Toolforge: replace admission controllers with an existing policy admin project
Open, MediumPublic
Actions

Assigned To

None

Authored By

	aborrero
	Apr 20 2023, 12:55 PM

Description

There are tools that can work as policy checker/enforcer for kubernetes and basically can help us drop all our custom admissions controllers and replace their logic with some YAML files.

The main contenders are:

All have an overlapping featureset, kyverno a bit more lightweight, OPA being a bit more complex and featureful.

Arturo: My personal suggestion would be to try with kyverno.

Related Objects
Search...

Status	Assigned	Task
Open	None	T362869 Upgrade Toolforge to Uwubernetes
Open	None	T362868 Upgrade Toolforge Kubernetes to version 1.29
Open	None	T362867 Upgrade Toolforge Kubernetes to version 1.28
Open	None	T359641 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.27
Open	None	T327025 Upgrade Toolforge Kubernetes to version 1.26
Open	None	T316107 Upgrade Toolforge Kubernetes to version 1.25
In Progress	aborrero	T279110 [infra] Replace PodSecurityPolicy in Toolforge Kubernetes
Open	None	T335131 Toolforge: replace admission controllers with an existing policy admin project

Event Timeline

aborrero created this task.Apr 20 2023, 12:55 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 20 2023, 12:55 PM

JJMC89 added a project: Kubernetes.Apr 20 2023, 2:01 PM

dcaro subscribed.Apr 20 2023, 6:16 PM

aborrero renamed this task from Toolforge consider replacing admission controllers with kyverno to Toolforge: consider replacing admission controllers with kyverno or OPA.Apr 21 2023, 11:42 AM

aborrero updated the task description. (Show Details)

dcaro renamed this task from Toolforge: consider replacing admission controllers with kyverno or OPA to Toolforge: consider replacing admission controllers with an existing policy admin project.Apr 21 2023, 1:03 PM

dcaro updated the task description. (Show Details)

fnegri subscribed.May 2 2023, 3:46 PM

aborrero mentioned this in T337538: [toolforge] Create envvars management offering.May 26 2023, 11:51 AM

In the 2023-05-02 council meeting it was decided to move forward with this project as part of the PSP deprecation process.

aborrero renamed this task from Toolforge: consider replacing admission controllers with an existing policy admin project to Toolforge: replace admission controllers with an existing policy admin project.May 26 2023, 12:19 PM

aborrero added a parent task: T279110: [infra] Replace PodSecurityPolicy in Toolforge Kubernetes.

JMeybohm mentioned this in T273507: PodSecurityPolicies will be deprecated with Kubernetes 1.21.Aug 31 2023, 8:57 AM

aborrero added a project: User-aborrero.Aug 31 2023, 9:24 AM

Just noticed: