vcluster
Add pod security standard support for vcluster
Since pod security policies are deprecated and Kubernetes has now defined pod security standards, it would be good if there was an option for vcluster to enforce these automatically on a syncer level. You could enable these via a syncer flag --enforce-pod-security-standard=Privileged,Baseline,Restricted (defaults to privileged) and vcluster would make sure during translation that these policies are enforced.
Why?
Admission controllers are biased and an add-on to Kubernetes that needs to be installed into it. While we do not want vcluster to be an admission controller, it makes sense to enforce those well-defined policies, as workload isolation is a basic building block for secure multi-tenancy. In combination with other isolation features of Kubernetes (resource quotas, network policies, etc.), secure multi-tenancy could be achieved without the need to install additional admission controllers.
Other solutions
The current recommended way is to install an additional admission controller in the host cluster that enforces these or other policies. While this is definitely still a good way to enforce other custom policies, it requires the policy creation as well as admission controller installation first.
@FabianKramm We discussed this privately, but just to give visibility and clarify the scope of this issue I want to bring it up again.
Enforcing the policies during resource creation would bring a much better user experience. Immediate feedback would be given to the user if the pod spec, or pod template of the higher-level resource, doesn't adhere to the enforced policy.
This can be configured in the vcluster k8s control plane with the AdmissionConfiguration CR. This CR is in k8s since v1.18, so I don't think we need any version checks, it will be just ignored if vcluster k8s version doesn't support pod security standards.
Should we write a small controller to create or update the AdmissionConfiguration CR based on the new --enforce-pod-security-standard flag?
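As an added illustration of the configuration this comment refers to (not code from the vcluster project or from the thread), the following is the admission configuration file that the Kubernetes PodSecurity admission plugin reads when the kube-apiserver is started with --admission-control-config-file. The levels shown here correspond to the Baseline/Restricted values of the proposed --enforce-pod-security-standard flag; the mapping of that flag to these fields and the exemption list are assumptions for this example. The `apiserver.config.k8s.io/v1` and `pod-security.admission.config.k8s.io/v1` API versions are real; the latter requires a Kubernetes version that ships the v1 PodSecurity configuration API.

```yaml
# Added example: cluster-wide Pod Security Standards via the PodSecurity
# admission plugin. Passed to kube-apiserver with
#   --admission-control-config-file=/path/to/this-file.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    # Defaults apply to every namespace that does not carry its own
    # pod-security.kubernetes.io/<mode> labels.
    defaults:
      enforce: "baseline"        # reject pods that violate baseline (assumed flag value)
      enforce-version: "latest"
      audit: "restricted"        # record restricted violations in the audit log
      audit-version: "latest"
      warn: "restricted"         # return a warning header to the client on restricted violations
      warn-version: "latest"
    # Exemptions are assumed for this example; keep them as narrow as possible,
    # since exempted requests are not evaluated at all.
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: ["kube-system"]
```

Because enforcement happens at admission time, a non-compliant Pod (or the Pod template of a Deployment, when the namespace is labelled) is rejected immediately with a message naming the offending fields, which is the immediate-feedback behaviour the comment describes. Setting `warn` and `audit` to a stricter level than `enforce` lets a cluster operator see what would break before tightening enforcement.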
AFAIU this was implemented in v0.7.0?
However, there is still room to make the user experience better by making pods compliant with the restricted policy by default, which I have been trying to do lately, as mentioned in https://github.com/loft-sh/vcluster/issues/465#issuecomment-1121494176
Then vcluster could easily be used to turn any Kubernetes service into a hardened multi-tenant platform, and most existing applications would work on it without changes.
@olljanat you are of course correct, this was already implemented and released, so I will close this issue.
As for your improvement proposal, I am not sure if it would be a good idea to make pods compliant (basically modify the pod spec) automatically. IMHO it's better to let the user know which fields have unacceptable values and let them fix those fields. Benefits of the current implementation: education of the user, transparency, compatibility with vanilla k8s, and no unexpected behavior of the workloads. If you want to discuss your proposal further, you are more than welcome to create a new "feature request" issue. Thank you.
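To make concrete which fields a user is asked to fix under the approach preferred above, here is an added example (not from the vcluster project or from the thread) of a Pod that fails the Restricted standard beside the same Pod with the fields the standard requires. The image name and pod names are placeholders.

```yaml
# Added example: a Pod rejected by enforce=restricted ...
apiVersion: v1
kind: Pod
metadata:
  name: app-noncompliant        # placeholder name
spec:
  containers:
  - name: app
    image: example.invalid/app:1.0   # placeholder image
    # No securityContext: the PodSecurity plugin rejects this with messages such as
    #   allowPrivilegeEscalation != false, unrestricted capabilities,
    #   runAsNonRoot != true, seccompProfile
---
# ... and the same Pod after the user fixes only the reported fields.
apiVersion: v1
kind: Pod
metadata:
  name: app-compliant           # placeholder name
spec:
  securityContext:
    runAsNonRoot: true                 # restricted: container must not run as root
    seccompProfile:
      type: RuntimeDefault             # restricted: RuntimeDefault or Localhost required
  containers:
  - name: app
    image: example.invalid/app:1.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false  # restricted: must be explicitly false
      capabilities:
        drop: ["ALL"]                  # restricted: drop everything (NET_BIND_SERVICE may be added back)
```

Rejecting the first manifest with the field names, rather than silently rewriting it into the second, is what gives the transparency and vanilla-Kubernetes compatibility the comment lists as benefits: the manifest the user applies is exactly the one that runs.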