
Replace PodSecurityPolicy with new policy API

Open jackfrancis opened this issue 4 years ago • 9 comments

The Kubernetes project will deprecate PodSecurityPolicy starting with 1.21.0, and then remove it entirely starting at 1.25.0. See:

  • https://github.com/kubernetes/kubernetes/pull/97171

This issue tracks the replacement of the existing kured PodSecurityPolicy implementation with its replacement. This KEP is an indication of where things are (probably) going:

  • https://github.com/kubernetes/enhancements/pull/2582

jackfrancis • Mar 29 '21 17:03

👍

Should we do this for 1.7.0, 1.8.0, or above? 1.7.0 supports 1.19 to 1.21 (and therefore will fall under the deprecated environment versions).

However, if there is no clear winner (as a path to implementation), and the winner is not backported to 1.19 or below, I suppose we should NOT move to a new solution anytime soon, or else it will break our existing users.

PS: I am sorry if I am repeating what might be obvious here; it's just for reference/understanding for any contributor.

evrardjp • Mar 29 '21 17:03

Above. The new API doesn't yet exist. :) So this is just a long-term tracking issue to ensure that the kured project is ready.

jackfrancis • Mar 29 '21 17:03

Yup, that's what I understood, thanks for confirming.

evrardjp • Mar 29 '21 17:03

I am marking this PR as "good first issue" for two reasons:

  1. It indeed isn't too hard to implement :)
  2. With this tag, our issue expiring bot will not expire this issue.

evrardjp • Mar 29 '21 17:03

This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).

github-actions[bot] • May 29 '21 02:05

The new PodSecurity API is in beta now (with 1.23.0): https://kubernetes.io/blog/2021/12/09/pod-security-admission-beta/

ckotzbauer • Dec 09 '21 13:12

Hi! I'm new to this repo and would like to work on this issue. I've gone through some of the code but couldn't find the exact file in which I have to make changes. Could anyone please help me by telling me the exact file path in which I have to make changes?

VedRatan • Dec 30 '22 10:12

Please have a look at the helm chart: https://github.com/kubereboot/charts/tree/main/charts/kured/templates. I think there should be no references in this repo.

ckotzbauer • Dec 30 '22 12:12

When Kubernetes 1.28 is out in about ten days and we release Kured 1.14.0 (with built-in k8s 1.27 support), we drop support for Kubernetes 1.25, which was the last release with PodSecurityPolicies, so we are safe to remove them from the chart. The "Pod Security Standards" are mostly about the securityContext of the container, which can be configured in the helm chart, so I think we don't really need to add some replacements on our side.

Thoughts on this? @jackfrancis @evrardjp

ckotzbauer • Aug 04 '23 08:08