Add Kubernetes support for seccomp and capability drop

We’re getting ready for our Kubernetes clusters to eventually upgrade to 1.25 at which point PodSecurityPolicy (PSP) will be removed.

The successor to PSP is PodSecurity which offers three preconfigured levels of security (Privileged, Baseline, and Restricted).

We’re able to use the built-in Deploy Kubernetes containers step to configure workloads to conform with the Baseline level, but are missing two options to conform with the Restricted level:

  • unrestricted capabilities (container processor must set securityContext.capabilities.drop=[ALL]),
  • seccompProfile (pod or container processor must set securityContext.seccompProfile.type to RuntimeDefault or Localhost)

We’d like to be able to follow the security best practices for the workloads we deploy to Kubernetes using Octopus Deploy.
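
As an added illustration (not part of this thread, and not Octopus Deploy's own code or output), the manifest below shows the fields the Restricted level expects, including the two the post says the step cannot set today: a container-level `capabilities.drop: ["ALL"]` and a `seccompProfile.type` of `RuntimeDefault`. The namespace, pod, image and UID are placeholders; the namespace labels opt it into Pod Security admission at the Restricted level so a non-conforming pod is rejected at apply time rather than discovered later.

```yaml
# Added example, not from the original post or from Octopus Deploy.
# Namespace opted into the Pod Security admission "restricted" level, plus a
# Pod that satisfies it. Names, image and UID are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-apps            # placeholder namespace name
  labels:
    # Reject pods that violate the Restricted profile, pinned to the 1.25 definition
    # so a later cluster upgrade cannot silently tighten the rules under you.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.25
    # Also surface violations as a client warning and as an audit annotation.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: web                        # placeholder pod name
  namespace: restricted-apps
spec:
  # Pod-level settings apply to every container (init and ephemeral containers
  # included) unless a container's own securityContext overrides them.
  securityContext:
    runAsNonRoot: true             # Restricted: must run as non-root
    runAsUser: 10001               # placeholder non-zero UID
    seccompProfile:
      type: RuntimeDefault         # Restricted: RuntimeDefault or Localhost; unset or Unconfined fails
  containers:
    - name: web
      image: example.com/web:1.0   # placeholder image
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false   # Restricted: must be explicitly false
        capabilities:
          drop: ["ALL"]                   # the capability control from the post
          # add: ["NET_BIND_SERVICE"]     # the only capability Restricted allows adding back
```

Before switching an existing namespace to `enforce: restricted`, a server-side dry run of the label change reports which already-running workloads would be rejected without changing anything: `kubectl label --dry-run=server --overwrite ns restricted-apps pod-security.kubernetes.io/enforce=restricted`. That is a convenient way to find pods whose rendered manifests still lack the `capabilities.drop` or `seccompProfile` fields.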

Hi @Karg,

Thanks for reaching out, and I’d be happy to help with your questions on security best practices when upgrading Kubernetes (specifically around PodSecurityPolicy vs. PodSecurity).

In order to provide the best guidance on this I’ve reached out to the appropriate internal team on our side and will let you know as soon as I have an update.

Best regards,

Britton

Hi @Karg,

Thanks for your patience while I looked into this request further.

I just heard back from our engineering team on this, and it looks like the functionality you are asking about is not currently supported and we don’t have an ETA on when this will be incorporated into the product.

With that being the case I would recommend opening a new post on our UserVoice portal, where this suggestion can be reviewed/voted on by others in the community and also be considered for future implementation by our product teams.

I’m sorry I couldn’t be of more help, but let me know if I can be of any additional assistance.

Best,

Britton