Pod Security Standards

Replacing PSPs

PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25
Pod Security Admission is its replacement
More info on the deprecation:
- Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller
- PodSecurityPolicy Deprecation: Past, Present, and Future.

Profiles¶

The Kubernetes Pod Security Standards define different isolation levels for Pods, via profiles:

Profile	Description
Privileged	Unrestricted policy, providing the widest possible level of permissions This policy allows for known privilege escalations
Baseline	Minimally restrictive policy which prevents known privilege escalations Allows the default (minimally specified) Pod configuration
Restricted	Heavily restricted policy Follows current Pod hardening best practices

Policy Instantiation¶

These profiles can be enforced in multiple ways:

Method	Description
Native	Pod Security Admission Controller (see below)
Third-party	OPA Gatekeeper, Kyverno, Kubewarden (see Compliance as Code - Kubernetes)

Pod Security Admission¶

Kubernetes offers a built-in Pod Security Admission controller to enforce the Pod Security Standards:

Pod security restrictions are applied at the namespace level when pods are created
Requirements are placed on a Pod's Security Context according to the three profiles defined by the Pod Security Standards (privileged, baseline, and restricted)
Labels are used to define which of the predefined Pod Security Standard levels you want to use for a namespace
The label you select defines what action the control plane takes if a potential violation is detected:

Mode	Description
`enforce`	Policy violations will cause the pod to be rejected
`audit`	Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed
`warn`	Policy violations will trigger a user-facing warning, but are otherwise allowed

For each mode, there are two labels that determine the policy used:

# The per-mode level label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>

# Optional: per-mode version label that can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (for example v1.25).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>

PrivilegedBaselineRestricted

apiVersion: v1
kind: Namespace
metadata:
  name: my-privileged-namespace
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest

apiVersion: v1
kind: Namespace
metadata:
  name: my-baseline-namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest

apiVersion: v1
kind: Namespace
metadata:
  name: my-restricted-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest