What's New - Kubernetes 1.25 Security Features
Release 1.25 of Kubernetes brings some features graduating to Stable and Beta. Some of these have a significant impact on the security of Kubernetes clusters.
Pod Security Updates
PSA promoted to Stable
In version 1.25, the PodSecurityPolicy (PSP) admission controller has been fully removed, having been deprecated for the last four major versions. As such it will not be possible to apply PSPs to your cluster or rely on them being enforced. For self-managed clusters, it is necessary to remove this feature gate in your control plane components.
The official in-tree replacement for PSP is Pod Security Admission (PSA). This is somewhat different from PSP and will require some migration. The new PSA is deliberately more rigid and provides less flexibility. Whilst good for basic use cases, more flexible options are available such as OPA gatekeeper and Kyverno. The latter has a policy library to facilitate quick adoption.
Ephemeral Containers
Promoted to Stable
Ephemeral containers present a great opportunity to reduce the attack surface of container images. It is now possible to remove debugging tools from images, whilst maintaining the same level of observability and interactivity that developers are used to from an interactive shell environment.
The feature allows users to spawn an interactive shell through kubectl debug, joined to a target pod’s namespaces. A new type of container is created in the target pod, of type ephemeralContainer, with a user specified container image. To be able to use the functionality, users will need the familiar get or patch pods RBAC permissions to create the container and get or create pods/exec to interact with the shell.
For example, we can launch a shell using our tools image, targeting our workload container:
kubectl debug --image=controlplane/sectools --target=alpine -it production-pod -- bash
Network Policy End Port
Promoted to Stable
This feature allows users to specify a port range in a network policy. This helps to write concise network policies, and both the Kubernetes version and CNI plugin in use must support the feature. This feature is still missing from some mainstream CNI plugins: both Calico and Antrea plugins have support, but Cilium and AWS VPC Native do not.
| CNI Plugin | Implementation Status | Proof |
|---|---|---|
| calico | Since v3.21.3 | Feature Commit |
| Antrea | Since v1.1.0 | Feature Commit |
| cilium | No (as of v1.12.1) | Open Issue |
| Weave Net | No (as of v2.8.1) | Old Library Version |
| AWS CNI | No (as of v1.11.4) | Old Library Version |
SeccompDefault
Promoted to Beta, default enabled
This feature flag enables the runtime default seccomp profile to be enabled for every pod run on a node. It provides a baseline profile that should be suitable for almost all workloads. Beware that in addition to the feature flag, it is necessary to set the --seccomp-default flag/config option on the kubelet of every node you wish to use this with. It is not possible to observe that the profile has been applied through the API server: it must be inspected through a running pod, or through the runtime CLI interface.
Summary
The full list of changes for the Kubernetes 1.25 release can be found here. These include the full upgrade notes and other changes, which may affect the upgrade process and availability of clusters, but are not directly security features.
Hopefully the changes introduced this release will allow make it easier to encourage good security practices, with many of the discussed features aimed at defaulting sane security settings.