[Explore]: Supporting Pod Security in Kubernetes 1.25 #1202
Comments
We tried annotating a cf space namespace with the labels:
This enables pod security at the highest restricted level on the namespace. Then we attempted to push an app. The kpack logs show that the security policy requires certain policies to be set on the pod spec, namely:
We hacked a kpack build-pod spec and proved that adding these to the container and all init containers allowed the pod to be created.
We are going to modify kpack to set these securityContext values. You can build kpack images using Diff:
We applied the above change by copying the release yaml (foo.yml) to korifi/dependencies/kpack-release-0.5.2.yaml and deploying korifi on kind. We also made the artifact registry public. This will be deleted after this explore. Now the kpack build succeeds, but the statefulset fails to create its pods:
So we need to change the eirini-controller pod spec to include those securityContext settings.
We changed korifi to set the appropriate labels on cf-space namespaces:
and eirini to remove the PSPs and set the appropriate container security context:
And we can successfully push dora and curl its endpoint.
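Added example, not code from this issue or from korifi/kpack: a Python check that reports which restricted-profile securityContext fields are missing from a pod spec's containers and init containers, plus a helper that patches them in. The namespace labels and field values are the documented Pod Security Standards "restricted" requirements; the sample pod spec is constructed for the example.

```python
# Added example (not from the korifi/kpack issue): validate and patch a pod spec
# against the Pod Security Standards "restricted" profile container requirements.
import copy

# Namespace labels that make PodSecurity admission enforce the restricted profile.
RESTRICTED_NAMESPACE_LABELS = {
    "pod-security.kubernetes.io/enforce": "restricted",
    "pod-security.kubernetes.io/enforce-version": "latest",
}

# securityContext values the restricted profile requires on every container.
RESTRICTED_SECURITY_CONTEXT = {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "seccompProfile": {"type": "RuntimeDefault"},
}

def _all_containers(pod_spec):
    """Yield (kind, container) for initContainers and containers alike."""
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            yield kind, c

def _effective(pod_spec, container, field):
    """Container value wins; runAsNonRoot/seccompProfile may be inherited from the pod."""
    sc = container.get("securityContext") or {}
    if field in sc:
        return sc[field]
    if field in ("runAsNonRoot", "seccompProfile"):
        return (pod_spec.get("securityContext") or {}).get(field)
    return None

def restricted_violations(pod_spec):
    """Return one 'kind/name: problem' string per missing or wrong value."""
    problems = []
    for kind, c in _all_containers(pod_spec):
        name = f"{kind}/{c.get('name', '?')}"
        if _effective(pod_spec, c, "runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        if _effective(pod_spec, c, "allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in (_effective(pod_spec, c, "capabilities") or {}).get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        if (_effective(pod_spec, c, "seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems

def harden(pod_spec):
    """Return a copy with the restricted securityContext set on every container."""
    fixed = copy.deepcopy(pod_spec)
    for _, c in _all_containers(fixed):
        c.setdefault("securityContext", {}).update(copy.deepcopy(RESTRICTED_SECURITY_CONTEXT))
    return fixed

# Constructed sample: a build-style pod with one init container and no securityContext.
SAMPLE_POD_SPEC = {
    "initContainers": [{"name": "prepare", "image": "example/prepare"}],
    "containers": [{"name": "build", "image": "example/build"}],
}
```

Running `restricted_violations(SAMPLE_POD_SPEC)` lists eight problems (four per container); after `harden()` the list is empty.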
To complete, we need to:
buildpacks-community/kpack#972
After discussing the topic with @georgethebeatle we decided that we could initially only support the
The stories above have been grouped via the
Background

Kubernetes 1.25 will remove PodSecurityPolicy, which we are still using. The Pod Security admission controller is its designated replacement, and we should migrate to it.

The new Pod Security admission controller works via Pod Security Standards that can be applied at the namespace level. The restricted standard seems to fit the EiriniPodSecurityPolicy, but we should take a deeper look at what adopting it would imply.

Acceptance Criteria

One or more stories/chores to migrate Korifi from PodSecurityPolicy to the Pod Security admission controller. Keep in mind that we need to do this for both LRPs/RunWorkloads and Tasks.

Timebox

No timebox

Dev Notes