♻️ Update pod security sections

Mark PSP as deprecated. Update PSS/PSA accordingly.
This commit is contained in:
Jérôme Petazzoni
2024-05-10 18:23:08 +02:00
parent 06ca097b52
commit 2f009de2db
3 changed files with 32 additions and 58 deletions

View File

@@ -2,7 +2,7 @@
- "New" policies
(available in alpha since Kubernetes 1.22)
(available in alpha since Kubernetes 1.22, and GA since Kubernetes 1.25)
- Easier to use
@@ -66,50 +66,6 @@ class: extra-details
---
## PSA in practice
- Step 1: enable the PodSecurity admission plugin
- Step 2: label some Namespaces
- Step 3: provide an AdmissionConfiguration (optional)
- Step 4: profit!
---
## Enabling PodSecurity
- This requires Kubernetes 1.22 or later
- This requires the ability to reconfigure the API server
- The following slides assume that we're using `kubeadm`
(and have write access to `/etc/kubernetes/manifests`)
---
## Reconfiguring the API server
- In Kubernetes 1.22, we need to enable the `PodSecurity` feature gate
- In later versions, this might be enabled automatically
.lab[
- Edit `/etc/kubernetes/manifests/kube-apiserver.yaml`
- In the `command` list, add `--feature-gates=PodSecurity=true`
- Save, quit, wait for the API server to be back up again
]
Note: for bonus points, edit the `kubeadm-config` ConfigMap instead!
---
## Namespace labels
- Three optional labels can be added to namespaces:
@@ -277,14 +233,6 @@ Let's use @@LINK[k8s/admission-configuration.yaml]:
- But the Pods don't get created
---
## Clean up
- We probably want to remove the API server flags that we added
(the feature gate and the admission configuration)
???
:EN:- Preventing privilege escalation with Pod Security Admission

View File

@@ -124,7 +124,7 @@
## Admission plugins
- [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) (will be removed in Kubernetes 1.25)
- [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) (was removed in Kubernetes 1.25)
- create PodSecurityPolicy resources
@@ -132,7 +132,7 @@
- create RoleBinding that grants the Role to a user or ServiceAccount
- [PodSecurityAdmission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) (alpha since Kubernetes 1.22)
- [PodSecurityAdmission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) (alpha since Kubernetes 1.22, stable since 1.25)
- use pre-defined policies (privileged, baseline, restricted)
@@ -162,9 +162,31 @@
---
## Validating Admission Policies
- Alternative to validating admission webhooks
- Evaluated in the API server
(don't require an external server; don't add network latency)
- Written in CEL (Common Expression Language)
- alpha in K8S 1.26; beta in K8S 1.28; GA in K8S 1.30
- Can replace validating webhooks at least in simple cases
- Can extend Pod Security Admission
- Check [the documentation][vapdoc] for examples
[vapdoc]: https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/
---
## Acronym salad
- PSP = Pod Security Policy
- PSP = Pod Security Policy **(deprecated)**
- an admission plugin called PodSecurityPolicy

View File

@@ -2,11 +2,15 @@
- "Legacy" policies
(deprecated since Kubernetes 1.21; will be removed in 1.25)
(deprecated since Kubernetes 1.21; removed in 1.25)
- Superseded by Pod Security Standards + Pod Security Admission
(available in alpha since Kubernetes 1.22)
(available in alpha since Kubernetes 1.22; stable since 1.25)
- **Since Kubernetes 1.24 was EOL in July 2023, nobody should use PSPs anymore!**
- This section is here mostly for historical purposes, and can be skipped
---