Tell us about your request
We are looking at adding a PodSecurityPolicy to our EKS clusters, mostly focused on restricting privileged containers and hostPath mounting. It looks like EKS doesn't yet support the PodSecurityPolicy Admission Controller.
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We operate a shared group of EKS clusters for a wide range of internal development teams. For this multi-tenant nature, we like to prevent inadvertent changes by developers to kernel parameters, breaking host components, etc., which may cause issues in other pods.
Are you currently working around this issue?
Hoping 🙏
Additional context
Attachments
Will AWS break "alpha feature rule" for PodSecurityPolicy?
PSP turns beta in 1.13 only.
See https://github.com/awslabs/amazon-eks-ami/issues/145#issuecomment-459052026
Will delivering #30 help with this issue (as also asked in the other issue: https://github.com/aws/containers-roadmap/issues/30#issuecomment-459144990)?
Why do you say that PodSecurityPolicy is in alpha until 1.13? Docs seem to indicate it was beta long before that. e.g. https://v1-11.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#podsecuritypolicy-v1beta1-extensions
We can't use EKS until PSP support is added =(
Can confirm that EKS will support the PodSecurityPolicy admission controller along with K8s version 1.13 - https://github.com/aws/containers-roadmap/issues/30
K8s 1.13 includes default support for the PodSecurityPolicy Admission controller. https://github.com/aws/containers-roadmap/issues/30
Learn more on the AWS Blog: Using Pod Security Policies with Amazon EKS Clusters or documentation