Open in app

Sign up

Sign in

Write

Sign up

Sign in

Mastodon
DevOps for you

Delve into hands-on DevOps articles offering readily applicable solutions to common challenges.

Follow publication

Member-only story

My experiments with Pod Security Admission in kubernetes cluster

Asish M Madhu
DevOps for you
Published in
9 min readJul 2, 2023

--

The importance of pod security is increasing in k8s clusters. We need controls to define them using policies.

Starting from K8s version v1.22 Pod Security Policy(PSP) is replaced with a new enhancement called Pod Security Admission (PSA). PSPs allow administrators to control the security of pods that are created in the k8s cluster. PSA provides a way to validate that a pod meets certain security requirements before it is allowed to run. Capabilities like which user can access a pod, which mount volume a pod can access, what network policies can be applied etc. PSA improves flexibility and security of PSP.

PSA works by intercepting requests to create or update pods and sending them to an admission controller. The admission controller then evaluates the security policies defined and either approves or denies the pod creation request based on those policies. By enforcing security policies at the pod level, PSA can help ensure that containers are running in a secure environment and that they are not vulnerable to attacks such as privilege escalation, network sniffing, and code injection.

Why is Pod Security Admission Important?

Pod Security Admission is important because it helps prevent security risks associated with running containers. By enforcing security policies at the pod level, PSA can help ensure that containers are running in a secure environment and that they are not vulnerable to attacks such as privilege escalation, network sniffing, and code injection.

Some of the security policies that can be enforced with PSA include:

  • Preventing privileged containers: Containers that run with root privileges are a security risk, and PSA can prevent them from being deployed.
  • Enforcing container image policies: PSA can ensure that only trusted container images are used in pods.
  • Limiting host access: PSA can limit a pod’s access to the host operating system to prevent unauthorized access.
  • Restricting network access: PSA can restrict a pod’s network access to prevent unauthorized access or data exfiltration.

PSA Levels

--

--

DevOps for you
DevOps for you
Follow

Published in DevOps for you

14 Followers
Last published Mar 11, 2025

Delve into hands-on DevOps articles offering readily applicable solutions to common challenges.

Follow
Asish M Madhu
Asish M Madhu
Follow

Written by Asish M Madhu

101 Followers
20 Following

I enjoy exploring various opensource tools/technologies/ideas related to CloudComputing, DevOps, SRE and share my experience, understanding on the subject.

Follow

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech