Question about replacing PSP with PSA in EKS unmanaged cluster


Hi, I currently have my cluster upgraded to v1.24, and I have already installed the pod-security-admission webhook. It also worked, as I could see there were some warnings. But if I remove the default eks.privileged policy, pods fail to create with the error "no providers available to validate pod request". Is there anything else I need to do to completely disconnect that PSP? If I upgrade my cluster to v1.25 now, will it be disrupted because PSP is removed from Kubernetes 1.25? Thanks!

vinhoe
asked a year ago, 2188 views
1 Answer
1
Accepted Answer

Please be advised that as of Amazon EKS 1.23, the PodSecurity validating admission controller is already installed as part of native Kubernetes. You do not have to install any additional OSS PSA webhook.

Amazon EKS clusters with Kubernetes versions 1.13 to 1.24 have a default pod security policy named eks.privileged. This policy is no longer relevant starting from Amazon EKS 1.25. For this particular PSP, you will not need to do anything. However, if you remove this PSP (or the associated ClusterRole and ClusterRoleBinding) prior to 1.25, your Pods will not start in Amazon EKS. You will see the error you mentioned:

pods "..." is forbidden: PodSecurityPolicy: no providers available to validate pod request

So, you should not remove this PSP or its associated resources prior to Amazon EKS 1.25. As of 1.25, these resources are no longer available, and you do not need to do anything to remediate them. However, you will have to remediate any PSP resources you have created beyond the default eks.privileged PSP.

For additional information about moving from PSP to PSA/PSS, please reference our blog post, Implementing Pod Security Standards in Amazon EKS. You can also reference this OSS project, Pod Security Admission (PSA) Testing for Kubernetes 1.23, which explains how we tested PSA/PSS when PSA went beta in Kubernetes 1.23.

Finally, there is an additional blog post, Managing Pod Security on Amazon EKS with Kyverno, which explains how to use PSA/PSS with the Policy-as-Code solution Kyverno, in case PSA/PSS does not provide the granular security you need, or that you had with PSP.

As always, please reach out should you have additional questions or concerns.

AWS
answered a year ago
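The accepted answer says the only PSPs that need remediation before 1.25 are the ones you created yourself, and that the replacement is PSA/PSS driven by namespace labels. The following is an added example, not code from the thread or from AWS: it takes PSP objects in the shape `kubectl get psp -o json` returns (the sample PSPs below are constructed for the example), skips eks.privileged, maps each remaining PSP to the nearest PSS level, and emits the `pod-security.kubernetes.io/*` namespace labels to apply. The PSP-to-PSS mapping is a heuristic assumption that looks at the PSP fields most relevant to the baseline and restricted profiles, not an exhaustive PSS check.

```python
"""
Pre-1.25 check: map custom PodSecurityPolicies to the nearest Pod Security
Standards (PSS) level and build the Pod Security Admission (PSA) namespace
labels. Added example, not code from the thread or from AWS.

The PSP -> PSS mapping below is a heuristic (assumption): it examines the
PSP fields that decide baseline vs restricted, not every PSS control.
"""
from typing import Dict, List

# Default EKS PSP that disappears on 1.25; per the answer it needs no remediation.
DEFAULT_EKS_PSP = "eks.privileged"

# PSP booleans that, when allowed, put workloads outside the baseline profile.
BASELINE_BREAKING_FLAGS = ("privileged", "hostNetwork", "hostPID", "hostIPC")

# Constructed sample input in the shape of `kubectl get psp -o json` items.
SAMPLE_PSPS: List[Dict] = [
    {"metadata": {"name": "eks.privileged"},
     "spec": {"privileged": True, "hostNetwork": True, "hostPID": True,
              "hostIPC": True, "volumes": ["*"], "runAsUser": {"rule": "RunAsAny"}}},
    {"metadata": {"name": "restricted-apps"},
     "spec": {"allowPrivilegeEscalation": False, "requiredDropCapabilities": ["ALL"],
              "runAsUser": {"rule": "MustRunAsNonRoot"},
              "volumes": ["configMap", "secret", "emptyDir", "persistentVolumeClaim"]}},
    {"metadata": {"name": "legacy-web"},
     "spec": {"runAsUser": {"rule": "RunAsAny"},
              "volumes": ["configMap", "secret", "emptyDir"]}},
    {"metadata": {"name": "node-monitoring"},
     "spec": {"hostNetwork": True, "runAsUser": {"rule": "RunAsAny"},
              "volumes": ["hostPath", "configMap"]}},
]


def pss_level_for_psp(psp: Dict) -> str:
    """Return the least-permissive PSS level that still admits what this PSP allows."""
    spec = psp.get("spec", {})
    # Privileged containers, host namespaces or hostPath are only representable
    # by the "privileged" PSS level (baseline forbids all of them).
    if any(spec.get(flag, False) for flag in BASELINE_BREAKING_FLAGS):
        return "privileged"
    volumes = set(spec.get("volumes", []))
    if "*" in volumes or "hostPath" in volumes:
        return "privileged"
    # Restricted additionally demands no privilege escalation, a non-root user
    # and dropping ALL capabilities. A PSP that enforces all three is a fit.
    no_escalation = spec.get("allowPrivilegeEscalation") is False
    non_root = spec.get("runAsUser", {}).get("rule") == "MustRunAsNonRoot"
    drops_all = "ALL" in spec.get("requiredDropCapabilities", [])
    if no_escalation and non_root and drops_all:
        return "restricted"
    return "baseline"


def namespace_labels(level: str, enforce: bool = False, version: str = "latest") -> Dict[str, str]:
    """PSA labels for a namespace: warn+audit first, add enforce once workloads are clean."""
    prefix = "pod-security.kubernetes.io/"
    labels = {
        prefix + "warn": level, prefix + "warn-version": version,
        prefix + "audit": level, prefix + "audit-version": version,
    }
    if enforce:
        labels[prefix + "enforce"] = level
        labels[prefix + "enforce-version"] = version
    return labels


def remediation_plan(psps: List[Dict]) -> Dict[str, str]:
    """Map every custom PSP name to its PSS level; eks.privileged is left out."""
    return {
        psp["metadata"]["name"]: pss_level_for_psp(psp)
        for psp in psps
        if psp["metadata"]["name"] != DEFAULT_EKS_PSP
    }


if __name__ == "__main__":
    for name, level in remediation_plan(SAMPLE_PSPS).items():
        print(f"{name}: nearest PSS level = {level}")
        for key, value in namespace_labels(level).items():
            print(f"  {key}={value}")
```

Run it against real data with `kubectl get psp -o json` and feed the `items` list to `remediation_plan`; then apply the returned labels with `kubectl label ns <namespace> ...`, keeping enforce off until the warn and audit output for that namespace is empty. A PSP that maps to "privileged" here is the signal that the namespace still relies on something PSS cannot express, which is where the Kyverno route in the answer comes in.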
