Say Goodbye to PSPs?! Migrate your PSP Rules to OPA with No Hassle

Pod Security Policies (PSPs) are cluster-wide resources that control security-sensitive aspects of pod specification. They define a set of conditions that a pod must run with in order to be accepted into the system.

Due to its limitations, the Kubernetes Auth Special Interest Group (AKA sig-auth) announced PSPs would be deprecated in Kubernetes 1.21. This decision could leave many Kubernetes users at risk of being exposed to various exploits. Adversaries may utilize the lack of such policy to run privileged pods, create pods on host namespaces or networks, and much more. One of the best alternatives for Kubernetes users to mitigate PSP deprecation is through the built-in admission controller utilizing Open Policy Agent (OPA) rules.

Join us as we:

• Discuss the main limitation in PSP to explain how OPA is a better overall solution
• Show how the Kube-policy-advisor tool works and how it’s possible to generate an OPA Rule from a live environment
• Enforce the rule using Kubernetes Admission Controller
• See how OPA works, with the new rule in place, when we try to deploy a non-compliant pod

Speakers:  

• Stefano Chierici, Security Researcher, Sysdig