A Pod Security Policy (PSP) is a cluster-level resource that controls security-sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
Pod security policies serve two purposes in helping secure a Domino installation:
- They prevent the admission (creation) of pods in the cluster if their security stance does not meet the defined policy.
- They mutate (modify) pods that have been allowed by the policy to set defaults matching the PSP (where no values are set).
As of Kubernetes 1.21, PSPs are a deprecated feature. In Kubernetes 1.25, support for PSPs has been completely removed.
In order to support the removal of Pod Security Policies, Domino 5.4 and above do not create per-service PSPs as part of the installation. Instead, all pods define an explicit security context, so there is no longer any need for a PSP to mutate security contexts a second time at pod creation.
Domino will not support a replacement for runtime policy enforcement. Because Domino controls the definition of all pods created in its namespaces, PSP enforcement of security boundaries after installation (during “runtime”) is not necessary. Domino can control and report (during “build time”) the security context of every pod to ensure all services meet our security standards. See Kubernetes Pod Security for an overview with specifics and exemptions.
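As an added illustration of the build-time approach described above (example code, not Domino's own tooling), the check below walks a pod manifest and reports every security-context field that a PSP would otherwise have defaulted but that the manifest leaves unset, plus any container that asks for privileged mode. The required field set and the two sample manifests are constructed for this example and are assumptions, not Domino's actual pod specifications.

```python
import json

# Fields a PSP would previously have mutated into the pod when left unset.
# This particular set is an assumption chosen for the example.
REQUIRED_POD_KEYS = ("runAsNonRoot", "seccompProfile")
REQUIRED_CONTAINER_KEYS = ("allowPrivilegeEscalation", "privileged", "readOnlyRootFilesystem")


def audit_pod(pod):
    """Return a list of findings for a pod manifest given as a dict.

    A finding is either a required field that is not set explicitly (so it
    would silently fall back to the runtime default without a PSP) or a
    container that explicitly requests privileged=true.
    """
    findings = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    for key in REQUIRED_POD_KEYS:
        if key not in pod_ctx:
            findings.append(f"pod: {key} not set")
    # Init containers are checked the same way as regular containers.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ctx = c.get("securityContext") or {}
        for key in REQUIRED_CONTAINER_KEYS:
            if key not in ctx:
                findings.append(f"{c['name']}: {key} not set")
        if ctx.get("privileged"):
            findings.append(f"{c['name']}: privileged=true")
    return findings


# Constructed sample manifests (JSON form of a Pod), not real Domino pods.
EXPLICIT_POD = json.loads("""{
  "kind": "Pod", "metadata": {"name": "example-explicit"},
  "spec": {
    "securityContext": {"runAsNonRoot": true, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:1",
      "securityContext": {"allowPrivilegeEscalation": false, "privileged": false,
                          "readOnlyRootFilesystem": true}}]}}""")

IMPLICIT_POD = json.loads("""{
  "kind": "Pod", "metadata": {"name": "example-implicit"},
  "spec": {
    "containers": [{"name": "app", "image": "example/app:1"},
                   {"name": "sidecar", "image": "example/sidecar:1",
                    "securityContext": {"privileged": true}}]}}""")

if __name__ == "__main__":
    for pod in (EXPLICIT_POD, IMPLICIT_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

Run against rendered manifests (for example the output of a Helm template step) before they reach the cluster, so a missing field fails the build rather than being quietly defaulted at admission time.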
OpenShift maintains its own version of pod security policies named "Security Context Constraints" and Red Hat has laid out a different evolution for that feature going forward from upstream Kubernetes.
Domino does not deploy any custom security contexts but makes use of OpenShift-provided SCCs (anyuid and privileged) bound to all Domino namespaces. Any additional SCCs will cause the installation of Domino to fail.
In addition, UID remapping is not supported in Domino and all services run as the user ID defined in their container images.
Domino binds a blanket unrestricted policy for clusters where PSPs are still enabled. Many cluster providers, such as EKS, already do this. If Domino is the only application deployed in a cluster running Kubernetes < 1.25, it is advisable to turn off pod security policy support entirely.