apps sc & wc: how to enable pod security admission #1294
Conversation
Commits 3a94ca5 to 27e378e
Nice to see the ball rolling!
I foresee that we will get quite a few questions like "but why did you?".
Could you leave as comments:
- What is the default PSA for all namespaces? Why did we make that choice? (Perhaps an architectural decision is required.)
- For namespaces which don't have the default, why do we need to change that default?
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.25
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: v1.25
- name: dex
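Review bot: the namespace above sets enforce and warn to the same level (baseline, pinned to v1.25) but no pod-security.kubernetes.io/audit label, while the other namespaces in this change do set audit levels; either add an audit label here or state in a comment why it is omitted, so the three modes are configured consistently. Two points worth a code comment as well: pinning enforce-version to v1.25 freezes the policy definition at that release, so later tightening of the baseline profile will not apply until the version label is bumped; and a warn level equal to the enforce level adds nothing beyond the rejection itself, since warn only previews something when it is set stricter than enforce (for example warn: restricted with enforce: baseline).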
What about the namespaces without labels, such as Dex? Can you clarify your choice?
- name: kube-node-lease
- name: kube-public
- name: kube-system
- name: monitoring
  labels:
    pod-security.kubernetes.io/audit: privileged
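Review bot: pod-security.kubernetes.io/audit: privileged on the monitoring namespace cannot produce a finding, because the privileged profile has no restrictions and no pod can violate it; functionally it is the same as having no label at all. If the intent is to record what would break under a stricter profile before enforcing it, audit: baseline (or audit: restricted) is the setting that yields audit annotations; if the intent is to exempt the namespace, say so in a comment and consider the exemption list in the admission controller's configuration instead, which is also how kube-system is normally handled rather than by namespace labels.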
Do you happen to know why this namespace needs privileged?
- name: ingress-nginx
  labels:
    pod-security.kubernetes.io/audit: baseline
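Review bot: with only an audit label on ingress-nginx nothing is rejected, which answers the hostNetwork question above as long as no enforce label is added to this namespace: a pod with hostNetwork is admitted and the violation is recorded as an audit annotation in the API server audit log, because the baseline profile disallows host namespaces (hostNetwork, hostPID, hostIPC). If enforce is ever raised to baseline here, a hostNetwork Ingress Controller would be blocked at admission, so record the intended end state for this namespace (audit only, or enforce: privileged with a justification) in a comment next to the label.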
Would this work if we need to configure the Ingress Controller with hostNetwork, e.g., for SafeSpring?
- name: ingress-nginx
  labels:
    pod-security.kubernetes.io/audit: baseline
Same comment here, as above. Would the Ingress Controller work in hostNetwork mode only with baseline?
We have talked about it a lot during the day and our end conclusion is that we may want to consider an alternative to PSA, as PSA has many drawbacks that need to be considered. One reason, and the main one, is that PSA is limited to setting security levels on namespaces and not on applications/pods specifically. One of our first thoughts is using Gatekeeper, e.g. https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy. Further discussions can be taken during an arch meeting. The use of Gatekeeper will be investigated in a new task.
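The review thread above turns on what the three PSA modes and three profiles actually mean for a namespace: an audit or warn label at privileged can never record anything, warn only previews something when it is stricter than enforce, and a namespace without an enforce label rejects nothing. As an added example (not code from this PR or from the project), the lint below encodes those rules and runs them over a constructed namespace list that resembles the labels under review. The label keys are the real pod-security.kubernetes.io/ keys; the namespace list, function names and finding texts are illustrative.

```python
"""Lint Pod Security Admission namespace labels (added example, not project code)."""
import re

PSA_PREFIX = "pod-security.kubernetes.io/"
# Profile ordering: a higher number is a stricter profile.
LEVELS = {"privileged": 0, "baseline": 1, "restricted": 2}
MODES = ("enforce", "audit", "warn")
# Version labels are either "latest" or a minor release such as v1.25.
VERSION_RE = re.compile(r"v1\.\d+")

# Constructed sample resembling the namespaces discussed in the review;
# not read from any cluster.
SAMPLE_NAMESPACES = [
    {"name": "default", "labels": {
        PSA_PREFIX + "enforce": "baseline",
        PSA_PREFIX + "enforce-version": "v1.25",
        PSA_PREFIX + "warn": "baseline",
        PSA_PREFIX + "warn-version": "v1.25",
    }},
    {"name": "dex", "labels": {}},
    {"name": "monitoring", "labels": {PSA_PREFIX + "audit": "privileged"}},
    {"name": "ingress-nginx", "labels": {PSA_PREFIX + "audit": "baseline"}},
]


def lint_namespace(ns):
    """Return a list of human-readable findings for one namespace dict."""
    labels = ns.get("labels") or {}
    findings = []
    levels = {}
    for mode in MODES:
        level = labels.get(PSA_PREFIX + mode)
        version = labels.get(PSA_PREFIX + mode + "-version")
        if level is not None:
            if level in LEVELS:
                levels[mode] = level
            else:
                findings.append(f"{mode}: unknown level {level!r}")
        if version is not None:
            if level is None:
                findings.append(f"{mode}-version set without a {mode} label")
            elif version != "latest" and not VERSION_RE.fullmatch(version):
                findings.append(f"{mode}-version: unrecognised value {version!r}")
    if not levels:
        # With no labels the namespace relies entirely on the admission
        # controller's cluster-wide defaults (if any are configured).
        findings.append("no PSA labels: pods are admitted unrestricted unless the "
                        "admission controller's cluster-wide defaults apply")
        return findings
    enforce = levels.get("enforce")
    if enforce is None:
        findings.append("no enforce label: violations are only logged or warned "
                        "about, never rejected")
    elif enforce == "privileged":
        findings.append("enforce: privileged rejects nothing; document the exemption")
    for mode in ("audit", "warn"):
        if levels.get(mode) == "privileged":
            # Nothing violates the privileged profile, so this mode records nothing.
            findings.append(f"{mode}: privileged can never record a violation")
        elif mode == "warn" and enforce and mode in levels \
                and LEVELS[levels[mode]] <= LEVELS[enforce]:
            findings.append(f"warn: {levels[mode]} is not stricter than enforce: "
                            f"{enforce}, so it previews nothing beyond the rejection")
    return findings


def lint_all(namespaces):
    """Map namespace name -> findings for every namespace in the list."""
    return {ns["name"]: lint_namespace(ns) for ns in namespaces}


if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_NAMESPACES).items():
        print(f"{name}:")
        for f in findings or ["ok"]:
            print(f"  - {f}")
```

Feeding it the real cluster is a matter of replacing SAMPLE_NAMESPACES with the output of a namespace list (the labels dict is exactly what the Kubernetes API returns under metadata.labels); the point of the ordering table is that the same check also catches a future change that sets warn below enforce or pins a version label in the wrong format.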
What this PR does / why we need it:
#1147.
Which issue this PR fixes (use the format fixes #<issue number>(, fixes #<issue_number>, ...) to automatically close the issue when PR gets merged): fixes #1147
Public facing documentation PR (if applicable)
Special notes for reviewer:
This is the practical part of #1147. Also see the documentation part: #2977.
Add a screenshot or an example to illustrate the proposed solution:
Checklist:
E.g. logs or metrics are not being collected or Kubernetes API server
will not be responding while upgrading.
E.g. removes or changes any CK8S config options or Kubernetes APIs.
I.e. full cluster migration is required.
Pipeline config (if applicable)
If you change some config options (e.g. add/rename variable or change the default value) you may need to update the config used by the pipeline in pipeline/config.