Alauda Container Platform

Pod Security Admission

Refer to the official Kubernetes documentation: Pod Security Admission

Pod Security Admission (PSA) is a Kubernetes admission controller that enforces security policies at the namespace level by validating Pod specifications against predefined standards.

TOC

Security Modes

PSA defines three modes to control how policy violations are handled:

ModeBehaviorUse Case
EnforceDenies creation/modification of non-compliant Pods.Production environments requiring strict security enforcement.
AuditAllows Pod creation but logs violations in audit logs.Monitoring and analyzing security incidents without blocking workloads.
WarnAllows Pod creation but returns client warnings for violations.Testing environments or transitional phases for policy adjustments.

Key Notes:

  • Enforce acts on Pods only (e.g., rejects Pods but allows non-Pod resources like Deployments).
  • Audit and Warn apply to both Pods and their controllers (e.g., Deployments).

Security Standards

PSA defines three security standards to restrict Pod privileges:

StandardDescriptionKey Restrictions
PrivilegedUnrestricted access. Suitable for trusted workloads (e.g., system components).No validation of securityContext fields.
BaselineMinimal restrictions to prevent known privilege escalations.Blocks hostNetwork, hostPID, privileged containers, and unrestricted hostPath volumes.
RestrictedStrictest policy enforcing security best practices.Requires:
- runAsNonRoot: true
- seccompProfile.type: RuntimeDefault
- Dropped Linux capabilities.

Configuration

Namespace Labels

Apply labels to namespaces to define PSA policies.

YAML file example

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline

CLI command

# Step 1: Update Pod Admission labels
kubectl label namespace <namespace-name> \
  pod-security.kubernetes.io/enforce=baseline \
  pod-security.kubernetes.io/audit=restricted \
  --overwrite

# Step 2: Verify labels
kubectl get namespace <namespace-name> --show-labels

Exemptions

Exempt specific users, namespaces, or runtime classes from PSA checks.

Example Configuration:

apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
exemptions:
  usernames: ['admin']
  runtimeClasses: ['nvidia']
  namespaces: ['kube-system']