Remove PodSecurityPolicy ✂️ #4122
PodSecurityPolicy is being deprecated in Kubernetes 1.21, and isn't being exercised by our CI. Let's just remove it from the payload (the `release.yaml` file).
Signed-off-by: Vincent Demeester <[email protected]>
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: sbwsg. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
I don't see the rush for this TBH? Tekton min k8s version is 1.18, and PSP is not deprecated until 1.21. Looking at https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/ a k8s replacement is not available yet, and PSP will still be available for a while. The alternative available today is admission controllers - so we could document that, or link to the k8s docs about that.
/test check-pr-has-kind-label
The corresponding issue is in 0.28 milestone, so I added it there.
We should probably figure out what user migration for this would look like - can we document the best next step as part of release notes? At the moment it's not totally clear what those steps would look like. Maybe moving back to 0.30 is a good idea, and giving one release of notice for 0.29 that this is going away?
@tektoncd/core-maintainers, it seems we're not ready to move ahead with this so considering moving it to the next milestone - maybe we can give a deprecation notice in this release as @sbwsg suggested above?
Sounds good to me!
/hold
@vdemeester: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@dibyom, we also have a strong interest in migrating to PodSecurityAdmission and are curious to see your solution. Actually, we already tried some first steps. To achieve 'restricted' we just had to add 'runAsNonRoot = false' to 'securityContext' in various deployments.
Closing this for the time being
@vdemeester: Closed this PR. In response to this:
Changes
PodSecurityPolicy is being deprecated in Kubernetes 1.21, and isn't being exercised by our CI. Let's just remove it from the payload (the `release.yaml` file).

Closes #4112

Signed-off-by: Vincent Demeester <[email protected]>
/kind cleanup
/cc @tektoncd/core-collaborators