[Deprecated] Pod Security Policy #5
Comments
Admission controller code is under review in: kubernetes/kubernetes#24600
This feature is skipping straight to Beta since it has had initial exposure in OpenShift.
It will be disabled by default in kubernetes/kubernetes#24600. After that goes in, we need changes in the admission controller to link PSPs to users.
Noting kubernetes/kubernetes#20573 as a dependency for the next step on PSP (subject level access)
What's the status of this? Is the description in the first comment up to date?
No (I don't have permissions to update). I believe all of the alpha requirements have been met. The initial types, API, and tests have been merged. The admission controller is not enabled by default. IMO the remaining work for beta/1.4 is auth integration for permissions, updating for new fields we want to constrain (seccomp - in progress, sysctl), and any required docs/tutorials.
And an e2e test. On Tue, Jul 12, 2016 at 6:23 AM, Paul Weil notifications@github.com wrote:
How about interactions with cloud providers? It would be nice to easily assign each pod different IAM roles so they can access only the subset of cloud services that they actually need. Would it be in scope or is it considered a SecurityContext detail?
@therc that should be done via ServiceAccount.
@goltermann I noticed this was marked with alpha but I believe it probably needs the beta tag based on #5 (comment)
@goltermann I think technically this would've been beta in 1.3; it is not new to 1.4, though development is ongoing.
Yes, beta is correct. I was incorrect when I said alpha earlier today.
Great, fixed it up.
@pweil- Are the docs ready? Please update the docs to https://github.com/kubernetes/kubernetes.github.io, then add the PR numbers and have the docs box checked in the issue description.
@janetkuo docs PR kubernetes/website#1150 edit: kubernetes/website#1206 is the correct 1.4 PR cc @kubernetes/feature-reviewers
@pweil- I suppose this PR is the current one: kubernetes/website#1206?
Correct.
For more information on the deprecation, see PodSecurityPolicy Deprecation: Past, Present, and Future. |
Remove security review.
Fix nits and table of contents
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
/lifecycle frozen
Hello @tallclair 👋, 1.25 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022. For note, this enhancement is targeting for
As discussed with the Release team in this K8s slack thread, the team agreed that we don't need to migrate the old archived design proposal to a KEP template, just to track the deprecation & removal stages for this enhancement. Since the new KEP-2579: Pod Security Admission Control KEP is there to explicitly replace PSP, we will align the deprecation & removal stages of this enhancement with that KEP & track both! For note, the status of this enhancement is marked as
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Hi @tallclair 👋 Checking in once more as we approach 1.25 code freeze at 01:00 UTC on Wednesday, 3rd August 2022. Please ensure the following items are completed:
Please verify if there are any additional k/k PRs besides the ones listed above. Since all the listed k/k PRs are fully merged, the status of this enhancement is marked as
Please update the issue description with the relevant links for tracking purposes. Thank you so much!
All the k/k work for v1.25 is done. |
marked complete in #3487
Not an alternative rejected any more, given applyset.k8s.io/inventory
…ategy (#3661)

* Initial KEP for improving pruning in kubectl apply
* Add design details

  Co-authored-by: Katrina Verey <katrina.verey@shopify.com>
* Add another open question
* Links, clarifications, ownerRef and GKNN explanations
* Follow-on to initial feedback, address some unresolved blocks
* Fix lint errors
* Add more detail about reference implementation (#2)
* Apply prune jan25 (#3)
* More clearly delineate specification vs kubectl details
* Move design details of spec to Design Details section
* Updates from synchronous conversation
* Remove leftover paragraph (#5)

  Not an alternative rejected any more, given applyset.k8s.io/inventory
* Justin has always been coauthor
* KEP-3659: production readiness etc (#4)

  Fill in the testing/ PRR sections.
* Fix test failures
* Prune: document confused deputy attack and mitigations

  Likely pushes us to GKNN-derived IDs.
* Constrain applyset id

  We just choose the constrained applyset id to prevent "applyset ID impersonation".
* Update KEP and PRR metadata
* Enhance testing description
* ID vs name fixes
* Fixes from soltysh's review

---------

Co-authored-by: Justin Santa Barbara <justinsb@google.com>
Another pass at the goals
* Add draft of CSI CBT KEP

  Signed-off-by: Ivan Sim <ivan.sim@dell.com>
* Update KEP status

  Signed-off-by: Ivan Sim <ivan.sim@dell.com>
* Initial structure. Filled in the Proposal, Caveats and Risks. Put in the CSI spec in the Details section.
* Removed distracting links to common K8s definitions. Clarified the proposal.
* More caveats. Better grammar.
* Use "snapshot access session".
* addressed most of the feedback in the PR.
* Updated role figure.
* More refinements.
* Session figure. Renamed figure files.
* Fix background of session figure.
* Updated figures and roles.
* Propose a new role for session data.
* GRPC spec
* Don't propose roles.
* Add user stories in the proposal (#2)

  * Add user stories in the proposal

    Signed-off-by: Prasad Ghangal <prasad.ghangal@gmail.com>
  * Remove acceptance criteria for the user stories
  * Make changes suggested by Carl

  ---------

  Signed-off-by: Prasad Ghangal <prasad.ghangal@gmail.com>
* Added details to the manager, sidecar and SP service sections. Fixed session figure errors and rewrote the client gRPC description in the risks section.
* Called out UNRESOLVED issues. More on the SP service and sidecar.
* Resolved issues with expiry and advertising.
* Updated TOC
* Fixed typo and svg space rendering.
* Fixed typo in perms figure.
* Typo in session figure. More detail in user stories.
* Add SnapshotSession CRDs (#5)

  * Add SnapshotSession CRDs
  * Add CR descriptions
  * Address review comments
  * Address review comments
  * Remove typo
  * Remove unnecessary new line
* Added image of the flow when the TokenRequest and TokenReview APIs are used.
* Fixed figure spacing
* Updated permissions svg; removed session.
* Updated figures. Removed session figure.
* Added explanation of permissions.
* Updated overview and risks.
* Updated RPC and components.
* Completed remaining rewrite.
* Updated to CSI spec to reflect container-storage-interface/spec#551
* Removed the security_token and namespace from the gRPC spec. Pass the security token via the metadata authorization key. Pass the namespace as part of the K8s snapshot id string.
* Update sections on test plan, PRR and graduation criteria

  Signed-off-by: Ivan Sim <ihcsim@gmail.com>
* More neutral language on passing the auth token.
* Updated to reflect changes in the CSI spec PR.
* Use a separate gRPC API for the sidecar.
* Replaced authorization gRPC metadata with a security_token field in request messages.
* Fixed typo.
* Updated CSI spec; downplayed similarity between the K8s and CSI gRPC services.
* Add beta and GA graduation criteria

  Signed-off-by: Ivan Sim <ihcsim@gmail.com>
* Updated CSI spec again - no unsigned numbers used.
* Update KEP milestone to v1.30

  Signed-off-by: Ivan Sim <ihcsim@gmail.com>
* Update 'Scalability' section

  Signed-off-by: Ivan Sim <ihcsim@gmail.com>
* Add sig-auth as participating sigs

  Signed-off-by: Ivan Sim <ihcsim@gmail.com>
* Require that the CR be named for the driver.
* Removed the label requirement for the CR.
* Replaced johnbelamaric with soltysh for PRR approver.
* Bump up milestone to v1.31
* Change KEP status to implementable

---------

Signed-off-by: Ivan Sim <ivan.sim@dell.com>
Signed-off-by: Prasad Ghangal <prasad.ghangal@gmail.com>
Signed-off-by: Ivan Sim <ihcsim@gmail.com>
Co-authored-by: Carl Braganza <carl@kasten.io>
Co-authored-by: Prasad Ghangal <prasad.ghangal@gmail.com>
Feature Description
Related issues
* `use` verb in `policy` API group (will need to allow via either group for some time period)
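The `use` verb item above, as an added example that is not from this issue or the Kubernetes project: an RBAC ClusterRole that grants `use` on one named PodSecurityPolicy through both the `extensions` and `policy` API groups, so the same role keeps working on clusters on either side of the group move during the transition period, bound to the service accounts of one namespace. The policy name `restricted`, the role and binding names, and the `dev` namespace are assumptions. PodSecurityPolicy was removed in v1.25, so this only applies to clusters still running the PSP admission plugin.

```yaml
# Added example (not from the issue or the Kubernetes project): granting the
# PodSecurityPolicy "use" verb via both API groups during the
# extensions -> policy migration. All names below are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user          # assumed name
rules:
  # Before the move PSP was served under extensions/v1beta1, afterwards
  # under policy/v1beta1. Listing both groups means the grant does not
  # silently stop matching when the apiserver switches groups.
  # resourceNames limits the grant to one named policy instead of every
  # PSP in the cluster; without it, a subject could "use" a more
  # permissive policy than intended.
  - apiGroups: ["extensions", "policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted"]     # assumed PSP name
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-user          # assumed name
  namespace: dev                     # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-user
subjects:
  # Grants "use" to every service account in the namespace, so pods created
  # by controllers there are admitted against the "restricted" policy. The
  # binding is namespaced, so the cluster-wide role only takes effect in dev.
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:dev
```

To check the grant on a cluster that still serves PSP, impersonate a service account from the bound namespace: `kubectl auth can-i use podsecuritypolicy/restricted --as=system:serviceaccount:dev:default` should print `yes`, and the same command with a service account from another namespace should print `no`. Remember that PSP authorization is evaluated against the user creating the pod, which for Deployments and other controllers is the controller's or the pod's service account rather than the human who ran `kubectl apply`, so binding to the namespace's service-account group is what makes controller-created pods admitted.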