making it possible to grant specific PodSecurity permissions for specific services

[alonSadan]

(moved from https://github.com/kubernetes/pod-security-admission/issues/1)

As a user of this feature I would like to be able to allow specific capabilities for specific services in my project.

The current implementations offers only three general definitions of security levels which can be hard to suit services that require one or two special capabilities.

Also since the admission is applied in the namespace level (and because of the general security levels) it makes me either adopt the most permissive security level for the entire namespace (so that all services with their "special requirements" will be allowed in the cluster), or divide my project into small namespaces increasing it's granularity. I see both options is bad options.

The ability to allow specific capabilities for specific services would help me keeping my project less granular, and secure as possible.

[sftim]

/kind feature

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[liggitt]

/transfer kubernetes

[k8s-ci-robot]

@alonSadan: There are no sig labels on this issue. Please add an appropriate label by using one of the following commands:

• /sig <group-name>
• /wg <group-name>
• /committee <group-name>

Please see the group list for a listing of the SIGs, working groups, and committees available.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

@alonSadan: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[liggitt]

Granting at the namespace level was an intentional design decision. PodSecurityAdmission controls the highest permission pod allowed into a namespace. It is certainly possible to deploy low-privileged things into a namespace that is more permissive.

Dividing into smaller more granular namespaces is the recommended approach, especially if you do not uniformly trust manifest authors.

Experience with the PodSecurityPolicy API and authorization model convinced us that namespace-level, coarse-grained permissions were the right level to build into Kubernetes, and to defer fine-grained policy or sub-namespace authorizations to external policy solutions via admission webhooks.

/close

[k8s-ci-robot]

@liggitt: Closing this issue.

Details

In response to this:

Granting at the namespace level was an intentional design decision. PodSecurityAdmission controls the highest permission pod allowed into a namespace. It is certainly possible to deploy low-privileged things into a namespace that is more permissive.

Dividing into smaller more granular namespaces is the recommended approach, especially if you do not uniformly trust manifest authors.

Experience with the PodSecurityPolicy API and authorization model convinced us that namespace-level, coarse-grained permissions were the right level to build into Kubernetes, and to defer fine-grained policy or sub-namespace authorizations to external policy solutions via admission webhooks.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.