Understanding Pod Security Policies in Kubernetes
Pod Security Policies (PSPs) are a crucial security feature in Kubernetes that allow you to control the security-sensitive aspects of pod specifications. They act as admission controllers, enforcing security standards before pods are admitted to the cluster. This ensures that only pods meeting your defined security requirements can run, significantly enhancing your cluster's security posture.
What are Pod Security Policies?
PSPs are cluster-level resources that define a set of conditions that a pod must meet to be accepted into the cluster. They provide fine-grained control over various security contexts, such as:
- Privileged containers: Preventing containers from running with elevated privileges.
- Host namespaces: Restricting access to host network, PID, or IPC namespaces.
- Volume types: Controlling which types of volumes pods can use.
- Capabilities: Managing Linux capabilities granted to containers.
- Seccomp, SELinux, and AppArmor: Enforcing security profiles.
PSPs act as gatekeepers for pod creation, enforcing security rules.
Think of PSPs as a security guard at the entrance of your Kubernetes cluster. They check each incoming pod (application component) to ensure it adheres to a predefined set of security rules before allowing it to enter and run. If a pod doesn't meet the criteria, it's denied entry.
Pod Security Policies are implemented as a Kubernetes admission controller. When a user or controller attempts to create a Pod, the API server passes the Pod definition to the admission controller. If a PSP is configured and matches the Pod's namespace and service account, the PSP's rules are evaluated. If the Pod violates any of the PSP's defined security constraints, the admission controller rejects the Pod creation request. This prevents potentially insecure workloads from being deployed, thereby reducing the attack surface of the cluster.
Key Concepts and Configuration
A Pod Security Policy resource defines a set of policies that can be applied to pods. Key fields include:
Field | Description | Example |
---|---|---|
spec.privileged | Whether pods are allowed to run as privileged. | false |
spec.hostNetwork | Whether pods can use the host's network namespace. | false |
spec.hostPID | Whether pods can use the host's PID namespace. | false |
spec.hostIPC | Whether pods can use the host's IPC namespace. | false |
spec.allowPrivilegeEscalation | Whether pods can increase their privilege level. | false |
spec.capabilities.add | List of capabilities that can be added to containers. | ["NET_BIND_SERVICE"] |
spec.volumes | List of allowed volume types. | ["configMap", "emptyDir", "secret", "persistentVolumeClaim"] |
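To enforce a PSP, you need to create a PodSecurityPolicy resource and authorize its use through RBAC: a Role or ClusterRole that grants the use verb on the policy, bound to the relevant users or service accounts with a RoleBinding or ClusterRoleBinding.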
To enforce security constraints on pods before they are admitted to the cluster.
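The objects named above, as an added example manifest that is not from the original page: a PodSecurityPolicy using the settings from the table, a ClusterRole granting the use verb on it, and a RoleBinding for one namespace's service accounts. The policy name restricted-example and the namespace demo are assumptions, and the manifest applies only to clusters older than v1.25 with the PodSecurityPolicy admission plugin enabled.

```yaml
# Added example. "restricted-example" and the "demo" namespace are assumed names.
apiVersion: policy/v1beta1            # PSP API group; removed in Kubernetes v1.25
kind: PodSecurityPolicy
metadata:
  name: restricted-example
spec:
  privileged: false                   # no privileged containers
  allowPrivilegeEscalation: false     # no gaining privileges beyond the parent process
  hostNetwork: false                  # no host network namespace
  hostPID: false                      # no host PID namespace
  hostIPC: false                      # no host IPC namespace
  allowedCapabilities: ["NET_BIND_SERVICE"]   # only capability a container may add
  volumes: ["configMap", "emptyDir", "secret", "persistentVolumeClaim"]
  runAsUser:
    rule: MustRunAsNonRoot            # reject containers that would run as UID 0
  # The three strategies below are required fields; RunAsAny leaves them unrestricted.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# Grants permission to be admitted under this one policy, and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-example
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-example"]
    verbs: ["use"]
---
# Binds the ClusterRole to every service account in the "demo" namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-example
  namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-example
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:demo
```

A policy that no subject is allowed to use admits nothing, so the binding is as much a part of enforcement as the policy itself.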
Deprecation and Alternatives
It's important to note that Pod Security Policies have been deprecated since Kubernetes v1.21 and removed in v1.25. The recommended approach for enforcing pod security standards is now using the built-in Pod Security Admission (PSA) controller, which enforces the Pod Security Standards (PSS) at the namespace level.
While PSPs are deprecated, understanding their functionality is still valuable for anyone working with older Kubernetes versions or for comprehending the evolution of Kubernetes security.
Pod Security Admission (PSA) offers a simpler, namespace-scoped approach to security enforcement, aligning with the Pod Security Standards (e.g., privileged, baseline, restricted).
Learning Resources
The official Kubernetes documentation detailing Pod Security Policies, their purpose, and configuration.
Learn about the successor to Pod Security Policies, Pod Security Admission, and how it enforces Pod Security Standards.
Understand the different levels of the Pod Security Standards (privileged, baseline, restricted) that PSA enforces.
A video tutorial explaining the concepts and implementation of Pod Security Policies in Kubernetes.
A blog post offering practical insights and examples for securing Kubernetes pods using PSPs.
An in-depth video walkthrough of how Pod Security Policies work and how to configure them.
A blog post from CNCF discussing the transition from PSPs to Pod Security Admission.
A step-by-step tutorial guiding users through the creation and application of Pod Security Policies.
An overview of PSPs and their role in enhancing Kubernetes cluster security from a security vendor's perspective.
A comprehensive video that dives deep into the technical aspects and use cases of Kubernetes Pod Security Policies.