Using Pod Security Policies to harden your Kubernetes cluster
Submitted by Suraj Deshmukh (@suraj-deshmukh) on Sunday, 17 March 2019
Technical level: Intermediate Section: Full talk of 40 mins duration
In a multi-tenant Kubernetes cluster there is a high probability that a malicious user can break out of their pods and snoop on the network traffic or read other users' secrets mounted on that node.
As a cluster admin, to protect the interests of other users, you want some measure that locks users down to their own constrained environment. Pod Security Policy can help achieve exactly that. It is your first line of defense against uncontained pods.
This presentation will highlight the various benefits of locking down workloads using PSP and of striking the right balance between security and usability, thereby bringing the security mindset into developing and deploying applications. By the end of the presentation attendees will be convinced to use PSP as one of their default security measures.
The talk will start with the current state of Kubernetes security and how people are setting up their clusters, including the shortcuts they use to avoid changing old bad practices. It will explain the worst that can happen if they keep using those practices; especially in a multi-tenant setup this can lead to massive breakouts.
These topics set the stage for attendees to appreciate the Kubernetes Pod Security Policy feature.
We then come to the core of the talk, where I will explain what Pod Security Policy is and how it can help in hardening the cluster. I will cover all the features that PSP supports and which feature stops which kind of attack vector in a multi-tenant, untrusted environment.
I will also explain the benefits of having secure and hardened clusters from the development phase onwards, and how that helps you understand and catch issues that you would otherwise encounter only when deploying to production.
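As an added illustration of the controls the talk describes (not material from the talk itself), the manifest below is a restrictive PodSecurityPolicy for one tenant namespace together with the RBAC that lets only that namespace's service accounts use it; the names restricted-tenant and tenant-a are placeholders.

```yaml
# Added example, not part of the talk; names are placeholders.
# Each field is commented with the breakout it closes off.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-tenant
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
spec:
  privileged: false                 # no raw access to host devices
  allowPrivilegeEscalation: false   # setuid binaries cannot regain root
  requiredDropCapabilities: [ALL]   # drops CAP_NET_RAW, CAP_SYS_ADMIN, ...
  hostNetwork: false                # pod cannot sniff the node's interfaces
  hostPID: false                    # pod cannot see or ptrace node processes
  hostIPC: false
  # hostPath is deliberately absent: no reading kubelet dirs or other
  # pods' secrets from the node filesystem.
  volumes: [configMap, secret, emptyDir, projected, downwardAPI, persistentVolumeClaim]
  runAsUser: {rule: MustRunAsNonRoot}   # rejects pods that would run as UID 0
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: MustRunAs, ranges: [{min: 1, max: 65535}]}
  fsGroup: {rule: MustRunAs, ranges: [{min: 1, max: 65535}]}
---
# A PSP is applied only to subjects allowed to "use" it; bind it to the
# tenant namespace's service accounts rather than to all authenticated users.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-tenant
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    resourceNames: [restricted-tenant]
    verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-tenant
  namespace: tenant-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-tenant
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:tenant-a
```

Policies are enforced only once the PodSecurityPolicy admission plugin is enabled on the API server, and with the plugin on, a pod whose creator or service account can use no policy is rejected, so create and bind the policies before enabling it. PodSecurityPolicy was later removed in Kubernetes 1.25; the same controls are expressed today as Pod Security Admission levels.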
There are no requirements in terms of what participants need to bring. The only assumption is a basic understanding of Kubernetes.
Suraj has been involved in the Kubernetes community since the days of the 1.3 release. He has mainly worked on the Kompose project and on app definition, with the mission of making Kubernetes easier for developers to consume. He has spoken at various conferences such as FOSDEM, PyCon India, DevConf India and DevOpsDays India. He is a co-organizer of the Kubernetes Bangalore meetup, which has been active and diverse in terms of people, organizations and projects for two years now. He currently works for Kinvolk, where they are building a secure-by-default Kubernetes distribution.