mirror of
https://github.com/jpetazzo/container.training.git
synced 2026-07-16 19:39:27 +00:00
♻️ Update pod security sections
Mark PSP as deprecated. Update PSS/PSA accordingly.
This commit is contained in:
@@ -2,7 +2,7 @@
|
||||
|
||||
- "New" policies
|
||||
|
||||
(available in alpha since Kubernetes 1.22)
|
||||
(available in alpha since Kubernetes 1.22, and GA since Kubernetes 1.25)
|
||||
|
||||
- Easier to use
|
||||
|
||||
@@ -66,50 +66,6 @@ class: extra-details
|
||||
|
||||
---
|
||||
|
||||
## PSA in practice
|
||||
|
||||
- Step 1: enable the PodSecurity admission plugin
|
||||
|
||||
- Step 2: label some Namespaces
|
||||
|
||||
- Step 3: provide an AdmissionConfiguration (optional)
|
||||
|
||||
- Step 4: profit!
|
||||
|
||||
---
|
||||
|
||||
## Enabling PodSecurity
|
||||
|
||||
- This requires Kubernetes 1.22 or later
|
||||
|
||||
- This requires the ability to reconfigure the API server
|
||||
|
||||
- The following slides assume that we're using `kubeadm`
|
||||
|
||||
(and have write access to `/etc/kubernetes/manifests`)
|
||||
|
||||
---
|
||||
|
||||
## Reconfiguring the API server
|
||||
|
||||
- In Kubernetes 1.22, we need to enable the `PodSecurity` feature gate
|
||||
|
||||
- In later versions, this might be enabled automatically
|
||||
|
||||
.lab[
|
||||
|
||||
- Edit `/etc/kubernetes/manifests/kube-apiserver.yaml`
|
||||
|
||||
- In the `command` list, add `--feature-gates=PodSecurity=true`
|
||||
|
||||
- Save, quit, wait for the API server to be back up again
|
||||
|
||||
]
|
||||
|
||||
Note: for bonus points, edit the `kubeadm-config` ConfigMap instead!
|
||||
|
||||
---
|
||||
|
||||
## Namespace labels
|
||||
|
||||
- Three optional labels can be added to namespaces:
|
||||
@@ -277,14 +233,6 @@ Let's use @@LINK[k8s/admission-configuration.yaml]:
|
||||
|
||||
- But the Pods don't get created
|
||||
|
||||
---
|
||||
|
||||
## Clean up
|
||||
|
||||
- We probably want to remove the API server flags that we added
|
||||
|
||||
(the feature gate and the admission configuration)
|
||||
|
||||
???
|
||||
|
||||
:EN:- Preventing privilege escalation with Pod Security Admission
|
||||
|
||||
@@ -124,7 +124,7 @@
|
||||
|
||||
## Admission plugins
|
||||
|
||||
- [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) (will be removed in Kubernetes 1.25)
|
||||
- [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) (was removed in Kubernetes 1.25)
|
||||
|
||||
- create PodSecurityPolicy resources
|
||||
|
||||
@@ -132,7 +132,7 @@
|
||||
|
||||
- create RoleBinding that grants the Role to a user or ServiceAccount
|
||||
|
||||
- [PodSecurityAdmission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) (alpha since Kubernetes 1.22)
|
||||
- [PodSecurityAdmission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) (alpha since Kubernetes 1.22, stable since 1.25)
|
||||
|
||||
- use pre-defined policies (privileged, baseline, restricted)
|
||||
|
||||
@@ -162,9 +162,31 @@
|
||||
|
||||
---
|
||||
|
||||
## Validating Admission Policies
|
||||
|
||||
- Alternative to validating admission webhooks
|
||||
|
||||
- Evaluated in the API server
|
||||
|
||||
(don't require an external server; don't add network latency)
|
||||
|
||||
- Written in CEL (Common Expression Language)
|
||||
|
||||
- alpha in K8S 1.26; beta in K8S 1.28; GA in K8S 1.30
|
||||
|
||||
- Can replace validating webhooks at least in simple cases
|
||||
|
||||
- Can extend Pod Security Admission
|
||||
|
||||
- Check [the documentation][vapdoc] for examples
|
||||
|
||||
[vapdoc]: https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/
|
||||
|
||||
---
|
||||
|
||||
## Acronym salad
|
||||
|
||||
- PSP = Pod Security Policy
|
||||
- PSP = Pod Security Policy **(deprecated)**
|
||||
|
||||
- an admission plugin called PodSecurityPolicy
|
||||
|
||||
|
||||
@@ -2,11 +2,15 @@
|
||||
|
||||
- "Legacy" policies
|
||||
|
||||
(deprecated since Kubernetes 1.21; will be removed in 1.25)
|
||||
(deprecated since Kubernetes 1.21; removed in 1.25)
|
||||
|
||||
- Superseded by Pod Security Standards + Pod Security Admission
|
||||
|
||||
(available in alpha since Kubernetes 1.22)
|
||||
(available in alpha since Kubernetes 1.22; stable since 1.25)
|
||||
|
||||
- **Since Kubernetes 1.24 was EOL in July 2023, nobody should use PSPs anymore!**
|
||||
|
||||
- This section is here mostly for historical purposes, and can be skipped
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user