Sangam Biradar
Principal Security Advocate
Developer Evangelist/Advocate Advisory Board
https://blog.cloudnativefolks.org
Cloud-Native Security: 4 C’s and 5 Strategies
Shared Responsibilities for Security
Cloud-Agnostic Security - IaC
Developer First Security - Shift Left
Defensive Depth - Auto Resilience
Supply Chain Security - SBOM/CBOM
Why Pod Security?
Kubernetes offers a built-in Pod Security admission controller (beta since v1.23) as the successor to PodSecurityPolicy. Pod security restrictions are configured per namespace through labels and are applied when pods are created.
Note: The PodSecurityPolicy API is deprecated and will be removed from Kubernetes in v1.25.
If you are running an older version of Kubernetes, such as v1.22, you can still use this admission controller: it can be deployed as a standalone webhook, and on v1.22 the PodSecurity feature gate must be switched on.
What is an admission controller?
An admission controller intercepts requests to the API server after authentication and authorization, and can reject (validating) or modify (mutating) the object before it is persisted. PodSecurity is a validating admission controller.
If your cluster is older than v1.23, deploy the Pod Security admission webhook from the upstream repository:
git clone https://github.com/kubernetes/pod-security-admission.git
cd pod-security-admission/webhook
make certs
kubectl apply -k .
On a v1.22 kubeadm cluster the feature gate has to be enabled on the kube-apiserver; the kubeadm-managed files involved are the kubelet drop-in and the API server static pod manifest:
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
/etc/kubernetes/manifests/kube-apiserver.yaml
--feature-gates=PodSecurity=true
Use the Pod Security admission controller standalone by giving the API server an AdmissionConfiguration file (--admission-control-config-file) that sets cluster-wide defaults and exemptions:
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    # v1beta1 on Kubernetes v1.23; use v1alpha1 on v1.22
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults: # Defaults applied when a mode label is not set.
      enforce: <default enforce policy level>
      enforce-version: <default enforce policy version>
      audit: <default audit policy level>
      audit-version: <default audit policy version>
      warn: <default warn policy level>
      warn-version: <default warn policy version>
    exemptions:
      usernames: [ <array of authenticated usernames to exempt> ]
      runtimeClassNames: [ <array of runtime class names to exempt> ]
      namespaces: [ <array of namespaces to exempt> ]
...
AdmissionConfiguration
Pod Security Standards
Profile    | Description
Privileged | The Privileged policy is purposely open and entirely unrestricted.
Baseline   | The Baseline policy is aimed at ease of adoption for common containerized workloads while preventing known privilege escalations.
Restricted | The Restricted policy is aimed at enforcing current Pod hardening best practices, at the expense of some compatibility.
apiVersion: v1
kind: Namespace
metadata:
  name: my-privileged-namespace
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
---
apiVersion: v1
kind: Namespace
metadata:
  name: my-baseline-namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest
---
apiVersion: v1
kind: Namespace
metadata:
  name: my-restricted-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
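To make the three modes concrete, the following is an added example (not Kubernetes' own code and not from the original slides) that simulates what the PodSecurity admission controller does with the namespace labels above and with the AdmissionConfiguration defaults and exemptions: it re-implements a subset of the Baseline checks (host namespaces, hostPath, privileged, capability adds) and of the Restricted checks (allowPrivilegeEscalation, runAsNonRoot, UID 0, drop ALL, seccomp), then decides per mode. The sample pods, namespace label sets, cluster defaults and the kube-system exemption are constructed for the example; version labels, username and runtimeClassName exemptions, and the volume-type and other checks of the real standard are deliberately left out.

```python
"""Simulate Kubernetes Pod Security admission for a pod manifest (added example)."""

LABEL_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
# Capabilities the Baseline profile lets a container add (per the Pod Security Standards).
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                 "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}  # seccomp profile types Restricted accepts


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def baseline_violations(pod):
    """Subset of the Baseline checks: host namespaces, hostPath, privileged, capabilities."""
    spec, found = pod.get("spec", {}), []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append(f"{field} is not allowed")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"hostPath volume {vol.get('name')!r} is not allowed")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"container {c['name']!r} is privileged")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_CAPS
        if extra:
            found.append(f"container {c['name']!r} adds capabilities {sorted(extra)}")
    return found


def restricted_violations(pod):
    """Restricted = Baseline plus explicit hardening on every container (subset)."""
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    found = baseline_violations(pod)
    for c in _containers(pod):
        sc, name = c.get("securityContext", {}), c["name"]
        caps = sc.get("capabilities", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {name!r} must set allowPrivilegeEscalation=false")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"container {name!r} must set runAsNonRoot=true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            found.append(f"container {name!r} must not run as UID 0")
        if "ALL" not in caps.get("drop", []):
            found.append(f"container {name!r} must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"container {name!r} may only add NET_BIND_SERVICE")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in RESTRICTED_SECCOMP:
            found.append(f"container {name!r} needs a RuntimeDefault or Localhost seccomp profile")
    return found


CHECKS = {"privileged": lambda pod: [],  # purposely open: nothing is checked
          "baseline": baseline_violations, "restricted": restricted_violations}


def admit(pod, namespace, ns_labels, defaults=None, exemptions=None):
    """Combine namespace labels with AdmissionConfiguration defaults and exemptions.
    A mode with neither label nor default falls back to privileged. Only enforce
    violations reject the pod; warn ones go to the client, audit ones to the audit log."""
    defaults, exemptions = defaults or {}, exemptions or {}
    if namespace in exemptions.get("namespaces", []):
        return {"allowed": True, "exempt": True, "violations": [], "warnings": [], "audit": []}
    level = {m: ns_labels.get(LABEL_PREFIX + m, defaults.get(m, "privileged")) for m in MODES}
    violations = CHECKS[level["enforce"]](pod)
    return {"allowed": not violations, "exempt": False, "violations": violations,
            "warnings": CHECKS[level["warn"]](pod), "audit": CHECKS[level["audit"]](pod)}


# Constructed sample pods and namespace labels (not taken from the original page).
PLAIN_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain"},
             "spec": {"containers": [{"name": "web", "image": "nginx"}]}}
PRIVILEGED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
                  "spec": {"hostPID": True, "containers": [{"name": "dbg", "image": "busybox",
                           "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "web", "image": "nginx", "securityContext": {
                             "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
BASELINE_NS = {LABEL_PREFIX + "enforce": "baseline", LABEL_PREFIX + "warn": "restricted",
               LABEL_PREFIX + "audit": "restricted"}
RESTRICTED_NS = {LABEL_PREFIX + "enforce": "restricted"}
CLUSTER_DEFAULTS = {"enforce": "baseline", "audit": "restricted", "warn": "restricted"}
EXEMPTIONS = {"namespaces": ["kube-system"]}

if __name__ == "__main__":
    for pod in (PLAIN_POD, PRIVILEGED_POD, HARDENED_POD):
        d = admit(pod, "my-baseline-namespace", BASELINE_NS)
        print(pod["metadata"]["name"], "allowed" if d["allowed"] else "REJECTED",
              d["violations"], f"{len(d['warnings'])} warnings")
```

Running it shows the practical pattern the labels are designed for: enforce at baseline while warning and auditing at restricted, so a stock nginx pod is admitted but the client sees exactly which Restricted requirements it misses, while a privileged hostPID pod is rejected. Against a real cluster the equivalent dry run is kubectl label --dry-run=server --overwrite ns <namespace> pod-security.kubernetes.io/enforce=restricted, which reports the existing pods that would violate the level without changing the namespace.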
Deep Dive Pod Security - Demo
Check out Terrascan, and give the project a GitHub star: https://github.com/tenable/terrascan