DEV Community

Aviral Srivastava
Aviral Srivastava

Posted on

Pod Security Admission/Policies

#devops #kubernetes #security #tutorial

Level Up Your Kubernetes Security Game: Pod Security Admission & Policies Explained (No Boring Jargon Allowed!)

Hey there, fellow Kubernetes adventurers! Ever feel like your cluster is a bit of a Wild West, with pods doing whatever they please? You've got applications running, deployments humming, but a nagging feeling that someone could… well, break things? If that sounds familiar, then buckle up, because we're about to dive deep into the awesome world of Pod Security Admission (PSA) and its trusty sidekick, Pod Security Policies (PSPs). Think of it as putting a bouncer at the door of your container party, making sure only the well-behaved guests get in.

Introduction: What's the Big Deal with Pod Security?

At its heart, Kubernetes is all about orchestrating containers. And while containers are fantastic for packaging and isolating applications, they can also be a potential entry point for attackers if not properly secured. Imagine a rogue container with the keys to your kingdom. Scary, right?

Historically, securing pods relied on a patchwork of solutions. We had things like Network Policies, Role-Based Access Control (RBAC), and even custom admission controllers. But it could get complicated, and ensuring consistent security across your cluster could feel like juggling chainsaws.

Enter Pod Security Admission (PSA). It's Kubernetes' built-in way to enforce security standards at the pod creation level. Instead of letting any pod definition into your cluster, PSA acts as a gatekeeper, checking each pod against a predefined set of security rules. This is a massive win for security hygiene and preventing accidental misconfigurations that could lead to vulnerabilities.

You'll also hear about Pod Security Policies (PSPs). While PSA is the modern, recommended approach, PSPs were the OG. They served a similar purpose but had some limitations and have been deprecated in newer Kubernetes versions. We'll touch on them for context, but the real star of the show is PSA.

Prerequisites: What Do I Need Before I Start?

Before we unleash the power of PSA, let's make sure you're prepped.

  • A Working Kubernetes Cluster: Obviously! Whether it's a local minikube, a managed cloud service (EKS, GKE, AKS), or your own on-premise setup, you need a cluster to play with.
  • kubectl Access: Your trusty command-line tool for interacting with the cluster.
  • Understanding of Pods: You should know what a Pod manifest looks like (YAML, remember!).
  • A Hint of RBAC: PSA relies on user permissions (via RBAC) to determine who can create pods that violate certain policies. So, a basic grasp of RBAC is helpful.
  • Kubernetes Version Matters: PSA was introduced in Kubernetes 1.16 and graduated to stable in 1.25. If you're on a really old version, you might be stuck with PSPs (which, again, are deprecated).

The Core Concept: Pod Security Standards

PSA works by enforcing Pod Security Standards (PSS). These are a set of predefined security profiles that you can apply to your namespaces. Think of them as levels of security you can dial up or down. The three main profiles are:

  • privileged: This is the Wild West. Almost no restrictions. Pods running in this mode have elevated privileges and can do pretty much anything. Use with extreme caution, and ideally, not at all in production.
  • baseline: This is a good starting point. It restricts pods from common security risks like running as root, using host namespaces, and exposing host directories. It's designed to prevent known privilege escalation exploits.
  • restricted: This is the most secure. Pods in this mode are heavily restricted and must adhere to strict security best practices. They run with limited privileges, cannot access host resources, and are generally very locked down. This is your go-to for sensitive workloads.

How PSA Works: The Admission Controller Magic

PSA is implemented as an admission controller. Admission controllers are plugins that intercept requests to the Kubernetes API server before they are persisted in etcd (the cluster's database). They can validate, mutate, or reject requests.

When PSA is enabled, it intercepts CREATE and UPDATE requests for Pods. It then checks the Pod's definition against the PSS profile configured for the namespace where the Pod is being created or updated.

  • Enforce Mode: If the Pod violates the PSS, the request is rejected. This is your "bouncer saying no" scenario.
  • Audit Mode: If the Pod violates the PSS, the request is allowed, but a warning is logged. This is like a friendly reminder: "Hey, you might want to fix this."
  • Warn Mode: Similar to audit, but the warning is returned to the user as an HTTP status code.

You can configure these modes on a per-namespace basis. For example, you might have baseline enforced in most namespaces and restricted in critical ones.

Setting Up Pod Security Admission: A Hands-On Guide

Let's get our hands dirty and see how to configure PSA.

1. Enabling PSA on the API Server:

This is usually handled by your Kubernetes distribution. For example, if you're using kubeadm, you might configure it via the KubeAPIServer configuration. For managed services, it's often enabled by default or configurable through their control plane settings.

2. Applying Labels to Namespaces:

This is where the magic happens! You assign labels to your namespaces to tell the PSA admission controller which PSS profile to apply and in which mode.

Let's say you want to apply the baseline profile in enforce mode to your development namespace and the restricted profile in audit mode to your staging namespace.

# For the 'development' namespace (baseline enforced)
kubectl label --overwrite namespace development pod-security.kubernetes.io/enforce=baseline

# For the 'staging' namespace (restricted audited)
kubectl label --overwrite namespace staging pod-security.kubernetes.io/audit=restricted
Enter fullscreen mode Exit fullscreen mode

You can also set the warn mode:

# For a namespace where you want to warn about violations (e.g., production)
kubectl label --overwrite namespace production pod-security.kubernetes.io/warn=restricted
Enter fullscreen mode Exit fullscreen mode

Important Note: You can combine these labels. For instance, you might have pod-security.kubernetes.io/enforce=baseline and pod-security.kubernetes.io/audit=restricted on the same namespace. In this case, the enforce label takes precedence for rejection, while the audit label will still log warnings for stricter violations.

3. Testing the Policies:

Now, let's see it in action.

Scenario 1: Creating a Pod that violates baseline in the development namespace.

A common violation is running as the root user inside the container. Let's create a simple pod that does this.

# violating-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: violating-pod
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      runAsUser: 0 # Running as root
Enter fullscreen mode Exit fullscreen mode

Now, try to create it:

kubectl apply -f violating-pod.yaml -n development
Enter fullscreen mode Exit fullscreen mode

You should see an error message similar to this, indicating that the baseline policy is enforcing the restriction:

Error from server: error when creating "violating-pod.yaml": pods "violating-pod" is forbidden: violates PodSecurity: restricted: runAsNonRoot prevents using capabilities, privileged, hostNetwork, hostPID, hostIPC, nodeSelector, securityContext.apparmor, securityContext.seccomp, unsupported features, hostPath volumes, privileged, procMount, volumes.restricted: runAsNonRoot prevents using capabilities, privileged, hostNetwork, hostPID, hostIPC, nodeSelector, securityContext.apparmor, securityContext.seccomp, unsupported features, hostPath volumes, privileged, procMount, volumes
Enter fullscreen mode Exit fullscreen mode

Scenario 2: Creating a Pod that violates restricted in the staging namespace (audit mode).

Let's try to run a privileged container in staging.

# privileged-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
  - name: ubuntu
    image: ubuntu
    command: ["sleep", "3600"]
    securityContext:
      privileged: true # This is a big no-no for restricted
Enter fullscreen mode Exit fullscreen mode

Now, try to create it:

kubectl apply -f privileged-pod.yaml -n staging
Enter fullscreen mode Exit fullscreen mode

This time, the pod should be created, but you'll get a warning in your kubectl apply output:

pod/privileged-pod created (and warning logged)
Enter fullscreen mode Exit fullscreen mode

To see the audit logs, you'd typically check your Kubernetes API server logs or use a log aggregation tool. The exact location depends on your cluster setup.

Pod Security Policies (PSPs): The Legacy Companion

While PSA is the future, you might still encounter PSPs in older clusters. They worked by defining a PodSecurityPolicy object that specified a set of conditions a pod must meet to be allowed.

Here's a simplified example of a PSP that restricts privileged containers:

# psp-no-privileged.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  privileged: false # Disallow privileged containers
  # ... other restrictive settings ...
Enter fullscreen mode Exit fullscreen mode

Then, you'd need to bind this PSP to users or ServiceAccounts using Role and RoleBinding objects.

The key difference from PSA is that PSPs were more granular but also more complex to manage. PSA simplifies this by providing standardized profiles. PSPs have been deprecated since Kubernetes 1.21 and removed in 1.25. If you're on a modern cluster, focus on PSA.

Advantages of Using Pod Security Admission

Why bother with PSA? The benefits are significant:

  • Enhanced Security Posture: This is the most obvious. PSA prevents common security misconfigurations and reduces the attack surface of your cluster.
  • Simplified Security Management: Instead of managing individual PSPs or complex admission controllers, you apply standardized profiles to namespaces. Much easier to understand and maintain.
  • Consistent Security Across Workloads: Enforce security standards consistently across all your applications, regardless of who deploys them.
  • Reduced Risk of Privilege Escalation: By restricting unnecessary privileges, PSA makes it harder for compromised containers to gain elevated access.
  • Built-in Kubernetes Feature: No need for external tools or complex installations. It's part of the Kubernetes control plane.
  • Phased Rollout: The audit and warn modes allow you to gradually introduce stricter policies without breaking existing applications.
  • Future-Proofing: PSA is the modern and recommended approach, ensuring compatibility with future Kubernetes releases.

Disadvantages and Considerations

While PSA is fantastic, it's not a silver bullet. Here are some things to keep in mind:

  • Potential for Disruption: If you enable enforce mode too aggressively without proper testing, you could inadvertently block legitimate application deployments. Always start with audit or warn modes.
  • Requires Understanding of PSS: You need to understand what each PSS profile (privileged, baseline, restricted) restricts to effectively configure them.
  • Not a Replacement for Other Security Measures: PSA is one layer of security. You still need RBAC, Network Policies, secrets management, image scanning, and more.
  • Limited Granularity (Compared to PSPs): While PSA simplifies management, PSPs offered more fine-grained control over specific security settings. For highly specific needs, you might still need custom admission controllers.
  • Deprecation of PSPs: If you're on a very old cluster, you might be stuck with PSPs, which are now deprecated and will eventually be removed.

Key Features and Configurations

Let's dive into some of the specific features and configurations you'll encounter with PSA:

  • Namespaced Configuration: PSA is applied at the namespace level, allowing you to have different security profiles for different environments (e.g., dev vs. prod).
  • Mode Configuration (enforce, audit, warn): As we've seen, these modes allow for flexible policy enforcement.
  • Pod Security Standards: The three predefined profiles (privileged, baseline, restricted) offer a tiered approach to security.
  • Custom Labels: You can use custom labels for more complex scenarios if the built-in labels aren't sufficient, though this is less common for basic PSA implementation.
  • PodSecurity Admission Controller: This is the core controller that enforces the PSS.
  • Kubernetes Version Compatibility: Always ensure your cluster version supports the PSA features you intend to use.

Conclusion: Your Cluster's New Security Best Friend

Pod Security Admission is a game-changer for securing your Kubernetes cluster. It provides a standardized, built-in mechanism to enforce critical security configurations at the pod creation level. By understanding and leveraging Pod Security Standards and the different enforcement modes, you can significantly harden your cluster, reduce vulnerabilities, and gain peace of mind.

Remember to approach PSA implementation strategically:

  1. Understand your applications and their security needs.
  2. Start with audit or warn modes to identify potential violations without breaking deployments.
  3. Gradually move to enforce mode for critical namespaces.
  4. Always combine PSA with other security best practices.

So, go forth and secure your pods! Your cluster will thank you for it. Happy containerizing!

Top comments (0)