Migration to Pod Security Standards

The deprecation of PSPs necessitates migration to Pod Security Standards (PSS), Kubernetes' replacement security framework. PSS provides three predefined security levels: privileged, baseline, and restricted. Unlike PSPs' flexibility, PSS offers standardized policies that simplify security configuration. This standardization improves consistency across clusters and reduces configuration complexity.

Migration planning begins with mapping existing PSPs to PSS levels. Restrictive PSPs typically align with the "restricted" level, while permissive policies map to "privileged." The "baseline" level provides a middle ground for workloads requiring some elevated permissions. Organizations must analyze each PSP to determine appropriate PSS mappings and identify workloads requiring policy adjustments.

# Namespace labels for Pod Security Standards
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    # Enforce the restricted level: violating pods are rejected at admission
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest

    # Audit baseline violations (recorded in the audit log; note that a level
    # at or below the enforce level adds nothing, since enforce already rejects)
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/audit-version: latest

    # Warn about restricted violations (returned to the client, not blocking)
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest

Gradual migration strategies minimize disruption during the transition. Organizations can run PSS in "warn" or "audit" modes alongside existing PSPs. This parallel operation identifies workloads that would fail under PSS without blocking deployments. Teams can address violations incrementally while maintaining PSP protection. Once all violations are resolved, PSS enforcement can replace PSP admission control.
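The mapping step above (deciding which PSS level each workload fits under) can be triaged offline before any namespace label is changed. The following is an added example, not code from the original page or from Kubernetes itself: it applies an abbreviated subset of the baseline and restricted checks to a pod spec and reports the strictest level the pod passes. The `LEGACY_POD` sample is constructed; field names follow the Pod API.

```python
BASELINE_CAPS_ALLOWED = {  # capabilities the baseline level lets a container add
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}

def _containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])

def baseline_violations(spec):
    """Subset of baseline checks: host namespaces, hostPath, privileged, capabilities."""
    found = [key for key in ("hostNetwork", "hostPID", "hostIPC") if spec.get(key)]
    if any("hostPath" in vol for vol in spec.get("volumes", [])):
        found.append("hostPath volume")
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"{c['name']}: privileged")
        extra = set((sc.get("capabilities") or {}).get("add", [])) - BASELINE_CAPS_ALLOWED
        if extra:
            found.append(f"{c['name']}: adds capabilities {sorted(extra)}")
    return found

def restricted_violations(spec):
    """Subset of restricted checks, layered on top of the baseline checks."""
    found = baseline_violations(spec)
    pod_sc = spec.get("securityContext") or {}
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        # container-level settings override pod-level ones where both may appear
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{c['name']}: allowPrivilegeEscalation must be false")
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"{c['name']}: must drop ALL capabilities (only NET_BIND_SERVICE may be added)")
        if non_root is not True:
            found.append(f"{c['name']}: runAsNonRoot must be true")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"{c['name']}: seccompProfile must be RuntimeDefault or Localhost")
    return found

def pss_level(spec):
    """Strictest level the spec passes, i.e. the namespace enforce label it fits under."""
    if not restricted_violations(spec):
        return "restricted"
    return "baseline" if not baseline_violations(spec) else "privileged"

# Constructed sample: a PSP-era pod that sets no securityContext at all.
# It passes baseline but fails restricted, so it needs changes before enforce=restricted.
LEGACY_POD = {"containers": [{"name": "web", "image": "example/web:1.0"}]}
```

Run `restricted_violations(LEGACY_POD)` to see the specific fields a workload must set before the namespace can move from audit or warn to enforce at the restricted level.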