Cloud Native Rejekts NA (Los Angeles + Hybrid) 2021

Say goodbye to PSP! Migrate your PSP rules to OPA with no hassle
10-09, 15:30–16:00 (US/Pacific), Main stage

Pod Security Policies are cluster-wide resources that control security sensitive aspects of pod specification, defining a set of conditions that a pod must run with in order to be accepted into the system.
Due to its limitations, recently the Kubernetes Auth Special Interest Group (AKA sig-auth) announced to deprecate the pod security policy (PSP) in Kubernetes next versions. This decision could leave many Kubernetes users at risk of being exposed to various exploits. Adversaries may utilise the lack of such policy to run privileged pods, create pods on host namespaces or networks and much more. One of the best alternatives for Kubernetes users to mitigate PSP deprecation through the built-in admission controller is utilising Open Policy Agent (OPA) rules.

OPA is a CNCF Incubating project and supports enforcing policies in a variety of areas, including microservices, Kubernetes, CI/CD pipeline, service mesh and API gateways. Relying on a declarative policy language called Rego, security operators can concisely express policy-rules and implement them in your environment. Moving from PSP to OPA, users need an easy way to translate their policy or automatically generate new OPA rules based on the rules already deployed in the environment. With this need in mind, we integrated the existing project kube-psp-advisor, already capable of creating K8s Pod Security Policies (PSPs) from either a live environment or from a single .yaml file containing a pod specification, adding a new feature to automatically generate OPA Rules, scanning an existing security context from Kubernetes resources in live environments or directly from a .yaml file.

In this talk we go through the main limitation in PSP to explain how OPA is a better overall solution, capable of providing security controls to all the components in your Kubernetes environment. We show how the kube-policy-advisor tool works and how it’s possible to generate an OPA Rule from a live environment. We proceed then to enforce the rule using Kubernetes Admission Controller in the environment and see how OPA with the new rule in place works when we try to deploy a non compliant pod inside the existing environment.

Stefano Chierici is a security researcher in Sysdig where his research focuses on defending containerized environments and cloud environments from attacks ranging from web to kernel. Stefano is one of the Falco contributors, an incubation level CNCF project. He studied cyber security in Italyand, before joining Sysdig, he was a pentester and obtained the OSCP Certification in 2019. He was a security engineer and a red team member.