Feature+Docs: PodSecurityPolicy for Windows #64801
Comments
k8s-ci-robot
added
needs-sig
|
/sig windows |
k8s-ci-robot
added
sig/windows
|
/assign |
|
I'd like to redo PodSecurityPolicy at some point, and don't necessarily see it progressing to GA in its current form. Given that, I think it will be useful to understand the windows requirements for PodSecurityPolicy to inform the design of the successor, but I don't think it's worth investing in retrofitting the current PSP for windows. |
Any timeline for this? |
|
No. Discussions are underway (wg-policy) about what should be a native policy vs. a policy DSL (e.g. OPA/rego). Any progress on PodSecurityPolicy is blocked on that guidance. |
|
@PatrickLang we need to clarify the pod spec for windows before making updates around the policy discussion. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
/sig auth |
k8s-ci-robot
added
the
sig/auth
|
/priority awaiting-more-evidence |
k8s-ci-robot
added
the
priority/awaiting-more-evidence
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
This has come up quite a bit and starting to find more scenarios where although it should be ignore not affect windows pods they are either blocked or don't get scheduled. I will start to look into more as well as the how it might work in regards to Gatekeeper. /assign |
|
A good starting point might be to document that pod features that should be restricted on windows, as part of the "Pod Security Standards" |
|
I went through the Pod Security Standards doc and mapped each to what can/should apply to windows and things that don't make sense. If folks want to have a look and leave comments we can discuss at a sig-windows meeting: https://docs.google.com/spreadsheets/d/1Snhqtnu38I2Sqa7UQQbD3ZwYTkXMo7L81lUHSmh7buU/edit?usp=sharing For areas where the security context was causing issues with PSP these PR's should take care of them: #93475 and #91482 In summary the following should be available in windows and need to map to a particular "standard".
There are on windows specific one that should be added:
|
|
With the proposal for the Privileged Containers KEP, there was an analysis done for what would be potentially impacted in regards to Pod Security Standards and policies. Please see the KEP for details. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
Can this be closed given #97171? |
|
for PodSecurityPolicy specifically, I don't expect to see any windows-related changes, so this issue could probably be closed, but the points raised here (how OS-specific implications shape policy) would be good for the group working on a proposal for a PSP replacement to consider/incorporate if possible |
|
agree for PSP but would like to get update guidance for general Windows Pod Security Standards doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/ |
|
@jsturtevant It sounds like y'all in SIG Windows know what the hardening guidelines you have in mind are (at least somewhat, with the mappings you've done already), but would like some additional eyes on it and assistance with writing a PR to the Pod Security Standards doc? I'd recommend asking about that in the sig-security-docs channel on kubernetes slack to see if anybody has bandwidth to help. |
|
Before writing the docs I wanted to ensure we had these working in some form (most likely via Gatekeeper) so if we publish guidance it is something that can be followed and implemented. I had to step away from this shortly after doing the initial analysis for other work. Hoping I can get back to it soon. |
|
Awesome! I assume you'll be PRing an example policy into https://github.com/open-policy-agent/gatekeeper-library/. Feel free to drop into #sig-security on k8s slack to ask if anyone wants to review it! |
|
We got the first gate-keeper policy PR open for anyone following along: open-policy-agent/gatekeeper-library#70 |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
k8s-ci-robot
added
lifecycle/rotten
|
I think we can close this, since PSP is marked as deprecated and targeting removal in v1.25 |
Most of the fields in PodSecurityPolicy today cannot be implemented in Windows since they're based on Linux namespace and UID/GID assumptions.
We need a feature proposal to add or modify what can be implemented on Windows to achieve use cases such as:
Areas that need to be documented as does not apply to Windows:
Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
Environment:
kubectl version): v1.9, v1.10, v1.11The text was updated successfully, but these errors were encountered: