Goodbye Kubernetes Pod Security Policy. Hello stronger security! | SUSE Communities

Kubernetes’ Pod Security Policy (PSP) is going to be deprecated in 1.21 and removed entirely in 1.25. PSP let users define a set of criteria that a running pod had to meet, typically covering the pod’s configuration and privileges. If a pod could not meet the criteria, it was not deployed in the Kubernetes cluster.

Many Kubernetes users consider this sanitation function one of the critical steps in securing their container environment in production. However, when deciding not to promote PSP to a stable feature, the Kubernetes community cited several limitations:

  • Conflicts in the authorization model
  • Difficulties in the deployment flow
  • Complexity in the function scope and API

In the meantime, the Kubernetes community has been working on a proposal and prototype to replace PSP. It is still early in its development cycle; the goal is to simplify deployment and focus on a smaller range of use cases. If your use of PSP is relatively simple, you may want to consider this alternative when it becomes ready.

It is clear that the Kubernetes community has concluded that, because of its complexity, a security function like PSP should not be built into Kubernetes but left to the community and vendors to implement. With PSP about to be deprecated, what is the alternative for preventing bad images from getting into your production environment? The good news is that NeuVector has you covered: our Admission Control function has been battle-tested in production at global enterprises for several years.

NeuVector’s admission control function takes advantage of Kubernetes’ validating admission webhook mechanism. Some vendors recommend using the Open Policy Agent (OPA) to define the gating policies. OPA is a powerful policy evaluation tool, but it does require some programming skills (see our OPA integration blog). Our customers can manage all policies in the user-friendly NeuVector console or automate the configuration through the REST API. While PSP focuses on configuration and privilege checks, we greatly extend the admission control function to address many other use cases. NeuVector’s admission control function has several major advantages over PSP and other vendors’ solutions:

  • RBAC-aware and controlled by user roles
  • Monitor mode that allows users to test their rules
  • Capability to define policies based on image scan results and vulnerability profile
  • Granular control based on namespaces and the user who deploys the pod
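To make the mechanism above concrete, here is an added example (not NeuVector's code) of the decision logic a validating admission webhook runs when it takes over PSP-style configuration and privilege checks, including a monitor mode like the one listed above that reports findings without blocking the pod. The three rules, the `monitor` flag and the sample request are constructed for this illustration; only the AdmissionReview request/response fields are the real Kubernetes API shape.

```python
"""Validating-webhook decision logic re-implementing PSP-style pod checks (added example)."""
import json

# Each rule inspects a pod spec and returns a violation message or None.
def no_host_pid(spec):
    return "hostPID is not allowed" if spec.get("hostPID") else None

def no_privileged(spec):
    bad = [c["name"] for c in spec.get("containers", [])
           if (c.get("securityContext") or {}).get("privileged")]
    return f"privileged containers: {', '.join(bad)}" if bad else None

def must_run_as_non_root(spec):
    # A pod-level runAsNonRoot applies unless the container overrides it.
    pod_level = (spec.get("securityContext") or {}).get("runAsNonRoot")
    bad = [c["name"] for c in spec.get("containers", [])
           if not (c.get("securityContext") or {}).get("runAsNonRoot", pod_level)]
    return f"containers not pinned to runAsNonRoot: {', '.join(bad)}" if bad else None

RULES = (no_host_pid, no_privileged, must_run_as_non_root)  # constructed rule set

def violations(pod):
    """Run every rule over the pod and collect the messages."""
    spec = pod.get("spec") or {}
    return [msg for rule in RULES if (msg := rule(spec))]

def review(admission_review, monitor=False):
    """Build the AdmissionReview response for an already-parsed request.

    With monitor=True the pod is admitted regardless, but the findings are
    returned as 'warnings' (surfaced by kubectl), so rules can be trialled
    before they are enforced.
    """
    req = admission_review["request"]
    found = violations(req["object"])
    resp = {"uid": req["uid"], "allowed": monitor or not found}
    if found and monitor:
        resp["warnings"] = found
    elif found:
        resp["status"] = {"code": 403, "message": "; ".join(found)}
    return {"apiVersion": admission_review["apiVersion"],
            "kind": admission_review["kind"], "response": resp}

# Constructed request for a pod that trips all three rules.
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
          "request": {"uid": "constructed-uid-1", "object": {"spec": {
              "hostPID": True,
              "containers": [{"name": "app", "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE), indent=2))                # denied
    print(json.dumps(review(SAMPLE, monitor=True), indent=2))  # admitted with warnings
```

In a real deployment the API server posts the AdmissionReview to the webhook over TLS and the handler returns the `review()` result as JSON; the rules are the part that differs between vendors and policy engines.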

You can find the full coverage of NeuVector’s admission control function in this blog.

To see a demonstration of NeuVector’s admission control and other production security capabilities, including a complimentary healthcheck of your environment, register here or schedule a session with one of our engineers.
