This document discusses Kubernetes admission controllers and options for replacing the deprecated PodSecurityPolicy feature. It provides an overview of admission control and some of the built-in controllers. It notes that PodSecurityPolicy is being deprecated and discusses potential in-built and third-party replacements like OPA Gatekeeper, Kyverno, K-rail, and jsPolicy. The document includes demonstrations of OPA and Kyverno. It concludes that admission control is important for Kubernetes security and administrators will need to choose an option to replace PodSecurityPolicy.

1. © 2021 Aqua Security Software Ltd., All Rights Reserved
PSP, OPA, Kyverno and more!
Rory McCune | June 2021
Kubernetes Admission Controllers

2. 2
2
• Cloud Native Security Advocate for Aqua
• Ex-Pentester/IT Security person
• CIS Benchmark author, Docker and Kubernetes
• Member of SIG-Honk
About Me

3. 3

4. 4
4
What is Admission Control?

5. 5
5
• Kubernetes has a set of admission controllers which will run by default on every
request.
• CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass,
DefaultStorageClass, DefaultTolerationSeconds, LimitRanger,
MutatingAdmissionWebhook, NamespaceLifecycle, PersistentVolumeClaimResize,
Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection,
TaintNodesByCondition, ValidatingAdmissionWebhook
• Most of these have specific roles for specific object types (e.g. CertificateApproval
works on Certificate Signing Requests only)
• Two types of controller, validating and mutating
In-Built Admission Controllers

6. © 2021 Aqua Security Software Ltd., All Rights Reserved
Demo – Why do we need
Admission Control for Security?

7. 7

8. 8
8
• Docker and Kubernetes are essentially “remote code execution as a service”
• Without admission control, anyone who can create pods, can do that.
• Traditionally this element of security was handled by Pod Security Policies
Why did that work?

9. 9
9
• Not one of the default admission controllers
• But an in-built one
• Controls the rights of workloads in the cluster, preventing things like our demo.
PodSecurityPolicies

10. 10
10
• Beta feature, never made it to General Availability
• Decision made to deprecate
• Deprecation 1.22
• Removal 1.25 (planned)
What’s happening to PSP

11. 11
11
• In-Built PSP Replacement
• Open Source
• OPA
• Kyverno
• jsPolicy
• Kubewarden
• K-rail
• Commercial - KAP
Options for replacement

12. 12
12
• Relatively basic
• Implements 3 levels of restriction
• Privileged (no restrictions)
• Baseline
• Restricted
• Restrictions applied at a namespace level
• Code not yet merged.
In-built replacement

13. 13
13
• Kubernetes allows for external services to provide admission control
• Validating admission webhook
• Mutating admission webhook
3rd Party Projects

14. 14
14
- Fail open/Fail Closed?
- Attacking the admission controller workloads
- Managing exceptions
Some possible security challenges

15. 15
15
• Read policies to determine how they make decisions
• Using String matching on IP addresses and domain names
• CaSe SenSiTiViTy
• Keeping Policies Updated
Policy Trickery

16. 16
16
• General project for applying policy controls to systems
• Can do a variety of things, not just security
OPA – Open Policy Agent

17. 17
17
• OPA project for Kubernetes
• Deployed as a workload in the cluster
• Pre-generated Policies available
• OPA Gatekeeper Library (https://github.com/open-policy-agent/gatekeeper-library)
• Custom policies written in Rego
OPA Gatekeeper

18. 18
Constraint Templates

19. 19

20. © 2021 Aqua Security Software Ltd., All Rights Reserved
OPA Demo

21. 21

22. 22
22
• Policy project focused purely on Kubernetes
• Deployed as a workload in the cluster
• Pre-generated policies available (https://github.com/kyverno/policies)
• Custom policies written in YAML
Kyverno

23. 23

24. 24

25. © 2021 Aqua Security Software Ltd., All Rights Reserved
Kyverno Demo

26. 26

27. 27
27
• Open Source
• K-rail (https://github.com/cruise-automation/k-rail/)
• jsPolicy (https://github.com/loft-sh/jspolicy)
• Kubewarden (https://github.com/kubewarden)
Other Options

28. 28

29. 29
29
• New’ish area with many competing solutions
• Different approaches to policy writing
• Maintaining and developing policy libraries will be an ongoing challenge.
Policy Choices and Challenges

30. 30
30
• Admission control is a vital area of Kubernetes security
• With the deprecation of PSP, users will need to choose a path forward
• In-built option may be suitable for basic clusters
• Which 3rd party you choose will likely depend on your situation
Conclusion

31. © 2021 Aqua Security Software Ltd., All Rights Reserved
Questions?
Twitter - @raesene
E-mail –
rory.mccune@aquasec.com