docs/doc/source/security/kubernetes/pod-security-policies.rst


.. pui1590088143541
.. _pod-security-policies:

=====================
Pod Security Policies
=====================

.. note::

   PodSecurityPolicy (PSP) ONLY applies if running on K8S v1.24 or earlier.
   PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and removed from K8S v1.25.
   Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using
   :ref:`Pod Security Admission Controller <pod-security-admission-controller-8e9e6994100f>`

|PSPs| enable fine-grained authorization of pod creation and updates.

|PSPs| control access to security sensitive aspects of Pod specifications
such as running of privileged containers, use of host filesystem, running as
root, etc. |PSPs| define a set of conditions that a pod must run with, in
order to be accepted into the system, as well as defaults for the related
fields. |PSPs| are assigned to users through Kubernetes |RBAC| RoleBindings.
See `https://kubernetes.io/docs/concepts/policy/pod-security-policy/
<https://kubernetes.io/docs/concepts/policy/pod-security-policy/>`__ for
details.

When enabled, Pod security policy checking will authorize all Kubernetes
API commands against the |PSPs| which the issuer of the command has access
to. If there are no |PSPs| defined in the system or the issuer does not have
access to any |PSPs|, the Pod security policy checking will fail to authorize
the command.

|prod-long| provides a system service-parameter to enable Pod security
policy checking. Setting this parameter also creates:

-	Two |PSPs| (privileged and restricted) such that users with cluster-admin
 	role (which has access to all resources) has |PSPs| to authorize against.

-	Two corresponding roles for specifying access to these |PSPs|
 	(privileged-psp-user and restricted-psp-user), for binding to other
 	non-admin type subjects.

-	A RoleBinding for the kube-system namespace of the privileged-psp-user Role
 	to serviceAccounts in kubesystem, such that privileged
 	Deployments/ReplicaSets/etc. can be created by any user with access to
 	Deployments/ReplicaSets/etc. in the kube-system namespace (e.g. user with
 	cluster-admin role).

-   A ClusterRoleBinding of the restricted-psp-user Role to any authenticated
    user, such that at least restricted Pods can be created by any
    authenticated user in any namespaces that user has access to based on other
    [Cluster]RoleBindings.

-	A ClusterRoleBinding of the restricted-psp-user Role to serviceAccounts in
 	kube-system, such that at least restricted Deployments/ReplicaSets/etc. can
 	be created by any authenticated user in any namespaces that user has access
 	to based on other [Cluster]RoleBindings.

PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and will be
removed in v1.25. PSP will continue to be fully functional until being removed
in v1.25.

Since first introduced PSP has shown some serious usability problems.

The way PSPs are applied to Pods has proven confusing especially when trying to
use them. It is easy to accidentally grant broader permissions than intended,
and difficult to inspect which PSPs apply in a certain situation.

As a beta feature, Kubernetes offers a built-in Pod Security Admission (PSA)
controller, the successor to PSP. See :ref:`Technology Preview - Pod Security
Admission Controller <pod-security-admission-controller-8e9e6994100f>`.
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. pui1590088143541`
			`.. _pod-security-policies:`

			`=====================`
			`Pod Security Policies`
			`=====================`

Adding note of PSP removal from the project documentation Removal of PSP Support as part of k8s 1.25/1.26 transition, we are adding a note to each page that has pod security policy contexts from the project doc about its existence in K8S v1.24 and removal from K8S v1.25 Story: 2010590 Task: 48324 Change-Id: Ifefeda7ac181267b66398dbf45af9f6ee1239090 Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com> 2023-07-17 02:16:07 -04:00			`.. note::`

			`PodSecurityPolicy (PSP) ONLY applies if running on K8S v1.24 or earlier.`
			`PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and removed from K8S v1.25.`
			`Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using`
			:ref:`Pod Security Admission Controller <pod-security-admission-controller-8e9e6994100f>`

Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			`\|PSPs\| enable fine-grained authorization of pod creation and updates.`

			`\|PSPs\| control access to security sensitive aspects of Pod specifications`
			`such as running of privileged containers, use of host filesystem, running as`
			`root, etc. \|PSPs\| define a set of conditions that a pod must run with, in`
			`order to be accepted into the system, as well as defaults for the related`
			`fields. \|PSPs\| are assigned to users through Kubernetes \|RBAC\| RoleBindings.`
			See `https://kubernetes.io/docs/concepts/policy/pod-security-policy/
			<https://kubernetes.io/docs/concepts/policy/pod-security-policy/>`__ for
			`details.`

			`When enabled, Pod security policy checking will authorize all Kubernetes`
			`API commands against the \|PSPs\| which the issuer of the command has access`
			`to. If there are no \|PSPs\| defined in the system or the issuer does not have`
			`access to any \|PSPs\|, the Pod security policy checking will fail to authorize`
			`the command.`

			`\|prod-long\| provides a system service-parameter to enable Pod security`
pod security policies updates New content: Minor Usability Enhancement to Default Pod Security Policies Implemented patchset 2 comment Implemented patchset 3 comments Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I82d31f412c47bfecf4601169400bf090ceda636c Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-31 13:51:01 -04:00			`policy checking. Setting this parameter also creates:`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
pod security policies updates New content: Minor Usability Enhancement to Default Pod Security Policies Implemented patchset 2 comment Implemented patchset 3 comments Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I82d31f412c47bfecf4601169400bf090ceda636c Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-31 13:51:01 -04:00			`- Two \|PSPs\| (privileged and restricted) such that users with cluster-admin`
			`role (which has access to all resources) has \|PSPs\| to authorize against.`

			`- Two corresponding roles for specifying access to these \|PSPs\|`
			`(privileged-psp-user and restricted-psp-user), for binding to other`
			`non-admin type subjects.`

			`- A RoleBinding for the kube-system namespace of the privileged-psp-user Role`
			`to serviceAccounts in kubesystem, such that privileged`
			`Deployments/ReplicaSets/etc. can be created by any user with access to`
			`Deployments/ReplicaSets/etc. in the kube-system namespace (e.g. user with`
			`cluster-admin role).`

			`- A ClusterRoleBinding of the restricted-psp-user Role to any authenticated`
			`user, such that at least restricted Pods can be created by any`
			`authenticated user in any namespaces that user has access to based on other`
			`[Cluster]RoleBindings.`

			`- A ClusterRoleBinding of the restricted-psp-user Role to serviceAccounts in`
			`kube-system, such that at least restricted Deployments/ReplicaSets/etc. can`
			`be created by any authenticated user in any namespaces that user has access`
			`to based on other [Cluster]RoleBindings.`
Support for Pod Security Admission Controller - Tech Preview Added new sections referring to Pod security admission controller Depends-On: https://review.opendev.org/c/starlingx/docs/+/847094 Story: 2009833 Task: 45631 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: Icbd36b28501edf767a96007d066303da2d0609f4 2022-06-23 17:11:30 -03:00
			`PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and will be`
			`removed in v1.25. PSP will continue to be fully functional until being removed`
			`in v1.25.`

			`Since first introduced PSP has shown some serious usability problems.`

			`The way PSPs are applied to Pods has proven confusing especially when trying to`
			`use them. It is easy to accidentally grant broader permissions than intended,`
			`and difficult to inspect which PSPs apply in a certain situation.`

			`As a beta feature, Kubernetes offers a built-in Pod Security Admission (PSA)`
			controller, the successor to PSP. See :ref:`Technology Preview - Pod Security
			Admission Controller <pod-security-admission-controller-8e9e6994100f>`.