Kubernetes API Requirements

This document describes the requirements Yaook imposes on the Kubernetes API of a cluster. In contrast to Kubernetes Cluster Requirements, this document is focused on the Kubernetes API itself and discusses feature flags and version requirements. For requirements on the services offered inside the Kubernetes cluster, such as Ingress controllers, please see Kubernetes Cluster Requirements instead.

Kubernetes Versions

Yaook is automatically tested with Kubernetes 1.19. Development takes place on 1.18 and 1.19, so those versions can generally be assumed to be supported.

API Features

Pod security policies

Pod security policies are currently NOT supported. For Yaook to work, they MUST NOT be enabled in the cluster. Fixing this is on the roadmap for 2021-Q2.

There is currently no workaround.

NodeRestriction admission controller

The [NodeRestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) admission controller SHOULD be enabled for all Yaook clusters and is REQUIRED for SecuStack clusters.

Yaook relies on the NodeRestriction admission controller in order to control the distribution of secrets.
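
A preflight check for the two admission-plugin requirements above, as an added example that is not part of Yaook. It inspects a kube-apiserver argument list, such as one copied from the API server's manifest or process command line. The function names and sample argument lists are constructed for illustration, and the check assumes neither plugin is enabled by default.

```python
"""Check kube-apiserver flags against the admission-plugin requirements above."""


def plugin_set(args, flag):
    """Collect the comma-separated values of a repeatable flag (--f=v and --f v forms)."""
    found = set()
    for i, arg in enumerate(args):
        if arg.startswith(flag + "="):
            value = arg.split("=", 1)[1]
        elif arg == flag and i + 1 < len(args):
            value = args[i + 1]
        else:
            continue
        found.update(p.strip() for p in value.split(",") if p.strip())
    return found


def check_admission(args, secustack=False):
    """Return (errors, warnings) for one kube-apiserver argument list."""
    # Assumption: neither plugin is on by default, so only explicit flags matter.
    effective = (plugin_set(args, "--enable-admission-plugins")
                 - plugin_set(args, "--disable-admission-plugins"))
    errors, warnings = [], []
    if "PodSecurityPolicy" in effective:
        errors.append("PodSecurityPolicy is enabled; MUST NOT be enabled")
    if "NodeRestriction" not in effective:
        msg = "NodeRestriction is not enabled"
        if secustack:
            errors.append(msg + "; REQUIRED for SecuStack")
        else:
            warnings.append(msg + "; SHOULD be enabled")
    return errors, warnings


# Constructed sample argument lists (not taken from a real cluster).
GOOD = ["kube-apiserver", "--enable-admission-plugins=NodeRestriction"]
BAD = ["kube-apiserver", "--enable-admission-plugins", "NodeRestriction,PodSecurityPolicy"]
BARE = ["kube-apiserver", "--authorization-mode=Node,RBAC"]

if __name__ == "__main__":
    for name, args in (("GOOD", GOOD), ("BAD", BAD), ("BARE", BARE)):
        for strict in (False, True):
            errors, warnings = check_admission(args, secustack=strict)
            print(name, "secustack" if strict else "yaook", errors, warnings)
```

A missing NodeRestriction is reported as a warning for a plain Yaook cluster and as an error when `secustack=True`, matching the SHOULD and REQUIRED wording above.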