How to get started with Kubernetes Pod Security Policies (PSPs)

What Are Kubernetes PSPs?

In a nutshell, PSPs are a way to govern access to services within your cluster securely. As you can imagine, this can be extremely useful. For example, a Kubernetes admin can enforce password access only from specific IP ranges, limit the number of concurrent users on a given service, or grant access to custom resources based on role, group, and even Git or Mercurial repository.

As their name implies, Kubernetes PSPs are usually used with Kubernetes's pod security layer. They can be integrated with the existing Kubernetes CLI or added as a plugin to the open-source version of the tools. 

How Do Kubernetes PSPs Work?

Let's start by taking a look at how Kubernetes PSPs work.

When a Kubernetes cluster is deployed, the PSPs running on the pods that comprise the cluster are registered in a proprietary LDAP registry, which resides in the Kubernetes cluster.

In this article, we will look at how Kubernetes automatically handles the registration of your PSPs. (Still, if you're using Pod-Xchange or another service, you may need to register your PSP manually.) Once your PSPs are registered, you can use them as two-factor authentication options for various systems within your cluster, configure them to prevent unwanted access to the cluster by giving them access to secrets stored in them (think PSC master password or GRC), and even allow certain groups to access custom services on your clusters.

When Kubernetes starts a new cluster, it will automatically register PSPs on every pod. This process is controlled by the kubelet (the system daemon) on the pod's node. All that's required is to set up a simple registerDnsDaemon DSL command.

For example, you could run this:

curl -XPUT 'localhost:9200/_kube/v1/controllers/registerDnsDaemon/register' -H 'Content-Type: application/json' -d '{ "namespace": {"pod": "src/pod.yml"}, "service": "pod.master", "service": "service.master", "sig": "node-data", "cookie": "", "autoscale": { "reload" : true, "size" : 40, "sizes" : [ "large", "medium" ], "status" : "success", "classifiers": ["XML", "JSON"] } }'

From there, the pod will automatically check for the registration and issue the appropriate certificates on demand for the pod and its service. You can also use a more complex DNS record that requires your pod to be registered with the PSP before using it.

Once you've established the PSP registration, you can configure it through the pod metadata in its namespace. For example, here's how you could configure a Pod Security Policy:

config/config.yml service: src/service.yml service-test: name: service-test service-type: service-test container: service-test image: name: my-avatar imageUrl: "https://github.com/kubernetes/test/releases/download/0.0.4" description: Image of avatar for system admin console: name: ps-controls console: name: ps-controls-0.6.0 containerPort: 3306 resource: service: image: name: web-admin-debian imageUrl: "https://coredump.io/kubernetes-kubernetes-labs/latest/distribution/kubernetes-nodejs-k8s-0.0.4.min.gz" credentials: security: certificate: certificateKey: certRequestPort: 12184 security":id: -1

Each name can contain all the services it specifies (e.g., src/service.yml ) or a more complex structure (e.g., Pod Security Policy. For more details, see the documentation for the Pod-Xchange service.

One important thing to note: Kubernetes automatically replaces your existing security policy with the new one, but the old policy can be accessed using the old certificate.

How can you install a Kubernetes orchestration platform on AWS? Kubernetes works on AWS ECS, the fully managed instance service. You can learn more about AWS ECS in our guide to Creating a Kubernetes Cluster on Amazon ECS.

What happens if your cluster has stopped? What happens if you forget to configure your resources properly and you're offline? Kubernetes has a unique approach to updates and installation on AWS, called a re-host. A re-host is a new instance of your cluster, created within AWS, that uses the ECS services that were initially deployed on your cluster.

While re-hosts are a convenient way to deploy cluster resources in AWS, they introduce some security and performance challenges. A primary concern is the lack of compatibility with existing applications. A Kubernetes cluster on re-hosts cannot be deployed in the same way as one on EC2. The security implications are more complex. When running on re-hosts, there is always a chance that malicious actors could access your cluster through ECS. As a result, it is generally recommended that you use Kubernetes on an AWS console running on a clean, isolated EC2 instance with a provisioning profile that does not have any EC2 security enforcement policies applied.

By implementing AWS security groups, we can provide security to your Kubernetes cluster without introducing another layer of complexity. This helps prevent Kubernetes clusters from being fully exposed to the public internet, making them more difficult to access from the outside.

Become an expert in cloud computing with our in-depth Post-Graduate Program in Cloud Computing. Enroll today for the next cohort!

Caltech Certification | Capstone Projects | 30 CEUs from Caltech CTME

Get Started With Kubernetes on AWS Today

Your company can start benefiting from deploying a Kubernetes cluster today. AWS ECS makes Kubernetes deployment and scaling easy and cost-effective.

To gain the skills you will need to configure solutions with Kubernetes, consider the Caltech Post Graduate Program in DevOps. You may also look into the Caltech Cloud Computing Bootcamp (in the Americas) or Caltech Post Graduate Program in Cloud Computing (in other locations) to dig deeper into AWS and its suite of tools, including ECS.