Refreshing Pod Security Standard policies #199
Replies: 4 comments 4 replies
-
@chipzoller - I agree that 1.6 makes sense. We can cherry-pick / merge specific fixes into 1.5.3, if they are critical for pod security. Would be good to understand the Kubernetes compatibility matrix impact. @realshuting and I were discussing some ideas on how to evolve Kyverno support of PSS, as Pod Security Admission goes GA. She is planning on publishing a document soon - but this may be post 1.6.0.
-
The other update I noticed in 1.23 which might be relevant to this is that Windows hostProcess containers hit beta, so will be enabled by default. It's mentioned in the current PSS docs but they've not updated them to note that it's on by default now.
-
@raesene - are you aware of any discussion on how to version and update PSS? Seems like some process to manage updates would be helpful to consumers.
-
Please see temp repo of mine here for the complete refresh of the policies and notes: https://github.com/chipzoller/kyverno-pss
-
The upstream Kubernetes Pod Security Standards have once again changed, which I am working through, bringing with them updates to existing rules and new rules for versions up through v1.23 (the current release). Most notably, they've added in the `ephemeralContainers` option since this is now on by default and no longer subject to a feature gate. We obviously need to intersect with these new requirements, but there's a minor modification we have to make to Kyverno to do so (see this issue). But, in addition to this, one of the new standards in the Baseline group (called "Capabilities") defines a list of allowable values in the `securityContext.capabilities.add[]` list. In order to write this, we need the forthcoming `AnyNotIn` operator that is slated for Kyverno 1.6.0, which is the second change in Kyverno that's needed. I have this policy written and working so that's not an issue. And there's more than this, but these are some of the points. So it seems like the best time to drop this refreshed set of PSS policies is to coincide with Kyverno 1.6.0. We'll also need to refresh the policies getting pushed with the Helm chart and a way to replace the aforementioned Baseline/Capabilities policy with a more restrictive one in the Restricted profile.

Thoughts, comments?
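A concrete form of the Baseline "Capabilities" rule described in the post above, as an added example and not a policy taken from the refresh repo: a Kyverno ClusterPolicy that uses the `AnyNotIn` operator (Kyverno 1.6.0+) to deny any `capabilities.add` entry across `containers`, `initContainers` and `ephemeralContainers` that is not in the Baseline allowed list. The allowed capability values are the ones published in the upstream Pod Security Standards (check them against the docs for the Kubernetes version you target); the policy name, annotation and `audit` failure action are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-capabilities-baseline   # assumed name
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Baseline)
spec:
  # Assumption: start in audit mode, switch to enforce once reports are clean.
  validationFailureAction: audit
  background: true
  rules:
  - name: adding-capabilities
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      - key: "{{ request.operation }}"
        operator: NotEquals
        value: DELETE
    validate:
      message: >-
        Any capabilities added beyond the Baseline allowed list are disallowed
        in containers, initContainers and ephemeralContainers.
      deny:
        conditions:
          all:
          # The JMESPath multiselect-list plus flatten ([]) gathers every
          # capabilities.add entry from all three container lists, so the
          # now-default ephemeralContainers are covered by the same check.
          # With no entries the key is empty and AnyNotIn evaluates false (allow).
          - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}"
            operator: AnyNotIn
            value:
            - AUDIT_WRITE
            - CHOWN
            - DAC_OVERRIDE
            - FOWNER
            - FSETID
            - KILL
            - MKNOD
            - NET_BIND_SERVICE
            - SETFCAP
            - SETGID
            - SETPCAP
            - SETUID
            - SYS_CHROOT
```

A Restricted-profile variant would replace the allowed list with `NET_BIND_SERVICE` only, which is the "more restrictive" swap the post refers to.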