Core PSP Security Controls
PSPs provide granular controls over numerous security-sensitive pod configurations. Privilege escalation controls prevent containers from gaining additional privileges at runtime. The allowPrivilegeEscalation field, when set to false, ensures containers cannot increase their privilege level through setuid binaries or other mechanisms. This control proves essential for preventing container escape attacks that rely on privilege escalation.
Volume controls restrict the types of volumes pods can mount. Host path volumes present particular security risks, potentially exposing sensitive host directories to containers. PSPs can completely prohibit host path volumes or restrict them to specific directories. Similarly, PSPs control access to persistent volumes, config maps, and secrets. These restrictions prevent containers from accessing sensitive cluster resources through volume mounts.
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
spec:
  # Privilege Escalation Controls
  privileged: false
  allowPrivilegeEscalation: false
  # User and Group Controls
  runAsUser:
    rule: MustRunAsNonRoot
  runAsGroup:
    rule: MustRunAs
    ranges:
      - min: 1000
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1000
        max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1000
        max: 65535
  # Capability Restrictions
  requiredDropCapabilities:
    - ALL
  allowedCapabilities:
    - NET_BIND_SERVICE
  # Volume Restrictions
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  # Host Namespace Restrictions
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # Host Port Restrictions
  hostPorts:
    - min: 0
      max: 0
  # SELinux Controls
  seLinux:
    rule: RunAsAny
  # Read-only Root Filesystem
  readOnlyRootFilesystem: true
```
User and group controls enforce non-root execution and specific UID/GID ranges. Running containers as root remains one of the most common security mistakes in Kubernetes deployments. PSPs can enforce non-root execution cluster-wide, preventing this misconfiguration. The runAsUser rule supports various modes: MustRunAs requires specific UIDs, MustRunAsNonRoot prevents root execution, and RunAsAny allows any UID. Similar controls apply to groups and supplemental groups.
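To make the privilege-escalation, volume, and user/group controls above concrete, here is an added example (not Kubernetes' admission code and not part of the original article) that models how a PSP admission check evaluates a pod spec against the restricted-psp manifest shown above. The policy is restated as a Python dict, and the two pod specs are constructed samples: one that would be rejected on several controls at once, and the same workload written to satisfy the policy.

```python
"""Reduced model of PodSecurityPolicy admission for the controls discussed above.

Added example, not the Kubernetes controller's own code. RESTRICTED_PSP mirrors
the restricted-psp manifest as a dict; the two pod specs are constructed samples.
"""

RESTRICTED_PSP = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "runAsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1000, "max": 65535}]},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1000, "max": 65535}]},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1000, "max": 65535}]},
    "requiredDropCapabilities": ["ALL"],
    "allowedCapabilities": ["NET_BIND_SERVICE"],
    "volumes": ["configMap", "emptyDir", "projected", "secret",
                "downwardAPI", "persistentVolumeClaim"],
    "hostNetwork": False,
    "hostPID": False,
    "hostIPC": False,
    "readOnlyRootFilesystem": True,
}


def _check_id_rule(field, rule_spec, value, violations):
    """Apply a runAsUser/runAsGroup/fsGroup/supplementalGroups rule to one ID."""
    rule = rule_spec["rule"]
    if rule == "RunAsAny" or value is None:
        # An unset ID is not rejected: the real controller mutates the pod,
        # defaulting a MustRunAs ID to the first range's minimum and, for
        # MustRunAsNonRoot, setting runAsNonRoot=true so the kubelet checks
        # the image's USER at start time.
        return
    if rule == "MustRunAsNonRoot" and value == 0:
        violations.append(f"{field}: must run as non-root, got UID 0")
    elif rule == "MustRunAs" and not any(
            r["min"] <= value <= r["max"] for r in rule_spec["ranges"]):
        violations.append(f"{field}: {value} outside allowed ranges")


def evaluate_pod(psp, pod_spec):
    """Return the list of violations; an empty list means the pod is admitted."""
    v = []
    pod_sc = pod_spec.get("securityContext", {})

    # Host namespace sharing is an all-or-nothing boolean per namespace
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field, False) and not psp[field]:
            v.append(f"{field}: sharing the host namespace is not allowed")

    # Volume types are an allow-list; hostPath is simply absent from it
    for vol in pod_spec.get("volumes", []):
        vol_type = next(k for k in vol if k != "name")
        if vol_type not in psp["volumes"]:
            v.append(f"volume {vol['name']}: type {vol_type} is not allowed")

    _check_id_rule("fsGroup", psp["fsGroup"], pod_sc.get("fsGroup"), v)
    for gid in pod_sc.get("supplementalGroups", []):
        _check_id_rule("supplementalGroups", psp["supplementalGroups"], gid, v)

    for c in pod_spec.get("containers", []):
        name = c["name"]
        # A container's securityContext overrides pod-level runAsUser/runAsGroup
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged", False) and not psp["privileged"]:
            v.append(f"{name}: privileged containers are not allowed")
        # allowPrivilegeEscalation defaults to true when the pod omits it
        if sc.get("allowPrivilegeEscalation", True) and not psp["allowPrivilegeEscalation"]:
            v.append(f"{name}: allowPrivilegeEscalation must be false")
        _check_id_rule(f"{name}.runAsUser", psp["runAsUser"], sc.get("runAsUser"), v)
        _check_id_rule(f"{name}.runAsGroup", psp["runAsGroup"], sc.get("runAsGroup"), v)
        caps = sc.get("capabilities", {})
        for required in psp["requiredDropCapabilities"]:
            if required not in caps.get("drop", []):
                v.append(f"{name}: must drop capability {required}")
        for cap in caps.get("add", []):
            if cap not in psp["allowedCapabilities"]:
                v.append(f"{name}: capability {cap} is not allowed")
        if psp["readOnlyRootFilesystem"] and not sc.get("readOnlyRootFilesystem", False):
            v.append(f"{name}: readOnlyRootFilesystem must be true")
    return v


# Constructed sample: root container with a hostPath mount and host PID namespace
INSECURE_POD = {
    "hostPID": True,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{
        "name": "app",
        "securityContext": {"runAsUser": 0, "capabilities": {"add": ["SYS_ADMIN"]}},
    }],
}

# Constructed sample: the same workload written to satisfy restricted-psp
HARDENED_POD = {
    "securityContext": {"fsGroup": 2000, "supplementalGroups": [2000]},
    "volumes": [{"name": "tmp", "emptyDir": {}},
                {"name": "cfg", "configMap": {"name": "app-config"}}],
    "containers": [{
        "name": "app",
        "securityContext": {
            "runAsUser": 1000, "runAsGroup": 3000,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        },
    }],
}

if __name__ == "__main__":
    for label, pod in (("insecure", INSECURE_POD), ("hardened", HARDENED_POD)):
        print(label, evaluate_pod(RESTRICTED_PSP, pod) or "admitted")
```

Two details in the model matter in practice: allowPrivilegeEscalation is treated as true when a pod omits it, so a pod must set it explicitly to pass, and an unset UID or GID is defaulted rather than rejected, which is why the real controller is a mutating as well as a validating admission step.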