Pod Security Policies (Legacy) in Kubernetes
1. Introduction
Pod Security Policies (PSPs) are a cluster-level resource in Kubernetes that control security-sensitive aspects of pod specification. They allow administrators to define a set of conditions that a pod must meet to be accepted into the system.
2. Key Concepts
- **Authorization**: Defines who can create or modify PSPs.
- **Admission Control**: Verifies pods against PSPs during the admission phase.
- **Security Context**: Defines privilege and access control settings for a pod or container.
3. Definitions
- **Pod**: The smallest deployable unit in Kubernetes, representing a single instance of a running process.
- **Pod Security Policy**: A policy that defines a set of conditions that a pod must meet to be accepted into the system.
- **ClusterRole**: A set of permissions that can be applied across the entire cluster.
4. Step-by-Step Process
Creating a Pod Security Policy
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: MustRunAs
    ranges:
      - min: 1000
        max: 2000
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
```
Applying the Policy
```shell
kubectl apply -f example-psp.yaml
```
5. Best Practices
- Keep each PSP minimal: allow only the privileges a workload actually needs.
- Regularly audit and update PSPs to align with security requirements.
- Use namespaces to segregate environments and apply PSPs accordingly.
6. FAQ
What happens if a pod does not meet the security policy?
The pod will be rejected during the admission control phase and will not be scheduled.
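To make the admission check concrete, the following added example (written for this page, not code from Kubernetes) simulates, in simplified form, how the PSP admission controller evaluates a pod against the fields used by example-psp above: privileged, allowPrivilegeEscalation, requiredDropCapabilities and the runAsUser MustRunAs range. The policy is represented as a Python dict instead of YAML so the script runs without PyYAML, the two pod specs are constructed samples, and fields the pod leaves unset are treated as defaulted from the policy, which is how the real controller's mutating step behaves.

```python
# Added example: a simplified simulation of PodSecurityPolicy admission for the
# fields used by example-psp. Not Kubernetes code; pod specs are constructed.

EXAMPLE_PSP = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"],
    "allowedCapabilities": [],  # not listed in example-psp, so no capability may be added
    "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 1000, "max": 2000}]},
}


def _container_sc(container):
    return container.get("securityContext") or {}


def _effective_run_as_user(pod_spec, container):
    """Container-level runAsUser overrides the pod-level value, as in Kubernetes."""
    csc = _container_sc(container)
    if "runAsUser" in csc:
        return csc["runAsUser"]
    return (pod_spec.get("securityContext") or {}).get("runAsUser")


def validate_pod(pod_spec, psp=EXAMPLE_PSP):
    """Return a list of violations; an empty list means the pod would be admitted.

    A field the pod does not set is assumed to be defaulted from the policy
    (the mutating part of PSP admission), so only explicit values can conflict.
    """
    violations = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    required_drops = set(psp["requiredDropCapabilities"])
    allowed_adds = set(psp.get("allowedCapabilities", []))
    ranges = psp["runAsUser"]["ranges"]

    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = _container_sc(c)

        if sc.get("privileged") and not psp["privileged"]:
            violations.append(f"{name}: privileged containers are not allowed")

        if sc.get("allowPrivilegeEscalation") is True and not psp["allowPrivilegeEscalation"]:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")

        caps = sc.get("capabilities")
        if caps is not None:  # an unset capabilities block is defaulted to the required drops
            for cap in caps.get("add", []):
                if cap not in allowed_adds:
                    violations.append(f"{name}: capability {cap} may not be added")
            drops = set(caps.get("drop", []))
            for cap in sorted(required_drops):
                if cap not in drops:
                    violations.append(f"{name}: capability {cap} is required to be dropped")

        if psp["runAsUser"]["rule"] == "MustRunAs":
            uid = _effective_run_as_user(pod_spec, c)
            if uid is not None and not any(r["min"] <= uid <= r["max"] for r in ranges):
                violations.append(f"{name}: runAsUser {uid} is outside the allowed ranges")
    return violations


# Constructed sample pod specs (the "spec:" part of a Pod manifest).
COMPLIANT_POD = {
    "securityContext": {"runAsUser": 1500},
    "containers": [{
        "name": "app",
        "image": "example/app:1.0",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

ROOT_PRIVILEGED_POD = {
    "containers": [{
        "name": "debug",
        "image": "example/debug:1.0",
        "securityContext": {
            "privileged": True,
            "runAsUser": 0,
            "capabilities": {"add": ["SYS_ADMIN"]},
        },
    }],
}

if __name__ == "__main__":
    for label, pod in (("compliant", COMPLIANT_POD), ("root-privileged", ROOT_PRIVILEGED_POD)):
        problems = validate_pod(pod)
        print(label, "admitted" if not problems else "rejected")
        for p in problems:
            print("  -", p)
```

Running the script admits the compliant pod and rejects the root, privileged one with four separate violations, which mirrors what the controller reports when a pod fails a policy: the pod is refused at admission and never reaches the scheduler.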
Are Pod Security Policies deprecated?
Yes, PSPs are deprecated in Kubernetes 1.21 and will be removed in future versions. Consider using alternatives like OPA Gatekeeper.