Adding a Pod Security Policy

Prerequisite:

The options below are available only for clusters that are launched using RKE.

When your cluster is running pods with security-sensitive configurations, assign it a pod security policy, which is a set of rules that monitors the conditions and settings in your pods. If a pod doesn’t meet the rules specified in your policy, the policy stops it from running.

You can assign a pod security policy when you provision a cluster. However, if you need to relax or restrict security for your pods later, you can update the policy while editing your cluster.

  1. Click ☰ > Cluster Management.

  2. Go to the cluster to which you want to apply a pod security policy and click ⋮ > Edit Config.

  3. From Pod Security Policy Support, select Enabled.

    This option is only available for clusters provisioned by RKE.

  4. From the Default Pod Security Policy drop-down, select the policy you want to apply to the cluster.

    Rancher ships with policies of restricted and unrestricted, although you can create custom policies as well.

  5. Click Save.

Result: The pod security policy is applied to the cluster and any projects within the cluster.

Workloads already running before assignment of a pod security policy are grandfathered in. Even if they don’t meet your pod security policy, workloads running before assignment of the policy continue to run.

To check if a running workload passes your pod security policy, clone or upgrade it.