
PSP is Dead, Long Live PodSecurity

2021-10-15

Authors: Mike Danese, Mo Khan


Summary

The conference presentation discusses the development of a new pod security feature in Kubernetes and its implementation as a standalone tool for static validation of security requirements.
  • The new pod security feature in Kubernetes has significantly better security properties than legacy tokens.
  • The implementation of the new pod security feature is based on the Container Storage Interface (CSI) driver with back-ends for AWS, Azure, GCP, and Vault.
  • The pod security feature is a deny-based system whose checks must be ordered correctly.
  • The new pod security feature is feature-gated and not enabled by default.
  • The implementation of the new pod security feature allows for the development of standalone tools for static validation of security requirements.
The speaker provides an example of a tool that runs without an API server and statically validates pod specs against the security requirements. The tool is built using the builder pattern and the visitor pattern and is roughly 100 lines of code. The hope is that this enables people to build further tooling on top of it and to offer value beyond pure Kubernetes admission.
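As an illustration of the kind of API-server-free static validation the speaker describes, here is an added example of a small checker; it is not the speaker's tool and not the Kubernetes pod-security-admission library. It assumes a Pod manifest in JSON and applies a subset of the Restricted Pod Security Standard (no host namespaces, no privileged containers, allowPrivilegeEscalation explicitly false, capabilities dropping ALL with at most NET_BIND_SERVICE added, an effective runAsNonRoot of true, and a RuntimeDefault or Localhost seccomp profile); the type and function names (`SecCtx`, `Validate`, `checkContainer`) and both sample manifests are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SecCtx holds the securityContext fields inspected here; pod and container levels share these names, so one struct serves both.
type SecCtx struct {
	Privileged               *bool               `json:"privileged"`
	AllowPrivilegeEscalation *bool               `json:"allowPrivilegeEscalation"`
	RunAsNonRoot             *bool               `json:"runAsNonRoot"`
	Capabilities             map[string][]string `json:"capabilities"`   // {"add": [...], "drop": [...]}
	SeccompProfile           map[string]string   `json:"seccompProfile"` // {"type": "..."}
}

type Container struct {
	Name            string `json:"name"`
	SecurityContext SecCtx `json:"securityContext"`
}

// Pod models only the manifest fields the checks below read; everything else is ignored.
type Pod struct {
	Spec struct {
		HostNetwork     bool        `json:"hostNetwork"`
		HostPID         bool        `json:"hostPID"`
		HostIPC         bool        `json:"hostIPC"`
		SecurityContext SecCtx      `json:"securityContext"`
		InitContainers  []Container `json:"initContainers"`
		Containers      []Container `json:"containers"`
	} `json:"spec"`
}

// checkContainer returns the Restricted-profile violations for one container; container-level runAsNonRoot and seccompProfile override the pod-level values.
func checkContainer(c Container, pod SecCtx) []string {
	var v []string
	sc := c.SecurityContext
	if sc.Privileged != nil && *sc.Privileged {
		v = append(v, c.Name+": privileged containers are not allowed")
	}
	// Must be explicitly false: the API default permits privilege escalation.
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, c.Name+": allowPrivilegeEscalation must be false")
	}
	dropsAll := false
	for _, d := range sc.Capabilities["drop"] {
		dropsAll = dropsAll || d == "ALL"
	}
	if !dropsAll {
		v = append(v, c.Name+": capabilities must drop ALL")
	}
	for _, a := range sc.Capabilities["add"] {
		if a != "NET_BIND_SERVICE" {
			v = append(v, c.Name+": may not add capability "+a)
		}
	}
	nonRoot := pod.RunAsNonRoot
	if sc.RunAsNonRoot != nil {
		nonRoot = sc.RunAsNonRoot
	}
	if nonRoot == nil || !*nonRoot {
		v = append(v, c.Name+": runAsNonRoot must be true")
	}
	seccomp := pod.SeccompProfile["type"]
	if t, ok := sc.SeccompProfile["type"]; ok {
		seccomp = t
	}
	if seccomp != "RuntimeDefault" && seccomp != "Localhost" {
		v = append(v, c.Name+": seccompProfile.type must be RuntimeDefault or Localhost")
	}
	return v
}

// Validate parses a JSON Pod manifest and returns every violation found, in check order.
func Validate(manifest []byte) ([]string, error) {
	var p Pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var v []string
	if p.Spec.HostNetwork || p.Spec.HostPID || p.Spec.HostIPC {
		v = append(v, "host namespaces (hostNetwork/hostPID/hostIPC) are not allowed")
	}
	for _, list := range [][]Container{p.Spec.InitContainers, p.Spec.Containers} {
		for _, c := range list {
			v = append(v, checkContainer(c, p.Spec.SecurityContext)...)
		}
	}
	return v, nil
}

// Constructed sample manifests (not from the talk): a legacy-style pod and a hardened one.
const permissivePod = `{"metadata":{"name":"legacy"},"spec":{"hostNetwork":true,
 "containers":[{"name":"app","securityContext":{"privileged":true}}]}}`
const hardenedPod = `{"metadata":{"name":"hardened"},"spec":{
 "securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},
 "containers":[{"name":"app","securityContext":{"allowPrivilegeEscalation":false,
 "capabilities":{"drop":["ALL"],"add":["NET_BIND_SERVICE"]}}}]}}`

func main() {
	bad, _ := Validate([]byte(permissivePod))
	good, _ := Validate([]byte(hardenedPod))
	fmt.Printf("legacy: %d violation(s) %v\nhardened: %d violation(s)\n", len(bad), bad, len(good))
}
```

Because the checks only read a manifest, the same function can run in CI against rendered manifests, in a pre-commit hook, or as a dry run before a namespace is switched to the enforce mode; the legacy pod above fails six checks, the hardened one passes all of them.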

Abstract

After a quick intro, this presentation will touch upon two auth features that recently went GA: bound service account tokens [1] and kubectl credential plugins [2]. The bulk of the talk will focus on the replacement for pod security policy: pod security admission control [3]. We will cover the reasons behind the replacement of PSP along with the specific technical details of PSA.

[1] https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume
[2] https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
[3] https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement

Materials: