Pod Security Admission (PSA) Configuration Templates

Pod Security admission (PSA) configuration templates are a Rancher custom-defined resource (CRD), available in Rancher v2.7.2 and above. The templates provide pre-defined security configurations that you can apply to a cluster:

  • rancher-privileged: The most permissive configuration. It doesn’t restrict the behavior of any pods. This allows for known privilege escalations. This policy has no exemptions.

  • rancher-restricted: A heavily restricted configuration that follows current best practices for hardening pods. You must make namespace-level exemptions for Rancher components.

Assign a Pod Security Admissions (PSA) Configuration Template

You can assign a PSA template at the same time that you create a downstream cluster. You can also add a template by configuring an existing cluster.

Assign a Template During Cluster Creation

  • RKE2 and K3s

  • RKE1

  1. In the upper left corner, click ☰ > Cluster Management.

  2. On the Clusters page, click the Create button.

  3. Select a provider.

  4. On the Cluster: Create page, go to Basics  Security.

  5. In the Pod Security Admission Configuration Template dropdown menu, select the template you want to assign.

  6. Click Create.

Assign a Template to an Existing Cluster

  1. In the upper left corner, click ☰ > Cluster Management.

  2. Find the cluster you want to update in the Clusters table, and click the .

  3. Select Edit Config .

  4. In the Pod Security Admission Configuration Template dropdown menu, select the template you want to assign.

  5. Click Save.

Hardening the Cluster

If you select the rancher-restricted template but don’t select a CIS Profile, you won’t meet required CIS benchmarks. See the RKE2 hardening guide for more details.

  1. In the upper left corner, click ☰ > Cluster Management.

  2. On the Clusters page, click the Create button.

  3. Select a provider.

  4. On the Add Cluster page, under Cluster Options, click Advanced Options.

  5. In the Pod Security Admission Configuration Template dropdown menu, select the template you want to assign.

  6. Click Create.

Assign a Template to an Existing Cluster

  1. In the upper left corner, click ☰ > Cluster Management.

  2. Find the cluster you want to update in the Clusters table, and click the .

  3. Select Edit Config.

  4. On the Edit Cluster page, go to Cluster Options  Advanced Options.

  5. In the Pod Security Admission Configuration Template, select the template you want to assign.

  6. Click Save.

Add or Edit a Pod Security Admissions (PSA) Configuration Template

If you have administrator privileges, you can customize security restrictions and permissions by creating additional PSA templates, or by editing existing templates.

If you edit an existing PSA template while it is still in use, changes will be applied to all clusters that have been assigned to that template.

  1. In the upper left corner, click ☰ > Cluster Management.

  2. Click Advanced to open the dropdown menu.

  3. Select Pod Security Admissions.

  4. Find the template you want to modify, and click the .

  5. Select Edit Config to edit the template.

  6. When you’re done editing the configuration, click Save.

Allow Non-Admin Users to Manage PSA Templates

If you want to allow other users to manage templates, you can bind that user to a role that grants all verbs ("*") on management.cattle.io/podsecurityadmissionconfigurationtemplates.

Any user that is bound to the above permission will be able to change the restriction levels on all managed clusters which use a given PSA template, including ones that they have no permissions on.

Exempting Required Rancher Namespaces

When you run Rancher on a Kubernetes cluster that enforces a restrictive security policy by default, you’ll need to exempt the following namespaces, otherwise the policy might prevent Rancher system pods from running properly.

  • calico-apiserver

  • calico-system

  • cattle-alerting

  • cattle-csp-adapter-system

  • cattle-elemental-system

  • cattle-epinio-system

  • cattle-externalip-system

  • cattle-fleet-local-system

  • cattle-fleet-system

  • cattle-gatekeeper-system

  • cattle-global-data

  • cattle-global-nt

  • cattle-impersonation-system

  • cattle-istio

  • cattle-istio-system

  • cattle-logging

  • cattle-logging-system

  • cattle-monitoring-system

  • cattle-neuvector-system

  • cattle-prometheus

  • cattle-provisioning-capi-system

  • cattle-resources-system

  • cattle-sriov-system

  • cattle-system

  • cattle-ui-plugin-system

  • cattle-windows-gmsa-system

  • cert-manager

  • cis-operator-system

  • fleet-default

  • ingress-nginx

  • istio-system

  • kube-node-lease

  • kube-public

  • kube-system

  • longhorn-system

  • rancher-alerting-drivers

  • security-scan

  • tigera-operator

Rancher, some Rancher owned charts, and RKE2 and K3s distributions all use these namespaces. A subset of the listed namespaces are already exempt in the built-in Rancher rancher-restricted policy, for use in downstream clusters. For a complete template which has all the exemptions you need to run Rancher, please refer to this sample Admission Configuration.

Exempting Namespaces

If you assign the rancher-restricted template to a cluster, by default the restrictions are applied across the entire cluster at the namespace level. To exempt certain namespaces from this highly restricted policy, do the following:

  1. In the upper left corner, click ☰ > Cluster Management.

  2. Click Advanced to open the dropdown menu.

  3. Select Pod Security Admissions.

  4. Find the template you want to modify, and click the .

  5. Select Edit Config.

  6. Click the Namespaces checkbox under Exemptions to edit the Namespaces field.

  7. When you’re done exempting namespaces, click Save.

You need to update the target cluster to make the new template take effect in that cluster. An update can be triggered by editing and saving the cluster without changing values.