How to enhance Kubernetes security by migrating from Pod Security Policies to Pod Security Admission Controller

Opcito Technologies
2 min read · Aug 19, 2024


Pod Security Policies (PSPs) are a cluster-level resource in Kubernetes that controls security-sensitive aspects of pod specifications. For years, they served as the cornerstone of security enforcement in Kubernetes clusters by ensuring that only pods meeting specific criteria (running as a non-root user, not running privileged containers, and so on) are deployed, which minimizes vulnerability risks. However, after the release of Kubernetes 1.26, PSPs became deprecated, paving the way for a more robust and flexible approach: the Pod Security Admission Controller. If you’re looking for a step-by-step migration process with examples, here it is.

What is the Pod Security Admission Controller in Kubernetes 1.26?

In Kubernetes 1.26, the Pod Security Admission Controller (PSAC) is the mechanism that replaces Pod Security Policies (PSPs). Instead of a separate policy object, it reads labels on each namespace and applies one of three predefined security levels, Privileged, Baseline, or Restricted, in enforce, audit, or warn mode. This approach provides granular control over pod security while reducing administrative overhead.

Why use Pod Security Admission Controller?

  • Deprecation of PSP: PSPs were deprecated in Kubernetes 1.21 and removed in 1.25. Continuing to rely on them leaves clusters without proper security controls.
  • Simplified management: The new system is easier to manage and understand, especially in large clusters.
  • Flexibility: Allows more straightforward application of different security policies to different namespaces.
  • Standardization: Uses predefined security levels, making understanding and communicating security postures easier.
  • Futureproofing: Aligns with Kubernetes’ direction, ensuring supported and up-to-date security practices.
  • Performance and scalability: More efficient and scalable, especially in large, multi-tenant clusters.

Example Scenario with PSP in Kubernetes 1.25

Create namespace

kubectl create namespace security-namespace

Create PSP in `security-namespace`

# psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: security-namespace-psp
spec:
  privileged: false            # no privileged containers
  runAsUser:
    rule: MustRunAsNonRoot     # containers must run as a non-root UID
  # The following rules are required fields of a PSP; RunAsAny leaves them unrestricted.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny

Apply the changes

kubectl apply -f psp.yaml

Deploy nginx pod in `security-namespace`

# nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: security-namespace
spec:
  containers:
  - name: nginx
    image: nginx:latest
    securityContext:
      # The kubelet checks this against the image's USER at container start, so the
      # image must run as a non-root user (or set runAsUser to a non-zero UID here).
      runAsNonRoot: true

Apply the changes

kubectl apply -f nginx.yaml

Steps to migrate from PSP to Pod Security Admission Controller in Kubernetes 1.26

Step 1. Add Security Labels to Namespace:

# security-namespace-update.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: security-namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline   # reject pods that violate baseline
    pod-security.kubernetes.io/audit: restricted   # log restricted violations to the audit log
    pod-security.kubernetes.io/warn: restricted    # return a warning to the user on restricted violations

Apply the changes

kubectl apply -f security-namespace-update.yaml

Step 2. Update nginx Pod Definitions: (read more..)
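To see what the labels above would do with the nginx pod, here is an added example (not code from the original article or from Kubernetes itself) that models a subset of the Pod Security Standards offline: the baseline controls that correspond to the old PSP, and the extra restricted-level checks that the audit/warn labels report. The pod manifest is constructed inline as a dict.

```python
# Added example, not from the original article: an offline checker for a subset of
# the Pod Security Standards. Baseline models what the PSP above did (privileged,
# host namespaces); restricted adds the hardening that audit/warn: restricted flags.
def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])

def _effective(pod, container, field):
    """Container-level securityContext wins, otherwise fall back to pod level."""
    csc = container.get("securityContext") or {}
    if field in csc:
        return csc[field]
    return (pod.get("spec", {}).get("securityContext") or {}).get(field)

def check_baseline(pod):
    """Return a list of baseline violations found in a pod manifest dict."""
    spec, out = pod.get("spec", {}), []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            out.append(f"baseline: {ns} must not be true")
    for c in _containers(pod):
        if (c.get("securityContext") or {}).get("privileged"):
            out.append(f"baseline: container {c['name']} must not be privileged")
    return out

def check_restricted(pod):
    """Restricted = every baseline control plus stricter per-container fields."""
    out = check_baseline(pod)
    for c in _containers(pod):
        n, csc = c["name"], c.get("securityContext") or {}
        if _effective(pod, c, "runAsNonRoot") is not True:
            out.append(f"restricted: {n} must run as non-root (runAsNonRoot: true)")
        if csc.get("allowPrivilegeEscalation") is not False:
            out.append(f"restricted: {n} must set allowPrivilegeEscalation: false")
        caps = csc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            out.append(f"restricted: {n} must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f"restricted: {n} may only add NET_BIND_SERVICE")
        seccomp = _effective(pod, c, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            out.append(f"restricted: {n} needs seccompProfile RuntimeDefault/Localhost")
    return out

# The article's nginx pod as a dict (constructed): passes baseline, fails restricted.
NGINX_POD = {"apiVersion": "v1", "kind": "Pod",
             "metadata": {"name": "nginx", "namespace": "security-namespace"},
             "spec": {"containers": [{"name": "nginx", "image": "nginx:latest",
                                      "securityContext": {"runAsNonRoot": True}}]}}
```

Running `check_restricted(NGINX_POD)` lists exactly the fields Step 2 has to add (allowPrivilegeEscalation, capabilities drop ALL, a seccomp profile), while `check_baseline` returns nothing, which is why the pod is still admitted under `enforce: baseline`.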
