Feature+Docs: PodSecurityPolicy for Windows

[PatrickLang]

Most of the fields in PodSecurityPolicy today cannot be implemented in Windows since they're based on Linux namespace and UID/GID assumptions.

We need a feature proposal to add or modify what can be implemented on Windows to achieve use cases such as:

• Restricting host path mounts (allowedFlexVolumes, allowedHostPaths)
• Restricting runAsUser based on username[string] or group membership rather than uid/gid
• Using group managed service accounts (related to Feature: Add Group Managed Service Account support to Windows #62038)

Areas that need to be documented as does not apply to Windows:

• hostPID, hostIPC, hostNetwork, hostPorts - these are not possible today without changes to Windows itself, could be considered for future
• fsGroup
• *Capabilities, seLinux, AppArmor, sysctl - these are all Linux specific

Is this a BUG REPORT or FEATURE REQUEST?:

/kind feature

Environment:

• Kubernetes version (use kubectl version): v1.9, v1.10, v1.11
• Cloud provider or hardware configuration: not specific
• OS (e.g. from /etc/os-release): Windows Server 2016, Windows Server version 1709, Windows Server version 1803

[PatrickLang]

/sig windows

[PatrickLang]

/assign

[tallclair]

I'd like to redo PodSecurityPolicy at some point, and don't necessarily see it progressing to GA in its current form. Given that, I think it will be useful to understand the windows requirements for PodSecurityPolicy to inform the design of the successor, but I don't think it's worth investing in retrofitting the current PSP for windows.

[feiskyer]

I'd like to redo PodSecurityPolicy at some point, and don't necessarily see it progressing to GA in its current form.

Any timeline for this?

[tallclair]

No. Discussions are underway (wg-policy) about what should be a native policy vs. a policy DSL (e.g. OPA/rego). Any progress on PodSecurityPolicy is blocked on that guidance.

[derekwaynecarr]

@PatrickLang we need to clarify the pod spec for windows before making updates around the policy discussion.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale