In Kubernetes, security is a key concern, especially as containers and microservices grow in complexity. One of the essential features of Kubernetes for policy enforcement is Pod Security Admission (PSA), which replaces the deprecated Pod Security Policies (PSP). PSA provides a more straightforward and flexible approach to enforce security policies, helping administrators safeguard clusters by ensuring that only compliant pods are allowed to run.
This article will guide you through PSA, the available Pod Security Standards, how to configure them, and how to apply security policies to specific namespaces using labels.
What is Pod Security Admission (PSA)?
PSA is a built-in admission controller introduced in Kubernetes 1.23 to replace Pod Security Policies (PSPs). PSPs had a steep learning curve and could become cumbersome when scaling security policies across various environments. PSA simplifies this process by applying Kubernetes Pod Security Standards based on predefined security levels without needing custom logic for each policy.
With PSA, cluster administrators can restrict the permissions of pods by using labels that correspond to specific Pod Security Standards. PSA operates at the namespace level, enabling better granularity in controlling security policies for different workloads.
Pod Security Standards
Kubernetes provides three key Pod Security Standards in the PSA framework:
- Privileged: No restrictions; permits all features and is the least restrictive mode. This is not recommended for production workloads but can be used in controlled environments or for workloads requiring elevated permissions.
- Baseline: Provides a good balance between usability and security, restricting the most dangerous aspects of pod privileges while allowing common configurations. It is suitable for most applications that don’t need special permissions.
- Restricted: The most stringent level of security. This level is intended for workloads that require the highest level of isolation and control, such as multi-tenant clusters or workloads exposed to the internet.
Each standard includes specific rules to limit pod privileges, such as disallowing privileged containers, restricting access to the host network, and preventing changes to certain security contexts.
Setting Up Pod Security Admission (PSA)
To enable PSA, you need to label your namespaces based on the security level you want to enforce. The label format is as follows:
kubectl label --overwrite ns pod-security.kubernetes.io/enforce= <value>For example, to enforce a restricted security policy on the production namespace, you would run:
kubectl label --overwrite ns production pod-security.kubernetes.io/enforce=restrictedIn this example, Kubernetes will automatically apply the rules associated with the restricted policy to all pods deployed in the production namespace.
Additional PSA Modes
PSA also provides additional modes for greater control:
- Audit: Logs a policy violation but allows the pod to be created.
- Warn: Issues a warning but permits the pod creation.
- Enforce: Blocks pod creation if it violates the policy.
To configure these modes, use the following labels:
kubectl label --overwrite ns pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/warn=baseline This setup enforces the baseline standard while issuing warnings and logging violations for restricted-level rules.
Example: Configuring Pod Security in a Namespace
Let’s walk through an example of configuring baseline security for the dev namespace. First, you need to apply the PSA labels:
kubectl create namespace dev
kubectl label --overwrite ns dev pod-security.kubernetes.io/enforce=baselineNow, any pod deployed in the dev namespace will be checked against the baseline security standard. If a pod violates the baseline policy (for instance, by attempting to run a privileged container), it will be blocked from starting.
You can also combine warn and audit modes to track violations without blocking pods:
kubectl label --overwrite ns dev pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/audit=privilegedIn this case, PSA will allow pods to run if they meet the baseline policy, but it will issue warnings for restricted-level violations and log any privileged-level violations.
Applying Policies by Default
One of the strengths of PSA is its simplicity in applying policies at the namespace level, but administrators might wonder if there’s a way to apply a default policy across new namespaces automatically. As of now, Kubernetes does not natively provide an option to apply PSA policies globally by default. However, you can use admission webhooks or automation tools such as OPA Gatekeeper or Kyverno to enforce default policies for new namespaces.
Conclusion
Pod Security Admission (PSA) simplifies policy enforcement in Kubernetes clusters, making it easier to ensure compliance with security standards across different environments. By configuring Pod Security Standards at the namespace level and using labels, administrators can control the security level of workloads with ease. The flexibility of PSA allows for efficient security management without the complexity associated with the older Pod Security Policies (PSPs).
For more details on configuring PSA and Pod Security Standards, check the official Kubernetes PSA documentation and Pod Security Standards documentation.
Related articles:
Understanding Helm Hooks: A Guide to Using Hooks in Your Helm Charts
Ensuring Kubernetes Security: A Collaborative Journey for Developers and Operators
How To Enable SwaggerUI TIBCO BusinessWorks when Offloading SSL Certificate
CICD Docker: Top 3 Reasons Why Using Containers In Your DevSecOps pipeline