PodSecurity beta updates

content/en/docs/concepts/security/pod-security-admission.md

@@ -13,13 +13,13 @@ min-kubernetes-server-version: v1.22
 
 <!-- overview -->
 
-{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.23" state="beta" >}}
 
 The Kubernetes [Pod Security Standards](/docs/concepts/security/pod-security-standards/) define
 different isolation levels for Pods. These standards let you define how you want to restrict the
 behavior of pods in a clear, consistent fashion.
 
-As an Alpha feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip
+As an Beta feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip
 text="admission controller" term_id="admission-controller" >}}, the successor
 to [PodSecurityPolicies](/docs/concepts/policy/pod-security-policy/). Pod security restrictions
 are applied at the {{< glossary_tooltip text="namespace" term_id="namespace" >}} level when pods
@@ -32,15 +32,40 @@ The PodSecurityPolicy API is deprecated and will be
 
 <!-- body -->
 
-## Enabling the Alpha feature
+## Enabling the `PodSecurity` admission plugin
 
-Setting pod security controls by namespace is an alpha feature. You must enable the `PodSecurity`
+In v1.23, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) in order to use it.
+is a Beta feature and is enabled by default.
+
+In v1.22, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+is an Alpha feature and must be enabled in `kube-apiserver` in order to use the built-in admission plugin.
 
 ```shell
 --feature-gates="...,PodSecurity=true"
 ```
 
+## Alternative: installing the `PodSecurity` admission webhook
+
+For environments where the built-in `PodSecurity` admission plugin cannot be used,
+either because the cluster is older than v1.22, or the `PodSecurity` feature cannot be enabled,
+the `PodSecurity` admission logic is also available as a Beta [validating admission webhook](https://git.k8s.io/pod-security-admission/webhook).
+
+A pre-built container image, certificate generation scripts, and example manifests
+are available at [https://git.k8s.io/pod-security-admission/webhook](https://git.k8s.io/pod-security-admission/webhook).
+
+To install:
+```shell
+git clone git@github.com:kubernetes/pod-security-admission.git
+cd pod-security-admission/webhook
+make certs
+kubectl apply -k .
+```
+
+{{< note >}}
+The generated certificate is valid for 2 years. Before it expires,
+regenerate the certificate or remove the webhook in favor of the built-in admission plugin.
+{{< /note >}}
+
 ## Pod Security levels
 
 Pod Security admission places requirements on a Pod's [Security
@@ -52,7 +77,7 @@ page for an in-depth look at those requirements.
 
 ## Pod Security Admission labels for namespaces
 
-Provided that you have enabled this feature, you can configure namespaces to define the admission
+Once the feature is enabled or the webhook is installed, you can configure namespaces to define the admission
 control mode you want to use for pod security in each namespace. Kubernetes defines a set of 
 {{< glossary_tooltip term_id="label" text="labels" >}} that you can set to define which of the 
 predefined Pod Security Standard levels you want to use for a namespace. The label you select

content/en/docs/reference/access-authn-authz/admission-controllers.md

@@ -698,7 +698,7 @@ admission plugin, which allows preventing pods from running on specifically tain
 
 ### PodSecurity {#podsecurity}
 
-{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.23" state="beta" >}}
 
 This is the replacement for the deprecated [PodSecurityPolicy](#podsecuritypolicy) admission controller
 defined in the next section. This admission controller acts on creation and modification of the pod and

content/en/docs/reference/command-line-tools-reference/feature-gates.md

@@ -159,7 +159,8 @@ different Kubernetes components.
 | `PodAffinityNamespaceSelector` | `true` | Beta | 1.22 | |
 | `PodOverhead` | `false` | Alpha | 1.16 | 1.17 |
 | `PodOverhead` | `true` | Beta | 1.18 | |
-| `PodSecurity` | `false` | Alpha | 1.22 | |
+| `PodSecurity` | `false` | Alpha | 1.22 | 1.22 |
+| `PodSecurity` | `true` | Beta | 1.23 | |
 | `PreferNominatedNode` | `false` | Alpha | 1.21 | 1.21 |
 | `PreferNominatedNode` | `true` | Beta | 1.22 | |
 | `ProbeTerminationGracePeriod` | `false` | Alpha | 1.21 | 1.21 |

content/en/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md

@@ -15,10 +15,52 @@ You can configure this admission controller to set cluster-wide defaults and [ex
 
 {{% version-check %}}
 
-- Enable the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features).
+- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.
 
 ## Configure the Admission Controller
 
+{{< tabs name="PodSecurityConfiguration_example_1" >}}
+{{% tab name="pod-security.admission.config.k8s.io/v1beta1" %}}
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- name: PodSecurity
+  configuration:
+    apiVersion: pod-security.admission.config.k8s.io/v1beta1
+    kind: PodSecurityConfiguration
+    # Defaults applied when a mode label is not set.
+    #
+    # Level label values must be one of:
+    # - "privileged" (default)
+    # - "baseline"
+    # - "restricted"
+    #
+    # Version label values must be one of:
+    # - "latest" (default) 
+    # - specific version like "v{{< skew latestVersion >}}"
+    defaults:
+      enforce: "privileged"
+      enforce-version: "latest"
+      audit: "privileged"
+      audit-version: "latest"
+      warn: "privileged"
+      warn-version: "latest"
+    exemptions:
+      # Array of authenticated usernames to exempt.
+      usernames: []
+      # Array of runtime class names to exempt.
+      runtimeClassNames: []
+      # Array of namespaces to exempt.
+      namespaces: []
+```
+
+{{< note >}}
+v1beta1 configuration requires v1.23+. For v1.22, use v1alpha1.
+{{< /note >}}
+
+{{% /tab %}}
+{{% tab name="pod-security.admission.config.k8s.io/v1alpha1" %}}
 ```yaml
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
@@ -51,4 +93,6 @@ plugins:
       runtimeClassNames: []
       # Array of namespaces to exempt.
       namespaces: []
-```
+```
+{{% /tab %}}
+{{< /tabs >}}

content/en/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md

@@ -13,7 +13,7 @@ Namespaces can be labeled to enforce the [Pod Security Standards](/docs/concepts
 
 {{% version-check %}}
 
-- Enable the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features).
+- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.
 
 ## Requiring the `baseline` Pod Security Standard with namespace labels
 

content/en/docs/tasks/configure-pod-container/migrate-from-psp.md

@@ -17,7 +17,7 @@ admission controller. This can be done effectively using a combination of dry-ru
 
 {{% version-check %}}
 
-- Enable the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features).
+- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.
 
 <!-- body -->