PSP is deprecated

[hazcod]

Description

trivy currently checks for the existance of a PodSecurityPolicy in GKE clusters. This is being deprecated and replaced.
https://avd.aquasec.com/misconfig/google/gke/avd-gcp-0047/

What did you expect to happen?

Not mention a finding.

What happened instead?

HIGH: Cluster pod security policy is not enforced.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
By default, Pods in Kubernetes can operate with capabilities beyond what they require. You should constrain the Pod's capabilities to only those required for that workload.

Kubernetes offers controls for restricting your Pods to execute with only explicitly granted capabilities. 

Pod Security Policy allows you to set smart defaults for your Pods, and enforce controls you want to enable across your fleet. 

The policies you define should be specific to the needs of your application

See https://avd.aquasec.com/misconfig/avd-gcp-0047
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 google/gke/gke.tf:5-200
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5 ┌ resource "google_container_cluster" "gke_cluster" {
   6 │   # we need KMS for etcd encryption
   7 │   depends_on = [
   8 │     google_kms_key_ring.k8s_key_ring,
   9 │     google_compute_firewall.gke_ingress_firewall,
  10 │     google_compute_firewall.gke_egress_firewall,
  11 │   ]
  12 │ 
  13 └   project  = var.project_id
  ..   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Additional details (base image name, container registry info...):

trivy -v    
Version: 0.29.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-06-16 06:06:28.171512256 +0000 UTC
  NextUpdate: 2022-06-16 12:06:28.171511856 +0000 UTC
  DownloadedAt: 2022-06-16 06:45:32.442723 +0000 UTC

[hazcod]

Unstale

[knqyf263]

@giorod3 @simar7 Would you check if it is still relevant?

[simar7]

hi @hazcod - are you suggesting that we should remove this rule altogether as it does not make sense to evaluate for anymore?

Or should we make it only evaluate for clusters past a certain version? If can share more info on when this was deprecated, it will be helpful to make that decision.

[hazcod]

There's no reason to raise this issue since it will not exist on k8s >= 1.21

[simar7]

OK I've created #4603 to track it.