Support Kubernetes Pod Security Standards
https://kubernetes.io/docs/concepts/security/pod-security-standards/
https://kubernetes.io/docs/concepts/security/pod-security-admission/
This replaces Pod Security Policies, and is much simpler to configure. This would be good for sites that don't necessarily want to or can't run something like Kyverno, and so this allows using native Kubernetes methods to secure OnDemand's usage of Kubernetes.
Forgot to mention that OSC can't yet support this until I upgrade us to at least 1.22 (we are 1.21 now). I plan to do the upgrade this week or next.
I moved this from ood_core; the labels are part of namespaces, so they need to be added as part of the hook.
The two policies we may use would be Baseline or Restricted, and both disallow the use of hostPath, which we rely on heavily for OnDemand. If we did support this, it would only be for cases where sites don't want any hostPath mounts or want to use Baseline and mount everything via non-hostPath, like using NFS directly.
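As an added illustration of the mechanism described in the comments above (this is not from the issue thread or the OnDemand project): a namespace carrying the Pod Security Admission labels that enforce the `baseline` level, followed by a pod that `baseline` rejects because it uses a `hostPath` volume, and an NFS-backed alternative that the same level admits. The namespace name, image, NFS server and paths are placeholders.

```yaml
# Added example, not part of the issue thread or the OnDemand project.
# Namespace name, image, NFS server and paths are made-up placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: ondemand-example          # placeholder namespace name
  labels:
    # Pod Security Admission reads these namespace labels (Kubernetes >= 1.22):
    # enforce = reject violating pods; warn/audit = report only.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Rejected under baseline: the "HostPath Volumes" control forbids any
# spec.volumes[*].hostPath. The API server refuses to create the pod
# and names the violated control in the error.
apiVersion: v1
kind: Pod
metadata:
  name: hostpath-pod
  namespace: ondemand-example
spec:
  containers:
    - name: app
      image: registry.example.com/ondemand-app:placeholder
      volumeMounts:
        - name: home
          mountPath: /home
  volumes:
    - name: home
      hostPath:
        path: /home               # placeholder host directory
        type: Directory
---
# Admitted under baseline: nfs is not a forbidden volume type at that
# level. It would be rejected under restricted, which only allows
# configMap, csi, downwardAPI, emptyDir, ephemeral,
# persistentVolumeClaim, projected and secret volumes.
apiVersion: v1
kind: Pod
metadata:
  name: nfs-pod
  namespace: ondemand-example
spec:
  containers:
    - name: app
      image: registry.example.com/ondemand-app:placeholder
      volumeMounts:
        - name: home
          mountPath: /home
  volumes:
    - name: home
      nfs:
        server: nfs.example.com   # placeholder NFS server
        path: /export/home        # placeholder export path
```

Applying this file with `kubectl apply -f` creates the namespace and `nfs-pod` but denies `hostpath-pod`. Because `warn` is set to `restricted`, `nfs-pod` is still admitted, but the client prints warnings for the restricted-level controls it does not meet (for example `runAsNonRoot`, a seccomp profile and dropping all capabilities). To check how many existing pods a stricter level would reject before enforcing it, `kubectl label --dry-run=server --overwrite ns ondemand-example pod-security.kubernetes.io/enforce=restricted` reports the would-be violations without changing anything.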
Do you see this happening in 4.1 @treydock? We're starting to pare down 4.1 in preparation for the release. Happy to defer it to the backlog otherwise. In any case, just let me know if you think you can get around to it in the next few months.
I'm not sure this is even required, ever. Pod Security Standards would have to be disabled in most/all Kubernetes resources for OnDemand since we rely so heavily on hostPath, so I'm not sure there's value in making this available since it likely will never get used. We may want to just push folks towards things like Kyverno, and all our policies are on GitHub.
OK, I'll close this then as won't do.