apps sc & wc: how to enable pod security admission #1294
Conversation
robinelastisys
changed the title
robinelastisys
force-pushed
the
robinr/how-to-enable-pod-security-admission
branch
from
3a94ca5
to
27e378e
Compare
There was a problem hiding this comment.
Nice to see the ball rolling!
I foresee what we will get quite a few questions like "but why did you?".
Could you leave as comments:
- What is the default PSA for all namespaces? Why did we make that choice? (Perhaps an architectural decision is required.)
- For namespaces which don't have the default, why do we need to change that default?
| pod-security.kubernetes.io/enforce: baseline | ||
| pod-security.kubernetes.io/enforce-version: v1.25 | ||
| pod-security.kubernetes.io/warn: baseline | ||
| pod-security.kubernetes.io/warn-version: v1.25 | ||
| - name: dex |
There was a problem hiding this comment.
What about the namespaces without labels, such as Dex? Can you clarify your choice?
| - name: kube-node-lease | ||
| - name: kube-public | ||
| - name: kube-system | ||
| - name: monitoring | ||
| labels: | ||
| pod-security.kubernetes.io/audit: privileged |
There was a problem hiding this comment.
Do you happen to know why this namespace needs privileged?
| - name: ingress-nginx | ||
| labels: | ||
| pod-security.kubernetes.io/audit: baseline |
There was a problem hiding this comment.
Would this work if we need to configure the Ingress Controller with hostNetwork, e.g., for SafeSpring?
| - name: ingress-nginx | ||
| labels: | ||
| pod-security.kubernetes.io/audit: baseline |
There was a problem hiding this comment.
Same comment here, as above. Would the Ingress Controller work in hostNetwork mode only with baseline?
|
We have talked about it a lot during the day and our end conclusion is that we may want to consider an alternative to PSA as PSA has many drawbacks that need to be considered. One and the main reason is that PSA is limited to setting security levels to namespaces and not applications/pods specifically. One of our first thoughts is using Gatekeeper e.g https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy. Further discussions can be taken during an arch meeting. The use of gatekeeper will be investigated in a new task. |
What this PR does / why we need it:
#1147.
Which issue this PR fixes (use the format
fixes #<issue number>(, fixes #<issue_number>, ...)to automatically close the issue when PR gets merged): fixes #1147Public facing documentation PR (if applicable)
Special notes for reviewer:
This is the practical part of #1147. Also see the documentation part: #2977.
Add a screenshot or an example to illustrate the proposed solution:
Checklist:
E.g. logs or metrics are not being collected or Kubernetes API server
will not be responding while upgrading.
E.g. removes or changes any CK8S config options or Kubernetes APIs.
I.e. full cluster migration is required.
Pipeline config (if applicable)
If you change some config options (e.g. add/rename variable or change the default value) you may need to update the config used by the pipeline in
pipeline/config.