
Implement PodSecurity admission checks in the devfile/library #1017

@valaparthvi

Description

Which area this feature is related to?

/area library

Which functionality do you think we should add?

As an odo user, I want to be able to run my application with standard Devfile even if the cluster that I'm using enforces security policies using PodSecurity Admission controller.

Why is this needed? Is your feature request related to a problem?
This feature will help tools such as odo to run a Devfile specification on a cluster that has these additional checks in place.

This problem will likely be faced by other tools that need to run the Devfile specification on a cluster and it makes sense to fix this problem inside the devfile/library.

Detailed description:

Describe the solution you'd like

To fix this, we propose to use https://github.com/kubernetes/pod-security-admission to analyze such checks and fix the failed checks within the devfile/library by modifying pod specs.

We do not expect the library to go online or fetch these policies; odo will pass the pod spec and the policies, and the library can modify the pod spec to satisfy the policy.

@feloy has created a POC to show how the pod-security-admission library can be used.
POC: https://github.com/feloy/podsecurity-admission-test

Describe alternatives you've considered

Alternatively, we could implement this within odo.

Additional context

redhat-developer/odo#6339
https://github.com/feloy/podsecurity-admission-test
https://github.com/kubernetes/pod-security-admission

cc: @kadel
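The evaluate-then-patch loop proposed above, as an added stand-alone illustration (not code from devfile/library, odo, or the pod-security-admission project): it models a few container-level checks of the "restricted" profile and the pod-spec modification that would satisfy them. The `SecurityContext`, `Container` and `PodSpec` types are simplified stand-ins for the corev1 API, and the pod-level fallbacks for `runAsNonRoot` and `seccompProfile` are deliberately left out.

```go
package main

// Simplified stand-ins for the pod-spec fields the "restricted" profile inspects (hypothetical, not the real corev1 API).
type SecurityContext struct {
	RunAsNonRoot             *bool
	AllowPrivilegeEscalation *bool
	DropCapabilities         []string
	SeccompProfileType       string
}
type Container struct {
	Name string
	SC   SecurityContext
}
type PodSpec struct{ Containers []Container }

func boolPtr(b bool) *bool { return &b }

// Evaluate returns one "container: reason" entry per failed restricted check, like the library's check results.
func Evaluate(spec PodSpec) []string {
	var v []string
	for _, c := range spec.Containers {
		sc := c.SC
		if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
			v = append(v, c.Name+": runAsNonRoot != true")
		}
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			v = append(v, c.Name+": allowPrivilegeEscalation != false")
		}
		if len(sc.DropCapabilities) != 1 || sc.DropCapabilities[0] != "ALL" {
			v = append(v, c.Name+": capabilities.drop != [ALL]")
		}
		if t := sc.SeccompProfileType; t != "RuntimeDefault" && t != "Localhost" {
			v = append(v, c.Name+": seccompProfile.type not RuntimeDefault/Localhost")
		}
	}
	return v
}

// Remediate patches each container in place until Evaluate reports nothing (the "modify the pod spec" step).
func Remediate(spec *PodSpec) {
	for i := range spec.Containers {
		sc := &spec.Containers[i].SC
		sc.RunAsNonRoot = boolPtr(true)
		sc.AllowPrivilegeEscalation = boolPtr(false)
		sc.DropCapabilities = []string{"ALL"}
		if sc.SeccompProfileType == "" { // keep an explicit Localhost profile as-is
			sc.SeccompProfileType = "RuntimeDefault"
		}
	}
}
```

A constructed Devfile-style container with no securityContext fails all four checks before `Remediate` and none after; the real library reports the same class of failure through its check results, so the patching step is where the library would add value.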
