Taavi to close decision request task and implement required novaproxy support
Taavi to shut down the grid as originally planned
Pod Security Policy (PSP) is being removed in 1.25, so we need to replace PSP before we can upgrade. PSP currently enforces some basic security properties for us that let us offer a multi tenant system with tenants who have direct access to the Kubernetes API. Production k8s clusters also need to replace PSP today. Both WMCS and core SREs are sharing information about their research in this problem. "PSA" and "PSS" are possible upstream replacement technologies.
Open Policy Agent (OPA) is a widely used system in this space. This is a graduated CNCF project.
Will also need an additional per-namespace policy for each tool to enforce runtime uid, gid, and some similar restrictions.
David: Kyverno is a single vendor project at this time, Worried about a license rug pull in the future.
Francesco: Is there a non-Kyverno option for us at the moment? OPA seems heavy to start with.
David: Has anyone done an OPA PoC?
Arturo: no
Arturo: Kyverno's parent company (Nirmata) is selling value add services, but not in a cloud hosting model like Redis, etc. It is always a risk however that a corporate FOSS project can change.
"Kyverno was accepted to CNCF on November 10, 2020 and moved to the Incubating maturity level on July 13, 2022."
Taavi: Are other trials planned?
Arturo: Only if I hit a hard blocker? But the PoC is not currently completed. Wanted to show progress because feeling better about the work needed to replace PSP.
Francesco: wanted to talk about the goal of the component API epic now that things are getting more concrete
David: The "next steps" list. One task for each of the 9 points.
Francesco: will there be a working output for users at the end of this epic?
David: Yes, but some things are not completely designed to expose all of the features
Francesco: Maybe we should add some prose to the task(s) to make the mapping back to the document easier to understand? Might make it easier for others who are trying to follow along but have not been in all of the discussions. Also might help us define a definition of done for the epic.
Arturo: config for the api defined in the document allows for things from multiple repos. Was thinking about 1 tool to 1 repo before.
David: supporting multiple repos helps with separation of concerns. Toolinfo standard doesn't support listing multiple repos today which might be some source of confusion.
Taavi: Are we ready to do something about deprecated/ancient pre-built images?
Andrew: users have to do something for that to work correct?
Yes
Bryan: Not a thing we have done. I tired to trick Kunal into doing it years ago, but never happened. Probably need to follow the general patterns we use for OS deprecation: List of things to do, nag app to track what still needs doing, lots of emails. Python2 is probably the hardest to think about dropping.
