Page MenuHomePhabricator
Create Task
Maniphest T317787

Pod Security Policies
Closed, ResolvedPublic
Actions

Description

Pod Security Policies is depreciated and will be removed in k8s v1.25
https://kubernetes.io/docs/concepts/security/pod-security-policy/

Investigate alternatives.

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedrookT317788 Remove kubeval
 ResolvedNoneT317787 Pod Security Policies
 DuplicateNoneT294446 containerSecurityContext
 ResolvedrookT326985 Test PAWS on k8s 1.25

Event Timeline

rook created this task.Sep 14 2022, 4:48 PM
rook added a subtask: T294446: containerSecurityContext.
rook added a subscriber: Chicocvenancio.Sep 28 2022, 4:50 PM

Some sections of this, mostly host path parts, will become irrelevant with T308873 other parts remain unclear to me on why we need them. Aside from by default needing a psp, are there known benefits of our current setup? Still looking through some old tickets on where some parts of our psp came from. In the meantime @Chicocvenancio do you have any views on this, or do you feel it would be reasonable to disable psp moving forward?

taavi subscribed.Sep 28 2022, 4:55 PM

See also T279110: [infra] Replace PodSecurityPolicy in Toolforge Kubernetes, would be nice to keep Toolforge and PAWS on similar-ish technology stack.

rook mentioned this in T318885: Disable PodSecurityPolicy on Magnum.Sep 29 2022, 4:15 AM
rook mentioned this in T326164: Cannot stop server.Jan 4 2023, 12:43 PM
rook mentioned this in T326217: PAWS needs page reload after login.Jan 4 2023, 12:47 PM
Chicocvenancio added a comment.Jan 4 2023, 3:27 PM

Some sections of this, mostly host path parts, will become irrelevant with T308873 other parts remain unclear to me on why we need them. Aside from by default needing a psp, are there known benefits of our current setup?

I think it was just general hardening of k8s at the time.

Still looking through some old tickets on where some parts of our psp came from. In the meantime @Chicocvenancio do you have any views on this, or do you feel it would be reasonable to disable psp moving forward?

I think it is reasonable. I think @taavi hits this in the head and PAWS should try to follow whatever hardening is decided for toolforge.

rook removed a subtask: T317788: Remove kubeval.Apr 14 2023, 2:34 PM
rook added a parent task: T317788: Remove kubeval.
rook closed this task as Resolved.Apr 29 2024, 4:51 PM
rook added a subtask: T326985: Test PAWS on k8s 1.25.
rook reopened this task as Open.May 1 2024, 3:46 PM
rook closed this task as Resolved.May 1 2024, 3:52 PM
rook mentioned this in T363917: paws not connecting to any reconciliation services.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits