Blog post about Pod Security admission graduating to stable #35614
/retitle [WIP] Add article about Pod Security admission graduating to stable
We should aim to update https://kubernetes.io/blog/2021/12/09/pod-security-admission-beta/ to link to the new article.
We might want to embed https://www.youtube.com/watch?v=gcz5VsvOYmI in the blog article - what do folks think?
Hi from the Comms team! Just a reminder that the Ready to Review deadline for feature blogs is Tuesday, August 16. You will also be assigned a publication date post-release. Is there anything we can do to help you right now?
I'm drafting the post this afternoon. I'm interested in cross-referencing some of the other posts. Is there a standard way of doing that, or should I just make sure this post goes out after them, and use the permalink? Specifically, I think the PSP history post, and the pod os post.
Hey Tim! Your assigned publication date is 25 August. As for cross-references, we're aiming to have that history post published before release, but the Pod OS post isn't scheduled until the following week, so you won't be able to link to it immediately.
Do you require any assistance from the comms team in drafting this? We need to begin reviews. :)
Sorry this is delinquent. I'm putting the finishing touches on the draft here, and then I'll convert to markdown and update this PR.
OK, this is ready for review!
/assign @samos123
@tallclair: GitHub didn't allow me to assign the following users: samos123. Note that only kubernetes members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
_Note that Kubelets prior to Kubernetes v1.24 did not enforce the Pod OS field, so clusters running | ||
older nodes should explicitly | ||
[pin restricted policies to a version](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) | ||
prior to v1.25._ |
_Note that Kubelets prior to Kubernetes v1.24 did not enforce the Pod OS field, so clusters running | |
older nodes should explicitly | |
[pin restricted policies to a version](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) | |
prior to v1.25._ | |
In Kubernetes v1.24 and earlier, the kubelet didn't enforce the Pod OS field. If your cluster runs nodes with | |
earlier version, you should explicitly | |
[pin Restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) to a version prior to v1.25. |
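Review bot: the replacement's first line, "In Kubernetes v1.24 and earlier", moves the version boundary. The text it replaces says "Kubelets prior to Kubernetes v1.24", which does not include v1.24, so if the original wording is right this should read "v1.23 and earlier". In the second line, "nodes with earlier version" also needs an article or a plural, for example "nodes with an earlier version".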
Went with:
_Note that Kubelets prior to Kubernetes v1.24 did not enforce the Pod OS field, so clusters running | |
older nodes should explicitly | |
[pin restricted policies to a version](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) | |
prior to v1.25._ | |
In Kubernetes v1.23 and earlier, the kubelet didn't enforce the Pod OS field. If your cluster runs | |
nodes with any of those versions, you should explicitly | |
[pin Restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) | |
to a version prior to v1.25. |
A [guide](https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/) was published | ||
to make the process of migrating from PSP to PSA easier, and to help you choose the best migration | ||
strategy for your use case. In addition, a tool called |
A [guide](https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/) was published | |
to make the process of migrating from PSP to PSA easier, and to help you choose the best migration | |
strategy for your use case. In addition, a tool called | |
For instructions to migrate from PodSecurityPolicy to the PodSecurity admission controller, and for help | |
choosing a migration strategy, refer to the [migration guide](https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/). | |
We're also developing a tool called |
Congrats on the graduation @tallclair @samos123 et al 🥳
Please make the title change as per #35614 (comment)
Thanks for all the feedback. I applied most of the suggestions, and responded to those that I deviated from. The main difference is referring to the feature as
@tallclair could you take a look at #35614 (comment) and #35614 (comment)? Those are things we could leave in for publication, but that I'd really prefer to fix.
@tallclair yeah sorry haha I was doing it for technical accuracy but it's a blog post not a doc. If you don't have it already, I'd recommend mentioning somewhere that Pod Security Admission uses the
/label tide/merge-method-squash
Thank you for addressing feedback
LGTM label has been added. Git tree hash: c7969a1eb822457738bab5512edc70239b4a306d
Hi @kubernetes/sig-docs-blog-owners, ptal
Thanks /approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rolfedh, sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Blog post for v1.25 Pod Security Admission (PSA) graduating to Stable
Topics:
/cc @katcosgrove