Scrub PSP docs for 1.25 #33512

Merged
merged 1 commit into from
Aug 16, 2022
775 changes: 12 additions & 763 deletions content/en/docs/concepts/security/pod-security-policy.md

Large diffs are not rendered by default.
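Review bot: the 763-line deletion in content/en/docs/concepts/security/pod-security-policy.md is not rendered here, so what the 12 remaining additions leave behind cannot be checked; since the other hunks in this PR remove every inbound link to /docs/concepts/security/pod-security-policy/ (authorization.md, security-context.md, the static Pod task, the AppArmor tutorial), please confirm whether the remaining file is a stub or a redirect that points readers to Pod Security Admission, so that the URL does not return a 404 for readers arriving from older material.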

6 changes: 0 additions & 6 deletions content/en/docs/concepts/security/pod-security-standards.md
Expand Up @@ -451,12 +451,6 @@ of individual policies are not defined here.
- {{< example file="security/podsecurity-baseline.yaml" >}}Baseline namespace{{< /example >}}
- {{< example file="security/podsecurity-restricted.yaml" >}}Restricted namespace{{< /example >}}

[**PodSecurityPolicy**](/docs/concepts/security/pod-security-policy/) (Deprecated)

- {{< example file="policy/privileged-psp.yaml" >}}Privileged{{< /example >}}
- {{< example file="policy/baseline-psp.yaml" >}}Baseline{{< /example >}}
- {{< example file="policy/restricted-psp.yaml" >}}Restricted{{< /example >}}

### Alternatives

{{% thirdparty-content %}}
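Review bot: the three removed `example` shortcodes were the references to `policy/privileged-psp.yaml`, `policy/baseline-psp.yaml` and `policy/restricted-psp.yaml`; if nothing else on the site references them, those example manifests should be deleted in the same PR, otherwise they remain as orphaned `policy/v1beta1` files that may still be picked up by the examples test. Since this list was also the page's last mention of PodSecurityPolicy, a one-line note under `### Alternatives` that PSP was removed in v1.25 would help readers arriving here to migrate.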
4 changes: 2 additions & 2 deletions content/en/docs/contribute/style/write-new-topic.md
Expand Up @@ -105,8 +105,8 @@ following cases (not an exhaustive list):
[FlexVolume](/docs/concepts/storage/volumes#flexvolume) implementation.
- The code is an incomplete example because its purpose is to highlight a
portion of a larger file. For example, when describing ways to
customize the [PodSecurityPolicy](/docs/tasks/administer-cluster/sysctl-cluster/#podsecuritypolicy)
for some reasons, you can provide a short snippet directly in your topic file.
customize a [RoleBinding](/docs/reference/access-authn-authz/rbac/#role-binding-examples),
you can provide a short snippet directly in your topic file.
- The code is not meant for users to try out due to other reasons. For example,
when describing how a new attribute should be added to a resource using the
`kubectl edit` command, you can provide a short example that includes only
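Review bot: the new link target `/docs/reference/access-authn-authz/rbac/#role-binding-examples` depends on that anchor existing on the RBAC page; please verify it before merge, since the old anchor `#podsecuritypolicy` on the sysctl task is deleted later in this PR and a second dangling anchor here would be easy to miss. Dropping "for some reasons" reads better.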
Expand Up @@ -195,7 +195,7 @@ have access to the host PID namespace.

The DenyEscalatingExec admission plugin is deprecated.

Use of a policy-based admission plugin (like [PodSecurityPolicy](#podsecuritypolicy) or a custom admission plugin)
Use of a policy-based admission plugin (like [`PodSecurity`](#podsecurity) or a custom admission plugin)
which can be targeted at specific users or Namespaces and also protects against creation of overly privileged Pods
is recommended instead.

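Review bot: style: this hunk renders the link as [`PodSecurity`](#podsecurity) with backticks, while the otherwise identical sentence in the DenyExecOnPrivileged hunk (`@@ -208,7 +208,7 @@`) uses [PodSecurity](#podsecurity) without them; the two paragraphs are copies of each other, so use one form in both.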
Expand All @@ -208,7 +208,7 @@ This admission controller will intercept all requests to exec a command in a pod
This functionality has been merged into [DenyEscalatingExec](#denyescalatingexec).
The DenyExecOnPrivileged admission plugin is deprecated.

Use of a policy-based admission plugin (like [PodSecurityPolicy](#podsecuritypolicy) or a custom admission plugin)
Use of a policy-based admission plugin (like [PodSecurity](#podsecurity) or a custom admission plugin)
which can be targeted at specific users or Namespaces and also protects against creation of overly privileged Pods
is recommended instead.

Expand Down Expand Up @@ -661,23 +661,16 @@ admission plugin, which allows preventing pods from running on specifically tain

{{< feature-state for_k8s_version="v1.23" state="beta" >}}

This is the replacement for the deprecated [PodSecurityPolicy](#podsecuritypolicy) admission controller
defined in the next section. This admission controller acts on creation and modification of the pod and
This admission controller acts on creation and modification of the pod and
determines if it should be admitted based on the requested security context and the
[Pod Security Standards](/docs/concepts/security/pod-security-standards/).

See the [Pod Security Admission documentation](/docs/concepts/security/pod-security-admission/)
for more information.

### PodSecurityPolicy {#podsecuritypolicy}

{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}

This admission controller acts on creation and modification of the pod and determines if it should be admitted
based on the requested security context and the available Pod Security Policies.

See also the [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) documentation
for more information.
Versions of Kubernetes prior to 1.25 included an admission controller for
the beta `PodSecurityPolicy` API; the Pod Security admission controller
provides similar, but not identical, security enforcement.

### PodTolerationRestriction {#podtolerationrestriction}

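Review bot: the feature-state line at the top of this section still reads `{{< feature-state for_k8s_version="v1.23" state="beta" >}}`; Pod Security admission graduated to stable in v1.25, the release this PR scrubs for, so that shortcode should be updated in the same change. The new sentence "Versions of Kubernetes prior to 1.25 included an admission controller for the beta `PodSecurityPolicy` API" would also be clearer if it said "removed in v1.25" explicitly, matching the wording used in the glossary hunk of this PR.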
2 changes: 0 additions & 2 deletions content/en/docs/reference/access-authn-authz/authorization.md
Expand Up @@ -80,8 +80,6 @@ The `get`, `list` and `watch` verbs can all return the full details of a resourc

Kubernetes sometimes checks authorization for additional permissions using specialized verbs. For example:

* [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/)
* `use` verb on `podsecuritypolicies` resources in the `policy` API group.
* [RBAC](/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping)
* `bind` and `escalate` verbs on `roles` and `clusterroles` resources in the `rbac.authorization.k8s.io` API group.
* [Authentication](/docs/reference/access-authn-authz/authentication/)
Expand Up @@ -9,7 +9,7 @@ weight: 95

<!-- overview -->
The tables below enumerate the configuration parameters on
[PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) objects, whether the field mutates
`PodSecurityPolicy` objects, whether the field mutates
and/or validates pods, and how the configuration values map to the
[Pod Security Standards](/docs/concepts/security/pod-security-standards/).
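Review bot: this hunk only un-links `PodSecurityPolicy` in the overview, but the page goes on to document PSP fields ("The tables below enumerate the configuration parameters on `PodSecurityPolicy` objects") as though the API still existed; add a sentence to the overview stating that PodSecurityPolicy was removed in v1.25 and that the tables are kept for migrating policies from older clusters to the Pod Security Standards, so the de-linked name does not read like a broken link.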

3 changes: 2 additions & 1 deletion content/en/docs/reference/glossary/pod-security-policy.md
Expand Up @@ -17,4 +17,5 @@ tags:

A cluster-level resource that controls security sensitive aspects of the Pod specification. The `PodSecurityPolicy` objects define a set of conditions that a Pod must run with in order to be accepted into the system, as well as defaults for the related fields. Pod Security Policy control is implemented as an optional admission controller.

PodSecurityPolicy is deprecated as of Kubernetes v1.21, and will be removed in v1.25. We recommend migrating to [Pod Security Admission](/docs/concepts/security/pod-security-admission/), or a 3rd party admission plugin.
PodSecurityPolicy was deprecated as of Kubernetes v1.21, and removed in v1.25.
As an alternative, use [Pod Security Admission](/docs/concepts/security/pod-security-admission/) or a 3rd party admission plugin.
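Review bot: the definition paragraph above is still in the present tense ("controls security sensitive aspects", "define a set of conditions", "is implemented as an optional admission controller") while the new sentence says PSP "was deprecated as of Kubernetes v1.21, and removed in v1.25"; move the definition to the past tense as well, otherwise the entry contradicts itself.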
52 changes: 0 additions & 52 deletions content/en/docs/tasks/administer-cluster/sysctl-cluster.md
Expand Up @@ -175,55 +175,3 @@ is recommended to use
[_taints and toleration_ feature](/docs/reference/generated/kubectl/kubectl-commands/#taint) or
[taints on nodes](/docs/concepts/scheduling-eviction/taint-and-toleration/)
to schedule those pods onto the right nodes.

## PodSecurityPolicy

{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}

You can further control which sysctls can be set in pods by specifying lists of
sysctls or sysctl patterns in the `forbiddenSysctls` and/or
`allowedUnsafeSysctls` fields of the PodSecurityPolicy. A sysctl pattern ends
with a `*` character, such as `kernel.*`. A `*` character on its own matches
all sysctls.

By default, all safe sysctls are allowed.

Both `forbiddenSysctls` and `allowedUnsafeSysctls` are lists of plain sysctl names
or sysctl patterns (which end with `*`). The string `*` matches all sysctls.

The `forbiddenSysctls` field excludes specific sysctls. You can forbid a
combination of safe and unsafe sysctls in the list. To forbid setting any
sysctls, use `*` on its own.

If you specify any unsafe sysctl in the `allowedUnsafeSysctls` field and it is
not present in the `forbiddenSysctls` field, that sysctl can be used in Pods
using this PodSecurityPolicy. To allow all unsafe sysctls in the
PodSecurityPolicy to be set, use `*` on its own.

Do not configure these two fields such that there is overlap, meaning that a
given sysctl is both allowed and forbidden.

{{< warning >}}
If you allow unsafe sysctls via the `allowedUnsafeSysctls` field
in a PodSecurityPolicy, any pod using such a sysctl will fail to start
if the sysctl is not allowed via the `--allowed-unsafe-sysctls` kubelet
flag as well on that node.
{{< /warning >}}

This example allows unsafe sysctls prefixed with `kernel.msg` to be set and
disallows setting of the `kernel.shm_rmid_forced` sysctl.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: sysctl-psp
spec:
allowedUnsafeSysctls:
- kernel.msg*
forbiddenSysctls:
- kernel.shm_rmid_forced
...
```


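Review bot: deleting this section removes the page's only description of how to restrict which sysctls pods may set; consider replacing it with a pointer to the Pod Security Standards baseline policy, which limits pods to the safe sysctls, and an admission plugin for anything finer-grained. The caveat in the removed warning (an unsafe sysctl that a policy allows still fails to start unless the node's kubelet also allows it via `--allowed-unsafe-sysctls`) is independent of PSP and should survive somewhere on the page. Dropping the `policy/v1beta1` example manifest itself is correct.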
Expand Up @@ -484,7 +484,7 @@ kubectl delete pod security-context-demo-4
* [Tuning Docker with the newest security enhancements](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
* [Security Contexts design document](https://git.k8s.io/design-proposals-archive/auth/security_context.md)
* [Ownership Management design document](https://git.k8s.io/design-proposals-archive/storage/volume-ownership-management.md)
* [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/)
* [PodSecurity Admission](/docs/concepts/security/pod-security-admission/)
* [AllowPrivilegeEscalation design
document](https://git.k8s.io/design-proposals-archive/auth/no-new-privs.md)
* For more information about security mechanisms in Linux, see
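Review bot: the new link text "PodSecurity Admission" does not match the name the docs use elsewhere in this PR ("Pod Security Admission" in the glossary hunk, "Pod Security admission" in admission-controllers); use the target page's own title for consistency.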
Expand Up @@ -182,7 +182,7 @@ static-web 1/1 Running 0 2m
```

{{< note >}}
Make sure the kubelet has permission to create the mirror Pod in the API server. If not, the creation request is rejected by the API server. See [Pod Security admission](/docs/concepts/security/pod-security-admission) and [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/).
Make sure the kubelet has permission to create the mirror Pod in the API server. If not, the creation request is rejected by the API server.
{{< /note >}}

{{< glossary_tooltip term_id="label" text="Labels" >}} from the static Pod are
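Review bot: removing both links leaves "has permission to create the mirror Pod" ambiguous between authorization and admission; the Pod Security admission link was still valid and is the mechanism most likely to reject a mirror Pod (a static Pod that needs elevated privileges in a namespace enforcing a Pod Security Standard), so keep that link and drop only the PodSecurityPolicy one.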
45 changes: 1 addition & 44 deletions content/en/docs/tutorials/security/apparmor.md
Expand Up @@ -346,33 +346,6 @@ class of profiles) on the node, and use a
[node selector](/docs/concepts/scheduling-eviction/assign-pod-node/) to ensure the Pod is run on a
node with the required profile.

### Restricting profiles with the PodSecurityPolicy

{{< note >}}
PodSecurityPolicy is deprecated in Kubernetes v1.21, and will be removed in v1.25.
See [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) documentation for more information.
{{< /note >}}

If the PodSecurityPolicy extension is enabled, cluster-wide AppArmor restrictions can be applied. To
enable the PodSecurityPolicy, the following flag must be set on the `apiserver`:

```
--enable-admission-plugins=PodSecurityPolicy[,others...]
```

The AppArmor options can be specified as annotations on the PodSecurityPolicy:

```yaml
apparmor.security.beta.kubernetes.io/defaultProfileName: <profile_ref>
apparmor.security.beta.kubernetes.io/allowedProfileNames: <profile_ref>[,others...]
```

The default profile name option specifies the profile to apply to containers by default when none is
specified. The allowed profile names option specifies a list of profiles that Pod containers are
allowed to be run with. If both options are provided, the default must be allowed. The profiles are
specified in the same format as on containers. See the [API Reference](#api-reference) for the full
specification.

### Disabling AppArmor

If you do not want AppArmor to be available on your cluster, it can be disabled by a command-line flag:
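Review bot: with this section gone, the tutorial no longer says how to restrict AppArmor profiles cluster-wide, leaving only the node-level advice in the preceding paragraph; the Pod Security Standards baseline policy restricts the `container.apparmor.security.beta.kubernetes.io/*` annotations to `runtime/default` and `localhost/*`, so a short pointer to it (or to a third-party admission plugin) would replace the removed guidance rather than drop it.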
Expand Down Expand Up @@ -421,7 +394,7 @@ Specifying the profile a container will run with:
### Profile Reference

- `runtime/default`: Refers to the default runtime profile.
- Equivalent to not specifying a profile (without a PodSecurityPolicy default), except it still
- Equivalent to not specifying a profile, except it still
requires AppArmor to be enabled.
- In practice, many container runtimes use the same OCI default profile, defined here:
https://github.com/containers/common/blob/main/pkg/apparmor/apparmor_linux_template.go
Expand All @@ -432,22 +405,6 @@ Specifying the profile a container will run with:

Any other profile reference format is invalid.

### PodSecurityPolicy Annotations

Specifying the default profile to apply to containers when none is provided:

* **key**: `apparmor.security.beta.kubernetes.io/defaultProfileName`
* **value**: a profile reference, described above

Specifying the list of profiles Pod containers is allowed to specify:

* **key**: `apparmor.security.beta.kubernetes.io/allowedProfileNames`
* **value**: a comma-separated list of profile references (described above)
- Although an escaped comma is a legal character in a profile name, it cannot be explicitly
allowed here.



## {{% heading "whatsnext" %}}


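Review bot: the removal leaves three consecutive blank lines between "Any other profile reference format is invalid." and the `whatsnext` heading; trim them to one. The escaped-comma caveat in the removed text applied only to the PSP `allowedProfileNames` annotation, so nothing else on the page needs it.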