k3s-on-prem-production icon indicating copy to clipboard operation
k3s-on-prem-production copied to clipboard

Published 20 hours ago verified publisher icon digitalis-io

PodSecurityPolicy FEATURE STATE: Kubernetes v1.21 [deprecated]

Open lorenzo95 opened this issue 3 years ago • 3 comments

Hello!

I would first like to say that I am amazed by the content of your blog post/repository. I am learning a lot and it gives me great ideas. Therefore, thank you for sharing!!!

I do want to ask what your opinion is on the PodSecurityPolicy Admission Controller since it is deprecated now (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)

Do you think for example that the SecurityContextDeny Controller would be a good replacement? Rancher is referring to it regarding the cis benchmark requirements here: https://rancher.com/docs/k3s/latest/en/security/self_assessment/#1-2-13

Thank you, Gera

lorenzo95 avatar Dec 08 '21 00:12 lorenzo95

Hey @lorenzo95 glad you liked the post :smile:

So yea, 1.21+ Deprecates the PSPs, which means it still works but we need to start finding a replacement

As stated in this blog article from the kubernetes.io blog The immediate solution is to use PodSecurityContext which is an evolution of the SecurityContextDeny.

This works for generic not-do-complicated hardenization and works when you write them pod-per-pod, but not as a generic policy for the cluster (eg when used by multiple users)

personally (emphasis :smile: ) I would just go full with 2 tools:

Falco by Sysdig, implements a great engine to detect stuff and make rule easily (as shown in the blogpost) Using its ability to support directly the PSPs: https://falco.org/docs/psp-support/

And OPA Gatekeeper, which can enforce PSPs like explained here: https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies-with-gatekeeper

89luca89 avatar Dec 08 '21 09:12 89luca89

Hey @89luca89

With the release of Kubernetes v1.23, Pod Security admission has now entered beta. This will be the replacement for PSP. I will less configurable the PSP so a tool like OPA Gatekeeper or Kyverno could be a better solution. I prefer to use Kyverno, because it is easier to use and has more functionality then OPA Gatekeeper.

devopstales avatar Dec 13 '21 13:12 devopstales

Hey @devopstales

Yea was looking in to the new PSA will have to play with them a bit more What I was thinking with Falco and OPA is that they can drop-in use the old PSP, so that in the meantime that PSA becomes stable it is still possible to use the PSP already written

89luca89 avatar Dec 13 '21 15:12 89luca89