Pod Security
Pod Security Admission (PSA) is the built-in mechanism in Kubernetes for enforcing security standards on Pods at the API level. Introduced in Kubernetes v1.22 and stable in v1.25, it replaced the deprecated PodSecurityPolicy (PSP) feature.
PSA evaluates Pod specifications during creation or update and applies policy controls based on predefined security profiles.
Key Concepts
PSA is implemented as an admission controller that checks incoming Pod specs and enforces or audits their compliance with a chosen security profile.
There are three policy levels, each defining a different set of security requirements:
Level | Description |
---|---|
privileged | No restrictions — full access to host features |
baseline | Minimally restrictive, prevents known high-risk settings |
restricted | Highly restrictive, follows best practices for multi-tenant hardening |
Each namespace can have policies assigned in one of three modes:
Mode | Description |
---|---|
enforce | Reject non-compliant Pods |
audit | Log violations but allow the Pod |
warn | Send warnings to the user, but allow the Pod |
Configuring PSA
PSA is enabled by default in modern Kubernetes clusters. You can configure policy levels on a per-namespace basis using labels.
Example: Apply restricted policy with all modes
```bash
kubectl label namespace secure-ns \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/audit-version=latest \
  pod-security.kubernetes.io/warn=restricted \
  pod-security.kubernetes.io/warn-version=latest
```
This enforces, audits, and warns against any Pod that doesn’t meet the restricted policy level.
Policy Examples
Here are a few settings and whether each level allows (✅) or rejects (❌) them:
Setting | baseline | restricted |
---|---|---|
hostNetwork: true | ❌ | ❌ |
privileged: true | ❌ | ❌ |
runAsNonRoot: false | ✅ | ❌ |
allowPrivilegeEscalation: true | ✅ | ❌ |
capabilities.add: ["ALL"] | ❌ | ❌ |
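The following is an added example, not code from Kubernetes or from this page's author: a simplified Python model of the five settings in the table above and of how the enforce, audit and warn labels combine for one Pod. The function names, the sample Pod and its image name are constructed for illustration, and the real profiles check more fields than these five.

```python
# Added example (not Kubernetes source): a simplified model of the five settings
# in the table above and of the enforce/audit/warn modes. Real profiles check more.
PREFIX = "pod-security.kubernetes.io/"
# Capabilities the upstream baseline profile permits in capabilities.add.
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
                 "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP",
                 "SETUID", "SYS_CHROOT"}

def violations(pod, level):
    """List the table rows a Pod manifest (dict) violates at the given level."""
    if level == "privileged":
        return []
    spec, found = pod.get("spec") or {}, []
    if spec.get("hostNetwork"):
        found.append("hostNetwork: true")
    pod_non_root = (spec.get("securityContext") or {}).get("runAsNonRoot")
    allowed = BASELINE_CAPS if level == "baseline" else {"NET_BIND_SERVICE"}
    for kind in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc, name = c.get("securityContext") or {}, c.get("name", "?")
            if sc.get("privileged"):
                found.append(f"{name}: privileged: true")
            extra = set((sc.get("capabilities") or {}).get("add") or []) - allowed
            if extra:
                found.append(f"{name}: capabilities.add {sorted(extra)}")
            if level != "restricted":
                continue
            # A container value overrides the pod value; unset inherits it.
            non_root = sc.get("runAsNonRoot")
            if (pod_non_root if non_root is None else non_root) is not True:
                found.append(f"{name}: runAsNonRoot not true")
            if sc.get("allowPrivilegeEscalation") is not False:
                found.append(f"{name}: allowPrivilegeEscalation not false")
    return found

def admit(pod, ns_labels):
    """Evaluate each mode label; only enforce can reject the Pod."""
    # Assumption: a missing label means privileged, the default cluster setting.
    by_mode = {m: violations(pod, ns_labels.get(PREFIX + m, "privileged"))
               for m in ("enforce", "audit", "warn")}
    return {"allowed": not by_mode["enforce"], **by_mode}

# Constructed sample Pod: passes baseline, fails restricted.
SAMPLE_POD = {"spec": {"containers": [{
    "name": "web", "image": "registry.example/web:1.0",
    "securityContext": {"allowPrivilegeEscalation": True,
                        "capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}}
```

Calling `admit(SAMPLE_POD, {PREFIX + "enforce": "baseline", PREFIX + "warn": "restricted"})` admits the Pod while listing what would block it under restricted, which is the staged rollout the page recommends before tightening enforce.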
Summary
- Pod Security Admission (PSA) enforces security standards for Pods at the API level.
- Use PSA to prevent risky Pod configurations and enforce best practices per namespace.
- Choose the right policy level and mode for your environment.
Tip
Start with baseline or restricted in new namespaces, and use audit and warn modes to monitor for violations before enforcing.
When to Use Each Profile
Use Case | Recommended Level |
---|---|
Development namespace | baseline |
CI/CD pipelines | baseline |
Multi-tenant cluster workloads | restricted |
System workloads or privileged apps | privileged |