PodSecurity admission (PodSecurityPolicy replacement)

[tallclair]

Enhancement Description

• One-line enhancement description (can be used as a release note): Introduce a new admission controller for enforcing the Pod Security Standards on pods in a namespace.

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/

• Discussion Link: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#bookmark=id.km06bp3uzuco

• Primary contact (assignee): @tallclair

• Responsible SIGs: sig-auth, sig-security

• Enhancement target (which target equals to which milestone):

  • Alpha release target (x.y): 1.22
  • Beta release target (x.y): 1.23
  • Stable release target (x.y): 1.25

• Alpha (1.22)

  • KEP (k/enhancements) update PR(s): PSP Replacement KEP #2582
  • Code (k/k) update PR(s):
    • [PodSecurity] Add ValidatePodSecurityConfiguration kubernetes#103560
    • PodSecurity message/check/fixture cleanups kubernetes#103558
    • PodSecurity: use code/reason/details from admission library kubernetes#103552
    • Implement check drop capabilities.go kubernetes#103543
    • Podsecurity fixture cleanup kubernetes#103517
    • Podsecurity webhook kubernetes#103465
    • Move pod-security-admission to an external Attributes interface kubernetes#103445
    • [PodSecurity] hostProcess baseline check kubernetes#103382
    • [PodSecurity] baseline - apparmor kubernetes#103378
    • PodSecurity: make failure integration tests feature-aware kubernetes#103365
    • [PodSecurity] Add privileged containers baseline check kubernetes#103364
    • [Pod Security] Baseline + restricted policy checks for seccomp kubernetes#103341
    • Add baseline check for procMount type kubernetes#103340
    • Mark net.ipv4.ip_unprivileged_port_start as a safe sysctl kubernetes#103326
    • [PodSecurity] Implement sysctls check kubernetes#103325
    • [Pod Security] Restricted volume type check kubernetes#103323
    • [Pod Security]: HostNamespace baseline check kubernetes#103316
    • [Pod Security] HostPath baseline check kubernetes#103315
    • [PodSecurity] Implement host ports check kubernetes#103314
    • PodSecurity admission kubernetes#103099
    • [test-only]PodSecurity: make integration tests run sparsely kubernetes#103617
    • [test-only][PodSecurity] Add test coverage for pod-template-containing objects kubernetes#103452
  • Docs (k/website) update PR(s):
    • Add Pod Security Standards documentation website#28903

• Beta (1.23)

  • KEP (k/enhancements) update PR(s):
    • KEP-2579: PodSecurity beta / 1.23 updates #2895
    • KEP-2579: PodSecurity beta updates #3035
  • Code (k/k) update PR(s):
    • PodSecurity: trim path when building webhook binary kubernetes#106118
    • Update pods validation based on uniqueness of controller kubernetes#106097
    • PodSecurity: promote config and feature gate to beta kubernetes#106089
    • PodSecurity: benchmark large numbers of owned pods kubernetes#106087
    • [PodSecurity] Expand unit test coverage and fix error cases kubernetes#106017
    • PodSecurity: return namespace validation errors in standard field.ErrorList format kubernetes#105959
    • PodSecurity webhook makefile, image, and manifests kubernetes#105923
    • PodSecurity: clean up namespace validation messages, time bounding, and add testing kubernetes#105922
    • [PodSecurity] Add annotations denoting the exemption reason and the enforcement policy used kubernetes#105908
    • [PodSecurity] Metrics improvements kubernetes#105898
    • [PodSecurity] Aggregate identical warnings for multiple pods in a namespace kubernetes#105889
    • PodSecurity: Add runAsUser check to restricted policy kubernetes#105857
    • Add --version flag to podsecurity-webhook command kubernetes#105749
    • PodSecurity: limit webhook admission input kubernetes#105485
    • PodSecurity: add namespace update verify benchmark kubernetes#105457
    • [PodSecurity]Add context to failure message kubernetes#105314
    • Fix PodSecurity forbidden response reason kubernetes#105180
    • PodSecurity: benchmark and optimize privileged namespace evaluations kubernetes#104588
    • [PodSecurity] log nsPolicy evaluation for the request kubernetes#104365
    • [PodSecurity] Implement metricRecorder for admission kubernetes#104217
    • Promote pod-security-webhook:v1.23-beta.0 k8s.io#3029
    • PodSecurity: update webhook manifest for beta kubernetes#106106
  • Docs (k/website) update(s):
    • PodSecurity: runAsUser docs website#30225
    • Podsecurity beta updates website#30351
    • Tutorials for Pod Security Admission website#30422
    • v1.23 blog post: Pod Security Admission Graduates to Beta website#30502

• Stable (1.25)

  • KEP (k/enhancements) update PR(s):
    • KEP-2579: Pod Security GA plan #3310
  • Code (k/k) update PR(s):
    • PodSecurity: promote config and feature gate to GA kubernetes#110459
  • Docs (k/website) update(s):
    • Update Pod Security Admission docs for graduation to stable website#35618
    • Blog post about Pod Security admission graduating to stable website#35614

[gracenng]

Hi @tallclair 👋 1.22 Enhancements shadow here.

This enhancement is in good shape for 1.22, a couple minor change requests in light of Enhancement Freeze on Thursday May 13th:

• KEP has not been merged to master
• the "reviewers" section in kep.yaml is not filled out
• <<[unresolved]>> in README
• Graduation Criteria in README

Thank you!