[Deprecated] Pod Security Policy

[erictune]

Feature Description

• Define policy objects that limit what security-related features pods and containers can use
• Primary contact (assignee): @tallclair
• Responsible SIGs: @kubernetes/sig-auth-feature-requests @kubernetes/sig-node-feature-requests
• Design proposal link (community repo): https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/pod-security-policy.md
• Link to e2e and/or unit tests: https://github.com/kubernetes/kubernetes/blob/master/test/e2e/auth/pod_security_policy.go
• Reviewer(s) - (for LGTM): @liggitt @tallclair
• Approver: @liggitt @tallclair
• Feature target (which target equals to which milestone):
  • Beta release target (extensions/v1beta1) - 1.8
  • Beta release target (policy/v1beta1) - 1.10
  • Stable release target - TBD

Related issues

• stop serving extensions/v1beta1 and networking.k8s.io/v1beta1 in 1.22 kubernetes#43214 - Move out of extensions/v1beta1 API group:
  • 1.10
    • additionally allow authorizing via use verb in policy API group (will need to allow via either group for some time period)
    • update e2e tests (test both for some time period)
  • 1.11
    • move internal types to policy package (cleanup)
    • move registry to policy package (cleanup)
    • update addon manifests to use policy/v1beta1, grant permissions in policy API group
    • switch admission plugin to use policy group informer
    • switch preferred storage version to policy group
• [PodSecurityPolicy] API changes kubernetes#56174
• PodSecurityPolicy should work with managed sidecars kubernetes#55435
• [PodSecurityPolicy] "MayRunAs" strategies kubernetes#56173

[erictune]

Admission controller code is under review in: kubernetes/kubernetes#24600

[erictune]

This feature is skipping straight to Beta since it has had initial exposure in OpenShift.

[erictune]

It will be default disabled in kubernetes/kubernetes#24600. After that goes in, we need changes in the admission controller to link PSPs to users.

[pweil-]

Noting kubernetes/kubernetes#20573 as a dependency for the next step on PSP (subject level access)

[bryk]

Whats the status of this? Is the description in first comment up to date?

[pweil-]

Is the description in first comment up to date

no (I don't have permissions to update). I believe all of the alpha requirements have been met. The initial types, api, and tests have been merged. The admission controller is not enabled by default.

IMO the remaining work for beta/1.4 is auth integration for permissions, updating for new fields we want to constraint (seccomp - in progress, sysctl), and any required docs/tutorials.

[erictune]

And an e2e test.

On Tue, Jul 12, 2016 at 6:23 AM, Paul Weil notifications@github.com wrote:

Is the description in first comment up to date

no (I don't have permissions to update). I believe all of the alpha
requirements have been met. The initial types, api, and tests have been
merged. The admission controller is not enabled by default.

IMO the remaining work for beta/1.4 is auth integration for permissions,
updating for new fields we want to constraint (seccomp - in progress,
sysctl), and any required docs/tutorials.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#5 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AHuudqFwephlYk0Y1PS77y0xxA5QW0_-ks5qU5U7gaJpZM4IaU8n
.

[therc]

How about interactions with cloud providers? It would be nice to easily assign each pod different IAM roles so they can access only the subset of cloud services that they actually need. Would it be in scope or is it considered a SecurityContext detail?

[erictune]

@therc that should be done via ServiceAccount.

[pweil-]

@goltermann I noticed this was marked with alpha but I believe it probably needs the beta tag based on #5 (comment)