Migrate from PodSecurityPolicy (PSP) to Pod Security Standards (PSS)

[nickumia-reisys]

Key points:

• Kubernetes version 1.21 to 1.25
• PodSecurityPolicy (PSP) to built-in Kubernetes Pod Security Standards (PSS)

This might be a no-op. But creating an issue since I haven't worked with EKS recently enough to remember the setup. The following is an email from AWS,

• What is changing? PodSecurityPolicy (PSP) was deprecated [1] in Kubernetes version 1.21 and has been removed in Kubernetes version 1.25 [2]. If you are using PSPs in your cluster, then you must migrate from PSP to the built-in Kubernetes Pod Security Standards (PSS) or to a policy as code solution before upgrading your cluster to version 1.25 to avoid interruption to your workloads.
• What actions can customers take? PSP resources were used to specify a set of requirements that pods had to meet before they could be created. Since PSPs have been removed in Kubernetes version 1.25, you must replace those security controls. Two solutions can fill this need:

1) Kubernetes Pod Security Standards (PSS) 2) Policy-as-code solutions from the Kubernetes ecosystem

In response to the PSP deprecation and the ongoing need to control pod security out-of-the-box, the Kubernetes community created a built-in solution with PSS [3] and Pod Security Admission (PSA) [4]. The PSA webhook implements the controls defined in the PSS. To review best practices for migrating PSPs to the built-in Pod Security Standards, see references [5] and [6].

Policy-as-code solutions provide guardrails to guide cluster users, and prevent unwanted behaviors, through prescribed and automated controls. Policy-as-code solutions typically use Kubernetes Dynamic Admission Controllers to intercept the Kubernetes API server request flow, via a webhook call, and mutate and validate request payloads, based on policies written and stored as code. There are several open source policy-as-code solutions available for Kubernetes. To review best practices for migrating PSPs to a policy-as-code solution, see reference [7].

You can run the following command to view the PSPs in your cluster: kubectl get psp. If you see the eks.privileged PSP in your cluster, it will be automatically migrated to PSS by Amazon EKS. No action is needed on your part.

To summarize, if you are using PSP in your cluster, then you must migrate from PSP to the built-in Kubernetes PSS or to a policy as code solution before upgrading your cluster to version 1.25 to avoid interruptions to your workloads. EKS offers best practices for pod security and guidance for implementing pod security standards [8]. You can find details on PSP Migration in EKS documentation [1].

If you have any questions or concerns, please reach out to AWS Support [9].

[1] https://docs.aws.amazon.com/eks/latest/userguide/pod-security-policy-removal-faq.html [2] https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar [3] https://kubernetes.io/docs/concepts/security/pod-security-standards/ [4] https://kubernetes.io/docs/concepts/security/pod-security-admission/ [5] https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa [6] https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ [7] https://aws.github.io/aws-eks-best-practices/security/docs/pods/#policy-as-code-pac [8] https://aws.amazon.com/blogs/containers/implementing-pod-security-standards-in-amazon-eks/ [9] https://aws.amazon.com/support

Sincerely, Amazon Web Services