DEV Community

Santhosh S

🛡️Implementing Pod Security Admission in Kubernetes

This guide covers:

Why PSA replaces PodSecurityPolicies (PSPs)

How PSA works using namespace labels

The three enforcement modes: enforce, audit, and warn

Real-world examples of applying PSA to production and dev environments

“PSA allows cluster administrators to enforce standardized controls without relying on third-party tools or custom configurations.”

Audit Mode (Logs non-compliant pods):

kubectl label namespace <your-namespace> \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/audit-version=latest

It does not block pod creation.
It does not show warnings to users.
It does record violations in the Kubernetes audit log, as an annotation on the audit event for the request, so API server auditing must be enabled for these entries to appear.

Enforce Mode (Blocks non-compliant pods):

kubectl label namespace <your-namespace> \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=latest

Warn Mode (Allows pods but shows warnings):

kubectl label namespace <your-namespace> \
  pod-security.kubernetes.io/warn=restricted \
  pod-security.kubernetes.io/warn-version=latest

To test enforce mode and warn mode, apply the following sample workload in a labelled test namespace. It should be rejected under enforce and admitted with a warning under warn:

apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
    - name: nginx
      image: nginx
      securityContext:
        runAsUser: 0  # Violates restricted policy (runAsUser must not be 0)
        allowPrivilegeEscalation: true  # Violates restricted policy (must be false)
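As an added illustration (not code from the original post, and not the real admission controller), the following Python function mirrors a subset of the restricted-profile checks that PSA applies, runs them over the insecure pod above and over a hardened variant, and lists the violations that enforce mode would reject and warn mode would report. Both pod dicts are constructed here for the example.

```python
# Added example (not from the post, not the real admission controller): a
# simplified lint that mirrors a subset of the "restricted" profile checks.

INSECURE_POD = {  # constructed: the insecure-pod manifest above, as a dict
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "insecure-pod"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx",
             "securityContext": {"runAsUser": 0,
                                 "allowPrivilegeEscalation": True}}]},
}

HARDENED_POD = {  # constructed: same pod with a restricted-compliant context
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened-pod"},
    "spec": {"securityContext": {"runAsNonRoot": True,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "nginx", "image": "nginx",
                 "securityContext": {"allowPrivilegeEscalation": False,
                                     "capabilities": {"drop": ["ALL"]}}}]},
}

def restricted_violations(pod):
    """Return the restricted-profile violations found in a pod dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]

        def effective(key):  # container-level value overrides the pod-level one
            return sc[key] if key in sc else pod_sc.get(key)

        if sc.get("privileged"):
            violations.append(f"{name}: privileged containers are forbidden")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        if effective("runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if effective("runAsUser") == 0:
            violations.append(f"{name}: runAsUser must not be 0")
        seccomp = (effective("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations

if __name__ == "__main__":
    for pod in (INSECURE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], restricted_violations(pod) or "OK")
```

Running it shows the insecure pod failing on five restricted controls while the hardened pod passes, which is the same outcome you would see from the warn-mode output when applying both manifests to a labelled namespace.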

Note:

PSA is evaluated at admission time, so it applies only to pods created (or updated) after the namespace labels are set; pods that are already running in the namespace are not affected.

Conclusion:

Pod Security Admission (PSA) is a powerful built-in Kubernetes feature that replaces the deprecated PodSecurityPolicy (PSP) mechanism. By using namespace-level labels and enforcement modes (enforce, audit, warn), PSA enables cluster administrators to apply consistent, standards-based security controls across workloads—without relying on external tools.

Implementing PSA helps:

Strengthen pod-level security posture

Simplify policy management using native Kubernetes constructs

Gradually roll out restrictions using audit and warn modes before enforcing

Whether you're securing production workloads or sandboxing development environments, PSA offers a flexible and transparent way to enforce best practices. As Kubernetes continues to evolve, PSA is the recommended path forward for pod security.
