Pod Security Admission (PSA)
Key Takeaways for AI & Readers
- Simplified Security: Pod Security Admission (PSA) replaces complex PodSecurityPolicies (PSPs) with easier-to-manage Pod Security Standards (PSS).
- Namespace-Based Enforcement: Security levels (Privileged, Baseline, Restricted) are applied to namespaces via labels, controlling what types of Pods can run.
- Enforcement Modes: Policies can either strictly Enforce, Audit violations, or simply Warn users, providing flexibility in adoption.
- Granular Control: PSA allows administrators to define a range of security postures, from unrestricted to highly restrictive, based on the workload's needs.
Previously, Kubernetes used "PodSecurityPolicies" (PSP) to secure containers. They were complex and hard to manage. The replacement is Pod Security Admission (PSA), a built-in admission controller that enforces the Pod Security Standards (PSS).
1. Enforcement Levels
You apply security rules to Namespaces using simple labels.
[Interactive demo not reproduced. It compares two example Pods, a Privileged Pod (runs as root, has host access) and a Baseline Pod (standard security, no root escalations), against a namespace label such as pod-security.kubernetes.io/enforce: privileged and shows the Admission Result.]
The Levels
- Privileged: Unrestricted. (e.g. for kube-system or CNI pods).
- Baseline: Minimally restrictive. Prevents common privilege escalations.
- Restricted: Heavily restricted. Follows best practices for security.
2. Modes of Operation
You can define how the policy is applied:
- Enforce: Rejects any Pod that violates the policy.
- Audit: Allows the Pod, but records the violation in the audit log.
- Warn: Allows the Pod, but sends a warning message to the user.
3. Example YAML
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.24
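As an added illustration (not code from this page or from Kubernetes), the following Python models how the enforce, audit and warn labels from sections 1 to 3 are applied to a Pod: each mode looks up its level label (defaulting to privileged when the label is absent), runs a small subset of the Baseline and Restricted controls, and only enforce rejects. The control set, the result structure and the omission of enforce-version handling are simplifications of the real admission controller.

```python
# Added illustrative model of PSA (not Kubernetes' own code): namespace labels
# select a level per mode; only a subset of Baseline/Restricted controls is checked.
PREFIX = "pod-security.kubernetes.io/"
def _containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])
def baseline_violations(pod):
    """Subset of Baseline: no host namespaces, privileged containers or hostPath."""
    spec, v = pod.get("spec", {}), []
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            v.append(f"{key}=true")
    for c in _containers(spec):
        if c.get("securityContext", {}).get("privileged"):
            v.append(f"container {c['name']}: privileged=true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"hostPath volume {vol['name']}")
    return v

def restricted_violations(pod):
    """Baseline plus a subset of Restricted: non-root, no escalation, drop ALL."""
    spec, v = pod.get("spec", {}), baseline_violations(pod)
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"container {c['name']}: allowPrivilegeEscalation != false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            v.append(f"container {c['name']}: runAsNonRoot != true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            v.append(f"container {c['name']}: capabilities.drop lacks ALL")
    return v

CHECKS = {"privileged": lambda pod: [], "baseline": baseline_violations,
          "restricted": restricted_violations}

def admit(pod, namespace_labels):
    """Apply the enforce/audit/warn labels; an absent label defaults to privileged."""
    result = {"allowed": True, "reason": None, "warnings": [], "audit": []}
    for mode in ("enforce", "audit", "warn"):
        level = namespace_labels.get(PREFIX + mode, "privileged")
        violations = CHECKS[level](pod)
        if violations and mode == "enforce":   # reject the Pod
            result["allowed"] = False
            result["reason"] = f'violates PodSecurity "{level}": ' + "; ".join(violations)
        elif violations and mode == "audit":   # allow, but record an audit annotation
            result["audit"].extend(violations)
        elif violations:                       # allow, but warn the client
            result["warnings"].extend(violations)
    return result
```

A staged rollout is the usual use: label a namespace with warn: restricted (or audit) first, fix the Pods it reports, and only then move enforce from baseline to restricted.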