Sysdig Documentation

[Beta] Policy Advisor

Sysdig Secure has introduced a tool for enhanced Kubernetes security called the Policy Advisor. At this time, it is used exclusively for Kubernetes Pod Security Policies.

[Beta] Pod Security Policies (PSP)

According to Kubernetes, "A Pod Security Policy [PSP] is a cluster-level resource that controls security-sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields."

See more here: Kubernetes PSP documentation.

With Sysdig's Kubernetes Policy Advisor, you can auto-generate Pod Security Policies and perform dry tests or "simulations" of them before you commit them to an environment. These features offer several benefits:

  • PSPs help enforce least-privilege to strengthen security

  • Auto-generation can significantly decrease the time spent configuring Kubernetes policies

  • Simulation tests help teams tune their PSPs to avoid false positives, and help them avoid breaking applications during PSP deployments

Understand the PSP Workflow

In general, you will generate a PSP, run a simulated test, review the results, tune the PSP as needed, then turn off the simulator and add the pod security policy to the actual deployment.


Prerequisites

Terminology

Note that Kubernetes Pod Security Policies are not the same as standard Sysdig Secure Policies and will not be displayed on the regular Policies list page.

Steps

Typically, the workflow proceeds as follows:

  1. Access the module under Policies > Pod Security Policies.

  2. Create the Pod Security Policy rules to be tested: either upload an existing PSP or upload a yaml deployment file from which the tool will auto-generate the PSP contents.

  3. Click Start Simulation.

  4. Deploy the pods in the appropriate cluster in your environment. Because the Simulator is running, it will deploy as a dry test and trigger any resulting alerts.

  5. Check the Simulation output and tweak the PSP content if needed.

  6. When satisfied that the PSP rules perform as desired, click Stop Simulation.

  7. You are now ready to apply this PSP to your cluster. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies.

Manage a Pod Security Policy Simulation

Review the Pod Security Policies Landing Page

Access the module from Policies > Pod Security Policies.

The Pod Security Policies list page is displayed.


After at least one simulation has been generated, there will be content in the list.

Notice the following view-at-a-glance features:

  • Search Bar: Search matches words or characters in the PSP names as they appear in the Pod Security Policy column.

  • Status: This is the status of the simulation associated with the PSP name. It can be Running or Stopped.

    Note that Simulations run continuously until they are manually stopped. The "Running" symbol does not indicate "amount completed."

  • Pod Security Policy (name): The PSP name is auto-inherited or generated from the name parameter in uploaded PSP content. You can use the name parameter to edit this title.

  • Scope: The Scope column reflects whatever Kubernetes namespace name and deployment name were defined for the simulation.

  • Rerun | Stop | Delete Simulation links: Use the 3 dots on the right to re-run a stopped simulation, stop a running one, or delete a simulation from the system.

Generate a PSP Simulation

  1. Select Policies > Pod Security Policies and click New Simulation.

    The New Simulation page is displayed.

  2. Use the Import buttons to upload either an existing PSP Policy or a deployment YAML file.

  3. Click Generate PSP.

    The PSP rule content will be displayed in the text box below. If you used a YAML file, the PSP rule content will be auto-generated from it and displayed.

  4. Enter the namespace.name and/or deployment.name of the cluster where you will run the simulated PSP, or choose "all."

  5. Click Save.

    The PSP Simulation has been defined and will appear on the PSP list page.

Run a Simulation and Review Output Events

  1. Once you have generated a PSP simulation, simply click Start Simulation to begin.

    You can access the Start button from the main List page or from the simulation detail page.

  2. Deploy the PSP to the designated environment, where the Simulator will test it.

  3. Select the simulation while it's running to review any generated event output.

  4. Edit the rules as needed, and Restart the simulation if necessary.
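To make concrete what the two preceding procedures do (auto-generating PSP content from a deployment's pod template, then dry-running pods against it and reviewing the resulting events), here is an added illustration that is not Sysdig's code and not the Policy Advisor's algorithm. It assumes a constructed Deployment manifest in dict form and a hypothetical simulate() helper that reports violations instead of rejecting the pod, which is the difference between a simulation and an enforced PSP.

```python
"""Derive a least-privilege PodSecurityPolicy from a Deployment's pod template, then dry-run
pod specs against it: violations are reported, not enforced, as a simulation would."""
# Constructed sample Deployment (the dict a YAML loader returns for the manifest)
DEPLOYMENT = {"metadata": {"name": "web"}, "spec": {"template": {"spec": {
    "volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}, {"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "nginx", "securityContext": {
        "runAsUser": 101, "capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}}}}
VOLUME_TYPES = ("configMap", "secret", "emptyDir", "persistentVolumeClaim", "projected", "hostPath")

def _contexts(pod):  # securityContext of every container and init container in a pod spec
    return [c.get("securityContext", {}) for c in pod.get("containers", []) + pod.get("initContainers", [])]

def generate_psp(deployment):
    """Allow only what the pod template declares; anything it does not use stays denied."""
    pod = deployment["spec"]["template"]["spec"]
    ctxs = _contexts(pod)
    users = [c["runAsUser"] for c in ctxs if "runAsUser" in c]
    if 0 in users:
        run_as = {"rule": "RunAsAny"}          # template asks for root: allowed, but worth review
    elif users:
        run_as = {"rule": "MustRunAs", "ranges": [{"min": min(users), "max": max(users)}]}
    else:
        run_as = {"rule": "MustRunAsNonRoot"}  # nothing declared: default to non-root
    return {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
            "metadata": {"name": deployment["metadata"]["name"] + "-psp"},
            "spec": {"privileged": any(c.get("privileged", False) for c in ctxs),
                     "hostNetwork": bool(pod.get("hostNetwork", False)),
                     "allowedCapabilities": sorted({cap for c in ctxs
                                                    for cap in c.get("capabilities", {}).get("add", [])}),
                     "volumes": sorted({t for v in pod.get("volumes", []) for t in v if t in VOLUME_TYPES}),
                     "runAsUser": run_as}}

def simulate(psp, pod):
    """Dry run: list the PSP violations a pod spec would trigger (empty list means admitted)."""
    spec, out = psp["spec"], []
    if pod.get("hostNetwork") and not spec["hostNetwork"]:
        out.append("hostNetwork not allowed")
    for v in pod.get("volumes", []):
        out += [f"volume {v['name']}: type {t} not allowed" for t in v if t in VOLUME_TYPES and t not in spec["volumes"]]
    for c in _contexts(pod):
        if c.get("privileged") and not spec["privileged"]:
            out.append("privileged container not allowed")
        out += [f"capability {cap} not allowed" for cap in c.get("capabilities", {}).get("add", [])
                if cap not in spec["allowedCapabilities"]]
        rule, uid = spec["runAsUser"]["rule"], c.get("runAsUser")
        if rule == "MustRunAsNonRoot" and uid == 0:
            out.append("runAsUser 0 not allowed")
        elif rule == "MustRunAs" and uid is not None and not any(
                r["min"] <= uid <= r["max"] for r in spec["runAsUser"]["ranges"]):
            out.append(f"runAsUser {uid} outside allowed range")
    return out
```

Each string simulate() returns corresponds to one event you would review in the simulation output; an empty list for the deployment's own template is the check that the generated PSP does not break the workload it was derived from.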

Stop a Simulation

When you are satisfied with the PSP test behavior, click Stop Simulation.

You are now ready to apply this PSP to your cluster. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies.