SecurityPolicy Class¶
The SecurityPolicy class manages security policies and configurations in Kubernetes. It provides capabilities for Pod Security Standards (PSS), security contexts, security policies, and compliance configurations.
Overview¶
from celestra import SecurityPolicy
# Basic security policy
security = SecurityPolicy("app-security").pod_security_standard("restricted")
# Production security policy
security = (SecurityPolicy("production-security")
.pod_security_standard("restricted")
.security_context({
"runAsNonRoot": True,
"runAsUser": 1000,
"fsGroup": 2000
})
.seccomp_profile("RuntimeDefault"))
Core API Functions¶
Pod Security Standards¶
Pod Security Standard¶
Set the Pod Security Standard level.
# Privileged level (least secure)
security = SecurityPolicy("app-security").pod_security_standard("privileged")
# Baseline level (moderate security)
security = SecurityPolicy("app-security").pod_security_standard("baseline")
# Restricted level (most secure)
security = SecurityPolicy("app-security").pod_security_standard("restricted")
Privileged Policy¶
Configure privileged security policy.
Baseline Policy¶
Configure baseline security policy.
Restricted Policy¶
Configure restricted security policy.
Security Context Configuration¶
Security Context¶
Set the security context.
# Basic security context
security_context = {
"runAsNonRoot": True,
"runAsUser": 1000,
"fsGroup": 2000
}
security = SecurityPolicy("app-security").security_context(security_context)
Run As User¶
Set the user ID to run as.
# Run as non-root user
security = SecurityPolicy("app-security").run_as_user(1000)
# Run as specific user
security = SecurityPolicy("app-security").run_as_user(2000)
Run As Group¶
Set the group ID to run as.
# Run as specific group
security = SecurityPolicy("app-security").run_as_group(2000)
# Run as root group
security = SecurityPolicy("app-security").run_as_group(0)
Run As Non Root¶
Set whether to run as non-root.
# Run as non-root
security = SecurityPolicy("app-security").run_as_non_root(True)
# Allow root (not recommended)
security = SecurityPolicy("app-security").run_as_non_root(False)
Read Only Root Filesystem¶
Set read-only root filesystem.
# Read-only root filesystem
security = SecurityPolicy("app-security").read_only_root_filesystem(True)
# Read-write root filesystem
security = SecurityPolicy("app-security").read_only_root_filesystem(False)
allow_privilege_escalation(enabled: bool = False) -> SecurityPolicy¶
Allow privilege escalation.
# Disable privilege escalation
security = SecurityPolicy("app-security").allow_privilege_escalation(False)
# Allow privilege escalation (not recommended)
security = SecurityPolicy("app-security").allow_privilege_escalation(True)
privileged_container(enabled: bool = False) -> SecurityPolicy¶
Allow privileged containers.
# Disable privileged containers
security = SecurityPolicy("app-security").privileged_container(False)
# Allow privileged containers (not recommended)
security = SecurityPolicy("app-security").privileged_container(True)
Capabilities Configuration¶
drop_capabilities(capabilities: List[str]) -> SecurityPolicy¶
Drop Linux capabilities.
# Drop dangerous capabilities
security = SecurityPolicy("app-security").drop_capabilities([
"ALL"
])
# Drop specific capabilities
security = SecurityPolicy("app-security").drop_capabilities([
"NET_RAW",
"SYS_ADMIN",
"SYS_CHROOT"
])
add_capabilities(capabilities: List[str]) -> SecurityPolicy¶
Add Linux capabilities.
# Add specific capabilities
security = SecurityPolicy("app-security").add_capabilities([
"NET_BIND_SERVICE",
"CHOWN"
])
required_capabilities(capabilities: List[str]) -> SecurityPolicy¶
Set required capabilities.
# Set required capabilities
security = SecurityPolicy("app-security").required_capabilities([
"NET_BIND_SERVICE"
])
Seccomp Configuration¶
seccomp_profile(profile: str) -> SecurityPolicy¶
Set the seccomp profile.
# Runtime default profile
security = SecurityPolicy("app-security").seccomp_profile("RuntimeDefault")
# Unconfined profile (not recommended)
security = SecurityPolicy("app-security").seccomp_profile("Unconfined")
# Localhost profile
security = SecurityPolicy("app-security").seccomp_profile("localhost/restricted")
seccomp_type(type: str) -> SecurityPolicy¶
Set the seccomp type.
# Runtime default
security = SecurityPolicy("app-security").seccomp_type("RuntimeDefault")
# Localhost
security = SecurityPolicy("app-security").seccomp_type("Localhost")
AppArmor Configuration¶
apparmor_profile(profile: str) -> SecurityPolicy¶
Set the AppArmor profile.
# Runtime default profile
security = SecurityPolicy("app-security").apparmor_profile("runtime/default")
# Custom profile
security = SecurityPolicy("app-security").apparmor_profile("localhost/restricted")
apparmor_type(type: str) -> SecurityPolicy¶
Set the AppArmor type.
# Runtime default
security = SecurityPolicy("app-security").apparmor_type("RuntimeDefault")
# Localhost
security = SecurityPolicy("app-security").apparmor_type("Localhost")
SELinux Configuration¶
selinux_options(options: Dict[str, str]) -> SecurityPolicy¶
Set SELinux options.
# Set SELinux options
selinux_options = {
"level": "s0:c123,c456",
"role": "container_r",
"type": "container_t",
"user": "system_u"
}
security = SecurityPolicy("app-security").selinux_options(selinux_options)
selinux_level(level: str) -> SecurityPolicy¶
Set SELinux level.
selinux_role(role: str) -> SecurityPolicy¶
Set SELinux role.
selinux_type(type: str) -> SecurityPolicy¶
Set SELinux type.
selinux_user(user: str) -> SecurityPolicy¶
Set SELinux user.
Volume Security¶
volume_security_context(context: Dict[str, Any]) -> SecurityPolicy¶
Set volume security context.
# Volume security context
volume_context = {
"fsGroup": 2000,
"runAsUser": 1000,
"runAsGroup": 2000
}
security = SecurityPolicy("app-security").volume_security_context(volume_context)
volume_fs_group(group_id: int) -> SecurityPolicy¶
Set volume filesystem group.
volume_run_as_user(user_id: int) -> SecurityPolicy¶
Set volume run as user.
volume_run_as_group(group_id: int) -> SecurityPolicy¶
Set volume run as group.
Network Security¶
host_network(enabled: bool = False) -> SecurityPolicy¶
Allow host network access.
# Disable host network
security = SecurityPolicy("app-security").host_network(False)
# Allow host network (not recommended)
security = SecurityPolicy("app-security").host_network(True)
host_pid(enabled: bool = False) -> SecurityPolicy¶
Allow host PID namespace.
# Disable host PID
security = SecurityPolicy("app-security").host_pid(False)
# Allow host PID (not recommended)
security = SecurityPolicy("app-security").host_pid(True)
host_ipc(enabled: bool = False) -> SecurityPolicy¶
Allow host IPC namespace.
# Disable host IPC
security = SecurityPolicy("app-security").host_ipc(False)
# Allow host IPC (not recommended)
security = SecurityPolicy("app-security").host_ipc(True)
Compliance Configuration¶
compliance_standard(standard: str) -> SecurityPolicy¶
Set compliance standard.
# CIS compliance
security = SecurityPolicy("app-security").compliance_standard("cis")
# NIST compliance
security = SecurityPolicy("app-security").compliance_standard("nist")
# PCI compliance
security = SecurityPolicy("app-security").compliance_standard("pci")
compliance_level(level: str) -> SecurityPolicy¶
Set compliance level.
# Level 1 compliance
security = SecurityPolicy("app-security").compliance_level("level1")
# Level 2 compliance
security = SecurityPolicy("app-security").compliance_level("level2")
audit_enabled(enabled: bool = True) -> SecurityPolicy¶
Enable security auditing.
# Enable auditing
security = SecurityPolicy("app-security").audit_enabled(True)
# Disable auditing
security = SecurityPolicy("app-security").audit_enabled(False)
Advanced Configuration¶
namespace(namespace: str) -> SecurityPolicy¶
Set the namespace for the security policy.
add_label(key: str, value: str) -> SecurityPolicy¶
Add a label to the security policy.
add_labels(labels: Dict[str, str]) -> SecurityPolicy¶
Add multiple labels to the security policy.
labels = {
"environment": "production",
"team": "platform",
"tier": "security"
}
security = SecurityPolicy("app-security").add_labels(labels)
add_annotation(key: str, value: str) -> SecurityPolicy¶
Add an annotation to the security policy.
security = SecurityPolicy("app-security").add_annotation("description", "Application security policy")
add_annotations(annotations: Dict[str, str]) -> SecurityPolicy¶
Add multiple annotations to the security policy.
annotations = {
"description": "Application security policy for production",
"owner": "platform-team",
"compliance": "cis-level2"
}
security = SecurityPolicy("app-security").add_annotations(annotations)
enforcement_mode(mode: str) -> SecurityPolicy¶
Set enforcement mode.
# Enforce mode
security = SecurityPolicy("app-security").enforcement_mode("enforce")
# Audit mode
security = SecurityPolicy("app-security").enforcement_mode("audit")
# Warn mode
security = SecurityPolicy("app-security").enforcement_mode("warn")
violation_action(action: str) -> SecurityPolicy¶
Set violation action.
# Deny violations
security = SecurityPolicy("app-security").violation_action("deny")
# Warn on violations
security = SecurityPolicy("app-security").violation_action("warn")
# Audit violations
security = SecurityPolicy("app-security").violation_action("audit")
Output Generation¶
generate() -> SecurityPolicyGenerator¶
Generate the security policy configuration.
# Generate Kubernetes YAML
security.generate().to_yaml("./k8s/")
# Generate Helm values
security.generate().to_helm_values("./helm/")
# Generate Terraform
security.generate().to_terraform("./terraform/")
Complete Example¶
Here's a complete example of a production-ready security policy configuration:
from celestra import SecurityPolicy
# Create comprehensive security policy configuration
production_security = (SecurityPolicy("production-security")
.pod_security_standard("restricted")
.security_context({
"runAsNonRoot": True,
"runAsUser": 1000,
"fsGroup": 2000,
"readOnlyRootFilesystem": True,
"allowPrivilegeEscalation": False
})
.run_as_user(1000)
.run_as_group(2000)
.run_as_non_root(True)
.read_only_root_filesystem(True)
.allow_privilege_escalation(False)
.privileged_container(False)
.drop_capabilities(["ALL"])
.add_capabilities(["NET_BIND_SERVICE"])
.seccomp_profile("RuntimeDefault")
.apparmor_profile("runtime/default")
.selinux_options({
"level": "s0:c123,c456",
"role": "container_r",
"type": "container_t",
"user": "system_u"
})
.volume_security_context({
"fsGroup": 2000,
"runAsUser": 1000,
"runAsGroup": 2000
})
.host_network(False)
.host_pid(False)
.host_ipc(False)
.compliance_standard("cis")
.compliance_level("level2")
.audit_enabled(True)
.enforcement_mode("enforce")
.violation_action("deny")
.namespace("production")
.add_labels({
"environment": "production",
"team": "platform",
"tier": "security"
})
.add_annotations({
"description": "Production security policy",
"owner": "platform-team@company.com",
"compliance": "cis-level2"
}))
# Generate manifests
production_security.generate().to_yaml("./k8s/")
Security Policy Patterns¶
Restricted Policy Pattern¶
# Restricted security policy for production
restricted_policy = (SecurityPolicy("restricted-security")
.pod_security_standard("restricted")
.run_as_non_root(True)
.read_only_root_filesystem(True)
.allow_privilege_escalation(False)
.privileged_container(False)
.drop_capabilities(["ALL"])
.seccomp_profile("RuntimeDefault")
.apparmor_profile("runtime/default"))
Baseline Policy Pattern¶
# Baseline security policy for development
baseline_policy = (SecurityPolicy("baseline-security")
.pod_security_standard("baseline")
.run_as_non_root(True)
.allow_privilege_escalation(False)
.privileged_container(False)
.seccomp_profile("RuntimeDefault"))
Privileged Policy Pattern¶
# Privileged security policy for system components
privileged_policy = (SecurityPolicy("privileged-security")
.pod_security_standard("privileged")
.privileged_container(True)
.allow_privilege_escalation(True)
.host_network(True)
.host_pid(True))
Compliance Policy Pattern¶
# Compliance-focused security policy
compliance_policy = (SecurityPolicy("compliance-security")
.pod_security_standard("restricted")
.compliance_standard("cis")
.compliance_level("level2")
.audit_enabled(True)
.enforcement_mode("enforce")
.violation_action("deny"))
Network Security Policy Pattern¶
# Network-focused security policy
network_security = (SecurityPolicy("network-security")
.pod_security_standard("restricted")
.host_network(False)
.host_pid(False)
.host_ipc(False)
.add_capabilities(["NET_BIND_SERVICE"]))
Best Practices¶
1. Use Restricted Pod Security Standard¶
# ✅ Good: Use restricted PSS
security = SecurityPolicy("app-security").pod_security_standard("restricted")
# ❌ Bad: Use privileged PSS
security = SecurityPolicy("app-security").pod_security_standard("privileged")
2. Run as Non-Root¶
# ✅ Good: Run as non-root
security = SecurityPolicy("app-security").run_as_non_root(True).run_as_user(1000)
# ❌ Bad: Run as root
security = SecurityPolicy("app-security").run_as_non_root(False)
3. Use Read-Only Root Filesystem¶
# ✅ Good: Use read-only root filesystem
security = SecurityPolicy("app-security").read_only_root_filesystem(True)
# ❌ Bad: Use read-write root filesystem
security = SecurityPolicy("app-security").read_only_root_filesystem(False)
4. Drop Dangerous Capabilities¶
# ✅ Good: Drop all capabilities
security = SecurityPolicy("app-security").drop_capabilities(["ALL"])
# ❌ Bad: Keep all capabilities
security = SecurityPolicy("app-security") # No capability restrictions
5. Use Runtime Default Seccomp¶
# ✅ Good: Use runtime default seccomp
security = SecurityPolicy("app-security").seccomp_profile("RuntimeDefault")
# ❌ Bad: Use unconfined seccomp
security = SecurityPolicy("app-security").seccomp_profile("Unconfined")
6. Disable Host Namespaces¶
# ✅ Good: Disable host namespaces
security = SecurityPolicy("app-security").host_network(False).host_pid(False).host_ipc(False)
# ❌ Bad: Allow host namespaces
security = SecurityPolicy("app-security").host_network(True)
Related Components¶
- App - For stateless applications
- StatefulApp - For stateful applications
- RBAC - For access control
- NetworkPolicy - For network security
- Secret - For sensitive data
Next Steps¶
- WaitCondition - Learn about wait conditions
- Components Overview - Explore all available components
- Examples - See real-world examples
- Tutorials - Step-by-step guides