Pod Security Policy (PSP) Overview
Pod Security Policies (PSPs) are a deprecated feature in Kubernetes and are scheduled for removal in version 1.29. For new deployments, consider using Pod Security Admission (PSA) or Open Policy Agent (OPA) Gatekeeper.
Pod Security Policies (PSPs) were a cluster-level resource that controlled security-sensitive aspects of the pod specification. PSPs let you enforce security standards for every pod created in your cluster.
What is a Pod Security Policy?
A Pod Security Policy (PSP) is an object that defines a set of conditions that a pod must meet to be accepted into the system. These policies dictate requirements such as:
- Privileged containers
- Host network access
- Host directory mounts
- Allowed image registries
- Capabilities granted to pods
- SELinux contexts
- AppArmor profiles
- Read-only root file systems
When a pod is created, the Kubernetes API server validates it against all Pod Security Policies that are available to the requesting user or service account. If the pod violates any policy, it is rejected.
Why Use Pod Security Policies?
PSPs were crucial for enforcing security best practices and preventing common security misconfigurations within a Kubernetes cluster. They helped:
- Reduce the attack surface: By restricting potentially dangerous configurations like privileged containers.
- Enforce organizational standards: Ensuring that all deployed applications adhere to security requirements.
- Prevent accidental misconfigurations: Guarding against human errors that could expose the cluster.
- Improve compliance: Meeting regulatory or internal security mandates.
Deprecation and Alternatives
As mentioned, PSPs are no longer the recommended way to enforce pod security in Kubernetes. The Kubernetes community has moved towards more flexible and maintainable solutions:
- Pod Security Admission (PSA): A built-in admission controller that enforces Pod Security Standards at the namespace level. PSA is simpler to configure than PSPs and is the recommended path for most users.
- Open Policy Agent (OPA) Gatekeeper: A more powerful and flexible policy engine that allows for complex, custom policies using the Rego language. It can enforce policies not just on pods but on any Kubernetes resource.
Migrating from PSPs
The migration process typically involves understanding your existing PSP configurations and translating them into equivalent policies using PSA or Gatekeeper. This might require careful planning and testing to ensure no security gaps are introduced.
Tip: For existing AKS clusters, you can check whether PSPs are enabled and review your current policies. However, prioritize planning your migration to PSA or Gatekeeper so that your clusters stay supported after PSP removal.
Key Concepts in PSPs (Historical Context)
While deprecated, understanding these concepts provides context for older deployments:
- privileged: Controls whether a pod can run as privileged.
- hostNetwork, hostPID, hostIPC: Control access to the host's network namespace, PID namespace, and IPC namespace.
- allowPrivilegeEscalation: Determines if a process can gain more privileges than its parent process.
- readOnlyRootFilesystem: Enforces read-only root file systems for containers.
- volumes: Specifies allowed volume types.
- allowedHostPaths: Restricts allowed host paths that can be mounted.
- allowedCapabilities: Controls which Linux capabilities can be added to pods.
- seLinux: Configures SELinux contexts.
- appArmor: Configures AppArmor profiles.
- imagePullPolicy: Controls allowed image pull policies (e.g., IfNotPresent, Always).
- allowedFlexVolumes: Restricts allowed flex volume drivers.
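To make the validation step concrete (a pod spec checked against a policy and rejected on any violation), here is an added Python example, not Kubernetes code, that models a restricted policy with the PSP field names listed above and reports a pod spec's violations. The policy values and both pod specs are constructed for the illustration, and allowedHostPaths is simplified to a list of allowed path prefixes.

```python
# Restricted baseline policy keyed by the PSP field names discussed above (constructed here).
RESTRICTED_POLICY = {
    "privileged": False, "hostNetwork": False, "hostPID": False, "hostIPC": False,
    "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
    "volumes": ["configMap", "emptyDir", "secret", "projected"],  # allowed volume types
    "allowedHostPaths": [],      # simplified to a list of allowed path prefixes
    "allowedCapabilities": [],   # no extra Linux capabilities may be added
}

def validate_pod(pod, policy):
    """Return the list of policy violations; an empty list means the pod would be admitted."""
    spec, violations = pod.get("spec", {}), []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):  # host namespace access
        if spec.get(flag, False) and not policy[flag]:
            violations.append(f"{flag} is not allowed")
    for vol in spec.get("volumes", []):
        vtype = next(k for k in vol if k != "name")  # the key naming the type, e.g. "hostPath"
        if vtype not in policy["volumes"]:
            violations.append(f"volume {vol['name']}: type {vtype} is not allowed")
        elif vtype == "hostPath" and not any(
                vol["hostPath"]["path"].startswith(p) for p in policy["allowedHostPaths"]):
            violations.append(f"volume {vol['name']}: path is not under an allowed host path")
    for c in spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged", False) and not policy["privileged"]:
            violations.append(f"container {name}: privileged containers are not allowed")
        # Kubernetes treats an unset allowPrivilegeEscalation as true, so the default is checked too.
        if sc.get("allowPrivilegeEscalation", True) and not policy["allowPrivilegeEscalation"]:
            violations.append(f"container {name}: allowPrivilegeEscalation must be false")
        if policy["readOnlyRootFilesystem"] and not sc.get("readOnlyRootFilesystem", False):
            violations.append(f"container {name}: root filesystem must be read-only")
        extra = set(sc.get("capabilities", {}).get("add", [])) - set(policy["allowedCapabilities"])
        if extra:
            violations.append(f"container {name}: added capabilities {sorted(extra)} are not allowed")
    return violations

# Constructed sample pod specs, not taken from any real cluster.
RISKY_POD = {"metadata": {"name": "debug-shell"}, "spec": {
    "hostNetwork": True,
    "containers": [{"name": "shell", "image": "example.invalid/tools:latest",
                    "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}}}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}
COMPLIANT_POD = {"metadata": {"name": "web"}, "spec": {
    "containers": [{"name": "web", "image": "example.invalid/web:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]}}

if __name__ == "__main__":  # prints each pod's name and either its violations or "admitted"
    for pod in (RISKY_POD, COMPLIANT_POD):
        print(pod["metadata"]["name"], validate_pod(pod, RESTRICTED_POLICY) or "admitted")
```

The risky pod collects six violations (host network, hostPath volume, privileged container, escalation left at its default, writable root filesystem, and an added capability), while the compliant pod collects none.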
Remember, these concepts are primarily for understanding legacy PSP configurations. For new security enforcement, focus on Pod Security Admission and OPA Gatekeeper.
Conclusion
Pod Security Policies were a foundational security feature in Kubernetes, but they have been superseded by more modern and flexible solutions. It is essential to be aware of their deprecation and to plan your migration strategy to ensure your Kubernetes deployments remain secure and up-to-date.
For detailed guidance on migrating to Pod Security Admission or OPA Gatekeeper, please refer to the official Kubernetes documentation and AKS best practices.