psp scheduled for removal

[ArgTang]

kubernetes/kubernetes#97171

The PodSecurityPolicy API is deprecated in 1.21, and will no longer be served starting in 1.25.

For some cloudvendors this timeline is even more strict. like azure AKS.

most fields can be set right in the deployment manifest. as podsecuritycontext, or securityContext per container. Maybe they can be moved there?

[jcmoraisjr]

Yeah I'm aware of this deprecation but couldn't take the time to see alternatives - except to not configure psp in the customized values file. We've already pod security context which can be freely customized, maybe we can also add container security context? Any other suggestion?

[ArgTang]

security context would be a nice thing to add.
Maybe provide have a separate feature flag for psp and roles so people could disable the current psp?

[jcmoraisjr]

psp is currently disabled by default:

rbac:
  security:
    enable: false

This however doesn't disable roles and rolebindings used to authorize haproxy ingress in the cluster. Only psp related role and rolebindings are removed / not created.

Regarding container security context seems to be a good idea but I could find a good place to the configuration in the values file - something that allows me eg to configure one container and not the other. I'll leave this open until we have a proper implementation.