PodSecurityPolicyIsDeadLongLive.md

File metadata and controls

851 lines (614 loc) · 18.6 KB
---
title: Pod Security Policy is Dead, Long Live...?
description: What are Pod Security Policies? What do you mean, they are deprecated? What am I going to do?!
author: Chris Nesbitt-Smith
marp: true
theme: themes/esynergy
class: lead
video_embed: <iframe width="560" height="315" src="https://www.youtube.com/embed/AciaVw_R1f4" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
---

PodSecurityPolicy is Dead,
Long Live...?

🤔

Chris Nesbitt-Smith

UK Gov | Control Plane | LearnK8s | lots of open source


👋


kubectl get pods


🙋👩‍🌾👩‍🚒
🙋‍♀️🦹‍♀️🙋‍♂️


```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx:1.14.2
      ports:
        - containerPort: 80
```

PodSecurityWhat?

🤔


```yaml
kind: PodSecurityPolicy
```

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
```

😢


kubectl explain PodSecurityPolicy

Pod Security Policies enable fine-grained authorization of pod creation and updates.

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

https://kubernetes.io/docs/concepts/policy/pod-security-policy/



```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  # The only restriction this policy adds is privileged: false; every other
  # field is RunAsAny and volumes: "*" still permits all volume types,
  # hostPath included.
  privileged: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - "*"
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
    - name: demo
      image: alpine
      securityContext:
        privileged: true   # rejected by the example policy above
```


Live demo


```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
    - name: demo
      image: alpine
      volumeMounts:          # must sit inside the container entry, not beside it
        - mountPath: /storage
          name: storage
  volumes:
    - name: storage
      hostPath:
        path: /              # mounts the node's root filesystem into the pod
        type: Directory
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  hostNetwork: true          # shares the node's network namespace
  containers:
    - name: demo
      image: alpine
```



👍









🏃‍♀️


So now what?


<style scoped> li { font-size: 2em; } </style>
  • Admission Control
  • Anchore
  • Azure Policy
  • Istio
  • jspolicy
  • K-rail
  • Kopf
  • Kubewarden
  • Kyverno
  • OPA Gatekeeper
  • Opslevel
  • Polaris
  • Prisma Cloud
  • Qualys
  • Regula
  • Sysdig
  • TiDB

Wait, what about
Pod Security Standards
&
Pod Security Admission?


Privileged


Baseline


Restricted


😀


☹️


😱


😜


🌟


🧓👴


🥁








<style scoped> h1 { bottom: 0; position: absolute; font-size: 4em; -webkit-text-stroke-width: 3px; -webkit-text-stroke-color: black; } </style>

Live demo



PodSecurityPolicy

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - "*"
```

Kyverno

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: example
spec:
  rules:
    - name: psp-privileged-0
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: Rejected by psp-privileged-0 rule
        # "=(key)" is Kyverno's conditional anchor: if the key is present it
        # must match, so privileged may only be absent or false. initContainers
        # and ephemeralContainers are checked as well as containers.
        pattern:
          spec:
            "=(initContainers)":
              - "=(securityContext)":
                  "=(privileged)": false
            "=(ephemeralContainers)":
              - "=(securityContext)":
                  "=(privileged)": false
            containers:
              - "=(securityContext)":
                  "=(privileged)": false
```

Kubewarden

```yaml
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: example
spec:
  # The policy logic is a WebAssembly module pulled from an OCI registry;
  # settings: null runs it with its defaults.
  module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.9
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings: null
```

OPA Gatekeeper

```yaml
# This is an instance of the K8sPSPPrivilegedContainer ConstraintTemplate
# (from the gatekeeper-library pod-security-policy set), which must be
# installed first.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: example
spec:
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
  parameters: null
```
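The four policies above all encode the same privileged check, and the demo pods earlier also trip the hostPath and hostNetwork controls of the Baseline profile. As an added example that is not from the talk or from any of those projects, here is that Baseline logic in plain Python, run offline against pod manifests constructed inline to mirror the slides; it goes slightly beyond the slides by also refusing hostPID and hostIPC, which the same Baseline host-namespace control forbids.

```python
# Sample pods, constructed inline to mirror the demo manifests on the slides.
NGINX_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:1.14.2"}]},
}
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [{"name": "demo", "image": "alpine",
                             "securityContext": {"privileged": True}}]},
}
HOSTPATH_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [{"name": "demo", "image": "alpine",
                             "volumeMounts": [{"mountPath": "/storage", "name": "storage"}]}],
             "volumes": [{"name": "storage", "hostPath": {"path": "/", "type": "Directory"}}]},
}
HOSTNETWORK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"hostNetwork": True, "containers": [{"name": "demo", "image": "alpine"}]},
}

def all_containers(spec):
    """Yield every container-like entry, walking the same three lists as the Kyverno pattern."""
    for field in ("initContainers", "ephemeralContainers", "containers"):
        yield from spec.get(field, [])

def baseline_violations(pod):
    """Return the Baseline-profile violations in a Pod manifest (empty list if clean)."""
    spec = pod.get("spec", {})
    found = []
    # Host namespaces: hostNetwork is on the slides; hostPID/hostIPC fall under the same control.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag) is True:
            found.append(f"{flag} is true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol.get('name')!r} uses hostPath {vol['hostPath'].get('path')!r}")
    for c in all_containers(spec):
        if (c.get("securityContext") or {}).get("privileged") is True:
            found.append(f"container {c.get('name')!r} is privileged")
    return found

def admit(pod):
    """Admission verdict in the shape a validating webhook would return: (allowed, message)."""
    violations = baseline_violations(pod)
    if violations:
        return False, "Rejected by baseline: " + "; ".join(violations)
    return True, "allowed"
```

The nginx pod from the opening slide is admitted; each of the three demo pods is rejected with a message naming the field that violated the profile.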



But, should you migrate from PodSecurityPolicy?


🚫




sorry

(not sorry)








<style scoped> li { font-size: 1.6em; } </style>
  • AppArmor
  • Continuous Integration
  • Cultural Change
  • eBPF
  • GitOps
  • Keep it Stupid Simple
  • Kernel Level Protection
  • Policy as code
  • seccomp
  • Secure By Design
  • Security Profiles Operator
  • SELinux
  • Shared Responsibility Model
  • Shift Left
  • Testing
  • Version Controlled Policy
  • Zero trust

<style scoped> h2 { position: absolute; bottom: 1ch; left: 2vw; width: 95% } </style>

🙏 Thanks 🙏


  • cns.me
  • github.com/chrisns
  • github.com/appvia
  • appvia.io/blog

Chris Nesbitt-Smith