[RFC] PSP replacement proposal - 3-tier policies


Tim Allclair

Mar 11, 2021, 8:45:47 PM
to kubernete...@googlegroups.com, kubernetes-sig-security
We've made great progress in the PSP replacement breakout sessions, and we're close to reaching agreement on the solution to pursue. That solution is the 3-Tier Pod Security Proposal.

There are still implementation details to iron out in the KEP process, but before we proceed with bringing this proposal to KEP, I would appreciate any feedback on the overall design.

Action Item:
Please vote on and leave feedback about this approach through this survey:

The survey will close on Tuesday, March 16th.

Thank you!

-- Tim Allclair

Davanum Srinivas

Mar 11, 2021, 10:27:34 PM
to Tim Allclair, kubernete...@googlegroups.com, kubernetes-sig-security
Tim,

I'd encourage the team to think about conformance as well, especially with the "Enforcing" option. Is a cluster with this on conformant? (Also, what about the versions? What is their impact on conformance tests?)

thanks,
Dims

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-auth" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-auth/CALXpagwUYVnNVFpfiJx8D89QtiKGe7JHu6BpQB_YkaQT8-5idg%40mail.gmail.com.


--
Davanum Srinivas :: https://twitter.com/dims

Tim Allclair

Mar 22, 2021, 8:17:04 PM
to kubernete...@googlegroups.com, kubernetes-sig-security
I've converted the proposal to a KEP: https://github.com/kubernetes/enhancements/pull/2582

Most of the content is copied over from the google doc, with the following additions:

- motivation & goals sections (copied from the PSP replacement goals doc)
- admission configuration section - this is mostly just spec'ing out what we were already discussing
- risks & mitigations - highlighting some concerns that have been raised about this approach.
- updates - discusses how pod updates will be handled in more detail; this section needs review
- test plan
- monitoring - needs more input

Other than that, I attempted to capture active comment threads in the <<[UNRESOLVED]>> sections.

I would still like to hold the PSP breakout session we have scheduled for this Wednesday, March 24th (1pm pacific) to discuss the implementation details and unresolved sections of the KEP. We also can discuss in that meeting whether we're ready to wrap up the breakout sessions and continue offline.

Thank you everyone for all your input and hard work, great progress has been made!

Tim Allclair

Mar 24, 2021, 5:29:13 PM
to kubernete...@googlegroups.com, kubernetes-sig-security
Hi folks,

Thank you to everyone who was able to join the breakout session today. For those who couldn't make it, you can find the notes on the sig-auth agenda, and I'll push an update to the KEP PR in the next few days.

Going forward, we decided that the breakout sessions are still useful, and will continue to meet on the same bi-weekly cadence at least until all the issues are resolved. We hope to make progress between sessions though, so please leave feedback on the PR if you have a chance.

-- Tim Allclair