Advanced PSP Patterns and Use Cases

Advanced PSP Patterns and Use Cases

Complex environments often require advanced PSP patterns beyond basic security controls. Multi-tenant clusters need PSPs that isolate tenants while allowing flexibility within tenant namespaces. Hierarchical PSPs can provide tenant-specific baseline policies while allowing teams to define additional restrictions. This pattern maintains security boundaries while enabling tenant autonomy.

Development environments present unique PSP challenges. Developers may need elevated permissions for debugging and testing that would be inappropriate in production. Environment-specific PSPs can provide different security levels across clusters. Automated promotion pipelines ensure production deployments use appropriate restrictive policies regardless of development configurations.

# PSP for development environments with relaxed restrictions
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: development-psp
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: false
  allowPrivilegeEscalation: true
  
  # Allow some debugging capabilities
  allowedCapabilities:
  - SYS_PTRACE
  - NET_ADMIN
  
  # Relaxed volume restrictions
  volumes:
  - '*'
  allowedHostPaths:
  - pathPrefix: "/tmp"
  - pathPrefix: "/var/log"
  
  # Allow host network for debugging
  hostNetwork: true
  
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny

Workload-specific PSPs address applications with unique security requirements. Database workloads may require specific capabilities for performance optimization. Monitoring agents need host access for metrics collection. Creating targeted PSPs for these workloads maintains security while enabling functionality. Documentation of exceptions and regular reviews ensure special cases remain justified.