[Deprecated] Pod Security Policy #5
Comments
Admission controller code is under review in: kubernetes/kubernetes#24600
This feature is skipping straight to Beta since it has had initial exposure in OpenShift.
It will be default disabled in kubernetes/kubernetes#24600. After that goes in, we need changes in the admission controller to link PSPs to users.
Noting kubernetes/kubernetes#20573 as a dependency for the next step on PSP (subject level access)
What's the status of this? Is the description in the first comment up to date?
no (I don't have permissions to update). I believe all of the alpha requirements have been met. The initial types, API, and tests have been merged. The admission controller is not enabled by default. IMO the remaining work for beta/1.4 is auth integration for permissions, updating for new fields we want to constrain (seccomp - in progress, sysctl), and any required docs/tutorials.
And an e2e test. On Tue, Jul 12, 2016 at 6:23 AM, Paul Weil notifications@github.com wrote:
How about interactions with cloud providers? It would be nice to easily assign each pod different IAM roles so they can access only the subset of cloud services that they actually need. Would it be in scope or is it considered a SecurityContext detail?
@therc that should be done via ServiceAccount.
@goltermann I noticed this was marked with alpha but I believe it probably needs the beta tag based on #5 (comment)
@goltermann I think technically this would've been beta in 1.3; it is not new to 1.4, though development is ongoing.
Yes, beta is correct. I was incorrect when I said alpha earlier today.
great, fixed it up
@pweil- Are the docs ready? Please update the docs to https://github.com/kubernetes/kubernetes.github.io, and then add PR numbers and have the docs box checked in the issue description
@janetkuo docs PR kubernetes/website#1150. Edit: kubernetes/website#1206 is the correct 1.4 PR. cc @kubernetes/feature-reviewers
@pweil- I suppose this PR is the current one: kubernetes/website#1206?
correct
@liggitt next action is PSP Replacement KEP
For more information on the deprecation, see PodSecurityPolicy Deprecation: Past, Present, and Future.
Remove security review.
Fix nits and table of contents
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/lifecycle frozen
Hello @tallclair 👋, 1.25 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022. For note, this enhancement is targeting for As discussed with the Release team in this K8s slack thread, the team agreed that we don't need to migrate the old archived design proposal to a KEP template, and will just track the deprecation & removal stages for this enhancement. Since the new KEP-2579: Pod Security Admission Control KEP is there to explicitly replace PSP, we will align the deprecation & removal stages of this enhancement with that KEP & track both! For note, the status of this enhancement is marked as
Hi @tallclair 👋 Checking in once more as we approach 1.25 code freeze at 01:00 UTC on Wednesday, 3rd August 2022. Please ensure the following items are completed:
Please verify if there are any additional k/k PRs besides the ones listed above. Since all the listed k/k PRs are fully merged, the status of this enhancement is marked as Please update the issue description with the relevant links for tracking purposes. Thank you so much!
All the k/k work for v1.25 is done.
marked complete in #3487
Not an alternative rejected any more, given applyset.k8s.io/inventory
…ategy (#3661)
* Initial KEP for improving pruning in kubectl apply
* Add design details
Co-authored-by: Katrina Verey <katrina.verey@shopify.com>
* Add another open question
* Links, clarifications, ownerRef and GKNN explanations
* Follow-on to initial feedback, address some unresolved blocks
* Fix lint errors
* Add more detail about reference implementation (#2)
* Apply prune jan25 (#3)
* More clearly delineate specification vs kubectl details
* Move design details of spec to Design Details section
* Updates from synchronous conversation
* Remove leftover paragraph (#5)
Not an alternative rejected any more, given applyset.k8s.io/inventory
* Justin has always been coauthor
* KEP-3659: production readiness etc (#4)
Fill in the testing/PRR sections.
* Fix test failures
* Prune: document confused deputy attack and mitigations
Likely pushes us to GKNN-derived IDs.
* Constrain applyset id
We just choose the constrained applyset id to prevent "applyset ID impersonation".
* Update KEP and PRR metadata
* Enhance testing description
* ID vs name fixes
* Fixes from soltysh's review
--------
Co-authored-by: Justin Santa Barbara <justinsb@google.com>
Another pass at the goals
Feature Description
Related issues
use verb in policy API group (will need to allow via either group for some time period)