Comments (3)
Thanks for the feedback @joebowbeer. You have roughly 2 years to decide. Until then, you can continue using PSPs or, once it emerges from alpha, you can use the PSP Replacement (presently, EKS only supports beta and GA features). If you have complex policy requirements you may want to consider using OPA, e.g. if you need to validate elements of the pod specification outside of securityContext. Here is a brief but good discussion on the deprecation of PSP, https://youtu.be/2G09tl9Gx_Q?t=638.
from aws-eks-best-practices.
We should also include Gatekeeper's support for PSP here.
from aws-eks-best-practices.
@jicowan Currently, OPA Gatekeeper is only mentioned in two links in a Tools and Resources section at the bottom of the page. Is this adequate guidance? (I ask this naively not rhetorically.)
Given that PSP is deprecated, I'm trying to determine what the best practice should be regarding pod security. Can you discuss the decision of whether to replace and/or augment PSP with Gatekeeper or Kyverno in the body of this section? I would appreciate it if you could recommend a course of action. Or are we to assume that we should stick with PSP for now, even if we are creating a new cluster?
from aws-eks-best-practices.