[Deprecated] Pod Security Policy

[erictune]

Feature Description

• Define policy objects that limit what security-related features pods and containers can use
• Primary contact (assignee): @tallclair
• Responsible SIGs: @kubernetes/sig-auth-feature-requests @kubernetes/sig-node-feature-requests
• Design proposal link (community repo): https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/pod-security-policy.md
• Link to e2e and/or unit tests: https://github.com/kubernetes/kubernetes/blob/master/test/e2e/auth/pod_security_policy.go
• Reviewer(s) - (for LGTM): @liggitt @tallclair
• Approver: @liggitt @tallclair
• Feature target (which target equals to which milestone):
  • Beta release target (extensions/v1beta1) - 1.8
  • Beta release target (policy/v1beta1) - 1.10
  • Stable release target - TBD

Related issues

• stop serving extensions/v1beta1 and networking.k8s.io/v1beta1 in 1.22 kubernetes#43214 - Move out of extensions/v1beta1 API group:
  • 1.10
    • additionally allow authorizing via use verb in policy API group (will need to allow via either group for some time period)
    • update e2e tests (test both for some time period)
  • 1.11
    • move internal types to policy package (cleanup)
    • move registry to policy package (cleanup)
    • update addon manifests to use policy/v1beta1, grant permissions in policy API group
    • switch admission plugin to use policy group informer
    • switch preferred storage version to policy group
• [PodSecurityPolicy] API changes kubernetes#56174
• PodSecurityPolicy should work with managed sidecars kubernetes#55435
• [PodSecurityPolicy] "MayRunAs" strategies kubernetes#56173

[erictune]

Admission controller code is under review in: kubernetes/kubernetes#24600

[erictune]

This feature is skipping straight to Beta since it has had initial exposure in OpenShift.

[erictune]

It will be default disabled in kubernetes/kubernetes#24600. After that goes in, we need changes in the admission controller to link PSPs to users.

[pweil-]

Noting kubernetes/kubernetes#20573 as a dependency for the next step on PSP (subject level access)

[bryk]

Whats the status of this? Is the description in first comment up to date?

[pweil-]

Is the description in first comment up to date

no (I don't have permissions to update). I believe all of the alpha requirements have been met. The initial types, api, and tests have been merged. The admission controller is not enabled by default.

IMO the remaining work for beta/1.4 is auth integration for permissions, updating for new fields we want to constraint (seccomp - in progress, sysctl), and any required docs/tutorials.

[erictune]

And an e2e test.

On Tue, Jul 12, 2016 at 6:23 AM, Paul Weil notifications@github.com wrote:

Is the description in first comment up to date

no (I don't have permissions to update). I believe all of the alpha
requirements have been met. The initial types, api, and tests have been
merged. The admission controller is not enabled by default.

IMO the remaining work for beta/1.4 is auth integration for permissions,
updating for new fields we want to constraint (seccomp - in progress,
sysctl), and any required docs/tutorials.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#5 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AHuudqFwephlYk0Y1PS77y0xxA5QW0_-ks5qU5U7gaJpZM4IaU8n
.

[therc]

How about interactions with cloud providers? It would be nice to easily assign each pod different IAM roles so they can access only the subset of cloud services that they actually need. Would it be in scope or is it considered a SecurityContext detail?

[erictune]

@therc that should be done via ServiceAccount.

[pweil-]

@goltermann I noticed this was marked with alpha but I believe it probably needs the beta tag based on #5 (comment)

[goltermann]

@erictune does beta sound right based on the @pweil- comment?

[pweil-]

@goltermann I think technically this would've been beta in 1.3, it is not new to 1.4 though development is ongoing.

[erictune]

Yes, beta is correct. I was incorrect when I said alpha earlier today.

[goltermann]

great, fixed it up

[janetkuo]

@pweil- Are the docs ready? Please update the docs to https://github.com/kubernetes/kubernetes.github.io, and then add PR numbers and have the docs box checked in the issue description

[pweil-]

@janetkuo docs PR kubernetes/website#1150

edit: kubernetes/website#1206 is the correct 1.4 PR

cc @kubernetes/feature-reviewers

[idvoretskyi]

@pweil- I suppose, this PR is actual - kubernetes/website#1206?

[pweil-]

correct

[pierluigilenoci]

@liggitt next action is PSP Replacement KEP

[sftim]

For more information on the deprecation, see PodSecurityPolicy Deprecation: Past, Present, and Future.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[tallclair]

/remove-lifecycle stale

[tallclair]

/lifecycle frozen

[Priyankasaggu11929]

Hello @tallclair 👋, 1.25 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.

For note, This enhancement is targeting for Removal in 1.25 (followed by the Deprecation in 1.21) (correct me, if otherwise)

As discussed with the Release team in this K8s slack thread, the team agreed that we don't require to migrate the old archived design proposal to a KEP template, to just track the deprecation & removal stages for this enhancement.

Since, the new KEP-2579: Pod Security Admission Control KEP is there to explicitly replace PSP, we will align the deprecation & removal stages of this enhancement with that KEP & track both!

For note, the status of this enhancement is marked as tracked. Thank you for keeping the issue description up-to-date!

[Priyankasaggu11929]

Hi @tallclair 👋

Checking in once more as we approach 1.25 code freeze at 01:00 UTC on Wednesday, 3rd August 2022.

Please ensure the following items are completed:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PRs are fully merged by the code freeze deadline.
  • Remove PodSecurityPolicy admission plugin kubernetes#109798

Please verify, if there are any additional k/k PRs besides the ones listed above.

Since all the listed k/k PRs are fully merged, the status of this enhancement is marked as tracked.

Please update the issue description with the relevant links for tracking purposes. Thank you so much!

[tallclair]

All the k/k work for v1.25 is done.

[liggitt]

marked complete in #3487