The Kubernetes community will deprecate PodSecurityPolicy (PSP) in 1.21 and remove the API in 1.25. Similar projects in the current CNCF ecosystem: Kyverno and Open Policy Agent (OPA).

PodSecurityPolicy is a cluster-level Pod security policy that provides fine-grained authorization of Pod operations. In the Kubernetes architecture, the admission controller (like NamespaceLifecycle, ResourceQuota, etc.) is a plug-in that checks requests before they are written


1. The PSP dilemma

The current PodSecurityPolicy feature has the following problems:

  1. The authorization model is flawed
  2. The feature is hard to enable
  3. The API lacks consistency and extensibility, for example in the MustRunAsNonRoot and AllowPrivilegeEscalation settings
  4. It cannot handle dynamically injected sidecars (e.g. Knative)
  5. It is hard to adopt in CI/CD scenarios

2. Alternatives

Kyverno overview

Kyverno is a policy engine designed for Kubernetes (a CNCF Sandbox project). It has the following characteristics:

  • Policies are written as Kubernetes objects, so they are easy to use

  • Convenient configuration and management

  • Declarative validation, mutation and generation of Kubernetes resource configurations

  • Runs as a dynamic admission controller in the Kubernetes cluster

  • Resources can be matched by resource type, name and label selectors; wildcards are supported in names

Open source projects currently adopting this solution include FluxCD v2, among others.
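As an added example (not from the original article or the Kyverno project), the following Kyverno ClusterPolicy expresses two of the PSP settings mentioned above, MustRunAsNonRoot and AllowPrivilegeEscalation, as a Kubernetes-style validation policy; the policy and rule names are assumed.

```yaml
# Hypothetical Kyverno ClusterPolicy that replaces two common PSP settings.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psp-replacement-baseline
spec:
  # "enforce" rejects non-compliant Pods at admission time;
  # switch to "audit" to only report violations while rolling the policy out.
  validationFailureAction: enforce
  # Also scan Pods that already exist in the cluster and report violations.
  background: true
  rules:
    # Equivalent of PSP runAsUser: MustRunAsNonRoot.
    - name: require-run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Every container must set securityContext.runAsNonRoot to true."
        # Pattern semantics: each listed container must carry the field with this value.
        # =(initContainers) is an optional-anchor: the rule applies only if the list exists.
        pattern:
          spec:
            =(initContainers):
              - securityContext:
                  runAsNonRoot: "true"
            containers:
              - securityContext:
                  runAsNonRoot: "true"
    # Equivalent of PSP allowPrivilegeEscalation: false.
    - name: disallow-privilege-escalation
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "allowPrivilegeEscalation must be explicitly set to false on every container."
        pattern:
          spec:
            =(initContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"
```

The pattern checks the per-container securityContext only; a Pod-level runAsNonRoot inherited by the containers would need an anyPattern variant, and system namespaces would normally be excluded with an exclude block before enforcing cluster-wide.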

OPA overview

Open Policy Agent (OPA, a CNCF incubating project) provides a unified framework for policy decisions. It decouples policy decisions from application business logic, abstracts policy definition and the decision process into a general model, and implements a general-purpose policy engine.

It can be used in microservices, Kubernetes, CI/CD, API gateway and other application scenarios.

OPA can be integrated with existing software systems as a sidecar, as an external service, or as a library. OPA accepts any kind of structured data as input, and the decision flow is shown below:

OPA uses the input data together with the policy to make a decision, and the decision logic is kept independent of the data. Examples of such decisions:

  • Which resources a user may access
  • Which subnets may be accessed
  • Which cluster a workload may be deployed to
  • Which container images may be used
  • Which system functions are available to the container
  • At what times access is allowed


Resources

  • Github.com/kubernetes/…
  • PodSecurityPolicy options
  • Red Hat's series on OPA