Drop PodSecurityPolicy usage / move to PodSecurity #5250
Comments
The Gardener project currently lacks enough contributors to adequately respond to all issues and PRs.
You can:

/lifecycle stale

/remove-lifecycle stale

/remove lifecycle/frozen
I looked into this issue. I will try to summarize what I understood:
and 3 levels:
In short, the fields which we have to take care of in our case are:

```console
kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline
namespace/default labeled
namespace/extension-dns-external-99c7f labeled
namespace/extension-networking-calico-njsht labeled
namespace/extension-os-gardenlinux-9h7lj labeled
Warning: existing pods in namespace "extension-provider-aws-4kwh2" violate the new PodSecurity enforce level "baseline:latest"
Warning: mtu-customizer-2qlwd (and 5 other pods): non-default capabilities, host namespaces
namespace/extension-provider-aws-4kwh2 labeled
Warning: existing pods in namespace "garden" violate the new PodSecurity enforce level "baseline:latest"
Warning: fluent-bit-946g8 (and 5 other pods): hostPath volumes
namespace/garden labeled
namespace/istio-ingress labeled
namespace/istio-system labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "baseline:latest"
Warning: apiserver-proxy-jpxzz (and 5 other pods): non-default capabilities, host namespaces, hostPort
Warning: calico-kube-controllers-6f444cdf45-prhdq: privileged
Warning: calico-node-76xrz (and 11 other pods): host namespaces, hostPath volumes, hostPort, privileged
Warning: calico-typha-deploy-7c7455f5c7-lzf2k: host namespaces, hostPort
Warning: egress-filter-applier-55lwd (and 5 other pods): non-default capabilities, host namespaces
Warning: kube-proxy-worker-tj5yb-v1.23.6-2mhjp (and 5 other pods): non-default capabilities, host namespaces, hostPath volumes, hostPort, privileged
Warning: network-problem-detector-host-9bjvg (and 11 other pods): host namespaces, hostPath volumes, hostPort
Warning: network-problem-detector-pod-8w9v7 (and 5 other pods): hostPath volumes
Warning: node-problem-detector-5k44s (and 5 other pods): hostPath volumes, privileged
Warning: vpn-shoot-578d5dcd9b-kp584: non-default capabilities, privileged
namespace/kube-system labeled
Warning: existing pods in namespace "shoot--i545724dev--i545724-1" violate the new PodSecurity enforce level "baseline:latest"
Warning: etcd-events-0 (and 1 other pod): non-default capabilities
Warning: kube-apiserver-864475f96-ns8qd: hostPath volumes
Warning: loki-0 (and 1 other pod): non-default capabilities, privileged
namespace/shoot--i545724dev--i545724-1 labeled
```
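The `--dry-run=server` run above asks the API server which pods that already exist would violate `baseline`; it says nothing about manifests that are not yet deployed. The following is an added example (not Gardener or Kubernetes code) that reimplements the five violation kinds named in those warnings over pod manifests loaded as plain dicts, and prints a summary in the same style, so charts and manifests can be checked offline before the label is applied. The sample pods, their names and images are constructed for the example; the real admission plugin also checks seccomp, sysctls, AppArmor, procMount and more, which this does not.

```python
"""Offline approximation of the PodSecurity "baseline" checks behind the
kubectl warnings above. Added example for this issue, not Gardener or
Kubernetes code. Pods are plain dicts (as loaded from YAML/JSON manifests).
Only the five violation kinds named in the warnings are implemented; the real
admission plugin also checks seccomp, sysctls, AppArmor, procMount and more.
"""
from collections import OrderedDict

# Capabilities the upstream baseline policy lets a container add; anything
# else under securityContext.capabilities.add is "non-default capabilities".
BASELINE_ALLOWED_ADD_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
})


def _containers(spec):
    """Every container kind the policy inspects, in manifest order."""
    return [c for key in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(key) or []]


def _security_context(container):
    return container.get("securityContext") or {}


def baseline_violations(pod):
    """Baseline violations of one pod dict, in the order kubectl lists them.
    An empty list means the pod would be admitted at enforce=baseline."""
    spec = pod.get("spec") or {}
    containers = _containers(spec)
    found = []
    if any(set((_security_context(c).get("capabilities") or {}).get("add") or [])
           - BASELINE_ALLOWED_ADD_CAPS for c in containers):
        found.append("non-default capabilities")
    if any(spec.get(key) for key in ("hostNetwork", "hostPID", "hostIPC")):
        found.append("host namespaces")
    if any("hostPath" in v for v in spec.get("volumes") or []):
        found.append("hostPath volumes")
    if any((p.get("hostPort") or 0) != 0
           for c in containers for p in c.get("ports") or []):
        found.append("hostPort")
    if any(_security_context(c).get("privileged") for c in containers):
        found.append("privileged")
    return found


def summarize(namespace, pods, level="baseline:latest"):
    """Warning lines in the style of `kubectl label --dry-run=server`: pods
    with the same violation set are collapsed onto one line."""
    groups = OrderedDict()
    for pod in pods:
        reasons = tuple(baseline_violations(pod))
        if reasons:
            groups.setdefault(reasons, []).append(pod["metadata"]["name"])
    if not groups:
        return []
    lines = [f'Warning: existing pods in namespace "{namespace}" violate the '
             f'new PodSecurity enforce level "{level}"']
    for reasons, names in groups.items():
        others = len(names) - 1
        suffix = f" (and {others} other pod{'s' if others > 1 else ''})" if others else ""
        lines.append(f"Warning: {names[0]}{suffix}: {', '.join(reasons)}")
    return lines


# Constructed sample pods shaped like the ones in the warnings above
# (names and images are made up for this example).
SAMPLE_PODS = [
    {"metadata": {"name": "cni-node-abc12"},
     "spec": {"hostNetwork": True,
              "volumes": [{"name": "cni-bin", "hostPath": {"path": "/opt/cni/bin"}}],
              "containers": [{"name": "node", "image": "example/cni:1.0",
                              "ports": [{"containerPort": 9099, "hostPort": 9099}],
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "cni-node-def34"},
     "spec": {"hostPID": True,
              "volumes": [{"name": "run", "hostPath": {"path": "/var/run"}}],
              "containers": [{"name": "node", "image": "example/cni:1.0",
                              "ports": [{"containerPort": 9099, "hostPort": 9099}],
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "vpn-7f9c8-k2x4p"},
     "spec": {"containers": [{"name": "vpn", "image": "example/vpn:1.0",
                              "securityContext": {"privileged": True,
                                                  "capabilities": {"add": ["NET_ADMIN"]}}}]}},
    # Passes: NET_BIND_SERVICE is on the baseline allow-list.
    {"metadata": {"name": "web-0"},
     "spec": {"containers": [{"name": "web", "image": "example/web:1.0",
                              "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}},
]

if __name__ == "__main__":
    print("\n".join(summarize("kube-system", SAMPLE_PODS)))
```

Feeding it the output of `kubectl get pods -A -o json` (the `items` list, grouped by `metadata.namespace`) gives the same picture as the dry-run for existing pods; pointing it at rendered chart output catches the violations before they are deployed. The grouping by identical violation set is this example's choice for readability, not a guarantee about how the admission plugin itself groups its warnings.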
Summarizing the meeting on "Migration to PodSecurity" on 12/07/22,

Update: The progress is now tracked in the issue description itself and has modified steps.

/remove-lifecycle frozen

With @ary1992 we looked at the description above and were a bit confused about the following points:

Sorry for the confusion, I just meant it as steps, that's why I said "for these clusters after migration."

Good suggestion. Thanks. How about a

Sure. Will update the issue comment soon.

Thanks!

Sounds reasonable, I think we already have this for globally enabled extensions as well, so it "fits": gardener/pkg/apis/core/v1beta1/types_shoot.go Lines 434 to 436 in 51c46e2
/close

@shafeeqes: Closing this issue. In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
How to categorize this issue?
/area open-source
/kind enhancement

What would you like to be added:
Drop usage of `PodSecurityPolicy`s and potentially move to `PodSecurity`. Read more here: PodSecurityPolicy Deprecation: Past, Present, and Future

Steps:
- `kube-apiserver` admission plugins in the ShootSpec. > Add `Disabled` field for `AdmissionPlugin` in `ShootSpec` #6403
- `PodSpec` so that we can drop all the gardener deployed PSPs when the user disables the `PodSecurityPolicy` admission plugin. > `PSP`s when `PodSecurityPolicy` plugin is disabled #6409 `v1.53.0`
- `PSP`s for cluster versions `>=1.24` gardener-extension-shoot-dns-service#153 `v1.24.0`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-extension-shoot-networking-filter#30 `0.7.0`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-extension-shoot-networking-problemdetector#23 `v0.5.0`
- `PSP`s for cluster versions `>=1.24` external-dns-management#273 `v0.13.1`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-extension-networking-calico#203 `v1.26.0`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-extension-networking-cilium#120 `v1.17.0`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-extension-provider-alicloud#523 `v1.40.0`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-extension-provider-aws#587 `v1.38.0`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-extension-provider-azure#558 `v1.30.0`
  `v1.31.0`
  `v2.5.0`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-extension-provider-gcp#482 `v1.25.0`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-extension-provider-openstack#485 `v1.29.0`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-attic/gardener-extension-provider-vsphere#295 `v0.19.0`
- `PSP`s when `PodSecurityPolicy` plugin is disabled gardener-extension-runtime-gvisor#56 `v0.6.0`
- `PodSecurityPolicy` admission plugin is disabled in the ShootSpec, if users want to upgrade their clusters to k8s `v1.25`. Add documentation to follow the migration steps mentioned here and clean up the PSPs deployed by them, because otherwise in `v1.25` there won't be any API serving the `PodSecurityPolicy` and therefore the resources can't be cleaned up. > Enforce PSP admission plugin disablement before upgrading the shoot cluster to `v1.25` #6431
- `PodSecurity` plugin in the Shoot spec for this plugin, add `kube-system` to exempted namespaces. > Exempt `kube-system` namespace in `PodSecurity` admission config #6549
- `.spec.kubernetes.allowPrivilegedContainers` for Shoot clusters with kubernetes version `>=v1.25`. With `PodSecurityPolicy` plugin not present, this field doesn't have any relevance. > Deny setting `.spec.kubernetes.allowPrivilegedContainers` field for Shoot clusters `>=v1.25` #6570
- `pod-security.admission.config.k8s.io/v1` for clusters >= 1.25 > Upgrade `k8s.io/*` to `v0.25`, `sigs.k8s.io/controller-runtime` to `v0.13` #6668
- `PodSecurityPolicy` from requiredAdmissionPlugins list and add a user-facing warning for considering migration in `v1.23`+ clusters. > Remove `PodSecurityPolicy` from requiredPlugins and add a user-facing warning to consider migration #6700

Why is this needed:
`PodSecurityPolicy`s are deprecated and will be removed in v1.25. With v1.23, a new feature called `PodSecurity` was promoted to beta (ref).