📢 Pod Security Standards enforcement might affect your solutions #2840
Closed. camilamacedo86 announced in Announcements.
Replies: 1 comment
- Closing since it was released already.
The Kubernetes API has been changing, and the PodSecurityPolicy API is deprecated and will no longer be served from k8s 1.25. It is replaced by a new built-in admission controller (KEP-2579: Pod Security Admission Control), which lets cluster admins enforce the Pod Security Standards with Namespace labels.
💁 What does it mean?
With the new built-in admission controller enforcing the Pod Security Standards, namespaces (and therefore the Pods in them) can be held to one of three policies: Privileged, Baseline and Restricted. Pods that are not configured according to the security standard enforced globally or at the namespace level will not be admitted and cannot run.
From k8s 1.25, namespaces will be treated as "Privileged" by default. However, cluster admins may ask why escalated permissions are necessary and push for the workload definition to be changed so that it qualifies as Restricted, which allows the namespace to be labeled as restricted. So, if your workload does not meet the requirements of the enforced policy, it will fail to run.
TL;DR:
🚀 What is recommended?
The best option for any new publication is to ensure that your workloads (Operators and Operands) are configured to run under the Restricted policy. If your solution genuinely requires escalated permissions, ensure that the namespace containing it is labeled accordingly: either update your Operator to manage the namespace labels, or include the namespace labeling in the manual install instructions.
👩🏭 Guidance with examples and helpers
💡 IMPORTANT: The most straightforward way to ensure your workloads can run in a restricted namespace is to label the namespaces where they should run so that the Restricted policy is enforced, and then verify that the Pods are admitted and run successfully. It is recommended to lock in the desired behaviour with an e2e test.
Please ensure that you check the guide for code examples, tips and helpers as further info.
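As an added example (not code from this announcement or from the operator-framework project), the following Python pre-flight check flags the main Restricted-profile rules a Pod spec would break, so a manifest can be vetted before the e2e test described above; the `UNHARDENED` and `HARDENED` specs are constructed for illustration, and the rule set is a hand-written subset, not the admission controller itself.

```python
# Added example: pre-flight check of a Pod spec against the main rules of the
# Restricted Pod Security Standard, for use before the e2e test in a namespace
# labelled pod-security.kubernetes.io/enforce=restricted. Hand-written subset.
def restricted_violations(pod_spec: dict) -> list[str]:
    """Return the Restricted-profile rules a Pod spec breaks (empty list = OK)."""
    problems = []
    pod_sc = pod_spec.get("securityContext", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(flag):
            problems.append(f"pod: {flag} must not be true")
    containers = (pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
                  + pod_spec.get("ephemeralContainers", []))
    for c in containers:
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged"):
            problems.append(f"{name}: privileged must not be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be set to false")
        # a container-level value overrides the pod-level securityContext
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            problems.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            problems.append(f"{name}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            problems.append(f"{name}: capabilities.add {sorted(extra)} not allowed")
    return problems

# Constructed sample: a typical pre-PSA operator manager Pod with no securityContext...
UNHARDENED = {"containers": [{"name": "manager", "image": "example/manager:v0"}]}

# ...and the same Pod with the settings the Restricted profile expects.
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "manager", "image": "example/manager:v0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}

if __name__ == "__main__":
    for label, spec in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, restricted_violations(spec) or "admitted under restricted")
```

The authoritative answer still comes from the cluster: `kubectl label --dry-run=server --overwrite ns <namespace> pod-security.kubernetes.io/enforce=restricted` reports which existing Pods the admission controller would reject without changing the namespace.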