‹ Blogs

What's New - Kubernetes 1.25 Security Features

Featured Image
Published on September 27, 2022
Author By James Cleverley-Prance

Release 1.25 of Kubernetes brings some features graduating to Stable and Beta. Some of these have a significant impact on the security of Kubernetes clusters.

Pod Security Updates

PSA promoted to Stable

In version 1.25, the PodSecurityPolicy (PSP) admission controller has been fully removed, having been deprecated for the last four major versions. As such it will not be possible to apply PSPs to your cluster or rely on them being enforced. For self-managed clusters, it is necessary to remove this feature gate in your control plane components.

The official in-tree replacement for PSP is Pod Security Admission (PSA). This is somewhat different from PSP and will require some migration. The new PSA is deliberately more rigid and provides less flexibility. Whilst good for basic use cases, more flexible options are available such as OPA gatekeeper and Kyverno. The latter has a policy library to facilitate quick adoption.

Ephemeral Containers

Promoted to Stable

Ephemeral containers present a great opportunity to reduce the attack surface of container images. It is now possible to remove debugging tools from images, whilst maintaining the same level of observability and interactivity that developers are used to from an interactive shell environment.

The feature allows users to spawn an interactive shell through kubectl debug, joined to a target pod’s namespaces. A new type of container is created in the target pod, of type ephemeralContainer, with a user specified container image. To be able to use the functionality, users will need the familiar get or patch pods RBAC permissions to create the container and get or create pods/exec to interact with the shell.

For example, we can launch a shell using our tools image, targeting our workload container:

kubectl debug --image=controlplane/sectools --target=alpine -it production-pod -- bash

Network Policy End Port

Promoted to Stable

This feature allows users to specify a port range in a network policy. This helps to write concise network policies, and both the Kubernetes version and CNI plugin in use must support the feature. This feature is still missing from some mainstream CNI plugins: both Calico and Antrea plugins have support, but Cilium and AWS VPC Native do not.

CNI PluginImplementation StatusProof
calicoSince v3.21.3Feature Commit
AntreaSince v1.1.0Feature Commit
ciliumNo (as of v1.12.1)Open Issue
Weave NetNo (as of v2.8.1)Old Library Version
AWS CNINo (as of v1.11.4)Old Library Version

SeccompDefault

Promoted to Beta, default enabled

This feature flag enables the runtime default seccomp profile to be enabled for every pod run on a node. It provides a baseline profile that should be suitable for almost all workloads. Beware that in addition to the feature flag, it is necessary to set the --seccomp-default flag/config option on the kubelet of every node you wish to use this with. It is not possible to observe that the profile has been applied through the API server: it must be inspected through a running pod, or through the runtime CLI interface.

Summary

The full list of changes for the Kubernetes 1.25 release can be found here. These include the full upgrade notes and other changes, which may affect the upgrade process and availability of clusters, but are not directly security features.

Hopefully the changes introduced this release will allow make it easier to encourage good security practices, with many of the discussed features aimed at defaulting sane security settings.

Further Information