Skip to content

Recreation of common Pod Security Policy configuration in other common Kubernetes policy engines

License

Notifications You must be signed in to change notification settings

appvia/psp-migration

Repository files navigation

Kubernetes Pod Security Policy Migration

PodSecurityPolicy is dead, long live ???

CI GitHub issues GitHub forks GitHub stars GitHub contributors GitHub last commit Appvia Community Slack GitHub license


🚨 🚧 UNDER ACTIVE DEVELOPMENT (pull requests welcome) 🚧 🚨

This project is striving to recreate common Pod Security Policy configuration in other common kubernetes policy engines, to better inform the consumer how to migrate before it is removed in Kubernetes 1.25

Installation

Download the right binary for your OS and Arch from the latest release

Or you can try it now in your browser!

Usage

The app takes PodSecurityPolicy on stdIn and output your policy engine of choice on stdOut, you select the policy engine with the --engine=<engine>:

$ cat psp.yaml | ./psp-migration --engine=gatekeeper > output.yaml
# or if you're feeling brave you can pipe it back and forth to the kubernetes api
$ kubectl get -o yaml mypodsecuritypolicy | ./psp-migration -e kubewarden | kubectl apply -f -

Known limitations

  • Generated policy will probably be pretty verbose
  • Generated policy will probably have some unintended side effects, please create an issue when this happens
  • Only takes one PodSecurityPolicy at a time
  • Generated policy may conflict with other policies

Features

⚠️ This table is manually updated, see the automated test suites results ⚠️

Note: ❌ Doesn't mean it doesn't work, it just means the test is currently failing, in most cases the test needs to be updated

PSP field Pod Security Policy Pod Security Standard (baseline) Gatekeeper Kyverno Kubewarden k-rail
privileged βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ
hostPID βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ
hostIPC βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ ❌
hostNetwork βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ
hostPorts βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
volumes βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ ❌
allowedHostPaths βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
allowedFlexVolumes βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
readOnlyRootFilesystem βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
runAsUser βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
runAsGroup βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
supplementalGroups βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
fsgroup βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
allowPrivilegeEscalation βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
defaultAllowPrivilegeEscalation βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
allowedCapabilities βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
defaultAddCapabilities βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
requiredDropCapabilities βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
seLinux βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
allowedProcMountTypes βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
apparmor βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ
seccomp βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ βœ”οΈ ❌
forbiddenSysctls βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌
allowedUnsafeSysctls βœ”οΈ ❌ βœ”οΈ βœ”οΈ βœ”οΈ ❌

References