# Pod Security Standards

**Replacing PSPs:** PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed from Kubernetes in v1.25. Pod Security Admission is its replacement. More info on the deprecation:
## Profiles

The Kubernetes Pod Security Standards define different isolation levels for Pods, via profiles:

Profile | Description |
---|---|
Privileged | Unrestricted policy, providing the widest possible level of permissions; allows known privilege escalations |
Baseline | Minimally restrictive policy that prevents known privilege escalations; allows the default (minimally specified) Pod configuration |
Restricted | Heavily restricted policy, following current Pod hardening best practices |
## Policy Instantiation

These profiles can be enforced in multiple ways:

Method | Description |
---|---|
Native | Pod Security Admission Controller (see below) |
Third-party | OPA Gatekeeper, Kyverno, Kubewarden (see Compliance as Code - Kubernetes) |
## Pod Security Admission

Kubernetes offers a built-in Pod Security Admission controller to enforce the Pod Security Standards:

- Pod security restrictions are applied at the namespace level when pods are created
- Requirements are placed on a Pod's Security Context according to the three profiles defined by the Pod Security Standards (`privileged`, `baseline`, and `restricted`)
- Labels are used to define which of the predefined Pod Security Standard levels you want to use for a namespace
- The label you select defines what action the control plane takes if a potential violation is detected:

Mode | Description |
---|---|
`enforce` | Policy violations will cause the pod to be rejected |
`audit` | Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed |
`warn` | Policy violations will trigger a user-facing warning, but are otherwise allowed |
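To make the "requirements placed on a Pod's Security Context" concrete, the following added example (not the Pod Security Admission controller's own code, and not from the Kubernetes project) encodes a subset of the documented `baseline` and `restricted` checks and evaluates two constructed Pod manifests against each level the way an `enforce` label would. It assumes only the standard library; the sample manifests, image name and container names are constructed for illustration. The real controller checks more fields (volume types, hostPath, sysctls, AppArmor, SELinux, and more) and is versioned per Kubernetes release.

```python
"""Evaluate a Pod manifest against a subset of the Pod Security Standards.

Added example, not the Pod Security Admission controller's implementation.
It encodes a handful of the documented baseline and restricted checks so the
difference between the profiles is visible on a concrete manifest.
"""
from typing import Any, Dict, List, Tuple

# Capabilities the baseline profile lets a container add (per the standard).
BASELINE_ALLOWED_ADD = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def _containers(pod: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Every container spec PSA evaluates: init, regular and ephemeral."""
    spec = pod.get("spec", {})
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def _effective(pod: Dict[str, Any], container: Dict[str, Any], key: str) -> Any:
    """A container-level securityContext field overrides the pod-level default."""
    csc = container.get("securityContext") or {}
    if key in csc:
        return csc[key]
    return (pod.get("spec", {}).get("securityContext") or {}).get(key)


def baseline_violations(pod: Dict[str, Any]) -> List[str]:
    """Subset of baseline: host namespaces, privileged, added caps, seccomp."""
    spec = pod.get("spec", {})
    problems: List[str] = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            problems.append(f"spec.{field} must be unset or false")
    for c in _containers(pod):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            problems.append(f"container {name}: privileged must be unset or false")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        for cap in sorted(added - BASELINE_ALLOWED_ADD):
            problems.append(f"container {name}: capability {cap} may not be added")
        seccomp = _effective(pod, c, "seccompProfile") or {}
        if seccomp.get("type") == "Unconfined":
            problems.append(f"container {name}: seccompProfile.type must not be Unconfined")
    return problems


def restricted_violations(pod: Dict[str, Any]) -> List[str]:
    """Restricted = everything in baseline plus explicit hardening per container."""
    problems = baseline_violations(pod)
    for c in _containers(pod):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        # Must be set explicitly to false; "unset" is a violation here.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"container {name}: capabilities.drop must include ALL")
        for cap in caps.get("add") or []:
            if cap != "NET_BIND_SERVICE":
                problems.append(f"container {name}: only NET_BIND_SERVICE may be added")
        if _effective(pod, c, "runAsNonRoot") is not True:
            problems.append(f"container {name}: runAsNonRoot must be true")
        if _effective(pod, c, "runAsUser") == 0:
            problems.append(f"container {name}: runAsUser must not be 0")
        seccomp_type = (_effective(pod, c, "seccompProfile") or {}).get("type")
        if seccomp_type not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def admit(pod: Dict[str, Any], level: str) -> Tuple[bool, List[str]]:
    """Mimic an `enforce: <level>` decision: returns (allowed, violations)."""
    checks = {"privileged": lambda p: [], "baseline": baseline_violations,
              "restricted": restricted_violations}
    problems = checks[level](pod)
    return (not problems, problems)


# Constructed sample manifests (dicts instead of YAML to avoid a dependency).
DEFAULT_POD = {  # no securityContext at all, as a bare `kubectl run` produces
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "example.invalid/web:1.0"}]},
}
HARDENED_POD = {  # satisfies the restricted subset above
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "example.invalid/web:1.0",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("default", DEFAULT_POD), ("hardened", HARDENED_POD)):
        for level in ("privileged", "baseline", "restricted"):
            ok, why = admit(pod, level)
            print(f"{label:9} {level:11} {'allowed' if ok else 'REJECTED'} {why}")
```

The default manifest passes `baseline` (nothing in it asks for extra privilege) but fails `restricted` on four counts, which is the usual experience when a namespace is moved from `baseline` to `restricted`: the profile demands explicit opt-outs, not merely the absence of dangerous settings.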
For each mode, there are two labels that determine the policy used:

```yaml
# The per-mode level label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>

# Optional: per-mode version label that can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (for example v1.25).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>
```
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-privileged-namespace
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
```
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-baseline-namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest
```
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-restricted-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
```