PSP migration → Pod Security Standards
Definition
Pod Security Standards (PSS) are a set of policies in Kubernetes that define different levels of security for pods, replacing the deprecated PodSecurityPolicies (PSP). PSS provides a framework for applying security controls to pods by categorizing them into three levels: Privileged, Baseline, and Restricted. These levels help ensure that pods adhere to security best practices by enforcing constraints on aspects such as privilege escalation, host networking, and filesystem access.
Secure Settings Example
apiVersion: policy/v1
kind: PodSecurityPolicy
metadata:
name: restricted-psp
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
Insecure Settings Example
apiVersion: policy/v1
kind: PodSecurityPolicy
metadata:
name: privileged-psp
spec:
privileged: true
allowPrivilegeEscalation: true
requiredDropCapabilities: []
volumes:
- '*'
hostNetwork: true
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'