Slide 11
On the deprecation of PodSecurityPolicy
▶ PSP was deprecated in Kubernetes v1.21 and is scheduled for removal in v1.25
▶ For the background to the deprecation, see the following links
+ KEP-2579: Pod Security Admission Control - Motivation
+ https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement#motivation
+ PodSecurityPolicy Deprecation: Past, Present, and Future
+ https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#why-is-podsecuritypolicy-going-away
It is easy to accidentally grant broader permissions than intended, and difficult to inspect which PSP(s) apply in a given situation.
The "changing Pod defaults" feature can be handy, but is only supported for certain Pod settings and it's not obvious when they will or will not apply to your Pod.
Without a "dry run" or audit mode, it's impractical to retrofit PSP to existing clusters safely, and it's impossible for PSP to ever be enabled by default.
[Quoted from PodSecurityPolicy Deprecation: Past, Present, and Future]
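The missing audit mode called out in the quote above is exactly what the replacement linked from KEP-2579, Pod Security Admission, provides through namespace labels. The following is an added example, not part of the original slides and not taken from the KEP: a Namespace that applies the built-in "restricted" profile in audit and warn modes only, so existing Pods keep running while every violation is written to the API server audit log and surfaced as a warning to kubectl users. The namespace name "payments" is a placeholder assumption.

```yaml
# Added example (not from the slides): Pod Security Admission labels on a Namespace.
# Namespace name "payments" is a placeholder assumption.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Record violations of the "restricted" profile in the audit log
    # and return them as warnings on create/update, without rejecting anything.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
    # Only after the audit log is clean for this namespace, add enforcement:
    # pod-security.kubernetes.io/enforce: restricted
    # pod-security.kubernetes.io/enforce-version: latest
```

Before adding the enforce label, the same evaluation can be run as a genuine dry run: `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted` asks the API server to check the namespace's existing Pods against the profile and prints a warning for each one that would be blocked, without changing the namespace. In production, pin the `*-version` labels to a specific Kubernetes minor version (for example `v1.25`) rather than `latest`, so that a cluster upgrade that tightens a profile does not silently start rejecting workloads.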