Quick Definition
A Pod Security Policy is a cluster-level admission control mechanism that defines a set of conditions a pod must meet to be accepted by the Kubernetes API server.
Analogy: A Pod Security Policy is like a building code for containers—rules that must be met before a tenant can move in, covering wiring, exits, and allowed activities.
Formal technical line: Pod Security Policy is an admission control resource that enforces pod-level security constraints such as allowed capabilities, privileged mode, volume types, host network usage, and user IDs.
Other meanings (less common):
- A shorthand for node-level or namespace-level pod hardening configuration enforced by other controllers.
- A conceptual set of organizational rules for pod security that may be implemented via OPA Gatekeeper or Kyverno rather than the legacy PSP object.
What is Pod Security Policy?
What it is / what it is NOT
- What it is: A declarative policy resource that defines pod-level constraints against which pod specs are evaluated during admission.
- What it is NOT: A runtime enforcement engine that modifies workloads at runtime; PSPs are evaluated at admission time only.
- What it often maps to in modern clusters: a policy contract enforced by admission controllers such as the built-in PSP (deprecated), OPA Gatekeeper, Kyverno, or the Kubernetes Pod Security admission.
Key properties and constraints
- Cluster-scoped or namespace-bound via RBAC bindings.
- Evaluated at API server admission time.
- Declarative and versioned like other Kubernetes resources.
- Limited to pod spec attributes (securityContext, volumes, host namespaces, capabilities, etc.).
- Does not continuously enforce runtime behavior once a pod is running.
- RBAC determines who can create or use a policy.
Where it fits in modern cloud/SRE workflows
- Prevents unsafe pod specifications from being scheduled in the first place.
- Reduces blast radius by standardizing least-privilege pod specs.
- Integrated into CI/CD pipelines as a gate (policy-as-code).
- Tied to observability and incident response: violations become failed deploys or admission denials that must be traced and resolved.
Text-only diagram description (visualize)
- API Server receives pod create request -> Admission controllers run in sequence -> Pod Security Policy/Policy Engine evaluates pod spec -> If rules pass, request continues to scheduler; if denied, API returns error -> CI/CD observes rejection, developer iterates -> If passed, scheduler assigns node and kubelet runs pod.
Pod Security Policy in one sentence
A Pod Security Policy is a declarative admission-time guard that enforces which pod features are permitted to reduce privilege and attack surface before pods are scheduled.
Pod Security Policy vs related terms (TABLE REQUIRED)
| ID | Term | How it differs from Pod Security Policy | Common confusion |
|---|---|---|---|
| T1 | Pod Security Admission | Broader admission plugin replacing PSP | People assume PSP and PSA are identical |
| T2 | OPA Gatekeeper | Policy engine using Rego policies | Mistaken for PSP replacement only |
| T3 | Kyverno | Kubernetes-native policy engine with validations | Thought to be only for mutating policies |
| T4 | SecurityContext | Pod/container spec field not a policy controller | Confused as active enforcement |
| T5 | RBAC | Authorization system, not pod constraints | Users think RBAC blocks unsafe pod specs |
| T6 | PSP (deprecated) | Legacy Kubernetes object often removed | Assumed to be present in all clusters |
| T7 | Admission Controller | Mechanism that runs policies, not a policy itself | Confusing mechanism vs policy |
| T8 | Pod Security Standards | Profiles like restricted/baseline | Mistaken for concrete enforcement object |
| T9 | Runtime Security | Monitors running containers, not admission-time | People expect admission policy to catch runtime drift |
| T10 | NetworkPolicy | Controls network traffic, not pod spec attributes | Confuses network controls with pod privileges |
Row Details
- T1: Pod Security Admission is the current admission mechanism providing built-in profiles; it enforces similar constraints but has different configuration method and lifecycle.
- T2: OPA Gatekeeper uses Rego policies and supports mutations, constraints, and templated enforcement; it can replace PSP capabilities with more expressiveness.
- T3: Kyverno provides policy-as-Kubernetes-resources, easier YAML authoring, and mutation support; it enforces and can generate or mutate resources on admission.
- T6: PSP is deprecated in Kubernetes upstream and removed in newer releases; clusters may still use it but relying on it is risky.
Why does Pod Security Policy matter?
Business impact (revenue, trust, risk)
- Reduces risk of data exfiltration by preventing privileged containers and hostPath mounts that commonly lead to breaches.
- Lowers regulatory and compliance exposure by ensuring standardized pod restrictions across environments.
- Minimizes costly outages from misconfigured pods that can affect node stability or cluster-wide resources.
Engineering impact (incident reduction, velocity)
- Prevents common misconfigurations from progressing to production; fewer incidents from runaway privileges.
- Improves developer velocity when policies are clear and testable in CI; teams iterate on fixed guardrails rather than ad-hoc reviews.
- Can reduce toil by automating enforcement rather than manual reviews.
SRE framing (SLIs/SLOs/error budgets/toil/on-call)
- SLI example: percentage of deploys rejected due to policy violations detected in CI vs in production.
- SLO example: 99% of production pods must comply with the restricted profile.
- Error budget: policy violations that reach production count against availability or security error budgets.
- Toil reduction: automated admission denial with clear developer feedback reduces on-call interruptions for security misconfigurations.
3–5 realistic “what breaks in production” examples
- A CI pipeline deploys a pod with privileged:true and hostPath:/ causing a node compromise that leads to lateral movement.
- Containers run as root and write to host filesystems, corrupting host configurations and causing node reboots.
- An app requests NET_RAW capability for ICMP checks and accidentally captures network traffic, creating data leakage risk.
- Pods mount cloud provider credentials via projected volumes incorrectly, exposing secrets across namespaces.
- A sidecar with hostPID enabled manipulates process namespaces and affects observability or crash loops cluster-wide.
Where is Pod Security Policy used? (TABLE REQUIRED)
| ID | Layer/Area | How Pod Security Policy appears | Typical telemetry | Common tools |
|---|---|---|---|---|
| L1 | Edge/Network | Prevent hostNetwork and hostPort usage | Admission deny counts | Kyverno Gatekeeper PodSecurity |
| L2 | Service/App | Enforce runAsNonRoot and readOnlyRootFilesystem | Compliance reports | OPA Gatekeeper Kyverno |
| L3 | Data/Storage | Restrict hostPath and privileged volumes | Volume mount violations | PodSecurityAdmission CSI policies |
| L4 | Cloud Infra | Block use of node IAM mounting techniques | Audit logs on denies | Cloud IAM scanning tools |
| L5 | Kubernetes Layer | Admission-time policy enforcement | API server audit events | PodSecurityAdmission OPA Gatekeeper |
| L6 | CI/CD | Pre-deploy policy checks in pipelines | Pre-deploy fail rate | Policy-as-code linters |
| L7 | Serverless/PaaS | Platform-level restrictions mapped from PSP | Platform policy audit | Managed platform policy controls |
| L8 | Observability | Tagging and alerting on denied creations | Alerts on unsafe pods | Prometheus Fluentd |
Row Details
- L1: Edge/Network details: use policies to block direct host networking; telemetry includes hostNetwork deny metric and API audit entries.
- L2: Service/App details: enforce non-root UIDs and filesystem immutability; telemetry shows noncompliant pods rejected in CI or admission.
- L3: Data/Storage details: disallow hostPath and dangerous volume types; track attempted mounts and admission denials.
- L5: Kubernetes Layer details: API server audit logs, admission controller metrics, and kube-apiserver metrics reveal enforcement rates.
- L6: CI/CD details: integrate policy checks in pipeline steps (lint, test, gate) with telemetry from pipeline failure counts.
When should you use Pod Security Policy?
When it’s necessary
- Environments handling sensitive data or regulated workloads where least privilege is required.
- Multi-tenant clusters where workloads belong to different teams or customers.
- Clusters running third-party or untrusted container images.
When it’s optional
- Single-team development clusters with isolated nodes and short-lived workloads.
- Tight resource-constrained experimental clusters where rapid iteration beats strict enforcement.
When NOT to use / overuse it
- Don’t use heavy-handed denial-only policies that constantly block developer workflows without providing a migration path.
- Avoid overly granular policies per-app when a namespace- or team-level policy suffices.
- Don’t assume admission-time policies replace runtime detection; they complement runtime security.
Decision checklist
- If you run regulated workloads AND multiple teams -> enforce restrictive policies cluster-wide.
- If you have a single dev team AND experimental workloads -> apply baseline policies and move to stricter only as maturity grows.
- If existing workloads fail many policy checks -> introduce policies gradually with mutation or exemptions rather than immediate denial.
Maturity ladder
- Beginner: Apply Pod Security Admission baseline profile at namespace level; add developer docs and CI lint step.
- Intermediate: Use Kyverno or Gatekeeper with templated constraints, automated mutation for missing fields, and CI gating.
- Advanced: Full policy-as-code with Rego/Kyverno tests, reporting dashboards, automated remediation playbooks, and runtime enforcement integration.
Example decisions
- Small team: Use Pod Security Admission with baseline for dev and restricted for production; implement a pre-commit lint and CI check.
- Large enterprise: Use OPA Gatekeeper for fine-grained policies, integrate with IAM and SSO for RBAC, run regular policy audits, and automate remediation.
How does Pod Security Policy work?
Components and workflow
- Policy definitions: Declarative YAML resources that describe allowed pod properties.
- Admission controller: API server plugin or external webhook that evaluates requests against policies.
- RBAC and bindings: Define which subjects can use or modify policies and which namespaces inherit what constraints.
- CI/CD integration: Policy checks in pipelines catch violations earlier.
- Audit & observability: Metrics and logs to trace denied requests and trends.
Data flow and lifecycle
- Developer creates or updates a Pod or Deployment manifest.
- The manifest is submitted to the API server.
- The admission controller executes policy evaluation.
- If the manifest passes: API server persists the object and scheduler places the pod on a node.
- If the manifest fails: API server returns a denial with a clear message; CI or developer handles remediation.
- Policies are updated via GitOps or policy management tooling, changing future admission behavior.
Edge cases and failure modes
- Policy misconfigurations can block critical system pods if namespace exemptions aren’t correctly set.
- Admission webhook unavailability can block all resource creations if not configured for fail-open vs fail-closed appropriately.
- Policies that rely on mutating behavior might not add fields required by other controllers, causing unexpected failures.
Practical examples (pseudocode)
- Example check: Deny privileged:true and hostPath mounts.
- Example mutation: Add runAsNonRoot:true for containers missing user.
Typical architecture patterns for Pod Security Policy
- Cluster-wide baseline: Apply a conservative profile for all namespaces, with exceptions for trusted namespaces.
- Use when multiple teams share a cluster and compliance is required.
- Namespace-tiered policies: Use baseline in dev, restricted in prod; test/qa get an intermediate profile.
- Use when environments need different stiffness.
- Policy-as-code pipeline: Policies stored in Git, evaluated in PRs, enforced at admission.
- Use when you want auditability and change control.
- Fine-grained Rego or Kyverno policies: Use for complex requirements like image provenance, injected secrets policy, or custom capabilities.
- Use when out-of-the-box profiles are insufficient.
- Runtime + Admission combination: Admission policies for prevention plus runtime agents for detection and remediation.
- Use when defense-in-depth is required.
Failure modes & mitigation (TABLE REQUIRED)
| ID | Failure mode | Symptom | Likely cause | Mitigation | Observability signal |
|---|---|---|---|---|---|
| F1 | Admission webhook down | All creates blocked | Webhook or network failure | Configure fail-open or high-availability | API server audit increase |
| F2 | Policy too strict | Critical pods denied | Overzealous rules | Create exemptions or staged rollout | Deployment fail metrics spike |
| F3 | Mis-scoped RBAC | Admins locked out | Incorrect rolebinding | Restore RBAC from backup | Unauthorized error logs |
| F4 | Silent mutation mismatch | Pods fail at runtime | Mutating policy conflicts | Align mutation with downstream controllers | Pod CrashLoop counts |
| F5 | Incomplete audit logs | Hard to trace denials | Audit policy not enabled | Enable API audit logs | Missing deny entries in audit |
| F6 | Performance degradation | Slow admission latency | Heavy Rego policies | Optimize policies or use caching | API server latency metric |
Row Details
- F1: Webhook down mitigation bullets:
- Deploy webhook in HA mode across nodes.
- Use fail-open during upgrades and test failover.
- Monitor webhook response time and error counts.
- F2: Policy too strict mitigation bullets:
- Start with audit mode and collect violations before deny.
- Provide exemptions namespace by namespace.
- Run shadow-testing in CI to find rejects early.
- F3: Mis-scoped RBAC mitigation bullets:
- Keep RBAC manifests in Git and apply with CI.
- Use a recovery role that can rebind RBAC if key bindings fail.
- F6: Performance degradation mitigation bullets:
- Move heavy checks to CI or pre-commit.
- Use lightweight policies at admission and more complex analysis asynchronously.
Key Concepts, Keywords & Terminology for Pod Security Policy
Pod Security Policy — A resource defining allowed pod attributes — Central enforcement object for admission-time pod constraints — Pitfall: assuming runtime enforcement.
Admission Controller — Component that intercepts API requests for validation or mutation — Runs policies during create/update — Pitfall: webhook availability affects API.
Pod Security Admission — Built-in admission plugin providing profile enforcement — Replaces legacy PSP in many clusters — Pitfall: different config model than PSP.
OPA Gatekeeper — Policy engine using Rego constraints — Enables complex policies and auditing — Pitfall: Rego complexity for new users.
Kyverno — Kubernetes-native policy CRD engine — Easier YAML-based rules and mutations — Pitfall: can mutate unexpectedly without tests.
RBAC — Role-based access control for Kubernetes — Controls who can create or modify policies — Pitfall: misbinding can lock admins out.
SecurityContext — Pod/container spec fields for user, capabilities, and filesystem — Used by policies to validate specs — Pitfall: absent fields are not defaulted unless mutated.
Capabilities — Linux kernel capabilities requested in securityContext — Policies control allowed capabilities — Pitfall: granting NET_ADMIN or SYS_ADMIN increases attack surface.
Privileged Containers — Containers with privileged:true get full host access — Policies typically deny privileged — Pitfall: some drivers require privileged; exemptions needed.
HostPath Volume — Volume that mounts host filesystem into pod — Policies often deny or restrict — Pitfall: misuse exposes host to container changes.
PodSecurity Standards — YAML profiles (restricted, baseline, privileged) guiding pod settings — Used as a language for policy targets — Pitfall: mapping profiles to admission implementation varies.
Mutating Admission — Admission stage that can modify objects (e.g., inject runAsNonRoot) — Useful to bring pods into compliance — Pitfall: unintended side effects if not tested.
Validating Admission — Admission stage that rejects nonconforming objects — Used when mutation is not safe — Pitfall: developer friction if applied too early.
Namespaces — Kubernetes logical boundary often mapped to policy scopes — Policies can be bound per namespace — Pitfall: inconsistent namespace labels cause misapplied policies.
Labels/Selectors — Used to apply policies to namespaces or resources — Pitfall: label drift causes unexpected policy application.
API Audit Logs — Record admission events including denials — Key for post-incident analysis — Pitfall: not enabled at needed granularity.
Admission Webhook — External endpoint used to evaluate policies — Pitfall: network partition can break admission.
Fail-open vs Fail-closed — Behavior when webhook unavailable — Fail-open allows requests; fail-closed denies — Pitfall: choosing wrong default for critical clusters.
PodSecurityPolicy (PSP) — Legacy Kubernetes resource (deprecated) — Replaced by other mechanisms in many clusters — Pitfall: assuming PSP is enabled upstream.
Service Account — Identity used by pods, policies may restrict creation or mounting — Pitfall: default SA usage gives more privileges than intended.
RunAsNonRoot — SecurityContext setting to avoid running as UID 0 — Policies typically enforce this — Pitfall: images that only run as root may need rebuilding.
RunAsUser — UID used inside container — Policies may require ranges — Pitfall: conflicts with images hard-coded to root.
Filesystem Permissions — readOnlyRootFilesystem and fsGroup settings — Policies enforce read-only root for immutability — Pitfall: stateful apps may require write paths.
Seccomp Profile — Kernel syscall filtering — Policies may require secure profiles — Pitfall: wrong seccomp breaks legitimate syscalls.
SELinux Context — Labels for process isolation — Policies may mandate SELinux types — Pitfall: host kernel support varies.
AppArmor — Linux LSM to confine processes — Policies may require AppArmor profiles — Pitfall: not supported on all distros.
NetworkPolicy — Controls pod network traffic, complementary to pod security — Pitfall: assumed to limit hostNetwork risk, but it does not.
Image Provenance — Rules that ensure images are signed or from allowed registries — Policies check image registry and signature — Pitfall: not all engines support image signature checks admission-time.
Immutable Infrastructure — Practice complementing policies; enforce immutable containers — Pitfall: policies can be bypassed with custom controllers.
Service Mesh Sidecars — Policies may need to account for sidecar containers and their privileges — Pitfall: sidecars may require elevated settings.
PodSecurityPolicy Audit Mode — When policies are applied only to log violations — Useful for migration — Pitfall: audit-only may lull teams into complacency.
Policy-as-Code — Storing policies in VCS and testing them — Enables traceability — Pitfall: broken CI policies affect deploy pipelines.
Shadow Testing — Run policies in audit mode against live traffic to measure impact — Pitfall: requires good telemetry to interpret results.
Mutation vs Validation — Mutation alters incoming objects; validation denies — Pitfall: conflicting order cause unexpected results.
Defaulting — Automatic insertion of fields at admission — Useful for compliance — Pitfall: defaults may hide misconfigurations.
PodSecurity Standard Profiles — Restricted, Baseline, Privileged — Profiles give a graded approach — Pitfall: mappings differ by enforcement mechanism.
Cluster Autoscaler Interaction — Policies that restrict resources may affect scaling behavior — Pitfall: pod eviction due to policy-induced failures.
Controllers and Operators — May create pods with special needs; policies must account for them — Pitfall: denying operator pods breaks platform functions.
Audit Sampling — Not all events may be captured if sampling is misconfigured — Pitfall: misses intermittent violations.
Policy Drift — Policies diverge from documented expectations over time — Pitfall: lack of governance.
Incident Response Playbooks — Processes to remediate policy-caused outages — Important to include RBAC fixes and temporary exemptions — Pitfall: no emergency bypass causes extended outages.
Compliance Evidence — Reports and dashboards created from policy telemetry — Useful for audits — Pitfall: raw deny counts without context are noisy.
Admission Latency — Time added by policy evaluations — KPI to monitor — Pitfall: complex Rego runs slow admission.
Policy Templates — Reusable policy snippets to standardize rules — Saves duplication — Pitfall: template misuse leads to incorrect semantics.
Guardrails — Minimal, safe defaults preventing common mistakes — Good starting point — Pitfall: too permissive guardrails don’t protect.
Policy Owners — People or teams responsible for policy lifecycle — Essential for fast incident response — Pitfall: unclear ownership delays fixes.
How to Measure Pod Security Policy (Metrics, SLIs, SLOs) (TABLE REQUIRED)
| ID | Metric/SLI | What it tells you | How to measure | Starting target | Gotchas |
|---|---|---|---|---|---|
| M1 | Admission deny rate | Fraction of pod creates denied | Deny events / total pod creates | < 1% in prod | Denies in CI inflate metric |
| M2 | Policy violation trend | Change in violations over time | Violations per day | Decreasing month over month | Shadow-mode hides immediate impact |
| M3 | Time-to-remediate violation | Time from deny to fix | Time tracked in ticketing | < 24h for prod | Quiet denies may never be remediated |
| M4 | Shadow-to-deny conversion | Ratio of shadow violations to denies | Shadow violations later denied / total | Improve toward 90% reliable | Shadow tests must be representative |
| M5 | Admission latency delta | Added ms per admission | Admission latency before/after policy | < 50ms per policy set | Rego heavy checks increase latency |
| M6 | Runtime security incidents tied to pod spec | Incidents where pod spec contributed | Postmortem tagged incidents | Decrease over time | Correlation work needed |
| M7 | Percentage compliant pods | Pods matching target profile | Compliant pods / total pods | 95% in prod | Sidecars may be noncompliant |
| M8 | Policy change lead time | Time from policy PR to deployment | Time in CI/CD pipeline | < 1 business day | Complex reviews slow rollout |
Row Details
- M1: Admission deny rate details:
- Break down by namespace and policy to identify hotspots.
- Track separately for CI vs production to avoid false alarms.
- M3: Time-to-remediate violation details:
- Automate ticket creation with policy denial to start clock.
- Include owner and severity mapping for triage.
- M5: Admission latency delta details:
- Measure p95 and p99 latencies; track when Rego rules added.
- Use synthetic tests to baseline.
Best tools to measure Pod Security Policy
Tool — Prometheus + kube-apiserver metrics
- What it measures for Pod Security Policy: Admission controller latency, webhook error rates, API audit events.
- Best-fit environment: Kubernetes clusters with Prometheus monitoring.
- Setup outline:
- Scrape kube-apiserver metrics and admission webhook metrics.
- Export custom metrics for deny counts.
- Create dashboards for latency and deny-rate trends.
- Strengths:
- Flexible queries and alerting.
- Widely used in cloud-native ecosystems.
- Limitations:
- Requires instrumentation of webhook servers.
- Aggregation across clusters needs federation or remote write.
Tool — Fluentd/Fluent Bit + central logging
- What it measures for Pod Security Policy: Denied request logs and detailed audit records.
- Best-fit environment: Organizations with centralized log platforms.
- Setup outline:
- Enable API server audit logs.
- Forward audit logs to central store.
- Parse and index admission denial reasons.
- Strengths:
- Rich context for postmortems.
- Searchable deny reasons.
- Limitations:
- Storage and retention costs.
- Complex parsing rules required.
Tool — OPA Gatekeeper reports
- What it measures for Pod Security Policy: Constraint violations, audit history, and template metrics.
- Best-fit environment: Clusters running Gatekeeper for policy.
- Setup outline:
- Install Gatekeeper CRDs and controllers.
- Create ConstraintTemplates and Constraints.
- Enable audit and collect constraint violation counts.
- Strengths:
- Policy-native telemetry.
- Constraint-specific insights.
- Limitations:
- Rego knowledge required for complex policies.
Tool — Kyverno reports
- What it measures for Pod Security Policy: Policy violation details, mutating events, audit logs.
- Best-fit environment: Clusters using Kyverno for policy enforcement.
- Setup outline:
- Deploy Kyverno and policies.
- Use Kyverno admission and audit modes.
- Export policy engine metrics to Prometheus.
- Strengths:
- YAML-based rules easier for Kubernetes teams.
- Mutation capabilities for automated remediation.
- Limitations:
- Mutation complexity can introduce unexpected states.
Tool — CI/CD pipeline policy checks (e.g., pre-commit test)
- What it measures for Pod Security Policy: Policy violations before admission; early feedback.
- Best-fit environment: Teams practicing GitOps or CI gating.
- Setup outline:
- Integrate policy checks into pipeline as a step.
- Run policies in shadow mode against PR changes.
- Fail PRs on deny rules for production branches.
- Strengths:
- Early detection prevents bad deploys.
- Faster developer feedback loop.
- Limitations:
- False-positives slow developer flow.
- Requires policy tooling to run in CI.
Recommended dashboards & alerts for Pod Security Policy
Executive dashboard
- Panels:
- Overall compliance percentage across clusters.
- Trend of admission denies month-over-month.
- Top 10 policies causing rejections.
- Number of exemptions and their owners.
- Why: Gives leadership visibility into policy effectiveness and risk posture.
On-call dashboard
- Panels:
- Recent admission denials in last 1h by namespace.
- Admission webhook health and latency p95/p99.
- Open remediation tickets for denied pods.
- Critical system pods denied in last 24h.
- Why: Immediate situational awareness for incidents impacting deploys.
Debug dashboard
- Panels:
- Admission reject logs with full reason and request payload snippets.
- Policy evaluation traces and timing breakdowns.
- Per-policy deny counts and recent offenders.
- API server audit stream filtered for admission events.
- Why: Deep diagnostics for engineers debugging policy causes.
Alerting guidance
- Page vs ticket:
- Page on admission webhook outage or p99 latency crossing critical threshold.
- Ticket on elevated deny rates in non-prod or increased policy violations without remediation.
- Burn-rate guidance:
- If policy violations consume >50% of deploy error budget over a 1-week window, escalate to policy owners.
- Noise reduction tactics:
- Aggregate similar deny events and group by namespace and policy.
- Suppress alerts for shadow-mode violations.
- Use deduplication windows and route high-volume noisy rules to digest notifications.
Implementation Guide (Step-by-step)
1) Prerequisites – Cluster with admission webhooks or PodSecurityAdmission available. – RBAC policies documented. – CI/CD integration and GitOps pipeline capability. – Observability stack (Prometheus, logging, dashboards).
2) Instrumentation plan – Expose deny counts as metrics. – Enable API server audit logs. – Add webhook/engine metrics and tracing.
3) Data collection – Collect audit logs and admission metrics centrally. – Tag denials with policy ID, namespace, and user. – Store historical data for trend analysis.
4) SLO design – Define SLOs for compliance and admission latency. – Map SLO violations to error budgets and incident playbooks.
5) Dashboards – Build executive, on-call, and debug dashboards as described above.
6) Alerts & routing – Page for webhook outages and critical denials. – Create tickets for repeated violations and owner escalation.
7) Runbooks & automation – Runbook steps for emergency exemption creation. – Automation to apply temporary namespace exemptions with audit and TTL. – Automated remediation for common misconfigurations (e.g., add runAsNonRoot via mutation).
8) Validation (load/chaos/game days) – Perform shadow testing in production to identify violations. – Run chaos by toggling policy enforcement to observe impact. – Run game days simulating webhook outages and RBAC failures.
9) Continuous improvement – Weekly review of new denies and owner feedback. – Quarterly policy review with engineering and security stakeholders. – Metrics-driven iteration of policies.
Pre-production checklist
- Policies stored in Git and peer-reviewed.
- Shadow mode enabled for at least one production-like week.
- CI runs policy checks against PRs and fails on critical rules.
- Dashboards showing deny and shadow counts.
Production readiness checklist
- Exemptions documented and TTL-based.
- Emergency RBAC recovery paths validated.
- Webhooks deployed HA and monitored.
- SLOs for admission latency and compliance set.
Incident checklist specific to Pod Security Policy
- Verify whether denial is caused by policy change or webhook outage.
- If webhook outage: check webhook pod health and networking; decide fail-open vs fail-closed action.
- If policy misconfiguration: roll back policy from GitOps, create emergency exemption with audit trail.
- Open postmortem and tag policy owner for follow-up.
Examples
- Kubernetes example: Use PodSecurityAdmission with namespace labels for baseline in dev and restricted in prod; add Kyverno mutation to default runAsNonRoot and collect metrics via Prometheus.
- Managed cloud service example: In managed Kubernetes, use the cloud provider’s policy controller or integrate Gatekeeper in a dedicated policy cluster; ensure audit logs are sent to cloud logging and align IAM roles.
What to verify and what “good” looks like
- Admission latency below threshold and stable.
- 95%+ pods in prod compliant with target profile.
- CI rejects 90% of policy violations before merge.
- Clear ownership and documented exceptions.
Use Cases of Pod Security Policy
1) Multi-tenant SaaS platform – Context: Shared cluster with multiple customers. – Problem: Tenants could deploy privileged pods. – Why PSP helps: Prevents host access and restricts volumes. – What to measure: Percentage of tenant pods noncompliant. – Typical tools: OPA Gatekeeper, Prometheus.
2) Regulated data processing – Context: Handles PII and must meet compliance. – Problem: Unrestricted filesystem access risks data leaks. – Why PSP helps: Enforces readOnlyRootFilesystem and restricted volumes. – What to measure: Audit evidence of denied hostPath mounts. – Typical tools: Kyverno, audit logs.
3) Platform operator protection – Context: Operators install controllers that need special permissions. – Problem: Locking policies break platform components. – Why PSP helps: Exempt operator namespaces via RBAC while protecting others. – What to measure: Denied system-critical pods count. – Typical tools: PodSecurityAdmission, RBAC.
4) CI/CD shift-left – Context: Frequent deploys across teams. – Problem: Misconfigurations discoverable too late. – Why PSP helps: Enforce policies in CI and admission to reduce incidents. – What to measure: PR fail rate due to policy violations. – Typical tools: Policy-as-code in CI, Gatekeeper.
5) Incident prevention for DB workloads – Context: Stateful databases need stable storage but are sensitive. – Problem: hostPath mounts risk data corruption. – Why PSP helps: Allow only CSI volumes and block hostPath. – What to measure: Volume type violations. – Typical tools: PodSecurityAdmission, CSI policy tagging.
6) Serverless platform hardening – Context: Managed PaaS runs user code in containers. – Problem: Users might attempt privilege escalation. – Why PSP helps: Enforce strict profiles at the tenancy boundary. – What to measure: User container privileges denied. – Typical tools: Managed platform policy controls.
7) Third-party add-on installation – Context: Installing external Helm charts. – Problem: Unknown charts may request privilege. – Why PSP helps: Block risky fields and require chart changes. – What to measure: Deny counts for chart-created pods. – Typical tools: Kyverno, Helm lint hooks.
8) Image provenance enforcement – Context: Security wants signed images only. – Problem: Untrusted images deployed. – Why PSP helps: Policies can require allowed registries or signatures. – What to measure: Deploys from unapproved registries. – Typical tools: OPA Gatekeeper with admission checks.
9) Dev/test islands – Context: Short-lived test clusters. – Problem: Tools with broad privileges reach prod by mistake. – Why PSP helps: Baseline in dev to match prod expectations. – What to measure: Drift between dev and prod compliance. – Typical tools: PodSecurityAdmission, CI checks.
10) Observability and sidecar safety – Context: Adding tracing and logging sidecars. – Problem: Sidecars may require extra capabilities. – Why PSP helps: Explicitly allow necessary capabilities for sidecars only. – What to measure: Number of sidecars denied and why. – Typical tools: Kyverno, Gatekeeper.
Scenario Examples (Realistic, End-to-End)
Scenario #1 — Kubernetes: Enforcing non-root containers in production
Context: A medium-sized ecommerce platform runs a Kubernetes cluster hosting customer-facing services. Goal: Prevent containers running as root to reduce privilege escalation risk. Why Pod Security Policy matters here: Root containers are a common vector for kernel-level escapes and data access. Architecture / workflow: PodSecurityAdmission applied with label-based namespace mapping; CI runs baseline checks; Kyverno used to mutate missing runAsNonRoot in dev. Step-by-step implementation:
- Add namespace label security.kubernetes.io/enforce=restricted for prod.
- Configure PodSecurityAdmission profiles for restricted.
- Add Kyverno mutation in dev namespaces to auto-add runAsNonRoot for testing.
- Add CI check to fail builds that reference images only runnable as root. What to measure: Percent of prod pods running as root; CI pre-merge fail rate. Tools to use and why: PodSecurityAdmission for enforcement; Kyverno for safe mutation; Prometheus for metrics. Common pitfalls: Third-party images hard-coded to root fail; need image rebuild or exception process. Validation: Shadow run for a week; then enforce deny; run smoke tests. Outcome: Reduced runtime privilege-related incidents and clearer developer guidance.
Scenario #2 — Serverless/Managed-PaaS: Tenant isolation in a managed platform
Context: Managed PaaS hosting user workloads on a multi-tenant cluster. Goal: Prevent tenants from gaining node-level access or mounting host credentials. Why Pod Security Policy matters here: Isolation is critical for multi-tenancy and compliance. Architecture / workflow: Platform maps tenant namespaces to restricted profiles; central policy engine enforces registry and volume rules. Step-by-step implementation:
- Implement Gatekeeper constraints to deny hostPath and privileged.
- Add constraints to require allowed registries only.
- Automatic mutation to add securityContext defaults for tenants.
- Central logging of denied attempts routed to tenant support for remediation. What to measure: Denied hostPath and privileged attempts per tenant. Tools to use and why: OPA Gatekeeper for expressive constraints; central logging for audits. Common pitfalls: Overzealous registry whitelists blocking internal images; need documentation and onboarding flow. Validation: Beta tenants test deploys; game day simulating policy violations. Outcome: Stronger isolation with measurable reductions in risky tenant behavior.
Scenario #3 — Incident-response/postmortem: Privileged pod led to node compromise
Context: Postmortem after an incident where an admin accidentally deployed a privileged daemonset. Goal: Prevent recurrence and create a fast remediation path. Why Pod Security Policy matters here: Admission controls would have prevented the privileged daemonset. Architecture / workflow: Introduce a deny policy for privileged pods and emergency exemption workflow. Step-by-step implementation:
- Audit existing cluster to find privileged pods.
- Create deny constraints for privileged across non-admin namespaces.
- Create an emergency exempt role with audit trail and TTL.
- Update runbook to include steps to revoke exemptions and roll back the offending resource. What to measure: Time from detection to remediation; number of privileged pods post-policy. Tools to use and why: Kyverno for validation; logging and SSO for traceable exemptions. Common pitfalls: Emergency exemptions abused; enforce TTL and approvals. Validation: Drill where a team must request and use an emergency exemption. Outcome: Faster remediation and reduced likelihood of future incidents.
Scenario #4 — Cost/performance trade-off: Admission latency vs policy complexity
Context: Large enterprise notices increased API server latency after adding many Rego policies. Goal: Maintain low admission latency while keeping necessary checks. Why Pod Security Policy matters here: Slow admissions cause CI timeouts and degraded developer experience. Architecture / workflow: Move heavy checks to CI or async scanners; keep admission checks minimal. Step-by-step implementation:
- Measure admission latency impact by policy.
- Move expensive image-scan signature checks to CI; keep simple deny rules at admission.
- Implement caching in Gatekeeper and use lighter-weight Kyverno where possible. What to measure: p95 admission latency before and after changes; CI pre-check success rate. Tools to use and why: Prometheus for latency, Gatekeeper for policy, CI for heavy checks. Common pitfalls: Inconsistent enforcement between CI and runtime; sync policies and reports. Validation: Synthetic high-throughput deploys to measure latency. Outcome: Restored API server responsiveness with retained security posture.
Common Mistakes, Anti-patterns, and Troubleshooting
1) Symptom: All pod creates blocked. -> Root cause: Admission webhook outage or fail-closed. -> Fix: Validate webhook health, set fail-open during maintenance, restore HA webhook pods.
2) Symptom: Critical system pods denied by policy. -> Root cause: Policies applied to system namespaces. -> Fix: Add namespace exemptions or labels and reapply policy from Git.
3) Symptom: High admission latency. -> Root cause: Complex Rego evaluations. -> Fix: Move heavy checks to CI, optimize Rego, cache results.
4) Symptom: Developers bypass policies by modifying ServiceAccount. -> Root cause: Loose RBAC. -> Fix: Harden RBAC, restrict who can create clusterrolebindings, audit changes.
5) Symptom: Shadow-mode violations not fixed. -> Root cause: No tracking of shadow results. -> Fix: Integrate shadow findings into backlog and automate ticket creation.
6) Symptom: Missing audit information. -> Root cause: API server audit not configured. -> Fix: Enable audit logs with relevant policies and retention policy.
7) Symptom: Unexpected pod crashes after mutation. -> Root cause: Mutations introduce incompatible fields. -> Fix: Test mutation policies in CI and staging; add schema checks.
8) Symptom: Policy drift between clusters. -> Root cause: Policies applied independently. -> Fix: Centralize policies in GitOps and sync clusters.
9) Symptom: Too many false positive denies. -> Root cause: Overly strict rules or lack of exemptions. -> Fix: Move to audit mode and refine rules.
10) Symptom: Operators broken after enforcement. -> Root cause: Operators need host access. -> Fix: Exempt operator namespaces and document rationale.
11) Symptom: Sidecar denied for necessary capability. -> Root cause: Generic policy blocks capability for all containers. -> Fix: Create targeted exceptions for sidecar labels.
12) Symptom: No one owns policy changes. -> Root cause: Undefined policy ownership. -> Fix: Assign policy owners and on-call rotation.
13) Symptom: High noise in alerts. -> Root cause: Alert per-deny firing. -> Fix: Aggregate alerts and add dedup windows.
14) Symptom: Misinterpretation of deny reasons. -> Root cause: Deny messages too terse. -> Fix: Improve policy messages and add remediation guidance.
15) Symptom: Failure to detect runtime violations. -> Root cause: Reliance on admission only. -> Fix: Add runtime detection agents and correlate with admission logs.
16) Observability pitfall: Missing context in logs -> Root cause: Audit logs not forwarding metadata. -> Fix: Include user, namespace, and resource in audit exports.
17) Observability pitfall: No dashboards for shadow-mode -> Root cause: Telemetry not captured. -> Fix: Emit shadow violation metrics to Prometheus.
18) Observability pitfall: Too coarse sampling -> Root cause: Audit sampling set too high. -> Fix: Adjust audit policy to capture relevant admission events.
19) Symptom: Policies inconsistent with cloud provider defaults -> Root cause: Assumed default behavior. -> Fix: Map cloud platform behavior to policy rules and test.
20) Symptom: Emergency bypass used frequently -> Root cause: Policies too strict or insufficient automation. -> Fix: Identify frequent exemptions and adapt policies or add automation.
21) Symptom: Difficulty reproducing denies locally -> Root cause: CI differs from cluster admission config. -> Fix: Run policy checks locally via policy tooling or mock admission.
22) Symptom: Policy changes cause wide CI failures -> Root cause: Policies merged without staged rollout. -> Fix: Use canary policies and staged rollout per namespace.
23) Symptom: Secrets mounted improperly despite policy -> Root cause: Policies not checking projected volumes. -> Fix: Add checks for projected and secret mounts.
24) Symptom: Image provenance checks bypassed -> Root cause: Private registries or proxy not included. -> Fix: Ensure registries and proxies are in allowed list and scanned.
Best Practices & Operating Model
Ownership and on-call
- Policy ownership: Assign a policy owner for each major policy and a cross-functional policy council.
- On-call: Have an escalation path to policy owners for urgent exemptions or rollbacks.
Runbooks vs playbooks
- Runbooks: Step-by-step operational steps for common incidents (webhook outage, emergency exemption).
- Playbooks: Higher-level strategies and decision trees for policy changes, audits, and postmortems.
Safe deployments (canary/rollback)
- Deploy policies in audit mode first, then staged denies per namespace.
- Use canary namespaces to validate strict policies before cluster-wide enforcement.
- Maintain GitOps rollback paths and emergency exemption automation.
Toil reduction and automation
- Automate common remediations (mutations that are safe).
- Create templates for exemption requests with TTL and approval flows.
- Automate ticket creation for repeated shadow violations.
Security basics
- Principle of least privilege for pods and RBAC.
- Default deny for host features with explicit allow lists.
- Maintain an approved image registry and signature verification in pipeline.
Weekly/monthly routines
- Weekly: Review new denies, shadow-mode findings, and owner actions.
- Monthly: Audit exemptions, update dashboards, and review policy coverage.
- Quarterly: Full policy review and compliance evidence preparation.
What to review in postmortems related to Pod Security Policy
- Whether policies contributed to the incident (denials, webhook outage).
- Timeliness and correctness of exemptions and rollbacks.
- Lessons learned and policy adjustments to prevent recurrence.
What to automate first
- Automatic mutation for safe defaults (runAsNonRoot, readOnlyRootFilesystem).
- Automated logging and ticket generation for shadow-mode violations.
- Emergency exemption creation with audit trail and TTL.
Tooling & Integration Map for Pod Security Policy (TABLE REQUIRED)
| ID | Category | What it does | Key integrations | Notes |
|---|---|---|---|---|
| I1 | Policy Engine | Validates and enforces admission rules | Kubernetes API, CI | Gatekeeper (Rego) example |
| I2 | Policy Engine | YAML-native validation and mutation | Kubernetes API, CI | Kyverno example |
| I3 | Native Plugin | Built-in profiles enforcement | Kubernetes namespaces | PodSecurityAdmission |
| I4 | CI Integration | Runs policy checks before merge | Git, CI runners | Use pre-merge scans |
| I5 | Logging | Collects audit and deny logs | Central log store, SIEM | Essential for postmortem |
| I6 | Monitoring | Expose metrics for denials and latency | Prometheus, Grafana | Alerting and dashboards |
| I7 | Secret Scanners | Ensure secrets not exposed via volumes | CI, admission | Integrate with policy constraints |
| I8 | Image Scanners | Enforce image policy and signatures | CI, registry | Move heavy scans to CI |
| I9 | GitOps | Stores and deploys policies centrally | ArgoCD Flux | Version control for policy lifecycle |
| I10 | Ticketing | Create remediation tickets from violations | Jira ServiceNow | Automate time-to-remediate tracking |
Row Details
- I1: Gatekeeper details:
- Use for complex constraints and admission audit reporting.
- Requires Rego expertise.
- I2: Kyverno details:
- Easier YAML policies and mutation capability.
- Good for teams preferring Kubernetes-native CRD approach.
- I3: PodSecurityAdmission details:
- Lightweight and built-in, ideal for broad profiles.
- Limited expressiveness compared to Gatekeeper.
Frequently Asked Questions (FAQs)
How do I start enforcing Pod Security Policy without breaking production?
Start in audit/shadow mode, collect violations for a week, fix common offenders, then switch to deny progressively per namespace.
How do I test policies before enforcing them?
Run policies in CI and in a staging namespace with representative workloads; use shadow-mode in production to observe real violations without denial.
How do I exempt a critical operator from a global policy?
Create a namespace or label-based exemption, restrict exemption RBAC, add TTL, and audit the exemption creation.
What is the difference between Pod Security Admission and OPA Gatekeeper?
Pod Security Admission is a built-in profile-based plugin; Gatekeeper is a flexible policy engine using Rego and custom constraints.
What’s the difference between validation and mutation policies?
Validation rejects objects; mutation changes them on admission. Mutation can make pods compliant; validation forces fixes before persistence.
What’s the difference between PodSecurity Standards and a PSP object?
PodSecurity Standards are profile guidelines; PSP is a concrete, legacy resource. Enforcement method differs across admission controllers.
How do I measure whether Pod Security Policy reduces incidents?
Track incidents tagged with pod-spec root cause before and after enforcement; measure downward trends and correlate with policy adoption.
How do I handle third-party Helm charts that violate policies?
Run chart checks in CI, request chart vendor changes, or use targeted exemptions with tight scope and TTL.
How do I avoid policy-related noisy alerts?
Aggregate events, route shadow-mode alerts to low-priority channels, and add dedupe/grouping logic in alert rules.
How do I ensure policy changes are auditable?
Store policies in GitOps, require PR reviews, and enable API audit logs for admission events.
How do I balance performance and policy complexity?
Move heavy checks to CI and keep admission checks minimal and fast; profile admission latency after policy changes.
How do I handle emergency bypass if policy blocks critical recovery?
Provide a controlled exemption mechanism with RBAC, TTL, and automatic audit logging; document the process in runbooks.
How do I enforce image provenance at admission time?
Use Gatekeeper or custom webhook to require images from approved registries or signed images; consider moving heavy scans to CI.
How do I test for policy regressions?
Create unit tests for policies (Rego unit tests or Kyverno tests) and include policy checks in CI for policy changes.
How do I roll back a policy causing cluster disruptions?
Use GitOps rollback to previous policy state, or apply emergency exemption to affected namespaces; restore from policy repo.
How do I integrate PSP checks into developer workflows?
Add policy linters into pre-commit hooks and pipeline stages with actionable error messages.
Conclusion
Pod Security Policy and its modern successors are essential admission-time controls that reduce privilege, limit attack surface, and provide a governance hook for cluster operators. They work best when combined with CI/CD gating, observability, and clear operational processes.
Next 7 days plan
- Day 1: Enable API audit logs and collect initial admission events.
- Day 2: Add PodSecurityAdmission baseline in audit mode for all namespaces.
- Day 3: Integrate a simple policy check into CI for new PRs.
- Day 4: Create dashboards for deny counts and admission latency.
- Day 5: Identify top 5 shadow violations and assign remediation owners.
- Day 6: Implement one safe mutation (runAsNonRoot) for dev namespaces.
- Day 7: Draft runbook for emergency exemptions and test it.
Appendix — Pod Security Policy Keyword Cluster (SEO)
- Primary keywords
- pod security policy
- PodSecurityAdmission
- Kubernetes pod security
- admission controller policy
-
policy-as-code Kubernetes
-
Related terminology
- PodSecurity Standards
- PodSecurity Admission profiles
- OPA Gatekeeper policies
- Kyverno policies
- Rego policies
- admission webhook health
- admission deny metrics
- pod security audit
- runAsNonRoot policy
- readOnlyRootFilesystem enforcement
- deny privileged containers
- hostPath denial
- restrict hostNetwork
- restrict hostPID
- runtime security vs admission security
- CI policy checks
- shadow mode policy
- policy mutation vs validation
- policy drift detection
- policy-as-code GitOps
- policy templates
- policy ownership
- emergency exemption workflow
- admission latency monitoring
- kube-apiserver audit logs
- deny count dashboards
- promote policies with canary
- multi-tenant cluster policy
- container capabilities policy
- seccomp profile enforcement
- AppArmor enforcement
- SELinux context policy
- image provenance policy
- signed image requirement
- registry allowlist
- operator namespace exemptions
- RBAC for policies
- mutation defaulting
- audit-only policy mode
- policy unit tests
- policy performance optimization
- policy shadow testing
- deny-to-remediate SLA
- policy incident response
- automated remediation policies
- deny message guidance
- policy telemetry
- policy violation tickets
- policy change lead time
- compliance evidence from policies
- pod security glossary
- policy enforcement patterns
- policy implementation guide
- policy runbooks
- policy canary rollout
- policy monitoring tools
- policy integration map
- pod security best practices
- prevent privileged pods
- restrict volume types
- secure default contexts
- pod security maturity ladder
- platform policy controls
- serverless tenancy isolation
- managed Kubernetes policy
- cloud-native policy enforcement
- policies for statefulsets
- sidecar-aware policies
- policy exemptions TTL
- policy audit retention
- admission hook fail-open
- admission hook fail-closed
- policy HUman readable messages
- policy remediation automation
- policy-driven SLOs
- policy SLIs and metrics
- admission webhook HA
- policy observability signals
- deny aggregation strategies
- policy noise reduction
- policy deduplication
- Grafana policy dashboard
- Prometheus policy metrics
- central logging for policy
- policy logging schema
- policy change governance
- policy PR reviews
- policy change rollback
- policy canary namespace
- policy migration strategy
- rewrite images for non-root
- mutate runAsNonRoot
- mutate seccomp defaults
- integrate policy into CI
- test policies pre-merge
- shadow test to deny conversion
- limit capabilities NET_ADMIN
- disallow SYS_ADMIN
- prevent host PID usage
- default readOnlyRootFilesystem
- restrict privileged escalation
- pod security incident response
- policy remediation playbook
- policy audit trail
- policy TTL exemptions
- policy labeling and selectors
- policy per-namespace strategy
- centralized policy repo
- policy federation across clusters
- policy for ephemeral workloads
- policy for databases and storage
- policy for sidecar injection
- policy for third-party charts
- policy for managed PaaS
- policy enforcement checklist
- pod security FAQ
- enforce non-root containers
- deny hostPath mounts
- require allowed registries
- policy metrics to track
- policy SLO examples