digitalis-io / k3s-on-prem-production

Playbooks needed to set up an on-premises K3s cluster and securize it
Apache License 2.0

PodSecurityPolicy FEATURE STATE: Kubernetes v1.21 [deprecated] #3

Open lorenzo95 opened 2 years ago

lorenzo95 commented 2 years ago

Hello!

I would first like to say that I am amazed by the content of your blog post/repository. I am learning a lot and it gives me great ideas. Therefore, thank you for sharing!!!

I do want to ask what your opinion is on the PodSecurityPolicy Admission Controller since it is deprecated now (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)

Do you think for example that the SecurityContextDeny Controller would be a good replacement? Rancher is referring to it regarding the cis benchmark requirements here: https://rancher.com/docs/k3s/latest/en/security/self_assessment/#1-2-13

Thank you, Gera

89luca89 commented 2 years ago

Hey @lorenzo95 glad you liked the post :smile:

So yea, 1.21+ deprecates the PSPs, which means they still work but we need to start finding a replacement.

As stated in this blog article from the kubernetes.io blog, the immediate solution is to use PodSecurityContext, which is an evolution of the SecurityContextDeny.

This works for generic, not-so-complicated hardening and works when you write them pod-per-pod, but not as a generic policy for the cluster (e.g. when used by multiple users).

Personally (emphasis :smile:) I would just go full with 2 tools:

Falco by Sysdig, which implements a great engine to detect stuff and make rules easily (as shown in the blog post), using its ability to support the PSPs directly: https://falco.org/docs/psp-support/

And OPA Gatekeeper, which can enforce PSPs as explained here: https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies-with-gatekeeper

devopstales commented 2 years ago

Hey @89luca89

With the release of Kubernetes v1.23, Pod Security admission has now entered beta. This will be the replacement for PSP. It will be less configurable than PSP, so a tool like OPA Gatekeeper or Kyverno could be a better solution. I prefer to use Kyverno, because it is easier to use and has more functionality than OPA Gatekeeper.

89luca89 commented 2 years ago

Hey @devopstales

Yea, was looking into the new PSA, will have to play with them a bit more. What I was thinking with Falco and OPA is that they can drop-in use the old PSP, so that in the meantime, until PSA becomes stable, it is still possible to use the PSPs already written.
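To make the difference between the two approaches in this thread concrete, here is an added example (not from the thread or the repository): a namespace-level Pod Security admission policy, as mentioned for v1.23, next to the pod-level securityContext that only hardens one pod at a time. The namespace name and container image are placeholders.

```yaml
# Namespace-level enforcement via Pod Security admission (beta in Kubernetes v1.23).
# Every pod created in this namespace is checked against the "restricted" profile;
# "warn" and "audit" report violations without blocking, "enforce" rejects them.
apiVersion: v1
kind: Namespace
metadata:
  name: apps-restricted                      # placeholder namespace name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.23
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Pod-level hardening via securityContext. On its own this protects only this pod;
# combined with the namespace labels above, a pod missing these fields is rejected
# by the API server with a "violates PodSecurity" error instead of being admitted.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-example
  namespace: apps-restricted
spec:
  securityContext:
    runAsNonRoot: true                        # restricted: no root user
    seccompProfile:
      type: RuntimeDefault                    # restricted: seccomp must be set
  containers:
  - name: app
    image: registry.example.com/app:1.0       # placeholder image
    securityContext:
      allowPrivilegeEscalation: false         # restricted: no setuid escalation
      capabilities:
        drop: ["ALL"]                         # restricted: drop all capabilities
```

Before switching an existing namespace to enforce mode, `kubectl label --dry-run=server --overwrite ns apps-restricted pod-security.kubernetes.io/enforce=restricted` lists the pods already running there that would violate the profile.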