Securing Shared Mode Virtual Clusters

By default, SUSE Virtual Clusters in shared mode allow privileged pods, which can lead to host-level access. To secure your environment, you must enforce a Pod Security Standard (PSS).

The following guide explains how to enforce this using the VirtualClusterPolicy mechanism of K3k.

Create a VirtualClusterPolicy

Define a policy to restrict pod capabilities.

The Baseline profile is recommended to prevent privilege escalation without breaking most workloads.

apiVersion: k3k.io/v1beta1
kind: VirtualClusterPolicy
metadata:
  name: baseline-psa-policy
spec:
  podSecurityAdmissionLevel: baseline

Supported Levels

  • privileged: Unrestricted access (Default).

  • baseline: Prevents known privilege escalations.

  • restricted: Maximum hardening (highest security, lower compatibility).

See Pod Security Standards for more information.

Apply the Policy

Attach the policy to the namespace(s) where your virtual clusters are deployed using the Rancher UI or kubectl:

kubectl label namespace <namespace-name> policy.k3k.io/policy-name="baseline-psa-policy"

Verification

The K3k operator automatically updates the target namespace(s) to enforce the selected Pod Security Standard (PSS).

Example of an enforced namespace:

apiVersion: v1
kind: Namespace
metadata:
  name: prod-k3kcluster-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    policy.k3k.io/policy-name: baseline-psa-policy

Any pod within the virtual cluster that violates this policy (for example, requesting privileged: true) is rejected.
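As an added pre-flight check (not part of K3k or the Kubernetes admission controller), the following Python re-implements a subset of the Baseline controls so you can screen existing workload manifests for what the enforced namespace will reject before you label it; the namespace and pod manifests are constructed samples.

```python
# Pre-flight check for the Baseline Pod Security Standard. Added example, not
# K3k or Kubernetes code: it re-implements a subset of the Baseline controls
# (host namespaces, privileged, added capabilities, hostPath, hostPort, seccomp)
# so workloads can be screened before the namespace is labelled.

# Capabilities a Baseline container may add (Kubernetes PSS allow-list).
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

def namespace_enforces(ns: dict, level: str = "baseline") -> bool:
    """True when the namespace carries the enforce label the K3k operator sets."""
    labels = ns.get("metadata", {}).get("labels", {})
    return labels.get("pod-security.kubernetes.io/enforce") == level

def baseline_violations(pod: dict) -> list:
    """Reasons the pod would be rejected under Baseline (empty list = admitted)."""
    spec = pod.get("spec", {})
    reasons = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            reasons.append(f"spec.{field}=true")
    if spec.get("securityContext", {}).get("seccompProfile", {}).get("type") == "Unconfined":
        reasons.append("pod seccompProfile.type=Unconfined")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            reasons.append(f"volume {vol.get('name')}: hostPath")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            reasons.append(f"container {name}: privileged=true")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap.upper() not in BASELINE_ALLOWED_CAPS:
                reasons.append(f"container {name}: adds capability {cap}")
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            reasons.append(f"container {name}: seccompProfile.type=Unconfined")
        for port in c.get("ports", []):
            if port.get("hostPort"):
                reasons.append(f"container {name}: hostPort={port['hostPort']}")
    return reasons

# Constructed sample manifests: the enforced namespace from this guide and a
# pod that asks for the host PID namespace and a privileged container.
ENFORCED_NS = {"kind": "Namespace", "metadata": {"name": "prod-k3kcluster-ns", "labels": {
    "pod-security.kubernetes.io/enforce": "baseline",
    "policy.k3k.io/policy-name": "baseline-psa-policy"}}}
PRIVILEGED_POD = {"kind": "Pod", "metadata": {"name": "node-debug"}, "spec": {
    "hostPID": True, "containers": [{"name": "shell", "image": "busybox", "securityContext": {
        "privileged": True, "capabilities": {"add": ["SYS_ADMIN", "CHOWN"]}}}]}}
```

Run `baseline_violations` over each pod manifest you plan to deploy into the virtual cluster; an empty list means the Baseline admission check will let it through, and each listed reason is a field to remove or justify before enforcement.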