Pod Security Policies is deprecated and will be removed in k8s v1.25
https://kubernetes.io/docs/concepts/security/pod-security-policy/
Investigate alternatives.
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | rook | T317788 Remove kubeval
Resolved | | None | T317787 Pod Security Policies
Duplicate | | None | T294446 containerSecurityContext
Resolved | | rook | T326985 Test PAWS on k8s 1.25
Some sections of this, mostly host path parts, will become irrelevant with T308873; other parts remain unclear to me on why we need them. Aside from by default needing a psp, are there known benefits of our current setup? Still looking through some old tickets on where some parts of our psp came from. In the meantime @Chicocvenancio do you have any views on this, or do you feel it would be reasonable to disable psp moving forward?
See also T279110: [infra] Replace PodSecurityPolicy in Toolforge Kubernetes, would be nice to keep Toolforge and PAWS on a similar-ish technology stack.
Some sections of this, mostly host path parts, will become irrelevant with T308873; other parts remain unclear to me on why we need them. Aside from by default needing a psp, are there known benefits of our current setup?
I think it was just general hardening of k8s at the time.
Still looking through some old tickets on where some parts of our psp came from. In the meantime @Chicocvenancio do you have any views on this, or do you feel it would be reasonable to disable psp moving forward?
I think it is reasonable. I think @taavi hits this in the head and PAWS should try to follow whatever hardening is decided for toolforge.