**Deprecating** May 3rd 2021: Support for Pod Security Policies (preview)

[jnoller]

Pod security policy (preview) will be deprecated on February 1st, 2021. This deadline has been extended from the initial deprecation date of October 15th, 2020 to provide more time to migrate to Azure Policy / OPA solutions.

• Impacted customers with existing preview clusters enabled with pod security policy (preview) were sent the communication email via admin emails on July 13th for the initial deprecation notice.
  • The follow-up extension of the deadline was sent on September 10th, 2020 moving the deprecation to 02/01/2021.
• AKS release notes announced the initial deprecation warning in 2020-07-06.
• Existing PSP document contains a warning with details.
• The succeeding feature, Azure Policy for AKS contains a deep dive document for pod security through Policy for AKS.

[claudod]

Hi, thanks for this feature. The ordinary question: any idea on the ETA for GA ?

[sauryadas]

I doubt this will go GA given that there are plans to deprecate PSP upstream and roll it up with Azure Policy that leverages both OPA/Gatekeeper.

Deprecation is not finalized yet.. Take a look at the June 19th comments in the thread below
kubernetes/enhancements#5

[ferantivero]

@jluk may I ask what this label roadmap removal means for now?

[jluk]

The roadmap label was a duplicate of feature label, so the removal doesn't mean anything in particular.

PSP is a unique case though, in that the upstream community is not showing signs of moving this feature to stable which would block AKS from making it GA. For the future of PSP the trends point to OPA/Gatekeeper to replace it over time. You can look to the Azure Policy for AKS addon which implements OPA/GK in a cluster on your behalf in a managed fashion.

https://docs.microsoft.com/en-us/azure/governance/policy/concepts/rego-for-aks

[jluk]

Pod security policy (preview) will be deprecated on October 15th, 2020.

• Impacted customers with existing preview clusters enabled with pod security policy (preview) were sent the communication email via admin emails on July 13th.
• AKS release notes announced in 2020-07-06.
• Existing PSP document contains a warning with details.
• The succeeding feature, Azure Policy for AKS contains a deep dive document for pod security through Policy for AKS. This feature is tracked in issue [Feature] [Successor to pod security policy (preview)] Support audit & deny of pod security policies based on Azure policies #1715.

[alextrs]

PSP doesn't just validate that pod is in compliance it also can set defaults. Azure Policy for AKS only can deny or audit deployment. It is very painful to go deployment by deployment and make sure securityContext is set correctly, and for many operators even impossible. Is there a way to set defaults with Azure Policy for AKS?

[ritazh]

Thanks for the feedback @alextrs. I am one of the maintainers of the Gatekeeper project. Currently the Gatekeeper project is focusing on getting the admission side of things to stable as those seem to be the most broadly useful features from a security perspective. Mutation is significantly more complex than validation. It is in the project's backlog. I will share updates here once there's more progress with mutation.

[PrabhuMathi]

Good news but still still why deprecating and it? it is better to leave it with user itself!

[ghost]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[ghost]

This issue will now be closed because it hasn't had any activity for 15 days after stale. jnoller feel free to comment again on the next 7 days to reopen or open a new issue after that time if you still have a question/issue or suggestion.