Introduction to Kubernetes Pod Security Standards (PSS)
Pod Security Standards (PSS) define three security profiles (privileged, baseline and restricted) for Kubernetes pods. They were introduced alongside the deprecation of PodSecurityPolicy in Kubernetes 1.21, and the built-in Pod Security admission controller that enforces them reached general availability in Kubernetes 1.25, the release that removed PodSecurityPolicy. Each profile spells out which securityContext settings, host resources and volume types a pod may use, so a cluster can reject, or at least flag, pods that exceed what a namespace is meant to run. PSS is the standard mechanism for pod-level least privilege in Kubernetes.
Why Pod Security Standards Are Important
PSS controls what a pod may ask of the node it runs on: host namespaces, host paths and ports, privileged mode, Linux capabilities and similar settings. Enforcing a profile blocks the pod configurations behind most container-escape paths and shrinks the attack surface a compromised workload can reach. PSS does not grant or remove privileges by itself; it rejects (or, in audit and warn mode, flags) pod specifications that exceed the profile assigned to their namespace, so workloads have to be written for the privilege level they are expected to run at. The result is a cluster where pods run with the minimum they actually need.
Pod Security Standards Policies
PSS defines three profiles, each stricter than the one before it:
- Privileged: No restrictions; every pod is admitted, including fully privileged ones. Meant for trusted system and infrastructure workloads (CNI plugins, storage drivers, node agents) that genuinely need host access.
- Baseline: Minimally restrictive. It allows the default container configuration but blocks the known privilege-escalation paths: privileged containers, host namespaces (hostNetwork, hostPID, hostIPC), hostPath volumes, hostPort, capabilities beyond the runtime default set, and unconfined seccomp, AppArmor or SELinux settings. Suitable for ordinary application workloads.
- Restricted: The most secure profile, following current pod-hardening best practice. On top of baseline it requires allowPrivilegeEscalation=false, dropping ALL capabilities (only NET_BIND_SERVICE may be added back), runAsNonRoot=true, a RuntimeDefault or Localhost seccomp profile, and limits volumes to the common ephemeral, projected and PVC-backed types. Intended for security-critical or untrusted workloads, at some cost in compatibility.
How to Implement Pod Security Standards
PSS is enforced by the built-in Pod Security admission controller. On every pod create or update it compares the pod specification against the profile assigned to the pod's namespace; a pod that violates the profile is rejected before it is stored. The steps below enable and use this controller.
Note: for details about admission controllers in general, see the official Kubernetes documentation.
Setting Up PSS in Kubernetes
- Enable the PodSecurity Admission Controller:
The PodSecurity admission plugin has been enabled by default since it reached beta in Kubernetes 1.23, so on a current cluster nothing needs to be switched on. To enable it explicitly, add it to the kube-apiserver admission plugin list (the flag is additive to the default plugins; on RKE2 it is set in the server configuration rather than by running the binary by hand):
root@rke2-server1:~# kube-apiserver --enable-admission-plugins=PodSecurity
Cluster-wide defaults and exemptions for namespaces that carry no labels can be supplied through an admission configuration file (a PodSecurityConfiguration passed with --admission-control-config-file).
- Labeling Namespaces:
PSS profiles are applied per namespace through labels of the form pod-security.kubernetes.io/<mode>=<profile>, where the profile is privileged, baseline or restricted and the mode is one of:
enforce: pods that violate the profile are rejected;
audit: violating pods are admitted, but the violation is recorded as an annotation on the audit-log event;
warn: violating pods are admitted, but the client (for example kubectl) receives a warning.
The modes are independent, so a namespace can enforce baseline while auditing and warning on restricted. An optional pod-security.kubernetes.io/<mode>-version label pins the profile to a Kubernetes minor version (for example v1.25); without it, latest is used and new checks apply as the cluster is upgraded.
root@rke2-server1:~# kubectl label namespace <namespace-name> pod-security.kubernetes.io/enforce=baseline
- Testing PSS Enforcement:
To verify that PSS is working, deploy a pod into a labeled namespace. If the pod violates the namespace's enforce profile, the API server rejects it. The following manifest requests a privileged container:
apiVersion: v1
kind: Pod
metadata:
  name: restricted-pod
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      privileged: true
Applying this pod in a namespace labeled pod-security.kubernetes.io/enforce=restricted fails with an error of the form:
Error: pods "restricted-pod" is forbidden: violates PodSecurity "restricted:latest": privileged (container "nginx" must not set securityContext.privileged=true)
The message names the profile and version that was applied and each failed check. The API server lists every violation at once, so for this manifest the same line also reports allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true and seccompProfile, because restricted requires those to be set explicitly. The same pod is also rejected under baseline (privileged is a baseline check) and admitted only under privileged. This output confirms that the restricted profile is being enforced as expected.
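The three profiles and the rejection above can be reproduced offline. The following Python script is an added example, not code from the original page or from Kubernetes; it re-implements the core baseline and restricted checks (a subset of what the real admission plugin evaluates) and formats violations the way the API server does, so a manifest can be vetted before it is applied. The manifests inside it are constructed for the example, and the non-root nginx image used in the hardened pod is an assumption.

```python
# Added example, not code from the original page or from Kubernetes: an offline
# evaluator that re-implements the core Pod Security Standards checks so a
# manifest can be vetted before it reaches the API server. It covers host
# namespaces, hostPath, privileged, capabilities, privilege escalation,
# runAsNonRoot and seccomp; the real admission plugin has more checks.

# Capabilities baseline lets a container add (the runtime default set);
# restricted allows only NET_BIND_SERVICE on top of dropping ALL.
BASELINE_ADDABLE_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}

def _all_containers(spec):
    """Init, regular and ephemeral containers are all checked."""
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))

def _effective(pod_sc, ctr_sc, field):
    """Container-level securityContext overrides the pod-level value."""
    return ctr_sc[field] if field in ctr_sc else pod_sc.get(field)

def baseline_violations(pod):
    """Baseline checks, phrased like the apiserver's denial messages."""
    spec, out = pod.get("spec", {}), []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns) is True:
            out.append(f"host namespaces ({ns}=true)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            out.append(f'hostPath volumes (volume "{vol.get("name")}" uses hostPath)')
    for c in _all_containers(spec):
        sc, name = c.get("securityContext", {}), c.get("name")
        if sc.get("privileged") is True:
            out.append(f'privileged (container "{name}" must not set securityContext.privileged=true)')
        extra = sorted(set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ADDABLE_CAPS)
        if extra:
            out.append(f'non-default capabilities (container "{name}" must not include {extra} '
                       'in securityContext.capabilities.add)')
    return out

def restricted_violations(pod):
    """Restricted = everything baseline rejects, plus the hardening it requires."""
    spec = pod.get("spec", {})
    pod_sc, out = spec.get("securityContext", {}), baseline_violations(pod)
    for c in _all_containers(spec):
        sc, name = c.get("securityContext", {}), c.get("name")
        if sc.get("allowPrivilegeEscalation") is not False:  # must be set explicitly
            out.append(f'allowPrivilegeEscalation != false (container "{name}" must set '
                       'securityContext.allowPrivilegeEscalation=false)')
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f'unrestricted capabilities (container "{name}" must set '
                       'securityContext.capabilities.drop=["ALL"] and add at most NET_BIND_SERVICE)')
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            out.append(f'runAsNonRoot != true (pod or container "{name}" must set securityContext.runAsNonRoot=true)')
        if (_effective(pod_sc, sc, "seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            out.append(f'seccompProfile (pod or container "{name}" must set '
                       'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return out

def evaluate(pod, level, version="latest"):
    """None if the pod would be admitted at `level`, else an apiserver-style denial."""
    violations = {"privileged": lambda p: [], "baseline": baseline_violations,
                  "restricted": restricted_violations}[level](pod)
    if not violations:
        return None
    name = pod.get("metadata", {}).get("name", "")
    return f'pods "{name}" is forbidden: violates PodSecurity "{level}:{version}": ' + ", ".join(violations)

# Constructed manifests: the page's privileged pod, a node agent that needs host
# access, and a hardened pod that satisfies restricted.
PRIVILEGED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "restricted-pod"},
                  "spec": {"containers": [{"name": "nginx", "image": "nginx",
                                           "securityContext": {"privileged": True}}]}}
HOST_ACCESS_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-agent"},
                   "spec": {"hostNetwork": True,
                            "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                            "containers": [{"name": "agent", "image": "agent:1",
                                            "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "restricted-pod"},
                "spec": {"securityContext": {"runAsNonRoot": True,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         # assumption: an nginx image built to run as a non-root user
                         "containers": [{"name": "nginx", "image": "nginxinc/nginx-unprivileged",
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, HOST_ACCESS_POD, HARDENED_POD):
        for level in ("privileged", "baseline", "restricted"):
            print(f'{pod["metadata"]["name"]:15s} {level:10s} {evaluate(pod, level) or "admitted"}')
```

Running it shows the page's privileged pod failing restricted on five checks and baseline on one, the node agent failing baseline on host namespaces, hostPath and SYS_ADMIN, and the hardened pod passing every profile. The real plugin applies further checks (volume types, AppArmor, SELinux, sysctls, /proc mount type, Windows HostProcess), so treat a pass here as a pre-flight, not a substitute for the namespace label.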
Monitoring and Auditing Pod Security Standards
Pod security violations surface in three places. For namespaces with the audit label, the API server adds pod-security.kubernetes.io/audit-violations (together with the pod-security.kubernetes.io/enforce-policy that was applied) as annotations on the corresponding kube-apiserver audit-log events, so an audit policy that records pod create and update requests at Metadata level or above is enough to collect them. For namespaces with the warn label, the same information is returned to the client as an API warning. The API server also exposes Prometheus metrics for the plugin (pod_security_evaluations_total, labelled by decision, policy level and mode), which Prometheus and Grafana can scrape and chart to track rejection and would-be-rejection rates over time. Reviewing these regularly, especially before promoting a namespace from audit to enforce, keeps policy and reality aligned.
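As an added example (not code from the page or from Kubernetes), the following Python script turns those audit annotations into a migration report. It reads kube-apiserver audit events in JSON-lines form and tallies, per namespace, which checks would fail if the audit label were promoted to enforce, alongside actual denials. The five events embedded in it are constructed and trimmed to the fields the script reads; the annotation keys and the message form follow what the PodSecurity plugin emits.

```python
# Added example, not code from the original page or from Kubernetes: triage of
# kube-apiserver audit events for Pod Security. In audit mode a non-compliant
# pod is admitted but the audit event is stamped with
# pod-security.kubernetes.io/audit-violations; this script tallies those per
# namespace so you can see what enforce would reject before flipping the label.
import json
import re
from collections import defaultdict

AUDIT_VIOLATIONS = "pod-security.kubernetes.io/audit-violations"
ENFORCE_POLICY = "pod-security.kubernetes.io/enforce-policy"

def _event(ns, user, name, code, annotations, message=None):
    """Build one audit.k8s.io/v1 Event line with only the fields used here (constructed)."""
    status = {"code": code}
    if message:
        status["message"] = message
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                       "user": {"username": user},
                       "objectRef": {"resource": "pods", "namespace": ns, "name": name},
                       "responseStatus": status, "annotations": annotations})

# Constructed sample log: two audit-mode hits in payments, one in monitoring,
# one compliant pod, and one enforce-mode denial in dev.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("payments", "system:serviceaccount:payments:deployer", "api-7d9f", 201,
           {ENFORCE_POLICY: "baseline:latest",
            AUDIT_VIOLATIONS: 'would violate PodSecurity "restricted:latest": '
            'allowPrivilegeEscalation != false (container "api" must set securityContext.allowPrivilegeEscalation=false), '
            'unrestricted capabilities (container "api" must set securityContext.capabilities.drop=["ALL"])'}),
    _event("payments", "system:serviceaccount:payments:deployer", "worker-1c2e", 201,
           {ENFORCE_POLICY: "baseline:latest",
            AUDIT_VIOLATIONS: 'would violate PodSecurity "restricted:latest": '
            'allowPrivilegeEscalation != false (container "worker" must set securityContext.allowPrivilegeEscalation=false), '
            'runAsNonRoot != true (pod or container "worker" must set securityContext.runAsNonRoot=true)'}),
    _event("monitoring", "system:serviceaccount:kube-system:daemon-set-controller", "node-exporter-x1", 201,
           {ENFORCE_POLICY: "privileged:latest",
            AUDIT_VIOLATIONS: 'would violate PodSecurity "baseline:latest": '
            'host namespaces (hostNetwork=true), hostPath volumes (volume "root" uses hostPath)'}),
    _event("payments", "alice", "compliant-pod", 201, {ENFORCE_POLICY: "baseline:latest"}),
    _event("dev", "bob", "debug-pod", 403, {ENFORCE_POLICY: "restricted:latest"},
           'pods "debug-pod" is forbidden: violates PodSecurity "restricted:latest": '
           'privileged (container "shell" must not set securityContext.privileged=true)'),
])

def parse_violations(text):
    """Split a PodSecurity message into (policy, [check names]).

    Checks are comma-separated only at the top level; commas inside the
    parenthesised detail (capability lists, for example) must not split one.
    """
    m = re.match(r'.*?PodSecurity "([^"]+)": (.*)', text, re.S)
    if not m:
        return None, []
    checks, depth, cur = [], 0, ""
    for ch in m.group(2):
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            checks.append(cur)
            cur = ""
        else:
            cur += ch
    checks.append(cur)
    return m.group(1), [c.strip().split(" (")[0] for c in checks if c.strip()]

def summarize(lines):
    """Per-namespace tally of audit-mode violations and enforce-mode denials."""
    would_be_denied = defaultdict(lambda: defaultdict(int))
    denied = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ns = ev.get("objectRef", {}).get("namespace", "<cluster>")
        ann = ev.get("annotations") or {}
        if AUDIT_VIOLATIONS in ann:
            for check in parse_violations(ann[AUDIT_VIOLATIONS])[1]:
                would_be_denied[ns][check] += 1
        status = ev.get("responseStatus") or {}
        if status.get("code") == 403 and "violates PodSecurity" in status.get("message", ""):
            denied[ns] += 1
    return {"would_be_denied": {ns: dict(c) for ns, c in would_be_denied.items()},
            "denied": dict(denied)}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_AUDIT_LOG.splitlines()), indent=2))
```

Feed it the real audit log (one JSON event per line) and the would_be_denied section tells you, per namespace, which checks the existing workloads trip and how often; a namespace with an empty entry is safe to promote to enforce. Only the audit-violations annotation is counted as a would-be failure, so a pod that was admitted cleanly (the compliant-pod event) contributes nothing.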
Best Practices for Using PSS
- Start with baseline in enforce mode and restricted in warn and audit mode, then promote to restricted once the warnings have been worked off.
- Regularly audit namespaces for compliance with PSS: review the labels on every namespace, and use a server-side dry run of the label change to see which existing pods would be rejected before tightening enforcement.
- Pin the profile version with the pod-security.kubernetes.io/<mode>-version label and review the pinned version with each Kubernetes upgrade, since latest picks up new checks automatically.
- Use tools like OPA Gatekeeper for custom policies that PSS cannot express (allowed image registries, resource limits, required labels); PSS covers only the pod securityContext and host-access surface.
Pod Security Standards (PSS) are a core part of Kubernetes security. They encode pod-hardening best practice, block excessive privileges and shut the configuration paths most container escapes depend on. Implemented and audited consistently, they keep workloads at the principle of least privilege and make the cluster markedly harder to compromise. Adopting PSS is not just a best practice; it is a basic step toward safeguarding your cloud-native applications.
For more insights and detailed guides on Kubernetes, be sure to check out my Kubernetes blog for the latest tips and best practices!