Closed erictune closed 2 years ago
Admission controller code is under review in: https://github.com/kubernetes/kubernetes/pull/24600
This feature is skipping straight to Beta since it has had initial exposure in OpenShift.
It will be default disabled in kubernetes/kubernetes#24600. After that goes in, we need changes in the admission controller to link PSPs to users.
Noting https://github.com/kubernetes/kubernetes/pull/20573 as a dependency for the next step on PSP (subject level access)
Whats the status of this? Is the description in first comment up to date?
Is the description in first comment up to date
no (I don't have permissions to update). I believe all of the alpha requirements have been met. The initial types, api, and tests have been merged. The admission controller is not enabled by default.
IMO the remaining work for beta/1.4 is auth integration for permissions, updating for new fields we want to constraint (seccomp - in progress, sysctl), and any required docs/tutorials.
And an e2e test.
On Tue, Jul 12, 2016 at 6:23 AM, Paul Weil notifications@github.com wrote:
Is the description in first comment up to date
no (I don't have permissions to update). I believe all of the alpha requirements have been met. The initial types, api, and tests have been merged. The admission controller is not enabled by default.
IMO the remaining work for beta/1.4 is auth integration for permissions, updating for new fields we want to constraint (seccomp - in progress, sysctl), and any required docs/tutorials.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/kubernetes/features/issues/5#issuecomment-232045429, or mute the thread https://github.com/notifications/unsubscribe/AHuudqFwephlYk0Y1PS77y0xxA5QW0_-ks5qU5U7gaJpZM4IaU8n .
How about interactions with cloud providers? It would be nice to easily assign each pod different IAM roles so they can access only the subset of cloud services that they actually need. Would it be in scope or is it considered a SecurityContext detail?
@therc that should be done via ServiceAccount.
@goltermann I noticed this was marked with alpha but I believe it probably needs the beta tag based on https://github.com/kubernetes/features/issues/5#issuecomment-217939650
@erictune does beta sound right based on the @pweil- comment?
@goltermann I think technically this would've been beta in 1.3, it is not new to 1.4 though development is ongoing.
Yes, beta is correct. I was incorrect when I said alpha earlier today.
great, fixed it up
@pweil- Are the docs ready? Please update the docs to https://github.com/kubernetes/kubernetes.github.io, and then add PR numbers and have the docs box checked in the issue description
@janetkuo docs PR https://github.com/kubernetes/kubernetes.github.io/pull/1150
edit: https://github.com/kubernetes/kubernetes.github.io/pull/1206 is the correct 1.4 PR
cc @kubernetes/feature-reviewers
@pweil- I suppose, this PR is actual - https://github.com/kubernetes/kubernetes.github.io/pull/1206?
correct
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale
.
Stale issues rot after an additional 30d of inactivity and eventually close.
Prevent issues from auto-closing with an /lifecycle frozen
comment.
If this issue is safe to close now please do so with /close
.
Send feedback to sig-testing, kubernetes/test-infra and/or @fejta
.
/lifecycle stale
work is happening in 1.10 to move PSP to its non-extensions API group cc @php-coder
@erictune doc updates, please? See also [the 1.10 feature tracking spreadsheet[(https://docs.google.com/spreadsheets/d/17bZrKTk8dOx5nomLrD1-93uBfajK5JS-v1o-nCLJmzE/edit#gid=0). lmk if you have any questions. We need to get a docs PR reviewed and merged by 3/9. Thanks!
@php-coder ^
@Bradamant3 @liggitt What doc updates are required?
For the changes related to API group transition, I've submitted: https://github.com/kubernetes/website/pull/7562, https://github.com/kubernetes/examples/pull/206, and https://github.com/kubernetes/examples/pull/208
I'm not the right owner for PSP Doc updates.
On Fri, Mar 2, 2018 at 11:26 AM, Vyacheslav Semushin < notifications@github.com> wrote:
@Bradamant3 https://github.com/bradamant3 @liggitt https://github.com/liggitt What doc updates are required?
For the changes related to API group transition, I've submitted: kubernetes/website#7562 https://github.com/kubernetes/website/pull/7562, kubernetes/examples#206 https://github.com/kubernetes/examples/pull/206, and kubernetes/examples#208 https://github.com/kubernetes/examples/pull/208
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/kubernetes/features/issues/5#issuecomment-370026485, or mute the thread https://github.com/notifications/unsubscribe-auth/AHuudtBCup17Kt91pqJzBRpKWStoXUt-ks5taZzcgaJpZM4IaU8n .
That's all we need. I've added the PR to the tracking spreadsheet. Thanks!
@php-coder @liggitt @tallclair Any plans for this in 1.11?
If so, can you please ensure the feature is up-to-date with the appropriate:
stage/{alpha,beta,stable}
sig/*
kind/feature
cc @idvoretskyi
@php-coder Can you respond to @justaugustus 's comment with the work that you're doing here? Are there any changes other than the policy group move?
Are there any changes other than the policy group move?
No, I worked only on this.
I hope that @liggitt will update the description when he has a time (because I don't have appropriate permissions).
Done.
@tallclair just to clarify, we're tracking stable as the target for 1.11, correct? I've updated the label, just want to make sure though.
No, this will still be beta. I'm not sure PodSecurityPolicy will ever go to stable (i.e. will be superceded by something else), but others might disagree with me on this.
Got it. Thanks for the update, @tallclair!
@justaugustus I'll remove this from 1.11 milestone, as there's no significant progress is going to happen in the current release.
No updates planned for 1.12
@tallclair i might be able to get the RunAsGroup PSP knobs in 1.12
Ack. This will still be in beta though. At the moment there are no plans for PSP to go to GA. There are some major useability issues that need to be addressed before we progress this. (see https://github.com/kubernetes/kubernetes/issues/60001 and https://github.com/kubernetes/kubernetes/issues/56174)
/unassign
/assign @tallclair
Hi This enhancement has been tracked before, so we'd like to check in and see if there are any plans for this to graduate stages in Kubernetes 1.13. This release is targeted to be more ‘stable’ and will have an aggressive timeline. Please only include this enhancement if there is a high level of confidence it will meet the following deadlines:
Please take a moment to update the milestones on your original post for future tracking and ping @kacole2 if it needs to be included in the 1.13 Enhancements Tracking Sheet
Thanks!
No changes planned in 1.13.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale
.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close
.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale
/remove-lifecycle stale
@tallclair Hello - I’m the enhancement’s lead for 1.14 and I’m checking in on this issue to see what work (if any) is being planned for the 1.14 release. Enhancements freeze is Jan 29th and I want to remind that all enhancements must have a KEP
Nothing planned for 1.14.
What are the gaps for this to be GA? I can think about few, but I do not see any criteria in the description.
Before this can go to GA, we need to fix these problems:
@liggitt and I have some ideas about how to address this, but there's an open question about whether this belongs in core Kubernetes. I'd like to have a roadmap out in the next month, either a plan for going to GA or a plan for deprecation.
Thanks for sharing the information!
Because pods are rejected by default, we cannot roll out PSP to all clusters without breaking them.
I guess it is not really that. We did this by creating a PodSecurityPolicy which is open enough(or even open all) firstly, and then refine that gradually.
@zhouhaibing089 a Kubrenetes user can use that method which works because they control the policies. However, we cannot roll that out as a Kubernetes default since PodSecurityPolicy only opens the cluster up, meaning it's very difficult to manage the system controlled allow-all PSP.
Hello @liggitt @tallclair , I'm the Enhancement Lead for 1.15. Is this feature going to be graduating alpha/beta/stable stages in 1.15? Please let me know so it can be tracked properly and added to the spreadsheet. The community proposal will need to be migrated to a KEP for inclusion in 1.15.
Once coding begins, please list all relevant k/k PRs in this issue so they can be tracked properly.
No changes planned for 1.15
Feature Description
Related issues
use
verb inpolicy
API group (will need to allow via either group for some time period)