
psp scheduled for removal

Open ArgTang opened this issue 3 years ago • 3 comments

https://github.com/kubernetes/kubernetes/pull/97171

The PodSecurityPolicy API is deprecated in 1.21, and will no longer be served starting in 1.25.

For some cloud vendors this timeline is even stricter, like Azure AKS.

Most fields can be set right in the deployment manifest, as podSecurityContext, or securityContext per container. Maybe they can be moved there?

ArgTang avatar Mar 31 '21 12:03 ArgTang

Yeah, I'm aware of this deprecation but couldn't take the time to see alternatives - except to not configure psp in the customized values file. We already have a pod security context which can be freely customized, maybe we can also add a container security context? Any other suggestions?

jcmoraisjr avatar Apr 12 '21 10:04 jcmoraisjr

Security context would be a nice thing to add. Maybe provide a separate feature flag for psp and roles so people could disable the current psp?

ArgTang avatar Apr 14 '21 19:04 ArgTang

psp is currently disabled by default:

rbac:
  security:
    enable: false

This however doesn't disable roles and rolebindings used to authorize haproxy ingress in the cluster. Only psp related role and rolebindings are removed / not created.

Regarding container security context, it seems to be a good idea but I could find a good place for the configuration in the values file - something that allows me e.g. to configure one container and not the other. I'll leave this open until we have a proper implementation.

jcmoraisjr avatar Apr 16 '21 09:04 jcmoraisjr
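
An added illustration, not part of the thread or of the chart's code: a sketch of how the restrictive fields of a PodSecurityPolicy spec split between the pod-level and the per-container securityContext, and which fields have no securityContext counterpart. The function names and the sample policy are constructed for this example. A PSP is enforced at admission, while a securityContext only declares what the workload asks for.

```python
# Added illustration: derive the securityContext blocks a manifest can declare
# from a PodSecurityPolicy spec. Names and sample data are constructed here.

# Only the restrictive value is copied: "privileged: true" in a PSP means
# "allowed", and must not become "privileged: true" on a container.
RESTRICTIVE = {"privileged": False, "allowPrivilegeEscalation": False,
               "readOnlyRootFilesystem": True}
# PSP fields that restrict the pod but have no securityContext counterpart.
NO_CONTEXT_EQUIVALENT = ("volumes", "allowedHostPaths", "hostPorts",
                         "hostNetwork", "hostPID", "hostIPC")


def first_id(strategy):
    """Lowest ID allowed by a MustRunAs strategy, or None for other rules."""
    if strategy.get("rule") == "MustRunAs" and strategy.get("ranges"):
        return strategy["ranges"][0]["min"]
    return None


def psp_to_security_contexts(psp_spec):
    """Return (pod_ctx, container_ctx, unmapped) derived from a PSP spec dict."""
    pod, container = {}, {}
    for key, value in RESTRICTIVE.items():      # container-level only
        if psp_spec.get(key) == value:
            container[key] = value
    if psp_spec.get("requiredDropCapabilities"):
        container["capabilities"] = {"drop": list(psp_spec["requiredDropCapabilities"])}
    run_as_user = psp_spec.get("runAsUser", {})  # valid at both levels; set on the pod
    if run_as_user.get("rule") == "MustRunAsNonRoot":
        pod["runAsNonRoot"] = True
    elif first_id(run_as_user) is not None:
        pod["runAsUser"] = first_id(run_as_user)
    fs_group = first_id(psp_spec.get("fsGroup", {}))        # pod-level only
    if fs_group is not None:
        pod["fsGroup"] = fs_group
    unmapped = [k for k in NO_CONTEXT_EQUIVALENT if k in psp_spec]
    return pod, container, unmapped


SAMPLE_PSP = {  # constructed sample, not the chart's policy
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"],
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1000, "max": 65535}]},
    "volumes": ["configMap", "secret", "emptyDir"],
    "hostNetwork": False,
}

if __name__ == "__main__":
    for label, ctx in zip(("pod", "container", "unmapped"),
                          psp_to_security_contexts(SAMPLE_PSP)):
        print(f"{label}: {ctx}")
```

The fields returned as unmapped are the ones that still need an admission-time control once the PSP is gone.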