Replace PodSecurityPolicy with new policy API #48

Open
jackfrancis opened this issue Mar 29, 2021 · 9 comments
Labels
good first issue Good for newcomers

Comments

@jackfrancis
Contributor

The Kubernetes project will deprecate PodSecurityPolicy starting with 1.21.0, and then remove it entirely starting at 1.25.0. See:

This issue tracks the replacement of the existing kured PodSecurityPolicy implementation with its replacement. This KEP is an indication of where things are (probably) going:

@evrardjp
Contributor

👍

Should we do this for 1.7.0, 1.8.0, or above? 1.7.0 supports 1.19 to 1.21 (and therefore will fall under the deprecated environment versions).

However, if there is no clear winner (as a path to implementation), and the winner is not backported to 1.19 or below, I suppose we should NOT move to a new solution anytime soon, else it will break our existing users.

PS: I am sorry if I am repeating what might be obvious here, it's just for reference/understanding for any contributor.

@jackfrancis
Contributor Author

jackfrancis commented Mar 29, 2021

Above. The new API doesn't yet exist. :) So this is just a long-term tracking issue to ensure that the kured project is ready.

@evrardjp
Contributor

Yup that's what I understood, thanks for confirming.

@evrardjp evrardjp added the good first issue Good for newcomers label Mar 29, 2021
@evrardjp
Contributor

I am marking this PR as "good first issue" for two reasons:

  1. It indeed isn't too hard to implement :)
  2. With this tag, our issue expiring bot will not expire this issue.

@github-actions

This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).

@dholbach dholbach reopened this Jun 22, 2021
@ckotzbauer
Member

The new PodSecurity API is in beta now (with 1.23.0): https://kubernetes.io/blog/2021/12/09/pod-security-admission-beta/

@VedRatan

Hi! I'm new to this repo and would like to work on this issue. I've gone through some of the code but couldn't find the exact file in which I have to make changes. Could anyone please help me by telling me the exact file path in which I have to make changes?

@ckotzbauer
Member

Please have a look at the helm chart: https://github.com/kubereboot/charts/tree/main/charts/kured/templates. I think there should be no references in this repo.

@ckotzbauer
Member

When Kubernetes 1.28 is out in about ten days and we release Kured 1.14.0 (with built-in k8s 1.27 support), we drop support for Kubernetes 1.25, which was the last release with PodSecurityPolicies, so we are safe to remove them from the chart.
The "Pod Security Standards" are mostly about the securityContext of the container, which can be configured in the helm-chart, so I think we don't really need to add some replacements on our side.

Thoughts on this? @jackfrancis @evrardjp
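
Added example, not part of the thread and not code from kured or its chart: a small checker that reports which Pod Security Standards controls a pod spec fails and whether each lives in the container `securityContext` or at pod level. It covers only a subset of the Baseline and Restricted controls; the function names and both sample specs are constructed for illustration.

```python
# Added example: checks a SUBSET of Pod Security Standards controls.
# Capabilities the Baseline profile allows a container to add.
BASELINE_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

def pss_violations(pod_spec):
    """Return (profile, field) pairs for each checked control the spec fails."""
    found = []
    # Pod-level host namespace controls (outside any securityContext).
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            found.append(("baseline", f"spec.{key}"))
    pod_sc = pod_spec.get("securityContext") or {}
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        base = f"containers[{c['name']}].securityContext"
        if sc.get("privileged"):
            found.append(("baseline", base + ".privileged"))
        if set(caps.get("add", [])) - BASELINE_CAPS:
            found.append(("baseline", base + ".capabilities.add"))
        # Restricted requires these to be set explicitly.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(("restricted", base + ".allowPrivilegeEscalation"))
        if "ALL" not in caps.get("drop", []):
            found.append(("restricted", base + ".capabilities.drop"))
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(("restricted", base + ".runAsNonRoot"))
    return found

def highest_level_passed(pod_spec):
    """Strictest profile the spec satisfies, for the controls checked here."""
    profiles = {profile for profile, _ in pss_violations(pod_spec)}
    if "baseline" in profiles:
        return "privileged"
    return "baseline" if "restricted" in profiles else "restricted"

# Constructed sample specs (not taken from any real chart).
HOST_ACCESS_POD = {"hostPID": True, "containers": [
    {"name": "demo", "securityContext": {"privileged": True}}]}
HARDENED_POD = {"containers": [{"name": "demo", "securityContext": {
    "allowPrivilegeEscalation": False, "runAsNonRoot": True,
    "capabilities": {"drop": ["ALL"]}}}]}

if __name__ == "__main__":
    for name, spec in (("host-access", HOST_ACCESS_POD), ("hardened", HARDENED_POD)):
        print(name, highest_level_passed(spec), pss_violations(spec))
```
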

@dholbach dholbach transferred this issue from kubereboot/kured Aug 4, 2023