Containerization & Orchestration

Pod Security Policies (PSP)

What are Pod Security Policies (PSP)?

Pod Security Policies in Kubernetes are cluster-level resources that control security sensitive aspects of the pod specification. They define a set of conditions that a pod must run with in order to be accepted into the system. PSPs are being deprecated in favor of Pod Security Standards.

In the world of software engineering, containerization and orchestration have become critical concepts in the deployment and management of applications. One of the key components in this realm is Pod Security Policies (PSP), a cluster-level resource that controls security-sensitive aspects of pod specification in Kubernetes.

The PSP concept is not a standalone one; it intertwines with other concepts such as containers, pods, and Kubernetes, which are all part of the broader containerization and orchestration landscape. Understanding PSP requires a deep dive into these related topics, and that is exactly what this glossary entry aims to provide.

Definition of Pod Security Policies (PSP)

Pod Security Policies (PSP) are a set of controls that define the conditions pods must meet to be accepted into the system. They allow administrators to establish security parameters at a granular level, controlling what a pod can do and what it can access within a Kubernetes cluster.

These policies are implemented as a Kubernetes Admission Controller, which intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. The PSP defines a set of conditions that a pod must meet to be accepted into the system; if it doesn't meet these conditions, the request is denied.

Components of a PSP

A Pod Security Policy is made up of several key components, each of which plays a crucial role in defining the security parameters for a pod. These components include, but are not limited to, the following: Privilege Escalation, Capabilities, Host Network, Host Ports, Host PID, Host IPC, Read Only Root Filesystem, and Volumes.

Each of these components allows administrators to control specific aspects of a pod's behavior. For instance, the Privilege Escalation component determines whether a pod can gain more privileges than its parent process. The Host Network component, on the other hand, controls whether a pod can use the host network namespace, essentially determining whether the pod can access the network resources of the host machine.

Explanation of Pod Security Policies

Pod Security Policies are a critical part of maintaining the security of a Kubernetes cluster. They allow administrators to control the actions that pods can perform and the resources they can access, thereby limiting the potential damage that could be caused by a malicious pod or a pod that has been compromised.

Without PSPs, any user who can create a pod in a cluster can effectively run arbitrary code on any node in the cluster. This is because by default, users with the ability to create pods can also set any security context for those pods, which allows them to run the pods with elevated privileges. PSPs mitigate this risk by allowing administrators to control the security context settings for pods.

Working of PSPs

When a pod creation or modification request is made, the Kubernetes API server checks the request against all available PSPs. The check is done in two steps: first, the system checks whether the user making the request has permission to use the policy, and second, it checks whether the pod specification meets the conditions defined in the policy.

If the user has permission to use the policy and the pod meets the conditions of the policy, the request is allowed. If either condition is not met, the request is denied. This two-step check ensures that both the user and the pod are subject to the security controls defined in the PSP.

History of Pod Security Policies

The concept of Pod Security Policies was introduced in Kubernetes version 1.3 as a way to control the security-sensitive aspects of pod specification. The goal was to provide administrators with a tool to enforce security best practices in their clusters.

Since then, PSPs have become a fundamental part of Kubernetes security, with many organizations relying on them to protect their clusters from potential threats. However, it's worth noting that as of Kubernetes version 1.21, PSPs are deprecated and will be removed in version 1.25. The Kubernetes community is currently working on developing new security controls to replace PSPs.

Reason for Deprecation

The decision to deprecate PSPs was not taken lightly. The Kubernetes community recognized that while PSPs were a powerful tool for enforcing security best practices, they also had several shortcomings. For instance, PSPs have a complex and confusing API, and they often lead to unexpected behavior due to their interaction with other Kubernetes features.

In light of these issues, the community decided to deprecate PSPs and replace them with a set of new security controls that are easier to use and understand. These new controls are currently being developed and are expected to provide the same level of security as PSPs, but with a more user-friendly interface.

Use Cases of Pod Security Policies

Despite their impending deprecation, PSPs are still widely used in many Kubernetes clusters. They serve a variety of use cases, all centered around the goal of improving the security of the cluster.

One common use case for PSPs is to prevent pods from running as root. Running containers as root is a common security risk, as it gives the container full control over the host system. By using a PSP, administrators can enforce that all pods in the cluster run as a non-root user, thereby mitigating this risk.

Restricting Access to Host Resources

Another common use case for PSPs is to restrict pods' access to host resources. By default, a pod has access to all the resources of the host machine, including the network, the filesystem, and the process space. This can be a security risk, as a compromised pod could use these resources to attack the host machine.

With a PSP, administrators can restrict a pod's access to these resources. For instance, they can prevent a pod from using the host network or accessing the host filesystem. This can significantly reduce the potential damage that a compromised pod can cause.

Examples of Pod Security Policies

Let's take a look at some specific examples of how Pod Security Policies can be used to enforce security best practices in a Kubernetes cluster.

Consider a scenario where you want to prevent pods from running as root. You could create a PSP with the following specification:


apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
 name: non-root
spec:
 privileged: false
 runAsUser:
   rule: MustRunAsNonRoot

This PSP enforces that all pods run as a non-root user. Any pod that tries to run as root will be denied by the Kubernetes API server.

Restricting Host Network Access

Another example is restricting pods' access to the host network. This can be achieved with a PSP like the following:


apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
 name: no-host-network
spec:
 hostNetwork: false

This PSP prevents pods from using the host network. Any pod that tries to use the host network will be denied by the Kubernetes API server.

These are just a few examples of how Pod Security Policies can be used to enforce security best practices in a Kubernetes cluster. Despite their impending deprecation, PSPs remain a powerful tool for securing Kubernetes clusters, and understanding them is essential for any Kubernetes administrator.

High-impact engineers ship 2x faster with Graph
Ready to join the revolution?
Learn more
Go to Homepage
High-impact engineers ship 2x faster with Graph
Ready to join the revolution?
Learn more
Go to Homepage

Code happier

Join the waitlist