Chapter 10. Pod and Container Security
When it comes to pod security via the Kubernetes API, you have two main options at your disposal: Pod Security Admission and RuntimeClass. In this chapter, we review the purpose and use of each API and provide best practices for their use.
Pod Security Admission Controller
This cluster-wide resource creates a single place to define and manage
all the security-sensitive fields found in pod specifications. Prior to
the creation of the Pod Security Admission resource, cluster administrators and/or
users used PodSecurityPolicy, which was complex and could be challenging to
set up correctly. Before PodSecurityPolicy, users
would need to independently define
individual SecurityContext
settings for each pod or Deployment in their workloads or enable
bespoke admission controllers on the cluster to enforce some aspects of pod security.
Note
The Pod Security Admission controller replaced the beta PodSecurityPolicy API starting with Kubernetes 1.22. PodSecurityPolicy was removed in Kubernetes 1.25. Pod Security Admission provides a simplified API for securing pods, but it does not provide complete feature parity with PodSecurityPolicy. For that you will need to install a more complete policy solution like the Gatekeeper project.
Pod Security Admission was developed to address this complexity and make it fairly straightforward for a cluster administrator to secure pods on their cluster. While it is markedly less complicated than other solutions, Pod ...
Get Kubernetes Best Practices, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
