This repository has been archived by the owner on Jun 29, 2022. It is now read-only.

psp: Make the restrictive policy as the first on the list #1328

Closed
wants to merge 1 commit into from

Conversation

surajssd
Member

@surajssd surajssd commented Jan 16, 2021

The policy order of PSP has two methods of selecting a PSP for
applications:

  1. If a PSP allows the pod specification as is without a mutation, then
    that PSP is used.
  2. If the above condition fails, then the first PSP is chosen from an
    allowed-PSP list, and the pod is mutated accordingly.

In Lokomotive's case the general cluster-wide PSP for apps that don't
ship a PSP is the minimal restrictive PSP. So we need to ensure that it is
at the top of the list for selection, not the bottom.
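As an added illustration (not code from this PR or from Lokomotive), here is a small Python model of the selection rule described above: candidate policies are sorted by name, a policy that admits the pod unchanged wins regardless of position, and otherwise the first by name among those that admit the mutated pod is used. The policy fields, policy names and pod are constructed for the example, and the list passed in is assumed to already be the set of PSPs the pod's service account is authorized to use.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Simplified PodSecurityPolicy: two validating fields and one defaulting
# (mutating) field, enough to reproduce the ordering behaviour.
@dataclass(frozen=True)
class Policy:
    name: str
    privileged: bool                   # may the pod run privileged containers?
    allow_privilege_escalation: bool   # may the pod request allowPrivilegeEscalation=true?
    default_allow_privilege_escalation: Optional[bool] = None  # defaulted in if the pod leaves it unset

def admit(policy: Policy, pod: dict) -> Optional[dict]:
    """Return the (possibly mutated) pod if the policy accepts it, else None."""
    out = dict(pod)
    if out["privileged"] and not policy.privileged:
        return None
    # Mutation step: fill in the pod's unset field from the policy default.
    if out["allow_privilege_escalation"] is None and policy.default_allow_privilege_escalation is not None:
        out["allow_privilege_escalation"] = policy.default_allow_privilege_escalation
    if out["allow_privilege_escalation"] and not policy.allow_privilege_escalation:
        return None
    return out

def select_psp(policies, pod: dict) -> Optional[str]:
    """Mimic the admission controller: prefer any non-mutating match,
    otherwise the first (by name) policy that admits the mutated pod."""
    ordered = sorted(policies, key=lambda p: p.name)
    admitted = [(p, admit(p, pod)) for p in ordered]
    admitted = [(p, out) for p, out in admitted if out is not None]
    if not admitted:
        return None  # no authorized policy accepts this pod: rejected
    for p, out in admitted:
        if out == pod:  # accepted as-is, no defaults applied
            return p.name
    return admitted[0][0].name  # alphabetically first among mutating matches

# Constructed sample: the cluster-wide minimal policy and a user-supplied one.
# The pod leaves allowPrivilegeEscalation unset, so both policies mutate it,
# and the alphabetical order decides which one is chosen.
MINIMAL = Policy("zz-minimal", privileged=False, allow_privilege_escalation=False,
                 default_allow_privilege_escalation=False)
APP_PSP = Policy("my-app-psp", privileged=False, allow_privilege_escalation=True,
                 default_allow_privilege_escalation=True)
MINIMAL_FIRST = replace(MINIMAL, name="00-minimal")  # same policy, sorts first
POD = {"privileged": False, "allow_privilege_escalation": None}

if __name__ == "__main__":
    print(select_psp([MINIMAL, APP_PSP], POD))        # my-app-psp
    print(select_psp([MINIMAL_FIRST, APP_PSP], POD))  # 00-minimal
```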

Member

@invidian invidian left a comment


Please add some reasoning for the proposed change.

@surajssd
Member Author

> Please add some reasoning for the proposed change.

Yep, on it. I wanted to ensure my hypothesis works.

The policy order of PSP has two methods of selecting a PSP for
applications:

1. If a PSP allows the pod specification as is without a mutation, then
   that PSP is used.
2. If the above condition fails, then the first PSP is chosen from an
   allowed-PSP list, and the pod is mutated accordingly.

In Lokomotive's case the general cluster-wide PSP for apps that don't
ship a PSP is the minimal restrictive PSP. So we need to ensure that it is
at the top of the list for selection, not the bottom.

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>
@surajssd surajssd marked this pull request as ready for review January 18, 2021 06:50
@invidian
Member

> Yep, on it. I wanted to ensure my hypothesis works.

Thanks @surajssd... But I still struggle to understand the need for this PR. Can we have a test case, which will fail without the proposed patch to show the need of it on the patch itself? I think there is some critical information missing here.

Right now we only have one policy allowed in all namespaces, which is zz-minimal. If I deploy workload X, it must use some PSP, so it will either try to use zz-minimal or it will fail if this policy is too restrictive. If I create a policy X for my workload and allow it to use it, then the controller must choose between the policy X and zz-minimal for my workload. In such a case, policy X will always be preferred, as we on purpose add the zz- prefix to our policies, to encourage users to roll their own policies, which might be better tailored to their needs.

See also #293

@surajssd surajssd closed this Jun 1, 2022
@surajssd surajssd deleted the surajssd/modify-psp-minimal branch June 1, 2022 11:43
2 participants