1 of 30

Replacing PSPs?

Keep Bad Pods out of your cluster using Kyverno!

2 of 30

Shuting Zhao

  • Kyverno Maintainer
  • Kubernetes Policy WG, Multi-tenancy WG
  • Senior Software Engineer, Nirmata

3 of 30

Pod Security

4 of 30

Pod Security Standards

  • Privileged - Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations.
  • Baseline/Default - Minimally restrictive policy while preventing known privilege escalations. Allows the default (minimally specified) pod configuration.
  • Restricted - Heavily restricted policy, following current pod hardening best practices.

Link to Pod Security Standards

5 of 30

Manage Pod Security

  • Pod Security Admission - Kubernetes 1.22 offers a built-in Pod Security admission controller, as an alpha feature
  • Pod Security Policies (PSPs) - Beta, deprecated in 1.22

6 of 30

Pod Security Admission Considerations

  • Enabling the feature requires access to the kube-apiserver
  • Reporting is limited to audit-logs
  • Enforcement is at pod level, not at pod controller level
  • Namespace level settings, no support for fine-grained privileges
  • No ability to mutate default security context

7 of 30

Recommendations

  1. Start with PSA for secure defaults
  2. Use a policy engine like Kyverno for:
    • fine-grained security configuration
    • additional workload and configuration security
    • centralized reporting
    • enforcing best practices
    • automation of defaults

8 of 30

Why Kyverno

9 of 30

Kyverno Project Goals

  1. Make K8s policies easy to write and manage
  2. Make policy results easy to process
  3. Validate (audit or enforce), Mutate, and Generate
  4. Support all Kubernetes types including Custom Resources
  5. Use Kubernetes patterns and practices, e.g. labels and selectors, annotations, events, ownerReferences, pod controllers, etc.

Being Kubernetes native simplifies K8s policy management!

10 of 30

A Kyverno Policy

11 of 30

Kyverno Pod Security Standard Policies

12 of 30

Kyverno Pod Security Standard Policies

13 of 30

Demo

Kyverno PSS policies installation

14 of 30

Demo 1 - Kyverno PSS Policies Install

$ kustomize build https://github.com/kyverno/policies/pod-security | kubectl apply -f -

15 of 30

Managing Pod Security with Kyverno

16 of 30

Policy Mode

  • Enforce - Policy violations will cause the resource to be rejected
  • Audit - Policy violations will be logged in the reports and recorded in the events; resource creation is allowed

17 of 30

Auto-generating Pod Controller Policies

  • Kyverno automatically generates policy rules for pod controllers from rules written on pods
  • Enabled by default
  • Managed by an annotation `pod-policies.kyverno.io/autogen-controllers`:

    • `none` - Disable auto-generation
    • `all` - Enable auto-generation for Deployments, StatefulSets, Jobs, CronJobs
    • `<name>,<name>` - Enable auto-generation for each named controller
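As an added example (not a slide from this deck and not the Kyverno project's own policy file), the ClusterPolicy below combines the two settings from the Policy Mode and auto-generation slides: `validationFailureAction: enforce` selects Enforce mode, so a violating Pod is rejected at admission rather than only reported, and the `pod-policies.kyverno.io/autogen-controllers` annotation limits rule generation to Deployments and StatefulSets instead of the default `all`. The rule body mirrors the Pod Security Standards baseline check for privileged containers; the policy name and message wording are mine.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  # Example name, not from the deck
  name: disallow-privileged-containers-example
  annotations:
    # Only generate matching rules for these pod controllers
    # (default is "all"; "none" turns auto-generation off)
    pod-policies.kyverno.io/autogen-controllers: Deployment,StatefulSet
spec:
  # "enforce" rejects violating resources; "audit" only records them
  # in PolicyReports and events
  validationFailureAction: enforce
  # Also evaluate existing resources in background scans so the
  # policy report covers workloads created before the policy
  background: true
  rules:
    - name: privileged-containers
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: >-
          Privileged mode is disallowed. securityContext.privileged must be
          unset or false for all containers and initContainers.
        pattern:
          spec:
            # =(key) is a conditional anchor: the nested pattern is checked
            # only when the key is present, so Pods that omit securityContext
            # or privileged still pass
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

With this policy applied, `kubectl apply` of a Pod (or of a Deployment or StatefulSet, via the auto-generated rule) that sets `privileged: true` is denied with the message above; switching `validationFailureAction` to `audit` keeps the same rule but turns the denial into a report entry and an event, which is the usual way to roll a new policy out before enforcing it.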

18 of 30

Demo 2 - Policy Mode

  • Enforce

19 of 30

Policy Reports

Kyverno uses the Policy WG PolicyReport CRD

  • In-cluster policy report
  • Generate reports from Kyverno CLI

20 of 30


21 of 30

Demo 3 - Reports

22 of 30

Policy Reporter

  • View policy results from Kyverno, Falco, kube-bench, Trivy
  • Send notifications to Loki, ES, Teams, Discord, Slack

23 of 30

Grafana Dashboard

24 of 30

Remedy Policy Violations

In Kyverno, you can remedy policy violations:

  • Manually
  • With a mutate policy
    • flexible resource selection

25 of 30

Demo 4 - Remedy Violations

Mutate securityContext.privileged to false
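The mutation shown in Demo 4, written out as an added example (not the slide's own manifest or a file from the Kyverno project): a mutate rule with `patchStrategicMerge` that sets `securityContext.privileged` to `false` on every container of an incoming Pod. The policy name is mine; the `(name): "*"` entry is Kyverno's conditional anchor for "apply to each list item whose name matches", so the patch is not limited to one container name.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  # Example name, not from the deck
  name: set-privileged-false-example
spec:
  rules:
    - name: set-privileged-false
      match:
        resources:
          kinds:
            - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # (name): "*" matches every container in the list and merges
              # the fields below into each one
              - (name): "*"
                securityContext:
                  privileged: false
            initContainers:
              - (name): "*"
                securityContext:
                  privileged: false
```

Because auto-generation is on by default, the same patch is also applied to the pod template of Deployments, StatefulSets, Jobs and CronJobs. Mutation runs before validation in the admission chain, so pairing this policy with an Enforce-mode validation rule on `privileged` means non-compliant manifests are corrected instead of rejected; a namespace that should keep the ability to request privileged Pods is excluded with an `exclude` clause on the rule rather than by turning the policy off cluster-wide.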

26 of 30

Beyond Pod Security

  • Other configurations also need to be secured! Some examples:
    • workload identity
    • fine-grained RBAC
    • service configuration (e.g. CVE-2020-8554)
    • ingress configuration
  • Images need to be verified for signatures and attestations to prevent supply chain attacks
  • Best-practice configuration should be standardized

27 of 30

Summary

28 of 30

Takeaways

  1. Start with built-in security configurations
  2. Use a policy engine for additional checks, configurations and automation
  3. Use Kyverno for a Kubernetes native experience

29 of 30

Learn More!

  • Visit Kyverno Booth in the Project Pavilion
  • Join Our Office Hour
    • Thursday, October 14, 4:30 PM PST: https://lnkd.in/gJJ9reRn
  • Join the Kyverno Community:
    • The Kyverno docs & samples: https://kyverno.io
    • Slack Channel: https://slack.k8s.io/#kyverno
    • Monthly community meetings
    • Weekly contributor meetings

30 of 30

https://kyverno.io/

Twitter: @shutingzhao2

LinkedIn: @Shuting Zhao

Email: shuting@nirmata.com

Thank-You!