PSP
Definition
Pod Security Policies (PSPs) are a deprecated Kubernetes feature that provided a mechanism to control security-sensitive aspects of pod specifications. They allowed cluster administrators to define a set of conditions that a pod must meet to be accepted into the system, such as restricting the use of privileged containers, controlling volume types, and enforcing user and group IDs. PSPs were replaced by Pod Security Admission in Kubernetes 1.21 and are scheduled for removal in Kubernetes 1.25.
Secure Settings Example
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted-psp
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
Insecure Settings Example
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: permissive-psp
spec:
privileged: true
allowPrivilegeEscalation: true
requiredDropCapabilities: []
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'