Remove PSP from examples

Question

Remove PSP from examples

hazcod opened this issue 4 years ago · 1 comments

Hi, there is news PodSecurityPolicy will go away in Kubernetes.
Perhaps we should. rewrite the rego examples so they do not depend on the PSP definition, but check the Pod spec?

e.g. https://github.com/plexsystems/konstraint/blob/main/examples/psp-deny-privileged/src.rego#L21

Answer 1 · 2021-02-08T18:36:59.000Z

Hi @hazcod . We already have many of the matching policies for the Pod/Container resources as well, see https://github.com/plexsystems/konstraint/tree/main/examples/container-deny-privileged as an example. The PSP policies were created as an example of using the RBAC library plus testing Gatekeeper's sync feature with conftest locally.

Since PSPs won't be removed from K8s for ~5 more releases, we have some time to think about other policies that will help demonstrate the same things. Keep in mind these are a set of example policies that show how to use Konstraint, and are not meant to be an exhaustive library.