|
41 | 41 | - [Scalability](#scalability) |
42 | 42 | - [Troubleshooting](#troubleshooting) |
43 | 43 | - [Optional Future Extensions](#optional-future-extensions) |
| 44 | + - [Automated PSP migration tooling](#automated-psp-migration-tooling) |
44 | 45 | - [Rollout of baseline-by-default for unlabeled namespaces](#rollout-of-baseline-by-default-for-unlabeled-namespaces) |
45 | 46 | - [Custom Profiles](#custom-profiles) |
46 | 47 | - [Custom Warning Messages](#custom-warning-messages) |
@@ -661,47 +662,35 @@ The following audit annotations will be added: |
661 | 662 | 5. `pod-security.kubernetes.io/exempt = [user, namespace, runtimeClass]` For exempt requests, record the parameters |
662 | 663 | that triggered the exemption here. |
663 | 664 |
|
664 | | -### PodSecurityPolicy Migration |
665 | | - |
666 | | -<<[UNRESOLVED]>> |
667 | 665 |
|
668 | | -_Targeting Beta or GA, non-blocking for Alpha._ |
| 666 | +### PodSecurityPolicy Migration |
669 | 667 |
|
670 | 668 | Migrating to the replacement policy from PodSecurityPolicies can be done effectively using a |
671 | 669 | combination of dry-run and audit/warn modes (although this becomes harder if mutating PSPs are |
672 | 670 | used). |
673 | 671 |
|
674 | | -We could also ship a standalone tool to assist with the PodSecurityPolicy migration. Here are some |
675 | | -ideas for the sorts of things the tool could assist with: |
676 | | - |
677 | | -- Analyze PSP resources, identify the closest profile level, and highlight the differences |
678 | | -- Check the authorization mode for existing pods. For example, if a pod’s service account is not |
679 | | - authorized to use the PSP that validated it (based on the `kubernetes.io/psp` annotation), then |
680 | | - that should trigger a warning. |
681 | | -- Automate the dry-run and/or labeling process. |
682 | | -- Automatically select (and optionally apply) a policy level for each namespace. |
683 | | - |
684 | | -We should also publish a step-by-step migration guide. A rough approach might look something like |
| 672 | +Publish a step-by-step migration guide. A rough approach might look something like |
685 | 673 | this, with the items tagged (automated) having support from the PSP migration tool. |
686 | 674 |
|
687 | | -1. Enable 3-tier policy admission plugin, default everything to privileged. |
| 675 | +1. Enable the `PodSecurity` admission plugin, default everything to privileged. |
688 | 676 | 2. Eliminate mutating PSPs: |
689 | | - 1. Clone all mutating PSPs to a non-mutating version (automated) |
| 677 | + 1. Clone all mutating PSPs to a non-mutating version |
690 | 678 | 2. Update all ClusterRoles authorizing use of the mutating PSPs to also authorize use of the |
691 | | - non-mutating variant (automated) |
| 679 | + non-mutating variant |
692 | 680 | 3. Watch for pods using the mutating PSPs (check via the `kubernetes.io/psp` annotation), and |
693 | 681 | work with code owners to migrate to valid non-mutating resources. |
694 | 682 | 4. Delete mutating PSPs |
695 | | -3. Select a compatible profile for each namespace, based on the existing resources in the namespace |
696 | | - (automated) |
697 | | - 1. Review the profile choices |
698 | | - 2. Evaluate the difference in privileges that would come from disabling the PSP controller |
699 | | - (automated). |
700 | | -4. (optional) Apply the profiles in `warn` and `audit` mode (automated) |
701 | | -5. Apply the profiles in `enforce` mode (automated) |
702 | | -6. Disable PodSecurityPolicy |
| 683 | +3. Select a compatible pod security level for each namespace, based on the existing resources in the namespace |
| 684 | + 1. Review the pod security level choices |
| 685 | + 2. Evaluate the difference in privileges that would come from disabling the PSP controller. |
| 686 | +4. Apply the pod security levels in `warn` and `audit` mode |
| 687 | +5. Iterate on Pod and workload configurations until no warnings or audit violations exist |
| 688 | +6. Apply the pod security levels in `enforce` mode |
| 689 | +7. Disable `PodSecurityPolicy` admission plugin |
| 690 | + |
| 691 | +This was published at https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ in 1.22. |
| 692 | + |
703 | 693 |
|
704 | | -<<[/UNRESOLVED]>> |
705 | 694 |
|
706 | 695 | ### Graduation Criteria |
707 | 696 |
|
@@ -974,6 +963,20 @@ which case they should be moved out of this section). |
974 | 963 |
|
975 | 964 | This whole section should be considered <<[UNRESOLVED]>>. |
976 | 965 |
|
| 966 | +### Automated PSP migration tooling |
| 967 | + |
| 968 | +We could also ship a standalone tool to assist with the steps identified above. |
| 969 | +Here are some ideas for the sorts of things the tool could assist with: |
| 970 | + |
| 971 | +- Analyze PSP resources |
| 972 | + - identify mutating PSPs |
| 973 | + - for non-mutating PSPs, identify the closest Pod Security Standards levels and highlight the differences |
| 974 | +- Check the authorization mode for existing pods. For example, if a pod’s service account is not |
| 975 | + authorized to use the PSP that validated it (based on the `kubernetes.io/psp` annotation), then |
| 976 | + that should trigger a warning. |
| 977 | +- Automate the dry-run and/or labeling process. |
| 978 | +- Automatically select (and optionally apply) a policy level for each namespace. |
| 979 | + |
977 | 980 | ### Rollout of baseline-by-default for unlabeled namespaces |
978 | 981 |
|
979 | 982 | If we wanted to change the default-default value from privileged to baseline, here is a possible |
|
0 commit comments