Skip to main content
Version: 123.3

Pod Security Admission

Pod Security Admission (PSA) is a feature in Kubernetes that enforces security policies on pod creation and deployment in a target cluster. PSA replaces the Pod Security Policies feature in Kubernetes, which was deprecated in Kubernetes version 1.21 and removed in 1.25 version. For more information, see PSA in Kubernetes documentation.

The PSA validates the security attributes of pods before they are deployed and running in the Kubernetes cluster, ensuring that the pods adhere to the security policies set by the administrator.

The PSA feature helps enforce security best practices, such as limiting the privileges of containers, restricting network access, and enforcing the use of secure communication protocols. This can help to prevent unauthorized access to sensitive data, mitigate the risk of data breaches, and enhance the overall security posture of the cluster. By enforcing security policies through the PSA feature, PDS administrators can ensure that their target cluster is secure and compliant.

PSA support in PDS

PSA allows Kubernetes users to specify security requirements for all pods running in a certain namespace. You can use the following three security levels to specify your requirements:

  • privileged: an unrestricted policy, which provides the widest possible level of permissions. This policy allows for known privilege escalations.
  • baseline: a minimally restrictive policy, which prevents known privilege escalations. This policy also allows the default (minimally specified) pod configuration.
  • restricted: a heavily restricted policy, following the best practices for hardening the current pod.

Each policy contains a set of security requirements a pod (its spec) must comply with. If there are any violations, the pod will not be allowed to run in the given namespace. To enable one of these policies for a namespace, you should label the namespace with an appropriate label. After labeling, the newly created Pods will be validated against the specified policy.

You must manage your own namespace. Kubernetes namespaces are often used for isolation of applications or teams, and you can tie the creation or modification of namespaces to internal policies and certifications.

Supported security levels for PDS resources

Following is the list of PDS resources deployed on a target cluster and their currently supported security levels:

PDS resources

Version

Supported PSA security levels

PDS chart

1.15.1 or newer

restricted

Cassandra

all versions

privileged

Consul

all versions

restricted

Couchbase

all versions

restricted

Elasticsearch

all versions

restricted

Kafka

all versions

restricted

MongoDB

all versions

restricted

MS SQL Server

all versions

restricted

MySQL

all versions

restricted

PostgreSQL

all versions

restricted

RabbitMQ

all versions

restricted

Redis

all versions

restricted

ZooKeeper

all versions

restricted

note

If you want to utilize the feature of creating dump files for troubleshooting in MS SQL Server, you must include the PDS_ADD_CAPABILITY_SYS_PTRACE=1 application configuration property. However, if you choose to do this, MS SQL Server will not be able to operate within the restricted namespace and will only be able to run in the privileged namespace.