Merge pull request #251176 from schaffererin/use-psa-freshness-pass

JamesJBarnett · web-flow · commit 45881875d97a · 2023-09-14T12:19:10.000-07:00
Use PSA in AKS freshness pass
diff --git a/articles/aks/use-psa.md b/articles/aks/use-psa.md
@@ -1,16 +1,16 @@
 ---
 title: Use Pod Security Admission in Azure Kubernetes Service (AKS)
 description: Learn how to enable and use Pod Security Admission with Azure Kubernetes Service (AKS).
+ms.custom: azure-kubernetes-service
 ms.topic: article
-ms.date: 08/08/2022
-
+ms.date: 09/12/2023
 ---
 
 # Use Pod Security Admission in Azure Kubernetes Service (AKS)
 
-Pod Security Admission enforces Pod Security Standards policies on pods running in a namespace. Pod Security Admission is enabled by default in AKS and is controlled by adding labels to a namespace. For more information about Pod Security Admission, see [Enforce Pod Security Standards with Namespace Labels][kubernetes-psa]. For more information about the Pod Security Standards used by Pod Security Admission, see [Pod Security Standards][kubernetes-pss].
+Pod Security Admission (PSA) uses labels to enforce Pod Security Standards policies on pods running in a namespace. AKS enables Pod Security Admission is enabled by default. For more information about Pod Security Admission and Pod Security Standards, see [Enforce Pod Security Standards with namespace labels][kubernetes-psa] and [Pod Security Standards][kubernetes-pss].
 
-Pod Security Admission is a built-in policy solution for single cluster implementations. If you are looking for enterprise-grade policy, then [Azure policy](use-azure-policy.md) is a better choice.
+Pod Security Admission is a built-in policy solution for single cluster implementations. If you want to use an enterprise-grade policy, we recommend you use [Azure policy](use-azure-policy.md).
 
 ## Before you begin
 
@@ -20,90 +20,104 @@ Pod Security Admission is a built-in policy solution for single cluster implemen
 
 ## Enable Pod Security Admission for a namespace in your cluster
 
-To enable PSA for a namespace in your cluster, set the `pod-security.kubernetes.io/enforce` label with the policy value you want to enforce. For example:
+### Enable PSA for a single namespace
+
+- Enable PSA for a single namespace in your cluster using the `kubectl label` command and set the `pod-security.kubernetes.io/enforce` label with the policy value you want to enforce. The following example enables the `restricted` policy for the *NAMESPACE* namespace.
+
+    ```azurecli-interactive
+    kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted
+    ```
+
+### Enable PSA for all namespaces
+
+- Enable PSA for all namespaces in your cluster using the `kubectl label` command and set the `pod-security.kubernetes.io/warn` label with the policy value you want to enforce. The following example enables the `baseline` policy for all namespaces in your cluster. This policy generates a user-facing warning if any pods are deployed to a namespace that doesn't meet the *baseline* policy.
+
+    ```azurecli-interactive
+    kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
+    ```
 
-```azurecli-interactive
-kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted
-```
+## Enforce a Pod Security Admission policy with a deployment
 
-The above command enforces the `restricted` policy for the *NAMESPACE* namespace. 
+1. Create two namespaces using the `kubectl create namespace` command.
 
-You can also enable Pod Security Admission for all your namespaces. For example: 
+    ```azurecli-interactive
+    kubectl create namespace test-restricted
+    kubectl create namespace test-privileged
+    ```
 
-```azurecli-interactive
-kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
-```
+1. Enable a PSA policy for each namespace, one with the `restricted` policy and one with the `baseline` policy, using the `kubectl label` command.
 
-The above example will generate a user-facing warning if any pods are deployed to any namespace that does not meet the `baseline` policy.
+    ```azurecli-interactive
+    kubectl label --overwrite ns test-restricted pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/warn=restricted
+    kubectl label --overwrite ns test-privileged pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=privileged
+    ```
 
-## Example of enforcing a Pod Security Admission policy with a deployment
+    This configures the `test-restricted` and `test-privileged` namespaces to block running pods and generate a user-facing warning if any pods that don't meet the configured policy attempt to run.
 
-Create two namespaces, one with the `restricted` policy and one with the `baseline` policy.
+1. Attempt to deploy pods to the `test-restricted` namespace using the `kubectl apply` command. This command results in an error because the `test-restricted` namespace is configured to block pods that don't meet the `restricted` policy.
 
-```azurecli-interactive
-kubectl create namespace test-restricted
-kubectl create namespace test-privileged
-kubectl label --overwrite ns test-restricted pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/warn=restricted
-kubectl label --overwrite ns test-privileged pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=privileged
-```
+    ```azurecli-interactive
+    kubectl apply --namespace test-restricted -f https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml
+    ```
 
-Both the `test-restricted` and `test-privileged` namespaces will block running pods as well as generate a user-facing warning if any pods attempt to run that do not meet the configured policy.
+    The following example output shows a warning stating the pods violate the configured policy:
 
-Attempt to deploy pods to the `test-restricted` namespace.
+    ```output
+    ...
+    Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "azure-vote-back" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "azure-vote-back" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "azure-vote-back" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "azure-vote-back" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
+    deployment.apps/azure-vote-back created
+    service/azure-vote-back created
+    Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "azure-vote-front" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "azure-vote-front" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "azure-vote-front" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "azure-vote-front" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
+    deployment.apps/azure-vote-front created
+    service/azure-vote-front created
+    ```
 
-```azurecli-interactive
-kubectl apply --namespace test-restricted -f https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml
-```
+1. Confirm there are no pods running in the `test-restricted` namespace using the `kubectl get pods` command.
 
-Notice you get a warning that the pods violate the configured policy.
+    ```azurecli-interactive
+    kubectl get pods --namespace test-restricted
+    ```
 
-```output
-...
-Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "azure-vote-back" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "azure-vote-back" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "azure-vote-back" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "azure-vote-back" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
-deployment.apps/azure-vote-back created
-service/azure-vote-back created
-Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "azure-vote-front" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "azure-vote-front" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "azure-vote-front" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "azure-vote-front" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
-deployment.apps/azure-vote-front created
-service/azure-vote-front created
-```
+    The following example output shows no pods running in the `test-restricted` namespace:
 
-Confirm there are no pods running in the `test-restricted` namespace.
+    ```output
+    No resources found in test-restricted namespace.
+    ```
 
-```azurecli-interactive
-kubectl get pods --namespace test-restricted
-```
+1. Attempt to deploy pods to the `test-privileged` namespace using the `kubectl apply` command. This time, the pods should deploy successfully because the `test-privileged` namespace is configured to allow pods that violate the `privileged` policy.
 
-```output
-$ kubectl get pods --namespace test-restricted
-No resources found in test-restricted namespace.
-```
+    ```azurecli-interactive
+    kubectl apply --namespace test-privileged -f https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml
+    ```
 
-Attempt to deploy pods to the `test-privileged` namespace.
+    The following example output shows the pods deployed successfully:
 
-```azurecli-interactive
-kubectl apply --namespace test-privileged -f https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml
-```
+    ```output
+    deployment.apps/azure-vote-back created
+    service/azure-vote-back created
+    deployment.apps/azure-vote-front created
+    service/azure-vote-front created
+    ```
 
-Notice there are no warnings about pods not meeting the configured policy.
+1. Confirm you have pods running in the `test-privileged` namespace using the `kubectl get pods` command.
 
-Confirm you have pods running in the `test-privileged` namespace.
+    ```azurecli-interactive
+    kubectl get pods --namespace test-privileged
+    ```
 
-```azurecli-interactive
-kubectl get pods --namespace test-privileged
-```
+    The following example output shows two pods running in the `test-privileged` namespace:
 
-```output
-$ kubectl get pods --namespace test-privileged
-NAME                               READY   STATUS    RESTARTS   AGE
-azure-vote-back-6fcdc5cbd5-svbdf   1/1     Running   0          2m29s
-azure-vote-front-5f4b8d498-tqzwv   1/1     Running   0          2m28s
-```
+    ```output
+    NAME                               READY   STATUS    RESTARTS   AGE
+    azure-vote-back-6fcdc5cbd5-svbdf   1/1     Running   0          2m29s
+    azure-vote-front-5f4b8d498-tqzwv   1/1     Running   0          2m28s
+    ```
 
-Delete both the `test-restricted` and `test-privileged` namespaces.
+1. Remove the `test-restricted` and `test-privileged` namespaces using the `kubectl delete` command.
 
-```azurecli-interactive
-kubectl delete namespace test-restricted test-privileged
-```
+    ```azurecli-interactive
+    kubectl delete namespace test-restricted test-privileged
+    ```
 
 ## Next steps
 
