I'm trying to enable the new PSA controller with Minikube, but no luck (nor with Kind).
Here is the command I'm using to start minikube: minikube start --kubernetes-version=v1.25.3 --feature-gates=PodSecurity=true --extra-config=apiserver.enable-admission-plugins=PodSecurity
This is not really documented properly, but I found that there is both a feature gate for PSA and the admission controller plugin. Even enabling both seems to have no effect.
To make sure I'm not missing something, here is how I'm trying to test it. Namespace configuration:
```
apiVersion: v1
kind: Namespace
metadata:
  name: psa
  labels:
    # enforce the "restricted" Pod Security Standard on Pods created in this namespace
    pod-security.kubernetes.io/enforce: restricted
```
Super unsecure Deployment:
```
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-unsecure
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # deliberately violates the restricted profile: runs as root
      securityContext:
        runAsUser: 0
        runAsGroup: 0
        fsGroup: 0
      # hostPath volumes are forbidden by the baseline (and restricted) profile
      volumes:
        - name: etcvol
          hostPath:
            path: "/etc"
            type: Directory
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
          # privileged, privilege escalation and extra capabilities are all forbidden
          securityContext:
            allowPrivilegeEscalation: true
            privileged: true
            capabilities:
              add: ["NET_ADMIN", "SYS_TIME"]
```
When I try to create this deployment in the `psa` namespace it goes through without a hitch.
OK, I realized this was my misunderstanding of how PSA should work. The PSA controller doesn't check higher-level resources like Deployments, it seems. So the Deployment gets created just fine, but then it can't create Pods because those would be violating the policies.
No configuration is needed at all for minikube (or Kind) (no feature gate or admission plugin configuration) if running Kubernetes 1.25.
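To make the rejection visible without a cluster, here is an added example (not part of the original thread, and not the Kubernetes implementation) that re-implements a subset of the Pod Security Standards "restricted" checks in plain Python and runs them over the pod template from the Deployment above, which is exactly the object the admission controller evaluates when the ReplicaSet tries to create a Pod. It also runs them over a hardened template that passes. The hardened template's image name, UID 101 and port 8080 are assumptions chosen to illustrate a non-root image; substitute whatever your image actually uses.

```python
"""Subset of the Pod Security Standards "restricted" profile, re-implemented
for illustration. Not the Kubernetes code; rules follow the public PSS docs."""
from typing import Any, Dict, List

# Volume types the restricted profile permits.
RESTRICTED_VOLUMES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def check_restricted(pod_spec: Dict[str, Any]) -> List[str]:
    """Return the restricted-profile violations for a pod spec ([] = admitted)."""
    v: List[str] = []
    psc = pod_spec.get("securityContext") or {}

    # Baseline: no host namespaces.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            v.append(f"host namespace: {key}=true")

    # Restricted: only a small allow-list of volume types (hostPath is out).
    for vol in pod_spec.get("volumes") or []:
        vtype = next((k for k in vol if k != "name"), None)
        if vtype not in RESTRICTED_VOLUMES:
            v.append(f'volume "{vol["name"]}": type {vtype} not allowed')

    # Restricted: runAsUser must not be 0 at pod level.
    if psc.get("runAsUser") == 0:
        v.append("pod securityContext.runAsUser=0")

    containers = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])
    for c in containers:
        name = c["name"]
        csc = c.get("securityContext") or {}
        if csc.get("privileged"):
            v.append(f'container "{name}": privileged=true')
        if csc.get("allowPrivilegeEscalation") is not False:
            v.append(f'container "{name}": allowPrivilegeEscalation must be false')
        caps = csc.get("capabilities") or {}
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            v.append(f'container "{name}": adds capabilities {sorted(extra)}')
        if "ALL" not in (caps.get("drop") or []):
            v.append(f'container "{name}": must drop ALL capabilities')
        if csc.get("runAsUser") == 0:
            v.append(f'container "{name}": runAsUser=0')
        # Container-level setting wins; otherwise fall back to the pod level.
        if csc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            v.append(f'container "{name}": runAsNonRoot must be true')
        seccomp = (csc.get("seccompProfile") or psc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f'container "{name}": seccompProfile must be RuntimeDefault or Localhost')
    return v


# The Deployment's .spec.template.spec from the question, as a dict (constructed input).
UNSECURE_POD: Dict[str, Any] = {
    "securityContext": {"runAsUser": 0, "runAsGroup": 0, "fsGroup": 0},
    "volumes": [{"name": "etcvol", "hostPath": {"path": "/etc", "type": "Directory"}}],
    "containers": [{
        "name": "nginx", "image": "nginx:1.14.2",
        "ports": [{"containerPort": 80}],
        "securityContext": {
            "allowPrivilegeEscalation": True, "privileged": True,
            "capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]},
        },
    }],
}

# A template that satisfies the restricted profile. Image, UID and port are
# assumptions standing in for "an image that runs as a non-root user".
HARDENED_POD: Dict[str, Any] = {
    "securityContext": {
        "runAsNonRoot": True, "runAsUser": 101, "runAsGroup": 101, "fsGroup": 101,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "volumes": [{"name": "cache", "emptyDir": {}}],
    "containers": [{
        "name": "nginx", "image": "nginxinc/nginx-unprivileged:1.25",
        "ports": [{"containerPort": 8080}],
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("unsecure", UNSECURE_POD), ("hardened", HARDENED_POD)):
        problems = check_restricted(spec)
        print(f"{label}: {'admitted' if not problems else 'FORBIDDEN'}")
        for p in problems:
            print("  -", p)
```

Two practical notes. First, `enforce` is applied only to Pod objects, so the rejection shows up on the ReplicaSet rather than on `kubectl apply`: `kubectl describe rs -n psa` (or `kubectl get events -n psa`) shows `FailedCreate` with the same kind of violation list as above. Second, the `pod-security.kubernetes.io/warn: restricted` label is evaluated against workload templates (Deployments included), so adding it next to `enforce` makes `kubectl apply` of the Deployment print the violations as warnings at submission time instead of leaving you to dig through events.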