Replace NGINX's PodSecurityPolicy objects with PodSecurityAdmission
Summary
Context: gitlab-org&7599 (comment 1097387625)
https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes
PodSecurityPolicy was initially deprecated in v1.21, and with the release of v1.25, it has been removed. The updates required to improve its usability would have introduced breaking changes, so it became necessary to remove it in favor of a more friendly replacement. That replacement is Pod Security Admission, which graduates to Stable with this release. If you are currently relying on PodSecurityPolicy, please follow the instructions for migration to Pod Security Admission.
I see that our forked NGINX chart is still referencing PSPs.
Even upstream, the latest version still references them but they're disabled by default (also disabled by default in our fork).
https://github.com/kubernetes/ingress-nginx/issues/7852 exists to address this, but it has no activity yet. Update: the issue was closed as stale by their maintenance bot on 26 March 2022.
Related reading
- https://kubernetes.io/docs/concepts/security/pod-security-admission/
- https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
- https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/
Acceptance criteria
- NGINX's PSPs are replaced with PSAs