pod-security-admission is a Kubernetes Admission Webhook to ensure Pod Security Standards.
pod-security-admission aims to be a simple Pod Security Policy replacement.
The enforcement of security settings for Pods has previously been achieved using Pod Security Policy (PSP). However, it was announced that PSP is going to be removed in Kubernetes 1.25. We need technology to replace PSP.
- Enforcement of Pod Security Standards
- Easy to use without complicated settings
- Can specify the group of Pods to which each policy is applied
- Can customize rules to be applied for each policy
- Providing flexible policy engine, such as adding a new rule, customizing rules beyond Pod Security Standards
Pod Security Standards define three policy types: Privileged, Baseline and Restricted.
pod-security-admission will provide ValidatingWebhook and MutatingWebhook endpoints for each of these policies.
However, for Priviliged, the policy can be archived by not applying the webhook endpoint.
Thus, by default, pod-security-admission serves four endpoints:
- Validating webhook for
Baseline - Mutating webhook for
Baseline - Validating webhook for
Restricted - Mutating webhook for
Restricted
Why didn't we provide webhooks for Privileged?
Some privileged pods, such as CNI plugins, DNS and other system pods, need to be started before admission webhooks.
If those pods are webhook targets, there will be a problem that those pods cannot be launched.
Therefore, we will achieve Privileged by not applying webhooks.
In pod-security-admission, you can specify the Pods to which each policy is applied with the label of their namespace.
Therefore, if the creator of the Pod could modify the namespace label, they would be able to avoid applying the policy.
Cluster administrator must properly manage the permissions of namespace resources.
In PSP, you can do it with binding ServiceAccount to the profile using RBAC. pod-security-admission does not provide that mechanism.