
Practical Challenges with Pod Security Admission

2023-04-21

Authors:   V Körbes, Christian Schlotter


Summary

The presentation discusses the challenges of implementing Pod Security Admission in real-world clusters and the approaches the speakers use to address them.
  • Pod Security Admission (PSA) is the built-in admission controller that replaced PodSecurityPolicy; it enforces the Pod Security Standards (privileged, baseline, restricted) per namespace.
  • The main challenge is that some workloads genuinely need privileges that the baseline or restricted levels forbid, and the easy way out, exempting the whole workload or namespace, defeats the purpose of the feature.
  • To address this, the speakers suggest breaking each service into its component parts, leaving only the part that truly needs privilege privileged, and locking down everything else.
  • The principle of least privilege does not mean zero privilege, so the remaining privilege must be assumed exploitable: the privileged part should run on a dedicated node that holds nothing of value to an attacker.
  • The presentation provides an overview of the challenges and pitfalls of implementing Pod Security Admission and offers guidelines for developing applications under PSA.
The speakers explain that if a workload that needs privileges is denied them, strange things happen: the pods may never be created (the Deployment itself is accepted, but every pod its ReplicaSet tries to create is rejected by the admission controller), or the container starts without the capability it relies on and crash-loops. If privileges are granted to everything instead, Pod Security Admission enforces nothing. The recommended path is to grant the privileges first so the workload runs, and then curtail them step by step until the security posture is as tight as the workload allows.

Abstract

A big reason we love Pod Security Admission is that it's so easy and simple to use. But here's a challenge that comes with implementing Pod Security Admission: there's always a workload that needs too many privileges to run, and then it needs to get a pass from the security controls. One way to address this unsecured footprint is to break down all the different services, applications, and packages into their separate component parts, leaving the bits that need privileges privileged, and locking down everything else. There's a whole art to that – we'll talk about it. But 'principle of least privilege' doesn't mean zero privilege so... What do we do when that privilege gets exploited? We welcome it with a node that has nothing valuable whatsoever, is what! And there's a whole art to that too – we'll talk about it. In this presentation attendees will get an overview of the challenges that come with implementing Pod Security Admission in the real world, and tap into the speakers' experience working with partner companies to solve them.
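The staged rollout described in the summary and the abstract (grant first, then curtail; split out the privileged component; park it on a node with nothing of value), as an added configuration example that is not part of the talk or its materials. The namespace names, image references, node label and Kubernetes version pin are hypothetical; the `pod-security.kubernetes.io/*` labels and the securityContext fields are the real ones the restricted and baseline standards check.

```yaml
# Added example, not from the talk. Namespace, image and node-pool names are
# hypothetical; the PSA labels and securityContext fields are the real ones.

# 1. Start permissive but loud: enforce only baseline for now, but warn and
#    audit against restricted so kubectl output and the audit log show exactly
#    which pods would break before enforcement is tightened.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.27   # assumed cluster version
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.27
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.27
---
# 2. The unprivileged part of the service, written to pass "restricted" today,
#    so the namespace's enforce label can be raised later without touching it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shop-api
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels: { app: shop-api }
  template:
    metadata:
      labels: { app: shop-api }
    spec:
      securityContext:
        runAsNonRoot: true            # restricted: must not run as UID 0
        seccompProfile:
          type: RuntimeDefault        # restricted: seccomp must be set
      containers:
        - name: api
          image: registry.example.com/shop/api:1.4.2   # hypothetical image
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false             # restricted
            capabilities:
              drop: ["ALL"]                             # restricted
---
# 3. The one component that genuinely needs host access is split into its own
#    namespace, which is the only place "privileged" is allowed, and is pinned
#    to a dedicated, tainted node pool that runs nothing else worth stealing.
apiVersion: v1
kind: Namespace
metadata:
  name: shop-netagent
  labels:
    pod-security.kubernetes.io/enforce: privileged
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: netagent
  namespace: shop-netagent
spec:
  selector:
    matchLabels: { app: netagent }
  template:
    metadata:
      labels: { app: netagent }
    spec:
      hostNetwork: true               # forbidden by baseline, hence its own namespace
      nodeSelector:
        pool: privileged-sandbox      # hypothetical node label on the sacrificial pool
      tolerations:
        - key: pool
          operator: Equal
          value: privileged-sandbox
          effect: NoSchedule          # matching taint keeps everything else off these nodes
      containers:
        - name: agent
          image: registry.example.com/shop/netagent:0.9.0  # hypothetical image
          securityContext:
            capabilities:
              drop: ["ALL"]
              add: ["NET_ADMIN"]      # the one capability it needs; not privileged: true
```

To set up the sacrificial pool, label and taint the nodes (for example `kubectl label nodes <node> pool=privileged-sandbox` and `kubectl taint nodes <node> pool=privileged-sandbox:NoSchedule`), and keep secrets, persistent volumes and cluster-admin service accounts off that pool. Once the `shop` namespace has produced no restricted-level warnings for a while, raise `enforce` to `restricted`; `kubectl label --dry-run=server --overwrite ns shop pod-security.kubernetes.io/enforce=restricted` reports which existing pods would be rejected without changing anything. Note that enforcement applies to pods, not to the Deployment or DaemonSet objects, which is why a non-compliant workload appears to be created and then simply never gets any pods.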

Materials:
