Page MenuHomePhabricator
Create Task
Maniphest T367950

Decision Request - Toolforge pod security via custom admission webhook
Closed, DeclinedPublic
Actions

Description

Problem

In the context of the migration away from Kubernetes PodSecurityPolicy into something more modern, we decided to go with Kyverno, see:

However, introducing Kyverno was proven to be very difficult (or impossible) due to the scale of Toolforge, see:

The other policy agent option, OPA Gatekeeper, has a similar architecture and works in a similar fashion, and may be a similar dead end.

We should decide if continue with this approach, or write our own custom admission webhook controller, like we do for a few other things.

Constraints and risks

  • High engineering time resources.

Decision record

TBD https://wikitech.wikimedia.org/wiki/Wikimedia_Cloud_Services_team/EnhancementProposals/Decision_record_XYZ_Toolforge_pod_security_via_custom_admission_webhook

Options

Option 1

Forget about policy agents, create our own custom admission webhooks to enforce pod security settings.

We already maintain a few other custom admission controllers, and having another one should be no big deal. However, there is definitely code to write and maintain.

Pros:

  • The most performant option (compared to kyverno at least)
  • Well supported pattern within the kubernetes ecosystem.
  • We already have other custom admission controllers, we should know how to do this already.

Cons:

  • New code to write and maintain.

Option 2

Keep trying and researching with policy agents. If kyverno does not work, try with OPA Gatekeeper.

Maybe we did not get right the policy agents setup/architecture, and there is a way to craft them into performing well.

Perhaps there is an -unknown at the moment- way to enforce the same pod configuration, but without 3.5k policy rules.

We could work with upstream to make sure our use case is supported, and that what we want to do is possible, and makes sense.

Pros:

  • We would use an upstream project instead of our own source code. Others are writing and maintaining it.

Cons:

  • There are strong evidences that this is a dead end.

Related Objects
Search...

Event Timeline

aborrero created this task.Jun 19 2024, 8:47 AM
aborrero mentioned this in T367386: [k8s,infra] kyverno has a track record of overloading the cluster, maybe on new ways.Jun 19 2024, 8:55 AM
aborrero edited parent tasks, added: T364297: [k8s,infra] track PSP migration plan; removed: T279110: [infra] Replace PodSecurityPolicy in Toolforge Kubernetes.Jun 19 2024, 8:59 AM
aborrero changed the status of subtask T367952: toolforge: drop kyverno from Open to In Progress.Jun 19 2024, 3:08 PM
aborrero mentioned this in T367985: toolforge: create a new custom admission webhook to handle pod security settings.
aborrero triaged this task as High priority.Jun 20 2024, 11:50 AM

heads up, I may have found a working setup for kyverno, see https://phabricator.wikimedia.org/T367386#9909053

aborrero mentioned this in T364297: [k8s,infra] track PSP migration plan.Jun 20 2024, 12:00 PM
aborrero closed this task as Declined.Jun 20 2024, 1:11 PM
aborrero closed subtask T367952: toolforge: drop kyverno as Declined.

We just did option 2, see T368044: Toolforge: redeploy kyverno after the outage

aborrero closed subtask T367985: toolforge: create a new custom admission webhook to handle pod security settings as Declined.Jun 20 2024, 1:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits