Closed MKlimuszka closed 2 years ago
Please check with @aiyengar2 and @PennyScissors if you face any issues in researching/handling this for our charts! cc @MKlimuszka
As we move to Kubernetes 1.25, PSP will be deprecated; the new security method is called PSAs, and it will take some work to migrate to it from our previous security policies.
For more detailed info see this page.
With Kubernetes validating admission webhooks and OPA (Open Policy Agent), you can perform the same built-in checks that PSP provides and potentially more, like enforcing checks on resources such as Services, CronJobs, etc., or evaluating any configuration in those resources rather than only the checks that PSP supports.
Kubernetes mutating admission controllers can also address more use cases by modifying resources or patching them in different ways.
Use the PodSecurity admission controller. You can use the PodSecurity admission controller to apply Pod Security Standards to Pods running on your GKE Standard and Autopilot clusters. Pod Security Standards are predefined security policies that meet the high-level needs of Pod security in Kubernetes. These policies are cumulative, and range from being highly permissive to being highly restrictive.
SUSE has also published an article on migrating your PSPs to Kubewarden. The article can be found here.
I've also generated a list (attached below) of all the charts and their respective versions which use deprecated APIs like PSP.
The research is done, but 1.25 support still needs to be done.
In Kubernetes 1.25, Pod Security Policy (PSP) is being deprecated and replaced with Pod Security Admissions (PSA). Check how upstream charts are handling this change and report results on this ticket. This will be used to inform how our charts should handle this change.
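One way to build the kind of list mentioned in this thread, as an added example (not code from this ticket or from any chart): scan chart templates for `PodSecurityPolicy` objects and record whether each file is wrapped in a Helm `.Capabilities.APIVersions.Has` check. The file names and template contents are constructed samples, and treating that capability gate as the handling pattern to look for is an assumption of this example.

```python
import re

# Constructed sample templates (path -> text); not taken from any real chart.
SAMPLE_TEMPLATES = {
    "templates/psp.yaml": (
        "apiVersion: policy/v1beta1\n"
        "kind: PodSecurityPolicy\n"
        "metadata:\n  name: example-psp\n"
    ),
    "templates/psp-gated.yaml": (
        '{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}\n'
        "apiVersion: policy/v1beta1\n"
        "kind: PodSecurityPolicy\n"
        "metadata:\n  name: example-gated\n"
        "{{- end }}\n"
    ),
    "templates/deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
    "templates/multi.yaml": (
        "apiVersion: v1\nkind: ServiceAccount\n---\n"
        "apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\n"
    ),
}

KIND_RE = re.compile(r"^kind:\s*PodSecurityPolicy\s*$", re.M)
API_RE = re.compile(r"^apiVersion:\s*(\S+)\s*$", re.M)
# Heuristic: any "if" action in the file that tests for the policy/v1beta1 API.
GATE_RE = re.compile(
    r'\{\{-?\s*if\b[^}]*\.Capabilities\.APIVersions\.Has\s+'
    r'"policy/v1beta1(/PodSecurityPolicy)?"'
)

def find_psp_usage(templates):
    """Return one finding per PodSecurityPolicy document found in the templates."""
    findings = []
    for path, text in sorted(templates.items()):
        gated = bool(GATE_RE.search(text))  # file-level check, not per document
        for doc in re.split(r"^---\s*$", text, flags=re.M):
            if not KIND_RE.search(doc):
                continue
            api = API_RE.search(doc)
            findings.append({
                "file": path,
                "apiVersion": api.group(1) if api else None,
                "gated": gated,
            })
    return findings

if __name__ == "__main__":
    for f in find_psp_usage(SAMPLE_TEMPLATES):
        status = "gated" if f["gated"] else "UNGATED: fails to install on 1.25"
        print(f'{f["file"]}: {f["apiVersion"]} ({status})')
```

Ungated findings are the ones to prioritise, because the `policy/v1beta1` PodSecurityPolicy API is no longer served in Kubernetes 1.25 and such templates are rejected at install time.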