Pod Security Policy in Kubernetes: What It Is and How It Works

A Pod Security Policy in Kubernetes is a set of rules that controls what pods can do and what resources they can access. It helps secure the cluster by restricting pod actions like running as root or using host networking.

How It Works

Think of a Pod Security Policy (PSP) as a security guard for your Kubernetes pods. It sets rules about what pods are allowed to do, such as which users they can run as, whether they can use privileged mode, or if they can access the host's network or filesystem.

When you create or update a pod, Kubernetes checks the PSPs to see if the pod meets the security rules. If the pod doesn't follow the rules, Kubernetes will block it from running. This helps prevent risky or harmful pod configurations that could compromise the cluster.

PSPs work by defining a policy object with allowed and disallowed settings. Then, you attach these policies to users or service accounts through roles and bindings, controlling who can create pods with certain permissions.

Example

This example shows a simple Pod Security Policy that forbids running containers as root and disallows privileged mode.

yaml
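apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  privileged: false            # reject pods that request privileged containers
  runAsUser:
    rule: MustRunAsNonRoot     # containers may not run as UID 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny             # required field; the API server rejects a PSP without it
  volumes:
  - configMap
  - emptyDir
  - secret
  - persistentVolumeClaim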
Output
podsecuritypolicy.policy/restricted-psp created
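
The policy above applies to a pod only once the pod's creator or its service account is granted the `use` verb on it, which is the role-and-binding step described under How It Works. The manifests below are an added example (not from the original page) of that grant, followed by a pod the policy rejects; the namespace `team-a`, the object names and the image are assumed placeholders, and the PodSecurityPolicy admission plugin is assumed to be enabled.

```yaml
# Added example. PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25,
# so this applies only to clusters that still serve that API.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user             # assumed name
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  verbs: ["use"]                        # the verb PSP admission checks for
  resourceNames: ["restricted-psp"]     # limit the grant to this one policy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-binding          # assumed name
  namespace: team-a                     # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-user
subjects:
# All service accounts in team-a, so pods created by Deployments and Jobs
# in that namespace are validated against restricted-psp.
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:team-a
---
# Rejected at admission when restricted-psp is the only policy the subject may
# use: the container asks for privileged mode and the policy sets privileged: false.
apiVersion: v1
kind: Pod
metadata:
  name: rejected-example                # assumed name
  namespace: team-a
spec:
  containers:
  - name: app
    image: registry.example/app:1.0     # placeholder image
    securityContext:
      privileged: true
```

A pod that passes admission but whose image runs as UID 0 still fails to start under `MustRunAsNonRoot`, because the kubelet refuses to start a root container when `runAsNonRoot` is set.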

When to Use

Use Pod Security Policies when you want to enforce security rules on pods to protect your Kubernetes cluster. For example, you can prevent pods from running as root, using privileged containers, or accessing host resources.

This is especially useful in multi-tenant clusters where different teams deploy pods, and you want to limit what each team can do to reduce risks. It also helps meet compliance requirements by enforcing consistent security settings.

Key Points

  • Pod Security Policy controls pod permissions and security settings.
  • It works by defining rules that pods must follow to be allowed to run.
  • Policies are linked to users or service accounts via roles and bindings.
  • PSP helps protect the cluster from risky pod configurations.
  • Note: Pod Security Policy is deprecated in Kubernetes 1.21+ and replaced by newer mechanisms like Pod Security Admission.

Key Takeaways

  • Pod Security Policy sets rules to control pod permissions and security in Kubernetes.
  • It prevents pods from running with unsafe settings like running as root or privileged mode.
  • PSPs are applied by linking policies to users or service accounts with roles.
  • Use PSPs to secure multi-tenant clusters and enforce compliance.
  • PSP is deprecated in recent Kubernetes versions; consider newer alternatives.