appvia/psp-migration

GitHub: appvia/psp-migration

Automatically converts deprecated Kubernetes PodSecurityPolicy configurations into equivalent rules for several mainstream policy engines, to ease a smooth migration.

Stars: 52 | Forks: 4

# Kubernetes [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) Migration

[![CI](https://static.pigsec.cn/wp-content/uploads/repos/2026/05/52c8ef0b0e191418.svg)](https://github.com/appvia/psp-migration/actions/workflows/ci.yml) [![GitHub issues](https://img.shields.io/github/issues/appvia/psp-migration)](https://github.com/appvia/psp-migration/issues) [![GitHub forks](https://img.shields.io/github/forks/appvia/psp-migration)](https://github.com/appvia/psp-migration/network) [![GitHub stars](https://img.shields.io/github/stars/appvia/psp-migration)](https://github.com/appvia/psp-migration/stargazers) ![GitHub contributors](https://img.shields.io/github/contributors/appvia/psp-migration) ![GitHub last commit](https://img.shields.io/github/last-commit/appvia/psp-migration) [![Appvia Community Slack](https://img.shields.io/badge/slack-@appvia_community-default.svg?logo=slack)](https://join.slack.com/t/appvia-community/shared_invite/zt-rcqz9vif-eDDQrbD_EAZBxsem30c2bQ) [![GitHub license](https://img.shields.io/github/license/appvia/psp-migration)](https://github.com/appvia/psp-migration/blob/main/LICENSE)

# See our blog post [PodSecurityPolicy is dead, long live...?](https://www.appvia.io/blog/podsecuritypolicy-is-dead-long-live)!

## 🚨 🚧 Under active development (pull requests welcome) 🚧 🚨

This project aims to reproduce common Pod Security Policy configurations in other common Kubernetes policy engines, so that users have better guidance on how to migrate before the feature is removed in Kubernetes 1.25.

## Installation

Download the binary for your operating system and architecture from the [latest release](https://github.com/appvia/psp-migration/releases/latest).

Or you can **[try it now in your browser](https://appvia.github.io/psp-migration/)**!
## Usage

The application reads a PodSecurityPolicy from `stdin` and writes the policy for the engine of your choice to `stdout`; the engine is selected with the `--engine=` flag:

```
$ cat psp.yaml | ./psp-migration --engine=gatekeeper > output.yaml
# or, if you are brave enough, you can pipe it back and forth to the kubernetes api
$ kubectl get -o yaml mypodsecuritypolicy | ./psp-migration -e kubewarden | kubectl apply -f -
```

## Known limitations

- The generated policies can be quite verbose
- The generated policies may have unexpected side effects; when this happens, please [create an issue](https://github.com/appvia/psp-migration/issues/new?assignees=&labels=bug%2Ctriage&template=bug.yaml&title=%5BBug%5D%3A+)
- Only one PodSecurityPolicy is accepted at a time
- The generated policies may conflict with other policies

## Features

### :warning: This table is updated manually, see the [automated test suite results](https://github.com/appvia/psp-migration/actions/workflows/ci.yml) :warning:

| PSP field | [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) | [Pod Security Standards (baseline)](https://kubernetes.io/docs/concepts/security/pod-security-standards/) | [Gatekeeper](https://github.com/open-policy-agent/gatekeeper) | [Kyverno](https://github.com/kyverno/kyverno) | [Kubewarden](https://github.com/kubewarden/kubewarden-controller) | [k-rail](https://github.com/cruise-automation/k-rail) |
| --- | --- | --- | --- | --- | --- | --- |
| [privileged](./tests/privileged) | [✔️](./tests/privileged/psp.yaml) | [✔️](./tests/privileged/pss.yaml) | [✔️](./tests/privileged/gatekeeper.yaml) | [✔️](./tests/privileged/kyverno.yaml) | [✔️](./tests/privileged/kubewarden.yaml) | [✔️](./tests/privileged/krail.yaml) |
| [hostPID](./tests/hostPID) | [✔️](./tests/hostPID/psp.yaml) | [✔️](./tests/hostPID/pss.yaml) | [✔️](./tests/hostPID/hostPID.yaml) | [✔️](./tests/hostPID/kyverno.yaml) | [✔️](./tests/hostPID/kubewarden.yaml) | [✔️](./tests/hostPID/krail.yaml) |
| [hostIPC](./tests/hostIPC) | [✔️](./tests/hostIPC/psp.yaml) | [✔️](./tests/hostIPC/pss.yaml) | [✔️](./tests/hostIPC/gatekeeper.yaml) | [✔️](./tests/hostIPC/kyverno.yaml) | [✔️](./tests/hostIPC/kubewarden.yaml) | [❌](./tests/hostIPC/krail.yaml) |
| [hostNetwork](./tests/hostNetwork) | [✔️](./tests/hostNetwork/psp.yaml) | [✔️](./tests/hostNetwork/pss.yaml) | [✔️](./tests/hostNetwork/gatekeeper.yaml) | [✔️](./tests/hostNetwork/kyverno.yaml) | [✔️](./tests/hostNetwork/kubewarden.yaml) | [✔️](./tests/hostNetwork/krail.yaml) |
| [hostPorts](./tests/hostPorts) | [✔️](./tests/hostPorts/psp.yaml) | [❌](./tests/hostPorts/pss.yaml) | [✔️](./tests/hostPorts/gatekeeper.yaml) | [✔️](./tests/hostPorts/kyverno.yaml) | [✔️](./tests/hostPorts/kubewarden.yaml) | [❌](./tests/hostPorts/krail.yaml) |
| [volumes](./tests/volumes) | [✔️](./tests/volumes/psp.yaml) | [✔️](./tests/volumes/pss.yaml) | [✔️](./tests/volumes/gatekeeper.yaml) | [✔️](./tests/volumes/kyverno.yaml) | [✔️](./tests/volumes/kubewarden.yaml) | [❌](./tests/volumes/krail.yaml) |
| [allowedHostPaths](./tests/allowedHostPaths) | [✔️](./tests/allowedHostPaths/psp.yaml) | [❌](./tests/allowedHostPaths/pss.yaml) | [✔️](./tests/allowedHostPaths/gatekeeper.yaml) | [✔️](./tests/allowedHostPaths/kyverno.yaml) | [✔️](./tests/allowedHostPaths/kubewarden.yaml) | [❌](./tests/allowedHostPaths/krail.yaml) |
| [allowedFlexVolumes](./tests/allowedFlexVolumes) | [✔️](./tests/allowedFlexVolumes/psp.yaml) | [❌](./tests/allowedFlexVolumes/pss.yaml) | [✔️](./tests/allowedFlexVolumes/gatekeeper.yaml) | [✔️](./tests/allowedFlexVolumes/kyverno.yaml) | [✔️](./tests/allowedFlexVolumes/kubewarden.yaml) | [❌](./tests/allowedFlexVolumes/krail.yaml) |
| [readOnlyRootFilesystem](./tests/readOnlyRootFilesystem) | [✔️](./tests/readOnlyRootFilesystem/psp.yaml) | [❌](./tests/readOnlyRootFilesystem/pss.yaml) | [✔️](./tests/readOnlyRootFilesystem/gatekeeper.yaml) | [✔️](./tests/readOnlyRootFilesystem/kyverno.yaml) | [✔️](./tests/readOnlyRootFilesystem/kubewarden.yaml) | [❌](./tests/readOnlyRootFilesystem/krail.yaml) |
| [runAsUser](./tests/runAsUser) | [✔️](./tests/runAsUser/psp.yaml) | [❌](./tests/runAsUser/pss.yaml) | [✔️](./tests/runAsUser/gatekeeper.yaml) | [✔️](./tests/runAsUser/kyverno.yaml) | [✔️](./tests/runAsUser/kubewarden.yaml) | [❌](./tests/runAsUser/krail.yaml) |
| [runAsGroup](./tests/runAsGroup) | [✔️](./tests/runAsGroup/psp.yaml) | [❌](./tests/runAsGroup/pss.yaml) | [✔️](./tests/runAsGroup/gatekeeper.yaml) | [✔️](./tests/runAsGroup/kyverno.yaml) | [✔️](./tests/runAsGroup/kubewarden.yaml) | [❌](./tests/runAsGroup/krail.yaml) |
| [supplementalGroups](./tests/supplementalGroups) | [✔️](./tests/supplementalGroups/psp.yaml) | [❌](./tests/supplementalGroups/pss.yaml) | [✔️](./tests/supplementalGroups/gatekeeper.yaml) | [✔️](./tests/supplementalGroups/kyverno.yaml) | [✔️](./tests/supplementalGroups/kubewarden.yaml) | [❌](./tests/supplementalGroups/krail.yaml) |
| [fsgroup](./tests/fsgroup) | [✔️](./tests/fsgroup/psp.yaml) | [❌](./tests/fsgroup/pss.yaml) | [✔️](./tests/fsgroup/gatekeeper.yaml) | [✔️](./tests/fsgroup/kyverno.yaml) | [✔️](./tests/fsgroup/kubewarden.yaml) | [❌](./tests/fsgroup/krail.yaml) |
| [allowPrivilegeEscalation](./tests/allowPrivilegeEscalation) | [✔️](./tests/allowPrivilegeEscalation/psp.yaml) | [❌](./tests/allowPrivilegeEscalation/pss.yaml) | [✔️](./tests/allowPrivilegeEscalation/gatekeeper.yaml) | [✔️](./tests/allowPrivilegeEscalation/kyverno.yaml) | [✔️](./tests/allowPrivilegeEscalation/kubewarden.yaml) | [❌](./tests/allowPrivilegeEscalation/krail.yaml) |
| [defaultAllowPrivilegeEscalation](./tests/defaultAllowPrivilegeEscalation) | [✔️](./tests/defaultAllowPrivilegeEscalation/psp.yaml) | [❌](./tests/defaultAllowPrivilegeEscalation/pss.yaml) | [✔️](./tests/defaultAllowPrivilegeEscalation/gatekeeper.yaml) | [✔️](./tests/defaultAllowPrivilegeEscalation/kyverno.yaml) | [✔️](./tests/defaultAllowPrivilegeEscalation/kubewarden.yaml) | [❌](./tests/defaultAllowPrivilegeEscalation/krail.yaml) |
| [allowedCapabilities](./tests/allowedCapabilities) | [✔️](./tests/allowedCapabilities/psp.yaml) | [❌](./tests/allowedCapabilities/pss.yaml) | [✔️](./tests/allowedCapabilities/gatekeeper.yaml) | [✔️](./tests/allowedCapabilities/kyverno.yaml) | [✔️](./tests/allowedCapabilities/kubewarden.yaml) | [❌](./tests/allowedCapabilities/krail.yaml) |
| [defaultAddCapabilities](./tests/defaultAddCapabilities) | [✔️](./tests/defaultAddCapabilities/psp.yaml) | [❌](./tests/defaultAddCapabilities/pss.yaml) | [✔️](./tests/defaultAddCapabilities/gatekeeper.yaml) | [✔️](./tests/defaultAddCapabilities/kyverno.yaml) | [✔️](./tests/defaultAddCapabilities/kubewarden.yaml) | [❌](./tests/defaultAddCapabilities/krail.yaml) |
| [requiredDropCapabilities](./tests/requiredDropCapabilities) | [✔️](./tests/requiredDropCapabilities/psp.yaml) | [❌](./tests/requiredDropCapabilities/pss.yaml) | [✔️](./tests/requiredDropCapabilities/gatekeeper.yaml) | [✔️](./tests/requiredDropCapabilities/kyverno.yaml) | [✔️](./tests/requiredDropCapabilities/kubewarden.yaml) | [❌](./tests/requiredDropCapabilities/krail.yaml) |
| [seLinux](./tests/seLinux) | [✔️](./tests/seLinux/psp.yaml) | [❌](./tests/seLinux/pss.yaml) | [✔️](./tests/seLinux/gatekeeper.yaml) | [✔️](./tests/seLinux/kyverno.yaml) | [✔️](./tests/seLinux/kubewarden.yaml) | [❌](./tests/seLinux/krail.yaml) |
| [allowedProcMountTypes](./tests/allowedProcMountTypes) | [✔️](./tests/allowedProcMountTypes/psp.yaml) | [❌](./tests/allowedProcMountTypes/pss.yaml) | [✔️](./tests/allowedProcMountTypes/gatekeeper.yaml) | [✔️](./tests/allowedProcMountTypes/kyverno.yaml) | [✔️](./tests/allowedProcMountTypes/kubewarden.yaml) | [❌](./tests/allowedProcMountTypes/krail.yaml) |
| [apparmor](./tests/apparmor) | [✔️](./tests/apparmor/psp.yaml) | [✔️](./tests/apparmor/pss.yaml) | [✔️](./tests/apparmor/gatekeeper.yaml) | [✔️](./tests/apparmor/kyverno.yaml) | [✔️](./tests/apparmor/kubewarden.yaml) | [✔️](./tests/apparmor/krail.yaml) |
| [seccomp](./tests/seccomp) | [✔️](./tests/seccomp/psp.yaml) | [✔️](./tests/seccomp/pss.yaml) | [✔️](./tests/seccomp/gatekeeper.yaml) | [✔️](./tests/seccomp/kyverno.yaml) | [✔️](./tests/seccomp/kubewarden.yaml) | [❌](./tests/seccomp/krail.yaml) |
| [forbiddenSysctls](./tests/forbiddenSysctls) | [✔️](./tests/forbiddenSysctls/psp.yaml) | [❌](./tests/forbiddenSysctls/pss.yaml) | [✔️](./tests/forbiddenSysctls/gatekeeper.yaml) | [✔️](./tests/forbiddenSysctls/kyverno.yaml) | [✔️](./tests/forbiddenSysctls/kubewarden.yaml) | [❌](./tests/forbiddenSysctls/krail.yaml) |
| [allowedUnsafeSysctls](./tests/allowedUnsafeSysctls) | [✔️](./tests/allowedUnsafeSysctls/psp.yaml) | [❌](./tests/allowedUnsafeSysctls/pss.yaml) | [✔️](./tests/allowedUnsafeSysctls/gatekeeper.yaml) | [✔️](./tests/allowedUnsafeSysctls/kyverno.yaml) | [✔️](./tests/allowedUnsafeSysctls/kubewarden.yaml) | [❌](./tests/allowedUnsafeSysctls/krail.yaml) |

## References

- https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/
- https://github.com/open-policy-agent/gatekeeper-library
- https://kubernetes.io/docs/concepts/security/pod-security-standards/
- https://github.com/open-policy-agent/gatekeeper
- https://github.com/kyverno/kyverno
- https://github.com/kyverno/policies
- https://github.com/kubewarden/kubewarden-controller
- https://hub.kubewarden.io/
- https://github.com/cruise-automation/k-rail/blob/master/charts/k-rail/values.yaml
- https://github.com/cruise-automation/k-rail
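## Example: what a field-by-field translation looks like

The usage and features sections above describe the tool as a black box that turns one PSP into a policy for the chosen engine. The script below is an added example (written for this page, not psp-migration's own code) of that translation for a small subset of PSP fields targeting `--engine=kyverno`: `hostPID`/`hostIPC`/`hostNetwork`, `privileged` and `requiredDropCapabilities`. It uses only the Python standard library, the sample PSP is constructed for illustration, the annotation key `psp-migration.example/unsupported` is made up, and the rule shapes follow the `validate`/`pattern` syntax of the kyverno/policies repository, where a `=(field)` anchor means "check this field only if the resource sets it". Fields the script does not understand (here `seLinux`) are reported rather than silently dropped, which is the check a practitioner should run against any migrated policy.

```python
"""Added example, not psp-migration's code: a minimal PodSecurityPolicy -> Kyverno
ClusterPolicy translator for a few PSP fields, using only the standard library."""
import json

# Constructed sample PSP (not taken from the project's test suite).
SAMPLE_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted-example"},
    "spec": {
        "privileged": False,
        "hostPID": False,
        "hostIPC": False,
        "hostNetwork": False,
        "requiredDropCapabilities": ["ALL"],
        "seLinux": {"rule": "RunAsAny"},  # deliberately left unhandled below
    },
}

HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")
HANDLED_FIELDS = set(HOST_NAMESPACE_FIELDS) | {"privileged", "requiredDropCapabilities"}


def _rule(name, message, pattern):
    """Build one Kyverno validate rule that applies to every Pod."""
    return {
        "name": name,
        "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
        "validate": {"message": message, "pattern": pattern},
    }


def host_namespace_rule(spec):
    """PSP hostPID/hostIPC/hostNetwork: false -> the pod-level flag, if set, must be false."""
    denied = {f"=({f})": "false" for f in HOST_NAMESPACE_FIELDS if spec.get(f) is False}
    if not denied:
        return None
    return _rule("disallow-host-namespaces", "Sharing host namespaces is disallowed",
                 {"spec": denied})


def privileged_rule(spec):
    """PSP privileged: false -> no container or init container may set privileged: true."""
    if spec.get("privileged") is not False:
        return None
    container = [{"=(securityContext)": {"=(privileged)": "false"}}]
    return _rule("disallow-privileged-containers", "Privileged containers are disallowed",
                 {"spec": {"containers": container, "=(initContainers)": container}})


def drop_capabilities_rule(spec):
    """PSP requiredDropCapabilities -> every container must explicitly drop them."""
    drops = spec.get("requiredDropCapabilities") or []
    if not drops:
        return None
    container = [{"securityContext": {"capabilities": {"drop": list(drops)}}}]
    return _rule("require-drop-capabilities", f"Containers must drop {', '.join(drops)}",
                 {"spec": {"containers": container}})


def unsupported_fields(psp):
    """PSP fields this translator does not map; a real migration must cover them elsewhere."""
    return sorted(set(psp["spec"]) - HANDLED_FIELDS)


def psp_to_kyverno(psp):
    """Return a Kyverno ClusterPolicy as a dict (JSON is valid YAML) for the handled fields."""
    spec = psp["spec"]
    rules = [r for r in (host_namespace_rule(spec), privileged_rule(spec),
                         drop_capabilities_rule(spec)) if r]
    return {
        "apiVersion": "kyverno.io/v1",
        "kind": "ClusterPolicy",
        "metadata": {
            "name": f"psp-{psp['metadata']['name']}",
            # Made-up annotation key: records what was NOT translated so reviewers see the gap.
            "annotations": {"psp-migration.example/unsupported": ",".join(unsupported_fields(psp))},
        },
        "spec": {"validationFailureAction": "Enforce", "background": True, "rules": rules},
    }


def rule_names(policy):
    """Names of the generated rules, in order."""
    return [r["name"] for r in policy["spec"]["rules"]]


if __name__ == "__main__":
    print(json.dumps(psp_to_kyverno(SAMPLE_PSP), indent=2))
```

Running the script prints a ClusterPolicy you can feed to `kubectl apply -f -`; the three generated rules are the direct counterparts of the three ✔️ Kyverno rows for those PSP fields, while the `unsupported` annotation shows why the feature table matters: every PSP field without a translation is a control you lose silently unless something reports it.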