I just want to say your videos are awesome. I have learned a lot of important things in Kubernetes which I didn't know before. Thank you very much for this, brother. Keep going and do more.
It's my pleasure. Thank you. Security concepts are always important and require some basic knowledge. Thanks for watching the videos, commenting, etc. Connect with me on LinkedIn.
Thank you so much. Sir appreciate it.
You are most welcome
Really good. Thank you
Thank you & keep learning
Thanks
Thank you
Venkat, these videos are extremely helpful for understanding the concepts thoroughly. I am planning to attempt the CKS exam right after my HashiCorp Vault. I know this is a super tough exam; I am planning a full 1 month of preparation and to sit for the exam at the end of March. Is it possible to share the slides?
Thanks & all the best for your exams.
My slides just have one-liner info from the official documentation.
Please refer to this: github.com/ramanagali/Interview_Guide/blob/main/CKS_Preparation_Guide.md
and also the CKS Certification Preparation Info:
github.com/ramanagali/Interview_Guide/blob/main/Certification_Preparation.md#cks
Really awesome explanation, bro.... Keep going
Thank you Lavanya
Thanks. Nice video. I just want to ask: if I want to disable PSP, do I always have to remove it on the API server? Some documentation says you can do per-namespace disablement.
Apologies, somehow I missed replying. Yes, PSP is an admission controller, so one way is to disable it permanently at the API server level; alternatively, disallow (authorisation) at the namespace level with the RBAC feature, i.e., role, rolebinding.
Great video. I would ask one thing: what if we want some pods to have privileged true? I am on premises and I have nginx pod controllers and am also using PSP; can I somehow flag those pods to be ignored in PSP?
Thanks for the feedback. In that case...
run the nginx pod controllers in a different namespace so that they will use the default service account.
2nd - for your pods to use PSP: create the PSP and service account, add RBAC permissions, and apply it wherever you want. Hope you understood what I mean.
Great video Sir.
I have a small question regarding PDB.
As PDB will be removed in v1.25, do we have any alternative to PDB to use? Please reply to me...
Thank you & are you talking about PSP? Yes, there is an alternative, i.e. Pod Security Admission; have a look at the video
ua-cam.com/video/JYM7mSShfp0/v-deo.html
No Sir, I am talking about PodDisruptionBudget. Are both the same?
No, it's different. I have made a video on PDB too: ua-cam.com/video/L1nCLcX5IAk/v-deo.html
Only PSP is deprecated in 1.25, not PDB.
Thank you, Sir, for having patience and replying back. I got the solution to my question through our conversation.
Also, could I know what terminal software you use? Is it iTerm2, or Warp?
It's iTerm2.
One question: is it possible to apply a PSP to the default service account? I think it may be more important, since a pod is run under the default SA if no specific service account is specified.
Yes, we can apply it, and it's highly recommended for enhanced security.
By applying PSS to the default service account, you can significantly improve the security posture of your Kubernetes cluster and protect your applications and data from unauthorized access and potential vulnerabilities.
Hello sir
If we apply a PSP policy to deny root privileges, will it stop an already running pod with root privilege,
which was running before PSP was enabled?
Please reply
Varun, once you create the PSP, SA, cluster role, cluster role binding... finally you will attach the service to the pod and test, right? During k apply it will definitely throw an error that the given YAML file does follow the rule you created using PSP.
Watch the video again from 10:66, i.e., ua-cam.com/video/IQgFTNSKNv4/v-deo.html
Hope this helps....
@@learnwithgvr thank you sir
I want to create a PSP policy to allow permission in the kube-system namespace and
it should deny root privilege in all other namespaces.
Please give an idea how to do it.
It's an advanced topic; you need to override system configurations... there are multiple ways to achieve it & multiple constraints (not a straightforward way). Sorry, I am unable to provide a solution in one comment.
One of the CKS security objectives is to achieve this.. I would suggest reaching out on the official Kubernetes Slack channels and discussing the right approach with the community for your use case. I hope this will help.
Hi @@varunr3049, I have the same doubts as in your questions - have you got a resolution for this?
If yes, kindly share ideas on how to do it.
Explain in this manner
1. What happens if we don't use pod security policy
2. How to implement PSP
Is this still applicable? According to the latest changes, PSP has been replaced / updated with Pod Security Admission.
Pod Security Admission is available in this playlist.
I didn't get how we can disable PSP in an existing cluster.
Now I am having a warning message for a deprecated API in a GKE cluster.
So first I wanted to disable PSP, and if you have recorded a video on migration from PSP to PSAC, please help me with that.
If you’re running a version prior to v1.25 and want to disable PSP, you would typically remove it from the admission controller’s list in the API server configuration and restart the API server.
For clusters that still use PSP, you would need to migrate to these alternatives before upgrading to Kubernetes v1.25 to avoid interruptions to your workloads.
# Example command to check if PSPs are in use in your cluster (for versions prior to v1.25)
kubectl get psp
# If PSPs are in use, you'll need to migrate to alternatives like PSA
# Refer to the Kubernetes documentation for a detailed migration guide
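The check described in the reply above, as an added example that is not part of the original comment or the video: it reads the `--enable-admission-plugins` flag from a kube-apiserver manifest, reports whether `PodSecurityPolicy` is listed, and prints the flag with it removed. It assumes a self-managed (kubeadm-style) cluster where the API server runs from a static pod manifest, commonly `/etc/kubernetes/manifests/kube-apiserver.yaml`; the function names and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a kube-apiserver manifest for the PodSecurityPolicy
# admission plugin and compute the plugin list with it removed.

# Print the value of --enable-admission-plugins from manifest file $1.
admission_plugins() {
  sed -n 's/^[[:space:]]*-[[:space:]]*--enable-admission-plugins=//p' "$1" |
    head -n 1 | tr -d '"[:space:]'
}

# Succeed only if PodSecurityPolicy is listed. The match is on the whole
# plugin name (-x), so the newer "PodSecurity" plugin does not count.
psp_enabled() {
  admission_plugins "$1" | tr ',' '\n' | grep -qx 'PodSecurityPolicy'
}

# Print the plugin list without PodSecurityPolicy, order preserved.
plugins_without_psp() {
  admission_plugins "$1" | tr ',' '\n' | grep -vx 'PodSecurityPolicy' |
    paste -sd, -
}

# Constructed sample manifest (not taken from a real cluster).
write_sample_manifest() {
  sample=$(mktemp)
  cat > "$sample" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction,PodSecurity,PodSecurityPolicy
EOF
  echo "$sample"
}

# Use the manifest given as $1, or fall back to the constructed sample.
manifest=${1:-$(write_sample_manifest)}
if psp_enabled "$manifest"; then
  echo "PodSecurityPolicy is enabled. Flag without it:"
  echo "  --enable-admission-plugins=$(plugins_without_psp "$manifest")"
else
  echo "PodSecurityPolicy is not in --enable-admission-plugins"
fi
```

Run it with the manifest path as the first argument to inspect a real file; the script only reads the manifest and never edits it.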
Kubernetes Pod Security Policy has been removed from the CKS exam curriculum. Instead there are Pod Security Standards and Pod Security Admission.
That's correct, I have made a detailed video on PSA: ua-cam.com/video/JYM7mSShfp0/v-deo.htmlsi=244KY5vBDSSp3l2o