
Migrating From PodSecurityPolicy

2022-10-27

Authors: Tim Allclair, Sam Stoelinga


Summary

The presentation discusses the migration from Pod Security Policy (PSP) to Pod Security Admission (PSA) in Kubernetes and the limitations of PSA.
  • PSA is a simpler and more secure way to manage pod security in Kubernetes
  • PSA is built into Kubernetes and guarantees that any new features added to Kubernetes will be constrained by PSA
  • The PSP Migrator tool can be used to detect PSPs and migrate from PSP to PSA
  • PSA has limitations, such as being controlled through namespace labels and a lack of customization
The PSP Migrator tool was demonstrated to show how it can detect PSPs and migrate from PSP to PSA. It checks for mutating PSPs and suggests using the Baseline level in the default namespace. It also makes the migration easier than doing it manually.

Abstract

Pod Security Policy (PSP) has been completely removed in Kubernetes v1.25, making it essential for users to migrate their clusters before upgrading to v1.25. The good news is that the Pod Security admission controller, designed as a simpler successor to PSP, just graduated to stable. The bad news is that the migration is not always straightforward. In this talk, you will see the quick-and-dirty migration path, and then dive deep into the nuances and challenges of migrating off PSP. We will also explore a couple of alternatives to the Pod Security admission controller, and when and why you might choose those alternatives instead. The goal of this talk is to empower you to confidently and safely begin upgrading your clusters, and bid farewell to PSP.
