This document discusses Kubernetes admission controllers and options for replacing the deprecated PodSecurityPolicy feature. It provides an overview of admission control and some of the built-in controllers. It notes that PodSecurityPolicy is being deprecated and discusses potential in-built and third-party replacements like OPA Gatekeeper, Kyverno, K-rail, and jsPolicy. The document includes demonstrations of OPA and Kyverno. It concludes that admission control is important for Kubernetes security and administrators will need to choose an option to replace PodSecurityPolicy.
Slide 2: About Me
• Cloud Native Security Advocate for Aqua
• Ex-Pentester/IT Security person
• CIS Benchmark author, Docker and Kubernetes
• Member of SIG-Honk
Slide 5: In-Built Admission Controllers
• Kubernetes ships with a set of admission controllers that are enabled by default.
• CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, LimitRanger, MutatingAdmissionWebhook, NamespaceLifecycle, PersistentVolumeClaimResize, Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook
• Most of these have a specific role for a specific object type (e.g. CertificateApproval acts on CertificateSigningRequests only).
• Two types of controller: mutating (run first and may change the object) and validating (run afterwards and can only accept or reject it).
Slide 8: Why did that work?
• Docker and Kubernetes are essentially “remote code execution as a service”.
• Without admission control, anyone who can create pods can do that.
• Traditionally this element of security was handled by Pod Security Policies.
Slide 9: PodSecurityPolicies
• Not one of the default admission controllers, but an in-built one: the PodSecurityPolicy admission plugin has to be enabled on the API server.
• Controls the rights of workloads in the cluster (privileged containers, host namespaces, hostPath volumes, running as root and so on), preventing things like our demo.
Slide 10: What’s happening to PSP
• Beta feature, never made it to General Availability.
• Decision made to deprecate.
• Deprecated in 1.21.
• Removal in 1.25 (planned).
Slide 11: Options for replacement
• In-built PSP replacement
• Open source
  • OPA
  • Kyverno
  • jsPolicy
  • Kubewarden
  • K-rail
• Commercial - KAP
Slide 12: In-built replacement
• Relatively basic: the Pod Security Admission controller, enforcing the Pod Security Standards.
• Implements 3 levels of restriction:
  • Privileged (no restrictions)
  • Baseline
  • Restricted
• Restrictions applied at a namespace level, via labels on the namespace.
• Code not yet merged (at the time of this talk).
Slide 13: 3rd Party Projects
• Kubernetes allows external services to provide admission control through two of the in-built controllers:
  • ValidatingAdmissionWebhook
  • MutatingAdmissionWebhook
• The API server sends each matching request to the registered service as an AdmissionReview over HTTPS and acts on the response.
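The webhook mechanism the slide refers to has a small, fixed contract, and it is worth seeing it once in code. The block below is an added example written for this page; it is not code from the talk or from any of the projects it mentions. It models what a validating and a mutating webhook receive and return for a Pod: the API server POSTs an AdmissionReview, the webhook must echo the request uid and set allowed, and a mutating webhook attaches a base64-encoded JSON Patch. The checks mirror what PSP used to enforce (host namespaces, hostPath volumes, privileged containers). The sample pod, the ESCAPE_REVIEW constant and the function names are constructed for the example.

```python
"""Minimal admission webhook logic: what a validating and a mutating webhook
receive and return. Added example, not code from the talk or from any of the
projects it mentions. The sample pod and all names are constructed."""
import base64
import json

# Pod-level settings that hand a workload direct access to the node.
HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def validate_pod(pod):
    """Return the list of policy violations; an empty list means 'allow'."""
    problems = []
    spec = pod.get("spec", {})
    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field):
            problems.append(f"spec.{field} is not allowed")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f"volume {vol.get('name')!r} uses hostPath")
    for c in _containers(pod):
        if (c.get("securityContext") or {}).get("privileged"):
            problems.append(f"container {c.get('name')!r} is privileged")
    return problems


def mutate_pod(pod):
    """Build a JSON Patch that sets allowPrivilegeEscalation: false on every
    container that does not state it, leaving explicit settings alone."""
    patch = []
    for i, c in enumerate(pod.get("spec", {}).get("containers", [])):
        sc = c.get("securityContext")
        if sc is None:
            patch.append({"op": "add", "path": f"/spec/containers/{i}/securityContext",
                          "value": {"allowPrivilegeEscalation": False}})
        elif "allowPrivilegeEscalation" not in sc:
            patch.append({"op": "add",
                          "path": f"/spec/containers/{i}/securityContext/allowPrivilegeEscalation",
                          "value": False})
    return patch


def admission_response(review, mutating=False):
    """Answer an admission.k8s.io/v1 AdmissionReview the way a webhook server
    must: echo the request uid, set allowed, and for a mutating webhook attach
    a base64-encoded JSONPatch. Non-Pod objects are allowed untouched."""
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    if req.get("kind", {}).get("kind") == "Pod":
        pod = req["object"]
        if mutating:
            patch = mutate_pod(pod)
            if patch:
                resp["patchType"] = "JSONPatch"
                resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
        else:
            problems = validate_pod(pod)
            if problems:
                resp["allowed"] = False
                resp["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


# Constructed AdmissionReview for the kind of pod a node-escape demo uses.
ESCAPE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "7f3c3d14-1a2b-4c5d-8e9f-0123456789ab",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "namespace": "default",
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "escape"},
            "spec": {
                "hostPID": True,
                "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                "containers": [{"name": "shell", "image": "alpine",
                                "securityContext": {"privileged": True}}],
            },
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(admission_response(ESCAPE_REVIEW), indent=2))
    print(json.dumps(admission_response(ESCAPE_REVIEW, mutating=True), indent=2))
```

The serving side (TLS listener, the caBundle in the webhook configuration) is left out; the handler only needs the decoded JSON body. Two points worth noting follow from this shape. What the API server does when this server is unreachable is not decided by the handler at all but by failurePolicy on the webhook configuration (Ignore fails open, Fail fails closed). And because mutating webhooks run before validating ones, a validating check like validate_pod sees the patched pod, not the object the user submitted.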
Slide 14: Some possible security challenges
• Fail open / fail closed? If the webhook is unreachable the API server either admits the request (failurePolicy: Ignore) or rejects it (failurePolicy: Fail); the first keeps the cluster usable at the cost of a window in which nothing is enforced.
• Attacking the admission controller workloads: they run as ordinary pods in the cluster and sit in the request path, so compromising or denying service to them undermines every policy they enforce.
• Managing exceptions: namespace, label or user-based exemptions are themselves a bypass route and need the same review as the policies.
Slide 15: Policy Trickery
• Read policies to determine how they make decisions.
• String matching on IP addresses and domain names (substring and prefix checks match more, or less, than the author intended).
• CaSe SenSiTiViTy (hostnames are case-insensitive; most string comparisons are not).
• Keeping policies updated.
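As an added example of the second and third items on this slide (written for this page, not taken from the talk, OPA or Kyverno), the following Python puts a naive string-matching check beside one that resolves the value the way the runtime does: an image reference is expanded to its real registry and repository before comparison, and an address is parsed and tested for network membership rather than matched as text. Every image, hostname and address in it is constructed.

```python
"""Two policy-matching mistakes from the 'Policy Trickery' slide, each shown as
the naive check beside one that resolves the value as the runtime does.
Added example, not code from the talk or from OPA/Kyverno; all sample images,
hosts and addresses are constructed."""
import ipaddress

# Hostnames the container runtime treats as Docker Hub.
DOCKER_HUB_ALIASES = {"docker.io", "index.docker.io", "registry-1.docker.io"}


def normalize_image(ref):
    """Reduce an image reference to <registry>/<repository> as the runtime
    resolves it (docker/distribution reference rules):
      - no registry part -> docker.io, and bare names get the library/ prefix
      - hostnames are case-insensitive, so the registry is lower-cased
      - tags (:v1) and digests (@sha256:...) are stripped"""
    repo = ref.split("@", 1)[0]
    last_slash, last_colon = repo.rfind("/"), repo.rfind(":")
    if last_colon > last_slash:          # ':' after the last '/' is a tag, not a port
        repo = repo[:last_colon]
    first, sep, rest = repo.partition("/")
    looks_like_host = "." in first or ":" in first or first == "localhost"
    if not sep or not looks_like_host:
        registry, path = "docker.io", repo
    else:
        registry, path = first.lower(), rest
    if registry in DOCKER_HUB_ALIASES:
        registry = "docker.io"
        if "/" not in path:
            path = "library/" + path
    return f"{registry}/{path}"


def naive_registry_allowed(image, registry):
    """Substring match on the registry name: what a hastily written policy does."""
    return registry in image


def registry_allowed(image, allowed_registries):
    """Compare the normalized registry component against an allowlist."""
    registry = normalize_image(image).split("/", 1)[0]
    return registry in allowed_registries


def naive_ip_allowed(addr, allowed):
    """String matching on an address: '10.0.0.1' also 'matches' 10.0.0.100."""
    return any(a in addr for a in allowed)


def ip_allowed(addr, allowed_networks):
    """Parse both sides and test network membership instead."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


if __name__ == "__main__":
    trusted = "registry.example.com"
    for image in ("registry.example.com/team/app:v1",
                  "Registry.Example.COM/team/app:v1",
                  "evil.example/registry.example.com/app",
                  "registry.example.com.evil.example/app",
                  "nginx"):
        print(f"{image:45} naive={naive_registry_allowed(image, trusted)!s:5} "
              f"proper={registry_allowed(image, {trusted})!s:5} "
              f"-> {normalize_image(image)}")
    for addr in ("10.0.0.1", "10.0.0.100"):
        print(addr, naive_ip_allowed(addr, ["10.0.0.1"]),
              ip_allowed(addr, ["10.0.0.1/32"]))
```

Running it shows the substring check accepting evil.example/registry.example.com/app and registry.example.com.evil.example/app while rejecting the trusted registry written in a different case, and the address check admitting 10.0.0.100 on an allowlist that contains only 10.0.0.1. A Rego or Kyverno rule that compares image strings with contains, startswith or glob patterns inherits the same properties, so normalize the reference first and prefer allowlists to denylists: a denylist on docker.io/ is bypassed by a bare nginx, which the runtime resolves to docker.io/library/nginx.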
Slide 16: OPA – Open Policy Agent
• General project for applying policy controls to systems.
• Can do a variety of things, not just security.
Slide 17: OPA Gatekeeper
• OPA project for Kubernetes.
• Deployed as a workload in the cluster.
• Pre-generated policies available: OPA Gatekeeper Library (https://github.com/open-policy-agent/gatekeeper-library).
• Custom policies written in Rego.
Slide 22: Kyverno
• Policy project focused purely on Kubernetes.
• Deployed as a workload in the cluster.
• Pre-generated policies available (https://github.com/kyverno/policies).
• Custom policies written in YAML.
Slide 29: Policy Choices and Challenges
• Newish area with many competing solutions.
• Different approaches to policy writing.
• Maintaining and developing policy libraries will be an ongoing challenge.
Slide 30: Conclusion
• Admission control is a vital area of Kubernetes security.
• With the deprecation of PSP, users will need to choose a path forward.
• The in-built option may be suitable for basic clusters.
• Which 3rd party project you choose will likely depend on your situation.