[EKS] [request]: PodSecurity admission control

[sftim]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Add Pod Security admission control into EKS

• document a way to run the Pod Security admission webhook safely
• build in Pod Security admission control (currently alpha, but on course to become beta) into EKS itself
• configure reasonable defaults

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Restrict access to run privileged containers. Only trusted, cluster-critical or node-critical components should be able to use Pods that launch a privileged container. More broadly, I want to disallow a workload from elevating its privileges via a container / containment escape.

It's hard to do this well because Pod Security admission is an essential security control. If you run this component as an in-cluster workload, and it fails, then either:

• you enabled fail-dangerous, and a DoS attack can become an elevation of privilege
• you set the admission webhook to fail safe, and now your cluster can't launch any Pods, including for healing. Maybe even critical Pods like CoreDNS and the CNI plugin can't launch.

With that in mind, it's useful to either have a documented method for adding Pod Security admission or, better, to have it available as part of EKS itself.

Are you currently working around this issue?
Various options, including using (deprecated) PodSecurityPolicies.

Additional context

• follows on from Support for PodSecurityPolicy Admission Controller #174

Pod Security admission is the in-tree replacement for PodSecurityPolicy, which will is scheduled to disappear from Kubernetes in v1.25.

[sftim]

It's useful to be able to customise the Pod Security admission mechanism. One mechanism for this might be to make part of the implementation work like an EKS add-on, with a ConfigMap that has some fields managed by EKS and others available for cluster-operator configuration.

[dec5e]

This was released with EKS v1.23:

Kubernetes graduated the Pod Security Admission feature to beta. The feature is enabled by default. For more information, see Pod Security Admission in the Kubernetes documentation. Pod Security Admission replaces the Pod Security Policy (PSP) admission controller. The PSP admission controller isn't supported and is scheduled for removal in Kubernetes version 1.25.

But would it be possible to enable that feature in 1.22 as well although it is in alpha version, in a similar manner as TTL controller was enabled (#255 (comment))? Pod Security Admission was promoted to beta in v1.23 and stable in v1.25.

[dec5e]

v1.22 is not under support anymore, v1.23 has Pod Security Admission in beta, v1.23 has a full support and PodSecurityPolicies are removed. (ref)

This issue is not relevant anymore?