
PodSecurityPolicy FEATURE STATE: Kubernetes v1.21 [deprecated] #3

lorenzo95 opened this issue Dec 8, 2021 · 3 comments

@lorenzo95

Hello!

I would first like to say that I am amazed by the content of your blog post/repository. I am learning a lot and it gives me great ideas. Therefore, thank you for sharing!!!

I do want to ask what your opinion is on the PodSecurityPolicy Admission Controller since it is deprecated now (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)

Do you think for example that the SecurityContextDeny Controller would be a good replacement? Rancher is referring to it regarding the cis benchmark requirements here: https://rancher.com/docs/k3s/latest/en/security/self_assessment/#1-2-13

Thank you,
Gera

@89luca89 (Contributor) commented Dec 8, 2021

Hey @lorenzo95 glad you liked the post 😄

So yea, 1.21+ deprecates the PSPs, which means it still works but we need to start finding a replacement.

As stated in this blog article from the kubernetes.io blog
The immediate solution is to use PodSecurityContext which is an evolution of the SecurityContextDeny.

This works for generic, not-too-complicated hardening and works when you write them pod-per-pod, but not as a generic policy for the cluster (eg when used by multiple users).

personally (emphasis 😄 ) I would just go full with 2 tools:

Falco by Sysdig, implements a great engine to detect stuff and make rules easily (as shown in the blogpost)
Using its ability to support directly the PSPs: https://falco.org/docs/psp-support/

And OPA Gatekeeper, which can enforce PSPs like explained here: https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies-with-gatekeeper

@devopstales

Hey @89luca89

With the release of Kubernetes v1.23, Pod Security admission has now entered beta. This will be the replacement for PSP. It will be less configurable than PSP, so a tool like OPA Gatekeeper or Kyverno could be a better solution. I prefer to use Kyverno, because it is easier to use and has more functionality than OPA Gatekeeper.
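For reference, this is how the Pod Security admission controller mentioned above is configured per namespace, as an added example that is not part of this thread; the namespace name, pod name and image are made-up placeholders:

```yaml
# Added example (not from this thread). Pod Security admission is driven by
# namespace labels; the "restricted" profile is the closest drop-in for a
# hardened PSP.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a            # hypothetical namespace
  labels:
    # Reject any pod that violates the restricted standard
    pod-security.kubernetes.io/enforce: restricted
    # Pin the standard's version so a control-plane upgrade does not
    # silently change what gets rejected
    pod-security.kubernetes.io/enforce-version: v1.23
    # Also record violations as audit annotations and return warnings
    # to the user on apply (useful while rolling the policy out)
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# A pod that passes the restricted profile: every securityContext field
# below is required by that profile, so removing any one of them gets the
# pod rejected by the enforce label above.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app      # hypothetical pod
  namespace: team-a
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Before turning enforce on in an existing namespace, `kubectl label --dry-run=server --overwrite ns team-a pod-security.kubernetes.io/enforce=restricted` reports which running pods would be rejected, without changing anything.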

@89luca89 (Contributor)

Hey @devopstales

Yea, I was looking into the new PSA, will have to play with them a bit more.
What I was thinking with Falco and OPA is that they can drop-in use the old PSPs, so that in the meantime, until PSA becomes stable, it is still possible to use the PSPs already written.
