PodSecurity admission (PodSecurityPolicy replacement)

[tallclair]

Enhancement Description

• One-line enhancement description (can be used as a release note): Introduce a new admission controller for enforcing the Pod Security Standards on pods in a namespace.

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/

• Discussion Link: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#bookmark=id.km06bp3uzuco

• Primary contact (assignee): @tallclair

• Responsible SIGs: sig-auth, sig-security

• Enhancement target (which target equals to which milestone):

  • Alpha release target (x.y): 1.22
  • Beta release target (x.y): 1.23
  • Stable release target (x.y): 1.25

• Alpha (1.22)

  • KEP (k/enhancements) update PR(s): PSP Replacement KEP #2582
  • Code (k/k) update PR(s):
    • [PodSecurity] Add ValidatePodSecurityConfiguration kubernetes#103560
    • PodSecurity message/check/fixture cleanups kubernetes#103558
    • PodSecurity: use code/reason/details from admission library kubernetes#103552
    • Implement check drop capabilities.go kubernetes#103543
    • Podsecurity fixture cleanup kubernetes#103517
    • Podsecurity webhook kubernetes#103465
    • Move pod-security-admission to an external Attributes interface kubernetes#103445
    • [PodSecurity] hostProcess baseline check kubernetes#103382
    • [PodSecurity] baseline - apparmor kubernetes#103378
    • PodSecurity: make failure integration tests feature-aware kubernetes#103365
    • [PodSecurity] Add privileged containers baseline check kubernetes#103364
    • [Pod Security] Baseline + restricted policy checks for seccomp kubernetes#103341
    • Add baseline check for procMount type kubernetes#103340
    • Mark net.ipv4.ip_unprivileged_port_start as a safe sysctl kubernetes#103326
    • [PodSecurity] Implement sysctls check kubernetes#103325
    • [Pod Security] Restricted volume type check kubernetes#103323
    • [Pod Security]: HostNamespace baseline check kubernetes#103316
    • [Pod Security] HostPath baseline check kubernetes#103315
    • [PodSecurity] Implement host ports check kubernetes#103314
    • PodSecurity admission kubernetes#103099
    • [test-only]PodSecurity: make integration tests run sparsely kubernetes#103617
    • [test-only][PodSecurity] Add test coverage for pod-template-containing objects kubernetes#103452
  • Docs (k/website) update PR(s):
    • Add Pod Security Standards documentation website#28903

• Beta (1.23)

  • KEP (k/enhancements) update PR(s):
    • KEP-2579: PodSecurity beta / 1.23 updates #2895
    • KEP-2579: PodSecurity beta updates #3035
  • Code (k/k) update PR(s):
    • PodSecurity: trim path when building webhook binary kubernetes#106118
    • Update pods validation based on uniqueness of controller kubernetes#106097
    • PodSecurity: promote config and feature gate to beta kubernetes#106089
    • PodSecurity: benchmark large numbers of owned pods kubernetes#106087
    • [PodSecurity] Expand unit test coverage and fix error cases kubernetes#106017
    • PodSecurity: return namespace validation errors in standard field.ErrorList format kubernetes#105959
    • PodSecurity webhook makefile, image, and manifests kubernetes#105923
    • PodSecurity: clean up namespace validation messages, time bounding, and add testing kubernetes#105922
    • [PodSecurity] Add annotations denoting the exemption reason and the enforcement policy used kubernetes#105908
    • [PodSecurity] Metrics improvements kubernetes#105898
    • [PodSecurity] Aggregate identical warnings for multiple pods in a namespace kubernetes#105889
    • PodSecurity: Add runAsUser check to restricted policy kubernetes#105857
    • Add --version flag to podsecurity-webhook command kubernetes#105749
    • PodSecurity: limit webhook admission input kubernetes#105485
    • PodSecurity: add namespace update verify benchmark kubernetes#105457
    • [PodSecurity]Add context to failure message kubernetes#105314
    • Fix PodSecurity forbidden response reason kubernetes#105180
    • PodSecurity: benchmark and optimize privileged namespace evaluations kubernetes#104588
    • [PodSecurity] log nsPolicy evaluation for the request kubernetes#104365
    • [PodSecurity] Implement metricRecorder for admission kubernetes#104217
    • Promote pod-security-webhook:v1.23-beta.0 k8s.io#3029
    • PodSecurity: update webhook manifest for beta kubernetes#106106
  • Docs (k/website) update(s):
    • PodSecurity: runAsUser docs website#30225
    • Podsecurity beta updates website#30351
    • Tutorials for Pod Security Admission website#30422
    • v1.23 blog post: Pod Security Admission Graduates to Beta website#30502

• Stable (1.25)

  • KEP (k/enhancements) update PR(s):
    • KEP-2579: Pod Security GA plan #3310
  • Code (k/k) update PR(s):
    • PodSecurity: promote config and feature gate to GA kubernetes#110459
  • Docs (k/website) update(s):
    • Update Pod Security Admission docs for graduation to stable website#35618
    • Blog post about Pod Security admission graduating to stable website#35614

[gracenng]

Hi @tallclair 👋 1.22 Enhancements shadow here.

This enhancement is in good shape for 1.22, a couple minor change requests in light of Enhancement Freeze on Thursday May 13th:

• KEP has not been merged to master
• the "reviewers" section in kep.yaml is not filled out
• <<[unresolved]>> in README
• Graduation Criteria in README

Thank you!

[tallclair]

• I'm nagging the approvers daily, and still expect to get this merged by enhancement freeze
• Filled in reviewers
• The only remaining unresolved sections are explicitly flagged as non-blocking for the alpha. Is it OK to leave these sections for beta, or will they cause tooling issues?
• Filled in graduation criteria

[gracenng]

Hi there, thanks for the speedy updates.

• I talked to the team and it is okay to have unresolved sections for alpha
• With regards to graduation criteria, the KEP template has been updated to clarify this. Apologies for the confusion.

[gracenng]

Hi @tallclair 👋 1.22 Enhancements shadow here.
I just wanted to double check to see if SIG-Auth will need to do anything for this enhancement and if so, are they OK with it?
Thanks!

[liggitt]

yes, this is one of the top three items sig-auth is tackling this release

[ritpanjw]

Hello @tallclair 👋 , 1.22 Docs Shadow here.

This enhancement is marked as Needs Docs for 1.22 release.
Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Fri July 9, 11:59 PM PDT.
Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thank you!

[gracenng]

Hi @tallclair 🌞 1.22 enhancements shadow here.

In light of Code Freeze on July 8th, this enhancement current status is at risk as there is no k/k PR tracked.
Please update the associated PR or let me know if there is none required for this enhancement.

Thanks

[liggitt]

kubernetes/kubernetes#103099 is open for this enhancement

[liggitt]

plan is to continue beta work for 1.24 and target GA in 1.25

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[tallclair]

/remove-lifecycle stale

[marosset]

Can we try our best to make sure kubernetes/kubernetes#105919 lands in 1.25 too?

We are pursuing having 'PodOS' field go to GA in 1.25 too and without this change users may be unable to schedule Windows pods that specify a OS=windows with restricted policies.

For example:
Restricted policy enforces that ALL capabilities must be dropped for containers but pods that set OS=windows will be rejected if the specify anything in the capabilities fields.

@ravisantoshgudimetla FYI

[liggitt]

yes, I'd expect kubernetes/kubernetes#105919 to be required for GA of the PodOS feature

[ravisantoshgudimetla]

Can we try our best to make sure kubernetes/kubernetes#105919 lands in 1.25 too?

We are pursuing having 'PodOS' field go to GA in 1.25 too and without this change users may be unable to schedule Windows pods that specify a OS=windows with restricted policies.

For example: Restricted policy enforces that ALL capabilities must be dropped for containers but pods that set OS=windows will be rejected if the specify anything in the capabilities fields.

@ravisantoshgudimetla FYI

Yes, that is the goal and this was the PR I mentioned during sig-windows community meeting on Tuesday. We also explicitly mentioned it in KEP

Pod Security Standards are to be changed in 1.25 timeframe to accommodate the supported kubelet and kube-apiserver skew.

[Priyankasaggu11929]

Hello @tallclair 👋, 1.25 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.

For note, This enhancement is targeting for stage stable for 1.25 (correct me, if otherwise)

Here's where this enhancement currently stands: (updated on June 9, 2022)

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a updated detailed test plan section filled out
• KEP has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need to update the following:

• update the merged enhancement KEP to incorporate more details in the Test Plan section, in furtherance of the goal of increasing reliability across the project. TMU, the only thing missing is adding the following acknowledgement checkbox:

[ ] I/we understand the owners of the involved components may require updates to existing tests to make this code solid enough prior to committing the changes necessary to implement this enhancement.

For note, the status of this enhancement is marked as at risk. Thank you for keeping the issue description up-to-date!

[tallclair]

Test details were added in #3310

(Grudgingly) added the check box in #3330

[Priyankasaggu11929]

Thanks so much for the very quick update @tallclair. 🙂

With the PR #3330 merged & Test Plan Section updated, the KEP is all ready for the upcoming enhancements freeze. 🚀

For note, the status of the enhancement is now tracked in the 1.25 enhancement tracking sheet. Thank you!

[didicodes]

Hello @tallclair 👋, 1.25 Release Docs Shadow here.

This enhancement is marked as ‘Needs Docs’ for the 1.25 release. Please follow the steps detailed in the documentation to open a PR against the dev-1.25 branch in the k/website repo. This PR can be just a placeholder at this time and must be created by August 4.


Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release. Thank you!

[sftim]

One thing to document: the config API (see https://kubernetes.io/docs/reference/config-api/). Talk to SIG Docs if you want help with generating that reference, we usually automate this.

[marosset]

Hi @tallclair 👋

1.25 enhancements team here.

It looks like all PRs subject to the v1.25 code freeze have been merged so this enhancement is still tracked fro the v1.25 release.

Also, thank you for linking PRs and including them in the issue description.

As always, we are here to help should questions come up.

Thanks!!

[liggitt]

marked complete in #3487