
[Deprecated] Pod Security Policy #5

Closed
2 of 7 tasks
erictune opened this issue May 9, 2016 · 105 comments
Labels

kind/deprecation: Categorizes issue or PR as related to a feature/enhancement marked for deprecation.
kind/feature: Categorizes issue or PR as related to a new feature.
lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
sig/auth: Categorizes an issue or PR as relevant to SIG Auth.
sig/node: Categorizes an issue or PR as relevant to SIG Node.

Comments

@erictune
Member

erictune commented May 9, 2016

Feature Description

Related issues

@erictune
Member Author

erictune commented May 9, 2016

Admission controller code is under review in: kubernetes/kubernetes#24600

@erictune
Member Author

erictune commented May 9, 2016

This feature is skipping straight to Beta since it has had initial exposure in OpenShift.

@erictune
Member Author

erictune commented May 9, 2016

It will be default disabled in kubernetes/kubernetes#24600. After that goes in, we need changes in the admission controller to link PSPs to users.

@pweil-

pweil- commented May 11, 2016

Noting kubernetes/kubernetes#20573 as a dependency for the next step on PSP (subject level access)

@bryk

bryk commented Jul 12, 2016

What's the status of this? Is the description in the first comment up to date?

@pweil-

pweil- commented Jul 12, 2016

Is the description in first comment up to date

no (I don't have permissions to update). I believe all of the alpha requirements have been met. The initial types, api, and tests have been merged. The admission controller is not enabled by default.

IMO the remaining work for beta/1.4 is auth integration for permissions, updating for new fields we want to constrain (seccomp - in progress, sysctl), and any required docs/tutorials.
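
The two comments above describe the missing piece for beta as "auth integration for permissions", i.e. linking a PSP to the users and service accounts allowed to use it, plus new fields to constrain (seccomp, sysctl). As an added illustration, not code from this issue or from the Kubernetes project, here is how that linkage was expressed once the admission controller was enabled: a PodSecurityPolicy, a ClusterRole granting the RBAC verb `use` on that specific PSP, and a RoleBinding handing that role to a service account. The PSP admission controller authorizes the requesting user, and then the pod's service account, for `use` on each PSP; a pod whose creator is granted no PSP that validates its spec is rejected. The resource names (`restricted-psp`, `psp-restricted-user`, `app-sa`, namespace `apps`) are constructed for this example. PSP was deprecated in v1.21 and removed in v1.25, so this manifest is only meaningful on clusters before that release.

```yaml
# Added example (not from this issue thread): binding a PSP to a subject.
# Names are constructed for illustration; the API is policy/v1beta1, which
# was removed in Kubernetes v1.25.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
  annotations:
    # seccomp was constrained through annotations on the PSP, not spec fields.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: true
  # A single "*" forbids every sysctl, safe or unsafe.
  forbiddenSysctls: ["*"]
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
    - downwardAPI
    - persistentVolumeClaim
---
# The "use" verb on a named PSP is what the admission controller checks.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-psp"]
    verbs: ["use"]
---
# Grant the PSP to the service account that controllers will create pods as.
# Binding to a human user instead only helps for pods created directly by
# that user; Deployments and other controllers create pods as a service
# account, so the binding normally targets the service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-app-sa
  namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-user
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: apps
```

To check that the binding took effect without creating a pod, impersonate the service account: `kubectl auth can-i use podsecuritypolicy/restricted-psp --as=system:serviceaccount:apps:app-sa -n apps` should answer `yes`, and the same query for an unbound subject should answer `no`.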

@erictune
Member Author

And an e2e test.


@therc
Member

therc commented Jul 15, 2016

How about interactions with cloud providers? It would be nice to easily assign each pod different IAM roles so they can access only the subset of cloud services that they actually need. Would it be in scope or is it considered a SecurityContext detail?

@erictune
Member Author

@therc that should be done via ServiceAccount.

@idvoretskyi idvoretskyi modified the milestone: v1.4 Jul 18, 2016
@idvoretskyi idvoretskyi added the sig/node Categorizes an issue or PR as relevant to SIG Node. label Aug 4, 2016
@pweil-

pweil- commented Aug 22, 2016

@goltermann I noticed this was marked with alpha but I believe it probably needs the beta tag based on #5 (comment)

@goltermann
Contributor

@erictune does beta sound right based on the @pweil- comment?

@pweil-

pweil- commented Aug 22, 2016

@goltermann I think technically this would've been beta in 1.3, it is not new to 1.4 though development is ongoing.

@erictune
Member Author

Yes, beta is correct. I was incorrect when I said alpha earlier today.

@goltermann
Contributor

great, fixed it up

@janetkuo
Member

janetkuo commented Sep 2, 2016

@pweil- Are the docs ready? Please update the docs to https://github.com/kubernetes/kubernetes.github.io, and then add PR numbers and have the docs box checked in the issue description

@pweil-

pweil- commented Sep 2, 2016

@janetkuo docs PR kubernetes/website#1150

edit: kubernetes/website#1206 is the correct 1.4 PR

cc @kubernetes/feature-reviewers

@idvoretskyi
Member

@pweil- I suppose this PR is actual - kubernetes/website#1206?

@pweil-

pweil- commented Sep 22, 2016

correct

@liggitt liggitt added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Apr 4, 2017
@liggitt liggitt modified the milestones: next-milestone, v1.4 Jun 14, 2017
@tallclair
Member

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 19, 2021
@tallclair
Member

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Oct 19, 2021
@tallclair tallclair added the kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. label Apr 20, 2022
@tallclair tallclair changed the title Pod Security Policy [Deprecated] Pod Security Policy Apr 20, 2022
@Priyankasaggu11929 Priyankasaggu11929 added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels May 30, 2022
@Priyankasaggu11929
Member

Hello @tallclair 👋, 1.25 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.

For note, this enhancement is targeting Removal in 1.25 (followed by the Deprecation in 1.21) (correct me if otherwise).

As discussed with the Release team in this K8s slack thread, the team agreed that we don't need to migrate the old archived design proposal to a KEP template just to track the deprecation & removal stages for this enhancement.

Since the new KEP-2579: Pod Security Admission Control KEP is there to explicitly replace PSP, we will align the deprecation & removal stages of this enhancement with that KEP & track both!

For note, the status of this enhancement is marked as tracked. Thank you for keeping the issue description up-to-date!

@Priyankasaggu11929
Member

Hi @tallclair 👋

Checking in once more as we approach 1.25 code freeze at 01:00 UTC on Wednesday, 3rd August 2022.

Please ensure the following items are completed:

Please verify, if there are any additional k/k PRs besides the ones listed above.

Since all the listed k/k PRs are fully merged, the status of this enhancement is marked as tracked.

Please update the issue description with the relevant links for tracking purposes. Thank you so much!

@tallclair
Member

All the k/k work for v1.25 is done.

@liggitt
Member

liggitt commented Sep 1, 2022

marked complete in #3487

@liggitt liggitt closed this as completed Sep 1, 2022
@rhockenbury rhockenbury removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Sep 20, 2022
@enj enj moved this to Closed / Done in SIG Auth Dec 5, 2022
@enj enj added this to SIG Auth Dec 5, 2022
justinsb added a commit to justinsb/features that referenced this issue Jan 30, 2023
Not an alternative rejected any more, given applyset.k8s.io/inventory
k8s-ci-robot pushed a commit that referenced this issue Feb 9, 2023
…ategy (#3661)

* Initial KEP for improving pruning in kubectl apply

* Add design details

Co-authored-by: Katrina Verey <[email protected]>

* Add another open question

* Links, clarifications, ownerRef and GKNN explanations

* Follow-on to initial feedback, address some unresolved blocks

* Fix lint errors

* Add more detail about reference implementation (#2)

* Apply prune jan25 (#3)

* More clearly delineate specification vs kubectl details

* Move design details of spec to Design Details section

* Updates from synchronous conversation

* Remove leftover paragraph (#5)

Not an alternative rejected any more, given applyset.k8s.io/inventory

* Justin has always been coauthor

* KEP-3659: production readiness etc (#4)

Fill in the testing/ PRR sections.

* Fix test failures

* Prune: document confused deputy attack and mitigations

Likely pushes us to GKNN-derived IDs.

* Constrain applyset id

We just choose the constrained applyset id to prevent "applyset ID
impersonation".

* Update KEP and PRR metadata

* Enhance testing description

* ID vs name fixes

* Fixes from soltysh's review

---------

Co-authored-by: Justin Santa Barbara <[email protected]>
dougbtv pushed a commit to dougbtv/enhancements that referenced this issue Feb 9, 2024
k8s-ci-robot pushed a commit that referenced this issue Jun 12, 2024
* Add draft of CSI CBT KEP

Signed-off-by: Ivan Sim <[email protected]>

* Update KEP status

Signed-off-by: Ivan Sim <[email protected]>

* Initial structure.
Filled in the Proposal, Caveats and Risks.
Put in the CSI spec in the Details section.

* Removed distracting links to common K8s definitions.
Clarified the proposal.

* More caveats.  Better grammar.

* Use "snapshot access session".

* addressed most of the feedback in the PR.

* Updated role figure.

* More refinements.

* Session figure. Renamed figure files.

* Fix background of session figure.

* Updated figures and roles.

* Propose a new role for session data.

* GRPC spec

* Don't propose roles.

* Add user stories in the proposal (#2)

* Add user stories in the proposal

Signed-off-by: Prasad Ghangal <[email protected]>

* Remove acceptance criteria for the user stories

* Make changes suggested by Carl

---------

Signed-off-by: Prasad Ghangal <[email protected]>

* Added details to the manager, sidecar and SP service sections.
Fixed session figure errors and rewrote the client gRPC
description in the risks section.

* Called out UNRESOLVED issues.
More on the SP service and sidecar.

* Resolved issues with expiry and advertising.

* Updated TOC

* Fixed typo and svg space rendering.

* Fixed typo in perms figure.

* Typo in session figure. More detail in user stories.

* Add SnapshotSession CRDs (#5)

* Add SnapshotSession CRDs

* Add CR descriptions

* Address review comments

* Address review comments

* Remove typo

* Remove unnecessary new line

* Added image of the flow when the TokenRequest and TokenReview APIs are used.

* Fixed figure spacing

* Updated permissions svg; removed session.

* Updated figures. Removed session figure.

* Added explanation of permissions.

* Updated overview and risks.

* Updated RPC and components.

* Completed remaining rewrite.

* Updated to CSI spec to reflect container-storage-interface/spec#551

* Removed the security_token and namespace from the gRPC spec.
Pass the security token via the metadata authorization key.
Pass the namespace as part of the K8s snapshot id string.

* Update sections on test plan, PRR and graduation criteria

Signed-off-by: Ivan Sim <[email protected]>

* More neutral language on passing the auth token.

* Updated to reflect changes in the CSI spec PR.

* Use a separate gRPC API for the sidecar.

* Replaced authorization gRPC metadata with a security_token field in request messages.

* Fixed typo.

* Updated CSI spec; downplayed similarity between the K8s and CSI gRPC services.

* Add beta and GA graduation criteria

Signed-off-by: Ivan Sim <[email protected]>

* Updated CSI spec again - no unsigned numbers used.

* Update KEP milestone to v1.30

Signed-off-by: Ivan Sim <[email protected]>

* Update 'Scalability' section

Signed-off-by: Ivan Sim <[email protected]>

* Add sig-auth as participating sigs

Signed-off-by: Ivan Sim <[email protected]>

* Require that the CR be named for the driver.

* Removed the label requirement for the CR.

* Replaced johnbelamaric with soltysh for PRR approver.

* Bump up milestone to v1.31

* Change KEP status to implementable

---------

Signed-off-by: Ivan Sim <[email protected]>
Signed-off-by: Prasad Ghangal <[email protected]>
Signed-off-by: Ivan Sim <[email protected]>
Co-authored-by: Carl Braganza <[email protected]>
Co-authored-by: Prasad Ghangal <[email protected]>