Pod Security Policy Deprecation #335

Open
jdpleiness opened this issue Aug 22, 2023 · 1 comment
@jdpleiness
Contributor

Pod Security Policies (PSPs) were deprecated in Kubernetes 1.21 and will be removed in 1.25. PSPs were replaced with Pod Security Admission labels and Pod Security Standards (Privileged, Baseline, Restricted).

TODO:

  • Remove deprecated APIs from Helm charts
  • Replace with new standards where applicable

Original Slack Thread: https://sourcegraph.slack.com/archives/C05DWT4ANHH/p1692636601829699

@jdpleiness
Contributor Author

Check to see if Baseline security standard has any warnings on a fresh deployment: kubectl label --overwrite ns default pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/warn-version=v1.27

deploy-sourcegraph-helm git:(jdp/psp-deprecation) ✗ helm upgrade --install  sourcegraph charts/sourcegraph/.
Release "sourcegraph" does not exist. Installing it now.
W0821 17:01:20.631517   37370 warnings.go:70] would violate PodSecurity "baseline:v1.27": hostPath volumes (volumes "rootfs", "var-run", "sys", "docker", "disk", "kmsg"), privileged (container "cadvisor" must not set securityContext.privileged=true)
W0821 17:01:20.637322   37370 warnings.go:70] would violate PodSecurity "baseline:v1.27": host namespaces (hostPID=true), hostPath volumes (volumes "rootfs", "sys", "proc")
W0821 17:01:20.637348   37370 warnings.go:70] would violate PodSecurity "baseline:v1.27": hostPort (container "otel-agent" uses hostPorts 4317, 4318, 55679)
W0821 17:01:22.456934   37370 warnings.go:70] annotation "kubernetes.io/ingress.class" is deprecated, please use 'spec.ingressClassName' instead
NAME: sourcegraph
LAST DEPLOYED: Mon Aug 21 17:01:05 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing sourcegraph.

Your release is named sourcegraph.

To learn more about supported configuration, check out https://docs.sourcegraph.com/admin/install/kubernetes/helm.

Also check Restricted standard: kubectl label --overwrite ns default pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/warn-version=v1.27

Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "restricted:latest"
Warning: blobstore-fd75455c9-5hfdf (and 16 other pods): unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: cadvisor-gptl2: privileged, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: codeinsights-db-0 (and 3 other pods): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: node-exporter-c99rm: host namespaces, unrestricted capabilities, restricted volume types, seccompProfile
Warning: otel-agent-bd5jb: hostPort, allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/default labeled (server dry run)

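The warnings above are what the PodSecurity admission controller emits when a namespace carries the pod-security.kubernetes.io/warn label. To make the Baseline and Restricted checks concrete before touching the charts, here is an added example (not code from the Sourcegraph issue, the Helm chart or Kubernetes itself): a small offline checker that takes a pod spec as a dict, shaped like the .spec of kubectl get pod -o json, and returns violation messages worded like the ones in the comment. It covers a subset of the two profiles (host namespaces, hostPath, privileged, hostPort, volume types, allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile). The Kubernetes field names are the real ones; the function names and the two sample specs, which only resemble the cadvisor findings, are constructed for this example.

```python
"""Minimal Pod Security Standards checker (added example, not project code).

Evaluates a pod spec dict against a subset of the Baseline and Restricted
profiles and returns messages in the style of PodSecurity admission warnings.
"""

# Volume sources the Restricted profile allows.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _containers(spec):
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def _effective(spec, container, field):
    """Container-level securityContext overrides the pod-level value."""
    csc = container.get("securityContext") or {}
    psc = spec.get("securityContext") or {}
    return csc.get(field, psc.get(field))


def baseline_violations(spec):
    """Baseline: no host namespaces, hostPath volumes, privileged or hostPort."""
    found = []
    ns = [k for k in ("hostPID", "hostIPC", "hostNetwork") if spec.get(k)]
    if ns:
        found.append("host namespaces (%s)" % ", ".join(f"{k}=true" for k in ns))
    hp = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    if hp:
        found.append("hostPath volumes (volumes %s)" % ", ".join(f'"{n}"' for n in hp))
    for c in _containers(spec):
        if (c.get("securityContext") or {}).get("privileged"):
            found.append(f'privileged (container "{c["name"]}" must not set securityContext.privileged=true)')
        ports = [p["hostPort"] for p in c.get("ports", []) if p.get("hostPort")]
        if ports:
            found.append(f'hostPort (container "{c["name"]}" uses hostPorts {", ".join(map(str, ports))})')
    return found


def restricted_violations(spec):
    """Restricted: everything in Baseline plus the hardening fields below."""
    found = baseline_violations(spec)
    bad = [v["name"] for v in spec.get("volumes", [])
           if not (set(v) - {"name"}) <= RESTRICTED_VOLUME_TYPES]
    if bad:
        found.append("restricted volume types (volumes %s)" % ", ".join(f'"{n}"' for n in bad))
    flags = []  # one entry per failing field, as the admission warning reports it
    for c in _containers(spec):
        csc = c.get("securityContext") or {}
        if csc.get("allowPrivilegeEscalation") is not False:
            flags.append("allowPrivilegeEscalation != false")
        caps = csc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            flags.append("unrestricted capabilities")
        if _effective(spec, c, "runAsNonRoot") is not True:
            flags.append("runAsNonRoot != true")
        prof = _effective(spec, c, "seccompProfile") or {}
        if prof.get("type") not in ("RuntimeDefault", "Localhost"):
            flags.append("seccompProfile")
    found.extend(dict.fromkeys(flags))  # dedupe while keeping order
    return found


# Constructed sample resembling the cadvisor findings (not the chart's manifest).
PRIVILEGED_AGENT = {
    "hostPID": True,
    "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}},
                {"name": "tmp", "emptyDir": {}}],
    "containers": [{
        "name": "cadvisor",
        "image": "example/cadvisor:placeholder",
        "securityContext": {"privileged": True},
        "ports": [{"containerPort": 8080, "hostPort": 8080}],
    }],
}

# Constructed sample that satisfies every Restricted check above.
HARDENED = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data"}}],
    "containers": [{
        "name": "app",
        "image": "example/app:placeholder",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for name, spec in (("privileged-agent", PRIVILEGED_AGENT), ("hardened", HARDENED)):
        for level, fn in (("baseline", baseline_violations), ("restricted", restricted_violations)):
            msgs = fn(spec)
            print(f"{name} / {level}: " + (", ".join(msgs) if msgs else "OK"))
```

Running it prints every finding for the privileged sample under both levels and OK for the hardened one; the hardened spec is also the shape of the securityContext changes a chart needs for workloads that can live under Restricted, while node agents such as cadvisor and node-exporter cannot satisfy Baseline by design and belong in a namespace labelled privileged instead.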
@Chickensoupwithrice Chickensoupwithrice self-assigned this Apr 20, 2024