Add Pod Security Standards documentation

[sejr]

This PR adds documentation for Pod Security Standards.

Fixes #28721, fixes #28820, fixes #28866

This PR

• Securing Pods with Pod Security Standards
  • Enabling feature gate
  • Configuring namespaces
  • Migrating from PSP
  • Exemptions
  • Best practices
  • Examples
    • Example namespace YAML
    • Applying labels to an existing namespace
    • Applying labels to all existing namespaces

Follow-up tasks

• Ensure consistent language for policy levels (ie privileged baseline restricted)
• Comb through KEP for other noteworthy callouts
  • Metrics (Beta?)
  • Scalability
    • Hard limit on # of pods analyzed
  • Looking forward
    • Baseline by default
    • Custom profiles

Related issues

• Pod Security Standards website updates #28721
• Reference use-case/workloads for Pod Security Standards #28820
• PodSecurity alpha documentation #28866

[netlify]

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

🔨 Explore the source changes: e0d4b53

🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/60f83e74a325df0008b1495d

[sejr]

/assign @liggitt @tabbysable (per convo w/ @tallclair)

[sftim]

I'm concerned about seeing this PR propose to delete https://k8s.io/docs/concepts/security/pod-security-standards/

External projects (the likes of Kyverno) refer to these Pod security standards. It's not just in-project code that relies on them. We should keep the URL of those standards where possible: cool URIs don't change.

It's OK to document a new in-tree mechanism for enforcing that Pods follow these standards. It's important to leave a path to distinguish between the standards themselves on the one hand, and the in-tree enforcement code on the other.

[sftim]

/sig auth
/sig security

[sejr]

@sftim Very good point - reverted.

[sftim]

Looking at this PR I recommend some more work on it.

• it looks like it's still draft. If that's true, please mark it draft to help reviewers. For example, ask prow to /retitle WIP: Add Pod Security Standards documentation
• I would like to see two new pages in the Task section, that each link to each other in their introduction:
  1. Enforcing PodSecurity using the built-in admission controller
  2. Enforcing PodSecurity using a webhook
• Be sure to describe the new feature gate in https://k8s.io/docs/reference/command-line-tools-reference/feature-gates/
• We must also add PodSecurity into https://k8s.io/docs/reference/access-authn-authz/admission-controllers/

If the webhook isn't available, let's leave room to add that documentation later.

nits:

• within the page (but not the page title), write headings in sentence case
• if you can, use glossary tooltips for any first mention of concepts, unless you're confident that readers know what these mean

Feedback was addressed

[sftim]

Another page we must update: https://kubernetes.io/docs/reference/labels-annotations-taints/

[liggitt]

#28903 (comment) is my only outstanding comment, then technical content lgtm

[liggitt]

/approve
/lgtm

for technical content

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 704b45b3b56a84dfa0fcb606584940d39eeb0660

[sftim]

Really good work.
/lgtm

I'll leave the release folks to approve this.

[liggitt]

/assign @PI-Victor

[reylejano]

re-applying lgtm after link to opa gatekeeper repo was fixed
/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: c2f10c36f7958065382a78014912c042127b482c

[PI-Victor]

had to give this a proper read myself, thank you all for the work!

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, PI-Victor

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/OWNERS [PI-Victor]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment