The Ultimate Guide to Pod Security that Every k8s Developer Must Know

Sangam Biradar

Principal Security Advocate

Developer Evangelist/Advocate Advisory Board

https://blog.cloudnativefolks.org

Cloud-Native Security: 4 C’s and 5 Strategies

Shared Responsibilities for Security 

Cloud-Agnostic Security - IaC 

Developer First Security - Shift Left

Defense in Depth - Auto Resilience

Supply Chain Security - SBOM/CBOM

Why Pod Security ?

Kubernetes ships a built-in Pod Security admission controller (beta since v1.23 and enabled by default), the successor to PodSecurityPolicy. The policy level is chosen per namespace, and the controller applies those restrictions when pods are created in that namespace.

 

Note: The PodSecurityPolicy API has been deprecated since v1.21 and will be removed from Kubernetes in v1.25.

 

If you are running an older version of Kubernetes (v1.22 or earlier), you can still use this admission controller: the same code is published as a standalone validating webhook.

What is an admission controller?

An admission controller is code inside kube-apiserver that intercepts a request after it has been authenticated and authorized but before the object is persisted; it can mutate the object or validate it and reject the request. PodSecurity is a validating admission plugin: it never changes the pod, it only decides whether the pod is allowed in.

For clusters older than v1.23, deploy the PodSecurity logic as a validating webhook from the upstream repository:
git clone https://github.com/kubernetes/pod-security-admission.git
cd pod-security-admission/webhook
make certs
kubectl apply -k .

On v1.22 the built-in controller exists but is alpha and off by default; turn it on with the PodSecurity feature gate on kube-apiserver. On a kubeadm node the kube-apiserver flags live in the static pod manifest, and the kubelet's own flags in its systemd drop-in:
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
/etc/kubernetes/manifests/kube-apiserver.yaml
    --feature-gates=PodSecurity=true

Cluster-wide defaults and exemptions for the controller are set in an AdmissionConfiguration file passed to kube-apiserver with --admission-control-config-file. Each mode behaves differently: enforce rejects a violating pod, audit lets it through but adds an annotation to the audit-log event, and warn lets it through but returns a warning to the client. The placeholders below are filled in per cluster:
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    defaults:  # Defaults applied when a mode label is not set.
      enforce:         <default enforce policy level>
      enforce-version: <default enforce policy version>
      audit:         <default audit policy level>
      audit-version: <default audit policy version>
      warn:          <default warn policy level>
      warn-version:  <default warn policy version>
    exemptions:
      usernames:         [ <array of authenticated usernames to exempt> ]
      runtimeClassNames: [ <array of runtime class names to exempt> ]
      namespaces:        [ <array of namespaces to exempt> ]
...
Pod Security Standards
Privileged
Baseline
Restricted
The Privileged policy is purposely open and entirely unrestricted; it is also the level you get when no label and no default is set.
The Baseline policy is aimed at ease of adoption for common containerized workloads while preventing known privilege escalations (privileged containers, host namespaces, hostPath volumes and the like).
The Restricted policy is aimed at enforcing current Pod hardening best practices (run as non-root, no privilege escalation, drop all capabilities, a seccomp profile), at the expense of some compatibility.
Applying a level is just a matter of labelling the namespace; the three examples below are separate YAML documents:

---
apiVersion: v1
kind: Namespace
metadata:
  name: my-privileged-namespace
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
---
apiVersion: v1
kind: Namespace
metadata:
  name: my-baseline-namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest
---
apiVersion: v1
kind: Namespace
metadata:
  name: my-restricted-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
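To make the three levels, the namespace labels and the AdmissionConfiguration defaults concrete, here is an added example in Python (not the slides' code and not the upstream controller) that models Pod Security Admission offline: it resolves a namespace's enforce/audit/warn levels from its labels with fallback to the configured defaults and then to privileged, and checks a pod against a subset of the Baseline and Restricted controls. The two pods and the registry name `registry.example` are constructed for illustration, and the rule set is deliberately partial (no AppArmor, SELinux, sysctl, hostPort or Windows checks), so it is a reading aid for the standards, not a replacement for the real controller.

```python
"""Offline model of Pod Security Admission (added example, not the upstream
controller).  Resolves a namespace's enforce/audit/warn levels the way the
plugin does (namespace label, else AdmissionConfiguration default, else
privileged) and checks a pod against a subset of Baseline and Restricted."""

PRIVILEGED, BASELINE, RESTRICTED = "privileged", "baseline", "restricted"
LABEL_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")

# Volume types the Restricted profile allows; anything else is rejected.
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}


def effective_levels(ns_labels, defaults=None):
    """Per-mode level for a namespace. `defaults` mirrors the `defaults:` stanza
    of the AdmissionConfiguration; an unset mode falls back to privileged."""
    defaults = defaults or {}
    return {m: ns_labels.get(LABEL_PREFIX + m, defaults.get(m, PRIVILEGED)) for m in MODES}


def _containers(pod):
    spec = pod["spec"]
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def _sc_value(pod, container, field):
    """Container-level securityContext field, falling back to the pod level."""
    value = container.get("securityContext", {}).get(field)
    if value is None:
        value = pod["spec"].get("securityContext", {}).get(field)
    return value


def baseline_violations(pod):
    """Subset of Baseline: no host namespaces, hostPath, privileged or Unconfined seccomp."""
    spec, found = pod["spec"], []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append(f"{field} must not be set")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol['name']!r} uses hostPath")
    for c in _containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"container {c['name']!r} is privileged")
        if (_sc_value(pod, c, "seccompProfile") or {}).get("type") == "Unconfined":
            found.append(f"container {c['name']!r} runs with seccomp Unconfined")
    return found


def restricted_violations(pod):
    """Baseline plus the Restricted hardening controls."""
    spec, found = pod["spec"], baseline_violations(pod)
    for vol in spec.get("volumes", []):
        kinds = set(vol) - {"name"}
        if not kinds <= RESTRICTED_VOLUMES:
            found.append(f"volume {vol['name']!r} type {sorted(kinds - RESTRICTED_VOLUMES)} not allowed")
    for c in _containers(pod):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {name!r} must set allowPrivilegeEscalation=false")
        if _sc_value(pod, c, "runAsNonRoot") is not True:
            found.append(f"container {name!r} must set runAsNonRoot=true")
        if _sc_value(pod, c, "runAsUser") == 0:
            found.append(f"container {name!r} must not run as UID 0")
        if (_sc_value(pod, c, "seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"container {name!r} must set seccompProfile RuntimeDefault or Localhost")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"container {name!r} must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"container {name!r} may only add NET_BIND_SERVICE")
    return found


def violations(pod, level):
    return {PRIVILEGED: lambda p: [], BASELINE: baseline_violations,
            RESTRICTED: restricted_violations}[level](pod)


def admit(pod, ns_labels, defaults=None):
    """Admission decision for a pod created in a namespace carrying `ns_labels`:
    returns (allowed, enforce-level violations, warn-level violations)."""
    levels = effective_levels(ns_labels, defaults)
    enforce, warn = violations(pod, levels["enforce"]), violations(pod, levels["warn"])
    return not enforce, enforce, warn


# Constructed sample pods: a classic "node debug" pod and a hardened web pod.
DEBUG_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
             "spec": {"hostPID": True,
                      "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                      "containers": [{"name": "shell", "image": "busybox",
                                      "securityContext": {"privileged": True}}]}}
WEB_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
           "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                        "seccompProfile": {"type": "RuntimeDefault"}},
                    "volumes": [{"name": "tmp", "emptyDir": {}}],
                    "containers": [{"name": "app", "image": "registry.example/web:1.0",
                                    "securityContext": {"allowPrivilegeEscalation": False,
                                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    labels = {LABEL_PREFIX + "enforce": BASELINE, LABEL_PREFIX + "warn": RESTRICTED}
    for pod in (DEBUG_POD, WEB_POD):
        ok, enforce, warn = admit(pod, labels)
        print(pod["metadata"]["name"], "allowed" if ok else "REJECTED", enforce, "warnings:", warn)
```

Run it and the debug pod is rejected under enforce=baseline (hostPID, hostPath, privileged) with the longer Restricted list returned as warnings, while the web pod passes even under enforce=restricted because every required field is set at the pod or container level. Against a live cluster the equivalent pre-flight is `kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline`, which reports the existing pods in each namespace that would violate the level before you actually enforce it.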

Deep Dive Pod Security - Demo 

Check out Terrascan, and give it a GitHub star if it helps you! https://github.com/tenable/terrascan