HNC: Adapt to new PSP replacement
yiqigao217 opened this issue · comments
See new PSP replacement.
The change is about replacing current PSP, which is not namespaced, with namespace labels such as podsecurity.kubernetes.io/warn=restricted
. The PodSecurityPolicy is deprecated as of Kubernetes v1.21, and will be removed in v1.25.
People will use these new labels to enforce pod security policies per namespace then. Since the label is on namespaces and HNC doesn't propagate labels on a subnamespace, there's no difference of HNC creating a new subnamespace or privileged users creating a new namespace without additional labels. However, users without privileges to create namespaces may not be able to update namespace labels. So we may need to enable them to self-serve namespaces with labels.
Moved to kubernetes-sigs/hierarchical-namespaces#18
/close
@adrianludwin: Closing this issue.
In response to this:
Moved to kubernetes-sigs/hierarchical-namespaces#18
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.