From 2f009de2db90f3078cfa6f7da1a5f30c2cebc763 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?= Date: Fri, 10 May 2024 18:23:08 +0200 Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Update=20pod=20security=20?= =?UTF-8?q?sections?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mark PSP as deprecated. Update PSS/PSA accordingly. --- slides/k8s/pod-security-admission.md | 54 +--------------------------- slides/k8s/pod-security-intro.md | 28 +++++++++++++-- slides/k8s/pod-security-policies.md | 8 +++-- 3 files changed, 32 insertions(+), 58 deletions(-) diff --git a/slides/k8s/pod-security-admission.md b/slides/k8s/pod-security-admission.md index 91560dd1..d20bc2a0 100644 --- a/slides/k8s/pod-security-admission.md +++ b/slides/k8s/pod-security-admission.md @@ -2,7 +2,7 @@ - "New" policies - (available in alpha since Kubernetes 1.22) + (available in alpha since Kubernetes 1.22, and GA since Kubernetes 1.25) - Easier to use @@ -66,50 +66,6 @@ class: extra-details --- -## PSA in practice - -- Step 1: enable the PodSecurity admission plugin - -- Step 2: label some Namespaces - -- Step 3: provide an AdmissionConfiguration (optional) - -- Step 4: profit! - ---- - -## Enabling PodSecurity - -- This requires Kubernetes 1.22 or later - -- This requires the ability to reconfigure the API server - -- The following slides assume that we're using `kubeadm` - - (and have write access to `/etc/kubernetes/manifests`) - ---- - -## Reconfiguring the API server - -- In Kubernetes 1.22, we need to enable the `PodSecurity` feature gate - -- In later versions, this might be enabled automatically - -.lab[ - -- Edit `/etc/kubernetes/manifests/kube-apiserver.yaml` - -- In the `command` list, add `--feature-gates=PodSecurity=true` - -- Save, quit, wait for the API server to be back up again - -] - -Note: for bonus points, edit the `kubeadm-config` ConfigMap instead! - ---- - ## Namespace labels - Three optional labels can be added to namespaces: @@ -277,14 +233,6 @@ Let's use @@LINK[k8s/admission-configuration.yaml]: - But the Pods don't get created ---- - -## Clean up - -- We probably want to remove the API server flags that we added - - (the feature gate and the admission configuration) - ??? :EN:- Preventing privilege escalation with Pod Security Admission diff --git a/slides/k8s/pod-security-intro.md b/slides/k8s/pod-security-intro.md index 034ad716..c390439e 100644 --- a/slides/k8s/pod-security-intro.md +++ b/slides/k8s/pod-security-intro.md @@ -124,7 +124,7 @@ ## Admission plugins -- [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) (will be removed in Kubernetes 1.25) +- [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) (was removed in Kubernetes 1.25) - create PodSecurityPolicy resources @@ -132,7 +132,7 @@ - create RoleBinding that grants the Role to a user or ServiceAccount -- [PodSecurityAdmission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) (alpha since Kubernetes 1.22) +- [PodSecurityAdmission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) (alpha since Kubernetes 1.22, stable since 1.25) - use pre-defined policies (privileged, baseline, restricted) @@ -162,9 +162,31 @@ --- +## Validating Admission Policies + +- Alternative to validating admission webhooks + +- Evaluated in the API server + + (don't require an external server; don't add network latency) + +- Written in CEL (Common Expression Language) + +- alpha in K8S 1.26; beta in K8S 1.28; GA in K8S 1.30 + +- Can replace validating webhooks at least in simple cases + +- Can extend Pod Security Admission + +- Check [the documentation][vapdoc] for examples + +[vapdoc]: https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/ + +--- + ## Acronym salad -- PSP = Pod Security Policy +- PSP = Pod Security Policy **(deprecated)** - an admission plugin called PodSecurityPolicy diff --git a/slides/k8s/pod-security-policies.md b/slides/k8s/pod-security-policies.md index 7cf95d95..920cb80d 100644 --- a/slides/k8s/pod-security-policies.md +++ b/slides/k8s/pod-security-policies.md @@ -2,11 +2,15 @@ - "Legacy" policies - (deprecated since Kubernetes 1.21; will be removed in 1.25) + (deprecated since Kubernetes 1.21; removed in 1.25) - Superseded by Pod Security Standards + Pod Security Admission - (available in alpha since Kubernetes 1.22) + (available in alpha since Kubernetes 1.22; stable since 1.25) + +- **Since Kubernetes 1.24 was EOL in July 2023, nobody should use PSPs anymore!** + +- This section is here mostly for historical purposes, and can be skipped ---