Recreation of common Pod Security Policy configuration in other common Kubernetes policy engines
PodSecurityPolicy is dead, long live ???
This project strives to recreate common Pod Security Policy configuration in other common Kubernetes policy engines, to help consumers plan their migration before PodSecurityPolicy is removed in Kubernetes 1.25.
Download the right binary for your OS and architecture from the latest release.
Or you can try it now in your browser!
The app reads a PodSecurityPolicy on stdin and writes the equivalent policy for your engine of choice to stdout; you select the engine with `--engine=<engine>` (short form `-e`):

```shell
$ cat psp.yaml | ./psp-migration --engine=gatekeeper > output.yaml
# or if you're feeling brave you can pipe it back and forth to the kubernetes api
$ kubectl get -o yaml mypodsecuritypolicy | ./psp-migration -e kubewarden | kubectl apply -f -
```
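To make the translation concrete, here is a small worked example of the same idea: it takes a PodSecurityPolicy and emits a Kyverno ClusterPolicy with validate rules. It is added for this README and is not the psp-migration tool's own code. It only covers the boolean PSP fields (privileged, hostPID, hostIPC, hostNetwork, allowPrivilegeEscalation, readOnlyRootFilesystem), uses a constructed sample PSP, and works on JSON manifests so that it needs nothing beyond the Python standard library; kubectl accepts JSON as well as YAML. The `untranslated` helper reports every PSP field the translation dropped, which is the check you want before switching a PSP off.

```python
"""Translate the boolean fields of a PodSecurityPolicy into a Kyverno
ClusterPolicy of validate rules. Added example, not psp-migration's code."""
import json
import sys

# Constructed sample input: the JSON form of a typical "restricted" PSP.
SAMPLE_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted"},
    "spec": {
        "privileged": False,
        "hostPID": False,
        "hostIPC": False,
        "hostNetwork": False,
        "allowPrivilegeEscalation": False,
        "readOnlyRootFilesystem": True,
        "runAsUser": {"rule": "MustRunAsNonRoot"},
        "volumes": ["configMap", "emptyDir", "secret"],
    },
}

HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")
# The only PSP spec fields this example translates.
HANDLED_FIELDS = HOST_NAMESPACE_FIELDS + (
    "privileged", "allowPrivilegeEscalation", "readOnlyRootFilesystem")


def _rule(name, message, spec_pattern):
    """One Kyverno validate rule that checks every Pod against a spec pattern."""
    return {
        "name": name,
        "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
        "validate": {"message": message, "pattern": {"spec": spec_pattern}},
    }


def _per_container(security_context, optional):
    """Apply one securityContext pattern to containers, initContainers and
    ephemeralContainers. Kyverno's =(key) anchor means "check only if present",
    so optional=True also accepts containers that omit securityContext."""
    key = "=(securityContext)" if optional else "securityContext"
    entry = [{key: security_context}]
    return {"containers": entry,
            "=(initContainers)": entry,
            "=(ephemeralContainers)": entry}


def psp_to_kyverno(psp):
    """Return a Kyverno ClusterPolicy dict for the PSP's boolean fields."""
    spec = psp.get("spec", {})
    name = psp.get("metadata", {}).get("name", "psp")
    rules = []

    # Each host* field defaults to false in a PSP, and false means pods may
    # not request that host namespace; only the disallowed ones need a rule.
    blocked = sorted(f for f in HOST_NAMESPACE_FIELDS if not spec.get(f, False))
    if blocked:
        rules.append(_rule("host-namespaces",
                           "Sharing the host namespaces is disallowed.",
                           {"=(%s)" % f: "false" for f in blocked}))

    # privileged defaults to false on both sides, so a container that omits
    # securityContext.privileged is fine (optional anchor).
    if not spec.get("privileged", False):
        rules.append(_rule("privileged-containers",
                           "Privileged mode is disallowed.",
                           _per_container({"=(privileged)": "false"}, True)))

    # PSP allowPrivilegeEscalation defaults to true. When false, the PSP admission
    # controller would default the pod's field to false; a validate rule cannot
    # mutate, so it requires the pod to set false explicitly instead.
    if not spec.get("allowPrivilegeEscalation", True):
        rules.append(_rule("privilege-escalation",
                           "Privilege escalation is disallowed.",
                           _per_container({"allowPrivilegeEscalation": "false"}, False)))

    # readOnlyRootFilesystem: true requires every container to set it.
    if spec.get("readOnlyRootFilesystem", False):
        rules.append(_rule("read-only-root-filesystem",
                           "Root filesystem must be read-only.",
                           _per_container({"readOnlyRootFilesystem": "true"}, False)))

    return {
        "apiVersion": "kyverno.io/v1",
        "kind": "ClusterPolicy",
        "metadata": {"name": "psp-%s" % name},
        "spec": {"validationFailureAction": "enforce", "background": True,
                 "rules": rules},
    }


def untranslated(psp):
    """PSP spec fields this translation drops. A migration is only complete
    once this set is empty or every entry is covered by another policy."""
    return set(psp.get("spec", {})) - set(HANDLED_FIELDS)


if __name__ == "__main__":
    # Read a PSP as JSON from stdin, or fall back to the constructed sample.
    psp = SAMPLE_PSP if sys.stdin.isatty() else json.load(sys.stdin)
    for field in sorted(untranslated(psp)):
        print("warning: PSP field %r was not translated" % field, file=sys.stderr)
    json.dump(psp_to_kyverno(psp), sys.stdout, indent=2)
    print()
```

Run it with no input to see the policy generated for the sample PSP, or pipe `kubectl get psp <name> -o json` into it. The warnings on stderr are the important part: for the sample PSP they list `runAsUser` and `volumes`, which this example does not translate, so a real migration would still need separate rules for those before the PSP is dropped.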
Note: ❌ doesn't mean the feature doesn't work; it means the corresponding test is currently failing, and in most cases it is the test that needs to be updated.
PSP field | Pod Security Policy | Pod Security Standard (baseline) | Gatekeeper | Kyverno | Kubewarden | k-rail |
---|---|---|---|---|---|---|
privileged | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
hostPID | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
hostIPC | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
hostNetwork | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
hostPorts | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
volumes | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
allowedHostPaths | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
allowedFlexVolumes | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
readOnlyRootFilesystem | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
runAsUser | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
runAsGroup | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
supplementalGroups | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
fsgroup | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
allowPrivilegeEscalation | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
defaultAllowPrivilegeEscalation | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
allowedCapabilities | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
defaultAddCapabilities | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
requiredDropCapabilities | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
seLinux | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
allowedProcMountTypes | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
apparmor | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
seccomp | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
forbiddenSysctls | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |
allowedUnsafeSysctls | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ❌ |