[RFC] PodSecurityPolicy Replacement Design

Tabitha Sable

Jan 26, 2021, 12:37:00 PM
to kubernete...@googlegroups.com

Friends,


PodSecurityPolicy is being marked “deprecated” in 1.21, with a plan to remove it in 1.25. It is critically important that we give Kubernetes users a built-in admission controller that is easy to use out of the box, moving Kubernetes closer toward being secure by default.


Since it’s easier to improve something than start from scratch, a few of us have written two pre-KEP proposals for possible PSP replacements. Each document aims to provide a solid starting point, but has plenty of room for improvement.


Please have a look and improve them with your suggestions and comments!


PSP++ / ContainerBoundaryPolicy gdoc here

Bare Minimum Pod Security gdoc here


We’ll be discussing these proposals, and the underlying philosophical differences between them, at the upcoming meetings of SIG Auth and Kubernetes SIG Security.


Thank you for your time and consideration!


Tabitha Sable, Tim Allclair, and Ian Coldwater

