Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PodSecurity admission (PodSecurityPolicy replacement) #2579

Closed
12 tasks done
tallclair opened this issue Mar 19, 2021 · 35 comments
Closed
12 tasks done

PodSecurity admission (PodSecurityPolicy replacement) #2579

tallclair opened this issue Mar 19, 2021 · 35 comments
Assignees
Labels
sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/security Categorizes an issue or PR as relevant to SIG Security. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Milestone

Comments

@tallclair
Copy link
Member

tallclair commented Mar 19, 2021

Enhancement Description

@tallclair tallclair added sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/security Categorizes an issue or PR as relevant to SIG Security. labels Mar 19, 2021
@tallclair tallclair added this to the v1.22 milestone Mar 19, 2021
@tallclair tallclair mentioned this issue Mar 22, 2021
18 tasks
@tallclair tallclair changed the title Pod Isolation Policy (Pod Security Policy replacement) Pod Security Policy replacement Mar 30, 2021
@ritazh ritazh added this to KEP Backlog in SIG Auth Old Apr 9, 2021
@liggitt liggitt moved this from KEP Backlog to Backlog (v1.22) in SIG Auth Old Apr 16, 2021
@liggitt liggitt moved this from Backlog (v1.22) to KEP Backlog in SIG Auth Old Apr 16, 2021
@liggitt liggitt added the stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status label Apr 29, 2021
@liggitt liggitt moved this from KEP Backlog to In Progress (v1.22) in SIG Auth Old Apr 29, 2021
@liggitt liggitt moved this from In Progress (v1.22) to In Review (v1.22) in SIG Auth Old Apr 29, 2021
@liggitt liggitt moved this from In Review (v1.22) to In Progress (v1.22) in SIG Auth Old Apr 29, 2021
@JamesLaverack JamesLaverack added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Apr 29, 2021
@gracenng
Copy link
Member

gracenng commented May 9, 2021

Hi @tallclair 👋 1.22 Enhancements shadow here.

This enhancement is in good shape for 1.22, a couple minor change requests in light of Enhancement Freeze on Thursday May 13th:

  • KEP has not been merged to master
  • the "reviewers" section in kep.yaml is not filled out
  • <<[unresolved]>> in README
  • Graduation Criteria in README

Thank you!

@tallclair
Copy link
Member Author

tallclair commented May 10, 2021

  • I'm nagging the approvers daily, and still expect to get this merged by enhancement freeze
  • Filled in reviewers
  • The only remaining unresolved sections are explicitly flagged as non-blocking for the alpha. Is it OK to leave these sections for beta, or will they cause tooling issues?
  • Filled in graduation criteria

@gracenng
Copy link
Member

Hi there, thanks for the speedy updates.

  • I talked to the team and it is okay to have unresolved sections for alpha
  • With regards to graduation criteria, the KEP template has been updated to clarify this. Apologies for the confusion.

@gracenng
Copy link
Member

Hi @tallclair 👋 1.22 Enhancements shadow here.
I just wanted to double check to see if SIG-Auth will need to do anything for this enhancement and if so, are they OK with it?
Thanks!

@liggitt
Copy link
Member

liggitt commented May 11, 2021

yes, this is one of the top three items sig-auth is tackling this release

@liggitt liggitt changed the title Pod Security Policy replacement PodSecurity admission (PodSecurityPolicy replacement) May 12, 2021
@ritpanjw
Copy link

Hello @tallclair 👋 , 1.22 Docs Shadow here.

This enhancement is marked as Needs Docs for 1.22 release.
Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Fri July 9, 11:59 PM PDT.
Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thank you!

@gracenng
Copy link
Member

Hi @tallclair 🌞 1.22 enhancements shadow here.

In light of Code Freeze on July 8th, this enhancement current status is at risk as there is no k/k PR tracked.
Please update the associated PR or let me know if there is none required for this enhancement.

Thanks

@liggitt
Copy link
Member

liggitt commented Jun 23, 2021

kubernetes/kubernetes#103099 is open for this enhancement

@liggitt liggitt added this to the v1.24 milestone Jan 18, 2022
@liggitt
Copy link
Member

liggitt commented Jan 19, 2022

plan is to continue beta work for 1.24 and target GA in 1.25

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 19, 2022
@tallclair
Copy link
Member Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 20, 2022
@liggitt liggitt added stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status and removed stage/beta Denotes an issue tracking an enhancement targeted for Beta status labels Apr 28, 2022
@marosset
Copy link
Contributor

Can we try our best to make sure kubernetes/kubernetes#105919 lands in 1.25 too?

We are pursuing having 'PodOS' field go to GA in 1.25 too and without this change users may be unable to schedule Windows pods that specify a OS=windows with restricted policies.

For example:
Restricted policy enforces that ALL capabilities must be dropped for containers but pods that set OS=windows will be rejected if the specify anything in the capabilities fields.

@ravisantoshgudimetla FYI

@liggitt
Copy link
Member

liggitt commented May 11, 2022

yes, I'd expect kubernetes/kubernetes#105919 to be required for GA of the PodOS feature

@ravisantoshgudimetla
Copy link
Contributor

Can we try our best to make sure kubernetes/kubernetes#105919 lands in 1.25 too?

We are pursuing having 'PodOS' field go to GA in 1.25 too and without this change users may be unable to schedule Windows pods that specify a OS=windows with restricted policies.

For example: Restricted policy enforces that ALL capabilities must be dropped for containers but pods that set OS=windows will be rejected if the specify anything in the capabilities fields.

@ravisantoshgudimetla FYI

Yes, that is the goal and this was the PR I mentioned during sig-windows community meeting on Tuesday. We also explicitly mentioned it in KEP

Pod Security Standards are to be changed in 1.25 timeframe to accommodate the supported kubelet and kube-apiserver skew.

@Priyankasaggu11929 Priyankasaggu11929 added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels May 30, 2022
@Priyankasaggu11929
Copy link
Member

Priyankasaggu11929 commented May 30, 2022

Hello @tallclair 👋, 1.25 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.

For note, This enhancement is targeting for stage stable for 1.25 (correct me, if otherwise)

Here's where this enhancement currently stands: (updated on June 9, 2022)

  • KEP file using the latest template has been merged into the k/enhancements repo.
  • KEP status is marked as implementable
  • KEP has a updated detailed test plan section filled out
  • KEP has up to date graduation criteria
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need to update the following:

[ ] I/we understand the owners of the involved components may require updates to existing tests to make this code solid enough prior to committing the changes necessary to implement this enhancement.

For note, the status of this enhancement is marked as at risk. Thank you for keeping the issue description up-to-date!

@tallclair
Copy link
Member Author

Test details were added in #3310

(Grudgingly) added the check box in #3330

@Priyankasaggu11929
Copy link
Member

Thanks so much for the very quick update @tallclair. 🙂

With the PR #3330 merged & Test Plan Section updated, the KEP is all ready for the upcoming enhancements freeze. 🚀

For note, the status of the enhancement is now tracked in the 1.25 enhancement tracking sheet. Thank you!

@didicodes
Copy link

Hello @tallclair 👋, 1.25 Release Docs Shadow here.

This enhancement is marked as ‘Needs Docs’ for the 1.25 release. Please follow the steps detailed in the documentation to open a PR against the dev-1.25 branch in the k/website repo. This PR can be just a placeholder at this time and must be created by August 4.


Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release. Thank you!

@sftim
Copy link
Contributor

sftim commented Jul 25, 2022

One thing to document: the config API (see https://kubernetes.io/docs/reference/config-api/). Talk to SIG Docs if you want help with generating that reference, we usually automate this.

@marosset
Copy link
Contributor

Hi @tallclair 👋

1.25 enhancements team here.

It looks like all PRs subject to the v1.25 code freeze have been merged so this enhancement is still tracked fro the v1.25 release.

Also, thank you for linking PRs and including them in the issue description.

As always, we are here to help should questions come up.

Thanks!!

@liggitt liggitt moved this from GA to Done (1.25) in SIG-Auth: PodSecurity Aug 31, 2022
@liggitt
Copy link
Member

liggitt commented Sep 1, 2022

marked complete in #3487

@liggitt liggitt closed this as completed Sep 1, 2022
SIG Auth Old automation moved this from In Progress to Closed / Done Sep 1, 2022
@rhockenbury rhockenbury removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Sep 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/security Categorizes an issue or PR as relevant to SIG Security. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Projects
Archived in project
SIG Auth Old
Closed / Done
Development

No branches or pull requests