Refer to the official Kubernetes documentation: Pod Security Admission
Pod Security Admission (PSA) is a Kubernetes admission controller that enforces security policy per namespace: it validates each Pod specification against the predefined Pod Security Standards before the Pod is created or updated.
PSA defines three modes that control how a policy violation is handled:
| Mode | Behavior | Use Case |
|---|---|---|
| Enforce | Denies creation or modification of non-compliant Pods. | Production environments requiring strict security enforcement. |
| Audit | Allows the Pod but records the violation in the audit log. | Monitoring and analyzing policy violations without blocking workloads. |
| Warn | Allows the Pod but returns a warning to the client that submitted it. | Testing environments or transitional phases while policies are being adjusted. |
Key Notes:
PSA defines three security standards (levels) that restrict Pod privileges:
| Standard | Description | Key Restrictions |
|---|---|---|
| Privileged | Unrestricted access. Suitable for trusted workloads (e.g., system components). | No validation of `securityContext` fields. |
| Baseline | Minimal restrictions to prevent known privilege escalations. | Blocks `hostNetwork`, `hostPID`, privileged containers, and unrestricted `hostPath` volumes. |
| Restricted | Strictest policy, enforcing security best practices. | Requires `runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`, and dropped Linux capabilities. |
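As an added illustration (not code from this page or from the Kubernetes project), the following Python sketch models how the two tables combine: it checks a Pod against the restrictions named for each level and then applies a namespace's enforce/audit/warn labels. The `pod-security.kubernetes.io/<mode>` label keys are the real PSA keys; the sample namespace labels and Pod specs are constructed.

```python
from typing import Dict, List

LABEL_PREFIX = "pod-security.kubernetes.io"   # real PSA label prefix: <prefix>/enforce, /audit, /warn


def violations(pod: dict, level: str) -> List[str]:
    """Return the checks a Pod fails at `level` (privileged, baseline or restricted).
    Only the restrictions listed in the standards table above are modelled."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found: List[str] = []
    if level == "privileged":            # privileged: securityContext is not validated at all
        return found
    # baseline: host namespaces, privileged containers and hostPath volumes are blocked
    found += [f"spec.{f}" for f in ("hostNetwork", "hostPID") if spec.get(f)]
    found += [f"hostPath volume {v.get('name')}" for v in spec.get("volumes", []) if "hostPath" in v]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"{c['name']}: privileged")
        if level != "restricted":
            continue
        # restricted: a container-level field overrides the pod-level one, so resolve that first
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{c['name']}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):   # the standard also accepts Localhost
            found.append(f"{c['name']}: seccompProfile.type must be RuntimeDefault")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f"{c['name']}: capabilities.drop must include ALL")
    return found


def admit(pod: dict, ns_labels: Dict[str, str]) -> dict:
    """Apply a namespace's enforce/audit/warn labels to one Pod: only enforce can deny, audit and warn only report."""
    result = {"allowed": True, "denied": [], "audit": [], "warnings": []}
    for mode, key in (("enforce", "denied"), ("audit", "audit"), ("warn", "warnings")):
        level = ns_labels.get(f"{LABEL_PREFIX}/{mode}")
        if level:
            result[key] = violations(pod, level)
    result["allowed"] = not result["denied"]
    return result


# Constructed sample input: a namespace enforcing baseline and warning on restricted, plus a Pod that shares the host PID namespace, mounts the host root and runs as root.
NS_LABELS = {f"{LABEL_PREFIX}/enforce": "baseline", f"{LABEL_PREFIX}/warn": "restricted"}
POD = {"spec": {"hostPID": True,
                "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
                "containers": [{"name": "app", "image": "example/app"}]}}
```

Running `admit(POD, NS_LABELS)` denies the Pod on the baseline checks and lists the additional restricted-level findings as warnings, mirroring how the same namespace would respond in a cluster.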
PSA policies are applied by labelling a namespace with the desired mode and standard.
YAML file example
CLI command
Exemptions allow specific users, namespaces, or runtime classes to bypass PSA checks.
Example Configuration: