Understanding Pod Security Policies

Pod Security Policies represented Kubernetes' first attempt at providing declarative security controls for pod specifications. PSPs function as admission controllers, intercepting pod creation requests and validating them against defined security policies. When enabled, PSPs prevent pods from running with dangerous configurations like privileged access, host network usage, or unrestricted capabilities. This preventive approach stops security misconfigurations before they reach production environments.

The power of PSPs lies in their cluster-wide enforcement model. Unlike security contexts that require pod-by-pod configuration, PSPs establish baseline security requirements that apply automatically. This centralized approach ensures consistent security standards across all namespaces and workloads. Security teams can define policies that enforce organizational requirements without relying on developers to configure each pod correctly.

PSP enforcement follows a specific workflow. When a pod creation request arrives, the admission controller identifies applicable PSPs based on the requesting user or service account. If multiple policies apply, Kubernetes selects the first policy that validates successfully, following alphabetical order. This selection process requires careful policy naming and design to ensure intended policies apply. Understanding this workflow prevents common implementation pitfalls where overly permissive policies inadvertently apply.
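
The authorization step in this workflow, as an added example that is not part of the original page: a restrictive policy and the RBAC `use` grant that makes it applicable to one namespace's service accounts. The names `10-restricted`, `psp-restricted-user` and `team-a` are assumptions, and the `policy/v1beta1` PodSecurityPolicy API is only served by clusters older than Kubernetes 1.25.

```yaml
# Restrictive policy: blocks privileged mode, host namespaces and added capabilities.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: 10-restricted            # hypothetical name; the prefix keeps name ordering explicit
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: [configMap, secret, emptyDir, projected, downwardAPI, persistentVolumeClaim]
---
# A policy only applies to principals that are authorized to "use" it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user      # hypothetical name
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["10-restricted"]
  verbs: ["use"]
---
# Grant the policy to every service account in one namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-user
  namespace: team-a              # hypothetical namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-user
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:team-a
```

A pod is admitted when any policy its creator is authorized to use validates it, so the `use` grant matters as much as the policy itself. Binding a permissive policy to a broad group such as `system:authenticated` makes it applicable to every workload in the cluster.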