Kubernetes Pod Security Policy Migration
PodSecurityPolicy is dead, long live ???
This project aims to recreate common Pod Security Policy configurations in other common Kubernetes policy engines, to better inform users how to migrate before PSP is removed in Kubernetes 1.25.
Eventually there will probably be a tool to do this for you, but for now you can follow the tests.
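As an added illustration of what "recreating" a PSP in another engine looks like (this is example configuration written for this README, not test fixtures from the project), the manifests below express one narrow PSP rule, "no privileged containers", three ways: the original PodSecurityPolicy, the built-in Pod Security Admission namespace labels (the `baseline` standard forbids privileged containers), and a Kyverno ClusterPolicy. The resource names (`psp-no-privileged`, `app-team`, `disallow-privileged-containers`) are assumed, and the Kyverno policy assumes Kyverno is installed in the cluster.

```yaml
# 1. The original PSP: privileged containers are forbidden, everything else left permissive.
#    Removed in Kubernetes 1.25 along with the rest of the policy/v1beta1 PSP API.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp-no-privileged        # assumed name
spec:
  privileged: false              # the single field being migrated below
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
---
# 2. Pod Security Admission (built in since 1.23): enforce the "baseline" standard,
#    which rejects privileged containers, and only warn on the stricter "restricted" level.
#    Policy is applied per namespace via labels, not per-pod via RBAC as with PSP.
apiVersion: v1
kind: Namespace
metadata:
  name: app-team                 # assumed namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
---
# 3. Kyverno: a cluster-wide validating policy that rejects any Pod whose containers,
#    init containers, or ephemeral containers set securityContext.privileged to true.
#    "=(key)" means "if the key is present, it must match"; absent keys are allowed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers   # assumed name
spec:
  validationFailureAction: enforce       # use "audit" first to measure impact before blocking
  background: true                       # also report existing pods that violate the rule
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.privileged must be unset or set to false."
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

The practical difference to keep in mind when migrating: PSP was bound to pods through the service account's RBAC permissions (`use` on the PSP), so two pods in the same namespace could be held to different policies; Pod Security Admission is namespace-scoped, while Kyverno and Gatekeeper match on resource kinds, labels or namespaces. Where the table shows a field as unsupported in Pod Security Standards (for example `hostPorts` or `allowedHostPaths`), that is the kind of rule you would keep in one of the external engines.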
⚠️ This table is updated manually; see the automated test suite results for the current state. ⚠️
Note: ❌ does not mean the feature doesn't work; it means the test is currently failing, and in most cases the test itself needs to be updated.
| PSP field | Pod Security Policy | Pod Security Standard (baseline) | Gatekeeper | Kyverno | Kubewarden | k-rail |
|---|---|---|---|---|---|---|
| privileged | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| hostPID | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| hostIPC | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| hostNetwork | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| hostPorts | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| volumes | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ❌ |
| allowedHostPaths | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| allowedFlexVolumes | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| readOnlyRootFilesystem | ✔️ | ❌ | ✔️ | ✔️ | ❌ | ❌ |
| runAsUser | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| runAsGroup | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| supplementalGroups | ✔️ | ❌ | ✔️ | ❌ | ✔️ | ❌ |
| fsGroup | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| allowPrivilegeEscalation | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| defaultAllowPrivilegeEscalation | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| allowedCapabilities | ✔️ | ❌ | ✔️ | ❌ | ✔️ | ❌ |
| defaultAddCapabilities | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| requiredDropCapabilities | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| seLinux | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| allowedProcMountTypes | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| apparmor | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| seccomp | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ |
| forbiddenSysctls | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
| allowedUnsafeSysctls | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
- https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/
- https://github.com/open-policy-agent/gatekeeper-library
- https://kubernetes.io/docs/concepts/security/pod-security-standards/
- https://github.com/open-policy-agent/gatekeeper
- https://github.com/kyverno/kyverno
- https://github.com/kyverno/policies
- https://github.com/kubewarden/kubewarden-controller
- https://hub.kubewarden.io/
- https://github.com/cruise-automation/k-rail/blob/master/charts/k-rail/values.yaml
- https://github.com/cruise-automation/k-rail