Pod Security Admission

Let's explore Pod Security Admission in detail.

Pod Security Admission (PSA) enforces our desired PSS (Pod Security Standards) policies. It works at the Namespace level and is implemented as a validating admission controller.

PSA offers three enforcement modes:

  • Warn: Allows violating Pods to be created but issues a user-facing warning

  • Audit: Allows violating Pods to be created but logs an audit event

  • Enforce: Rejects Pods if they violate the policy

It’s good practice to configure every Namespace with at least the baseline policy in warn or audit mode. This allows us to start gathering data on which Pods are failing the policy and why. The next step is to enforce the baseline policy and start warning and auditing on the restricted policy.

Any Namespaces without a Pod Security configuration are a gap in our security configuration, and we should attach a policy as soon as possible, even if it’s only warning and auditing.

Applying the following label to a Namespace will apply the baseline policy to it. It will allow violating Pods to run but will generate a user-facing warning.
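As an added example (not part of the original lesson), the check below classifies each Namespace along the rollout described above: no PSA label at all (a gap), warn/audit only, or enforcing. The input is a constructed snapshot shaped like `kubectl get namespaces -o json`; the label keys `pod-security.kubernetes.io/enforce`, `/audit` and `/warn` are the real PSA label keys, and the `kubectl label` command it prints is the suggested way to close a gap with baseline in warn and audit mode.

```python
"""Audit Namespaces for missing Pod Security Admission labels (added example;
the JSON below is constructed to mimic `kubectl get namespaces -o json`)."""
import json

# Constructed sample: the shape of `kubectl get ns -o json`, trimmed to labels.
SAMPLE_NS_JSON = json.dumps({"items": [
    {"metadata": {"name": "payments", "labels": {
        "pod-security.kubernetes.io/enforce": "baseline",
        "pod-security.kubernetes.io/warn": "restricted",
        "pod-security.kubernetes.io/audit": "restricted"}}},
    {"metadata": {"name": "legacy", "labels": {
        "pod-security.kubernetes.io/warn": "baseline"}}},
    {"metadata": {"name": "scratch", "labels": {"team": "dev"}}},
]})

PSA_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")

def psa_labels(namespace: dict) -> dict:
    """Return {mode: level} for the PSA mode labels set on one Namespace."""
    labels = namespace["metadata"].get("labels") or {}
    return {k[len(PSA_PREFIX):]: v for k, v in labels.items()
            if k.startswith(PSA_PREFIX) and k[len(PSA_PREFIX):] in MODES}

def classify(namespace: dict) -> str:
    """Place a Namespace on the staged rollout: gap -> monitoring -> enforcing."""
    psa = psa_labels(namespace)
    if not psa:
        return "gap"                 # no PSA label at all: unprotected Namespace
    if psa.get("enforce") in ("baseline", "restricted"):
        return "enforcing"           # violating Pods are rejected
    return "monitoring"              # warn and/or audit only; Pods still admitted

def audit(ns_json: str) -> dict:
    """Map each Namespace name to its rollout stage."""
    items = json.loads(ns_json)["items"]
    return {ns["metadata"]["name"]: classify(ns) for ns in items}

def label_command(name: str) -> str:
    """kubectl command that closes a gap with baseline in warn and audit mode."""
    return (f"kubectl label namespace {name} "
            f"{PSA_PREFIX}warn=baseline {PSA_PREFIX}audit=baseline")

if __name__ == "__main__":
    for name, stage in audit(SAMPLE_NS_JSON).items():
        print(f"{name:10s} {stage}")
        if stage == "gap":
            print("  ->", label_command(name))
```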