
Why are we replacing PSP with PSS? What are the motivations and changes in fundamental design?

The objective of both PSS and PSP is to only permit Pods that fulfil a set of security criteria and conditions before they can be deployed. Examples would be running the container as non-root, the usage of volume types, etc.

Both PSS and PSP allow us to use a similar set of conditions/criteria: https://kubernetes.io/docs/concepts/security/pod-security-policy

I've also read some articles that PSP is complex to provision and maintain. PSS aims to replace PSP and RBAC (e.g. Role Bindings). I haven't really read a thorough explanation on this yet.

UndercoverDog

1 Answer

So Pod Security Standards are a documentation standard which describes three levels of security that can be applied to workloads in the cluster; it doesn't actually implement those levels.

Pod Security Admission is an in-built mechanism which can enforce those three levels.

In comparison to Pod Security Policy, it's less flexible, as policies are implemented at a namespace level and it's harder to create exceptions (for things like side-car containers); however, it's simpler to use than Pod Security Policy.

It's also important to note that Pod Security Policy is deprecated and is being fully removed from Kubernetes in 1.25, so it would not be a good thing to adopt in clusters that will be in use in the long term.

If you need more flexibility than Pod Security Admission provides, there are a number of third-party admission controllers that can be used to put Pod Security Standard restrictions in place. Kyverno and OPA Gatekeeper are two of the more commonly used options.

Rory McCune
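To make the namespace-level enforcement described in the answer concrete, here is an added example (not from the answer or the Kubernetes project) of a Namespace labelled for Pod Security Admission together with a Pod that satisfies the `restricted` level; the namespace, pod and image names are placeholders, and the labels are the standard `pod-security.kubernetes.io/*` ones.

```yaml
# Namespace labelled for Pod Security Admission. "enforce" rejects
# non-compliant Pods at admission time; "audit" and "warn" only record
# an audit annotation / return a client warning, so they are a low-risk
# way to preview the impact of a stricter level before enforcing it.
apiVersion: v1
kind: Namespace
metadata:
  name: payments            # placeholder namespace name
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# A Pod that passes the "restricted" level. Each securityContext field
# below is required by that level; drop any one of them and the
# warn/audit modes above will flag the Pod (and "enforce" would reject
# it once the namespace is raised from baseline to restricted).
apiVersion: v1
kind: Pod
metadata:
  name: api                 # placeholder pod name
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true          # container must not run as UID 0
    seccompProfile:
      type: RuntimeDefault      # an explicit seccomp profile is mandatory
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false # no setuid / file-capability gains
        capabilities:
          drop: ["ALL"]                 # restricted requires dropping ALL
```

With these labels, `kubectl apply` of a Pod in the namespace that meets `baseline` but not `restricted` still succeeds, but prints a warning naming the failing fields, which is the usual way to find workloads (such as side-cars) that need fixing before the enforce level is raised.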