click ☰ > Cluster Management.
- Click Advanced to open the dropdown menu.
- Select Pod Security Admissions.
- Find the template you want to modify, and click the ⋮.
- Select Edit Config.
- Click the Namespaces checkbox under Exemptions to edit the Namespaces field.
- When you're done exempting namespaces, click Save.
You need to update the target cluster to make the new template take effect in that cluster. An update can be triggered by editing and saving the cluster without changing values.