Pod Security Admission (PSA)
The PSA is a built-in Kubernetes admission controller that enforces the Pod Security Standards. It inspects incoming Pod creation and update requests and determines whether they comply with the configured PSS level for the relevant namespace.
Enforcement:
- PSA can be configured to enforce a specific PSS level at the cluster or namespace level.
PSA operates in three modes:
- Enforce: Rejects Pods that do not meet the specified PSS level.
- Audit: Logs violations but allows the Pod to be created or updated.
- Warn: Displays a warning to the user if the Pod violates the PSS, but still allows the operation.
Pod Security Standards (PSS)
The PSS define three distinct security levels for Pods, each with increasing restrictions:
Privileged:
- This policy offers the least restrictions and allows for known privilege escalations. It is suitable for system-level components that require extensive access.
Baseline:
- This policy is minimally restrictive and aims to prevent known privilege escalations while allowing the default (minimally specified) Pod configuration. It's suitable for most applications.
Restricted:
- This policy is highly restrictive and enforces current Pod hardening best practices. It's designed for applications that require the highest level of security.
Cluster-Level (Admission Controller) Setup
AdmissionConfiguration is not a resource that can be created with kubectl apply; it is a file read by kube-apiserver at startup. Write it to a file on the control-plane node (the path below is an example) and pass that path to kube-apiserver with --admission-control-config-file:
cat <<EOF > /etc/kubernetes/psa-admission-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "baseline"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system]
EOF
Once kube-apiserver is started with that flag, this activates Pod Security Admission at the cluster level.
Test the pod security
kubectl run --image nginx nginx
It shows a PodSecurity warning because we set warn and audit to the restricted policy; the Pod is still created because enforce is set to the baseline policy.
Namespace-Level Enforcement
You can apply PSA per namespace, giving flexibility across environments.
Example: Apply Restricted Policy
kubectl create namespace secure-app
kubectl label namespace secure-app \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/warn=baseline
When users attempt to deploy a Pod that violates this policy, the admission controller denies it:
Error from server (Forbidden): pod violates PodSecurity "restricted"
Verify PSA Configuration
To verify labels:
kubectl get ns secure-app --show-labels
To check enforcement (the Pod must be created in the labelled namespace, otherwise only the cluster defaults apply):
kubectl run --image nginx nginx -n secure-app
It returns an error when we try to create the Pod without a least-privilege security context, because the namespace enforce label is set to restricted.
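For comparison, here is a Pod manifest that passes the restricted profile in the secure-app namespace. This is an added example, not part of the original post; the image nginxinc/nginx-unprivileged is an assumption, chosen because the stock nginx image runs as root and listens on port 80, which would pass admission but then fail at container start under runAsNonRoot.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-restricted
  namespace: secure-app        # namespace labelled enforce=restricted above
spec:
  securityContext:
    runAsNonRoot: true         # restricted: containers must not run as root
    seccompProfile:
      type: RuntimeDefault     # restricted: seccomp profile must be set
  containers:
  - name: nginx
    image: nginxinc/nginx-unprivileged   # assumed non-root image (listens on 8080)
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false    # restricted: must be explicitly false
      capabilities:
        drop: ["ALL"]                    # restricted: drop every capability
```

You can check the admission decision without creating anything by running kubectl apply --dry-run=server -f on this file; removing any of the four securityContext fields turns the result into a "violates PodSecurity restricted" error.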
Conclusion
Pod Security Admission offers a lightweight, label-based approach to enforcing pod security.
- Admission level: Enabled at the cluster API server.
- Namespace level: Controlled via namespace labels.
For more configuration details, see the official documentation: https://kubernetes.io/docs/tutorials/security/